audit & assurance review

A D V A N C E D A U D I T A N D A S S U R A N C E S T U D Y G U I D E 3 . 1

Module 3Understanding the entity, assessing risk and responding to risks

ContentsPreview 3.3

IntroductionObjectivesTeaching materials

Overview of standards covering risk assessment and response to assessed risks 3.4Planning an audit of financial statements 3.5Audit materiality 3.8

Materiality conceptsApplication of materiality conceptsPerformance materiality

Financial statement assertions 3.12Identifying and assessing the risks of material misstatement through understanding the entity and its environment 3.15

Perform risk assessment proceduresDiscuss the susceptibility of the entity’s financial statements to material misstatement Understand specified aspects of the entity and its environment, including internal controlControls in an IT environmentAssess the risks of material misstatementIdentify significant risks

Strategic analysis 3.33Techniques used in strategic analysis 3.36

SWOT analysisPEST analysisPorter’s five forces model for industry analysisValue chain analysis

Analytical procedures 3.43Simple comparisonsReasonableness testsRatio analysis

Responding to assessed risks 3.52Key principlesTests of controlSubstantive procedures

Evaluation of misstatements identified during the audit 3.55Review 3.57References 3.57

Suggested answers


Preview

IntroductionIn this module we introduce the concept of a ‘business risk’ and how it:! impacts on the auditor’s knowledge and understanding of the client; and! relates to the risk of material misstatement.

Obtaining an understanding of the business assists the auditor in:! assessing risks and identifying problems;! planning and performing the audit both effectively and efficiently; and! evaluating audit evidence

This module provides an overview of some techniques for obtaining an understanding of the entity and its environment, including analytical procedures.

As a number of the large audit firms have adopted a strategic systems audit approach based on risk analysis, this approach is discussed in this module.

Strategic analysis is an important part of risk analysis. Emphasis is placed on the following techniques used in strategic analysis to identify business risks: ! SWOT analysis; ! PEST analysis; ! Porter’s five forces; and ! value chain analysis

While the management literature employs these types of analysis to identify investing and operating opportunities, auditors consider threats to the auditee’s business as a source of audit risk.

After discussing the planning of an audit and audit materiality, substantial emphasis is placed in this module on ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 330 The!Auditor’s Responses to Assessed Risks. As internal control is a means of mitigating business risk, we examine the components of internal control using the framework set out in ISA 315. We then consider these internal controls in an IT!environment. An important topic is audit assertions.

Following ISA 330, this module discusses the auditor’s response to assessed risks. There!are two major classes of audit procedures: tests of control and substantive tests. The purpose of tests of controls is to support an assessed level of control risk (or the risk of material misstatement) as determined by the evaluation of internal controls. Substantive tests of transactions and balances involve substantively verifying the associated dollar values. The auditor will outline in the audit plan the most efficient and!effective combination of audit procedures to achieve a desired level of audit risk.

Finally, issues related to the evaluation of misstatements identified during an audit are!discussed.

3 . 4 S T U D Y G U I D E A D V A N C E D A U D I T A N D A S S U R A N C E

ObjectivesAfter completing this module, you should be able to:! explain the importance of audit planning;! explain what a material misstatement is;! identify and describe the key audit assertions;! explain the aspects of the entity and its environment that the auditor needs

to!have an understanding of;! explain what is meant by a business risk and how it impacts on the audit;! outline the strategic systems approach to auditing and the importance of

strategic!analysis;! apply the following techniques for carrying out strategic analysis:

! SWOT analysis; ! PEST analysis; ! Porter’s five forces; and ! value chain analysis

! describe the types of analytical procedures of the audit process;! describe the types of control that may exist in an IT environment;! define internal control and outline the elements of an internal control system;! identify the various ways the auditor can respond to assessed risks; ! explain the concepts of test of controls and the meaning of the term

‘substantive!test’; ! explain the different types of substantive tests; and! evaluate misstatements identified during an audit.

Teaching materials! Relevant standards ISA 300 Planning an Audit of Financial Statements ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment ISA 320 Materiality in Planning and Performing an Audit ISA 330 The Auditor’s Responses to Assessed Risks ISA 450 Evaluation of Misstatements Identified during the Audit AASB 1031 Materiality

! Learning tasks Learning tasks are available in ‘My Online Learning’ for this module. Please check

‘My Online Learning’ at least once a week, as more learning tasks may be added during the semester.

Overview of standards covering risk assessment and response to assessed risks

In this module we start with ISA 300 Planning an Audit of Financial Statements. The!major focus of this module is ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment. The remainder of the module covers materiality (ISA 320), responses to audit risks (ISA 330) and evaluation of misstatements identified (ISA 450). More detailed coverage of the!procedures is given in Module 4, which looks at the ‘500’ series of the ASAs.


Planning an audit of financial statements ISA 300 Planning an Audit of Financial Statements, paragraph 4, states that ‘the auditor is to plan the audit so that it will be performed in an effective manner’. This involves developing an overall audit strategy (ISA 300.7) and developing an audit plan (ISA!300.9) in order to reduce audit risk to an acceptably low!level.

The reason for planning is to ensure appropriate attention is given to important areas of the audit, to identify potential problems on a timely basis, to organise and manage the engagement properly, assisting in the selection of team members, facilitating their supervision and assisting in the coordination of work done (ISA 300.2).

The nature and extent of planning activities will vary with:! the size and complexity of the entity (i.e. greater complexity may result in

more!planning);! the auditor’s previous experience with the entity (e.g. on a new audit one would

expect planning to be more extensive); and! changes in circumstances that occur during the audit engagement (e.g. if the entity

increases the level of management bonuses and their correlation with profitability levels, the auditor needs to consider this in the audit plan); this!situation increases the incentive for fraud and auditors must adjust their gathering of evidence!accordingly.

You should note the continual and iterative nature of planning. It is not a discrete phase of the audit but a continuous process often beginning shortly after the completion of the previous audit and continuing to the completion of the current audit. As!new information becomes available, the audit plan is updated on an iterative basis. For!example, the auditor may initially assess that the entity has effective internal controls and the audit plan prescribes tests of controls to be carried out with reduced substantive tests. However, weaknesses in the internal control system found when carrying out tests of controls will result in the audit plan being changed (e.g.!increased substantive testing). Less reliance may also be placed on analytical procedures if the weaknesses in internal control affect the data on which the analytical procedures are being executed. As another example, the auditor may find during substantive testing that controls are not working during a particular time of the year. Consequently the audit plan will need to be revised if these controls were previously relied on.

While we note above the iterative nature of an audit plan, you should understand that certain audit planning activities and procedures need to be coordinated early in the audit process, for example:! conducting preliminary analytical procedures as part of risk assessment;! obtaining an understanding of the legal and regulatory framework applicable

to!the!entity;! determining materiality levels; and! considering the need to involve experts and specialists prior to identifying and

assessing risks (e.g. in the mining industry an auditor may need to consult a geologist prior to assessing risks related to inventory and non-current assets).

ISA 300.6 requires the auditor to perform the following activities at the beginning of!audit engagements:

! Perform procedures regarding the continuance of the client relationship and the specific audit engagement …

! Evaluate compliance with relevant ethical requirements relating to the audit engagement, including independence …

! Establish an understanding of the terms of the engagement (ISA 300.6).


The aims of these procedures are to ensure:

! The auditor maintains the necessary independence and ability to perform the!engagement.

! There are no issues with management integrity that may affect the auditor’s willingness to continue the engagement.

! There is no misunderstanding with the client as to the terms of the engagement (ISA 300.A6).

The auditor is required to establish the overall strategy for the audit (ISA 300.7). The!overall audit strategy sets the scope, timing and direction of an audit. In!particular,!the!establishment of the audit strategy must involve the following (ISA!300.9 and A8–A11):! Identify the characteristics of the engagement that define its scope, such as the

financial reporting framework used, industry-specific reporting requirements and the locations of the components of the entity.

! Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required—such as deadlines for interim and final reporting—and key dates for expected communications with management and those charged with governance.

! Consider the factors that are significant in directing the focus of the engagement team’s efforts, such as determination of appropriate materiality levels, preliminary identification of areas where there may be higher risks of material misstatement, preliminary identification of material components and account balances, evaluation!of whether the auditor may plan to obtain evidence regarding the effectiveness of internal control, and identification of recent significant entity-specific, industry, financial reporting or other relevant developments.

! Consider the results of preliminary engagement activities (e.g. client continuance activities, compliance with relevant ethical requirements, and establishing an understanding of the term of engagement).

! Ascertain the nature, timing and extent of resources needed (e.g. staff needs, experts).

The appendix of ISA 300 lists examples of matters the auditor may consider in establishing the overall audit strategy. The appendix is divided into four sections: 1 Characteristics of the engagement.2 Reporting objectives, timing of the audit and nature of communications. 3 Significant factors, preliminary engagement activities and knowledge gained on

other engagements.4 Nature, timing and extent of resources.

Read the appendix of ISA 300 now to gain an understanding of the above four points.

The auditor is required to develop an audit plan (ISA 300.9). The audit strategy guides the development of this more detailed audit plan. The audit plan documents the auditor’s initial assessment of the evidence necessary to form an opinion, and the method of obtaining this evidence. Although audit planning is the first stage in the audit process, the!audit plan must be a dynamic document if it is to reflect the impact of information gathered during the course of the audit. For example, a weakness identified in the internal controls may necessitate increased substantive audit procedures for the accounts involved. This will require a modification of the audit plan.


The audit plan needs to!include a description of (ISA 300.9):

! the nature, timing and extent of planned risk assessment procedures sufficient to assess the risks of material misstatement, as determined under!ISA 315 …

! the nature, timing and extent of planned further audit procedures at the assertion level under ISA 330 … The plan for further audit procedures reflects the auditor’s decision whether to test the operating effectiveness of controls, and the nature, timing and extent of planned!substantive!procedures …

! other audit procedures required to be carried out for the engagement in!order to comply with ISAs.

While the actual content of the audit plan will vary, it will generally include an outline of the general audit approach to be followed without going into specific detail about the exact audit procedures that will be used. In this sense, the audit plan acts as an overview of the audit, indicating:! the major objectives of the audit; ! the constraints within which the audit must be performed; ! materiality and risk considerations; and ! an estimate of the resources required to carry out the audit.

Question 3.1The auditor of LRS Ltd has completed the audit strategy and audit plan and is presently carrying out substantive procedures. The auditor discovers some errors that suggest that the original audit plan may have incorrectly assumed that the controls over inventory were strong. Is it too late to change the audit plan?

An important part of planning relates to direction, supervision and review. Specifically, ISA 300.11 requires the auditor to ‘plan the nature, timing and extent of direction and supervision of engagement team members’ and review of their work, wherein: ! ‘nature’ refers to type of direction and supervision (e.g. very detailed step-by-step;

or a more global approach concentrating on key issues); ! ‘timing’ refers to ‘when’—while direction and supervision are likely to be ongoing,

review can take place at different times (e.g. real time review as the work is done or!at the end of the audit); and

! ‘extent’ refers to ‘how much’.

Review can be done face-to-face where the reviewer asks questions of the preparer verbally, or by looking at the working papers (manual or electronic) in the absence of!the preparer and preparing written review notes to be answered/cleared.

Various factors including the size and complexity of the entity, the area of the audit (e.g. inventory, financial instruments), the risks of material misstatement, and the capabilities and competence of personnel performing the work (e.g. prior industry audit experience) all have an impact. For example, if the work related to inventory and the preparer was an audit manager with extensive manufacturing experience, the level of direction, supervision and review would be less than if the preparer was an assistant whose previous audit experience was with banks and insurance companies. Where there is an increase in the assessed risk of material misstatement for the area of audit risk, you would expect increases in the extent and timeliness of direction and supervision of!engagement team members and a more detailed review of their work.


The auditor is required to document the overall audit strategy and the audit plan, including any significant changes made during the audit engagement (ISA 300.12).

To gain a better understanding of the above documentation you should now refer to ISA 300.A16–.A19.

One other issue relates to the communications regarding audit planning with those charged with governance and management. ISA 300.A3 states that an auditor may discuss elements of planning with an entity’s management. These discussions may include overall audit strategy and timing of the audit. While the auditor often needs to have these discussions with management to facilitate the conduct of the audit, it is important that the auditor not compromise the effectiveness of the audit. For example, the auditor should not compromise the effectiveness of the audit by making the audit too predictable (ISA 300.A3).

Case Study 3.1 provides an illustration of issues for consideration in planning for an audit. Complete the case study now.

Case Study 3.1: LM LtdYou are planning the audit of LM Ltd, a soft drink manufacturer with bottling plants throughout the world. Each country has its own bottling plant together with an accounting and administrative centre. Each country prepares financial data monthly and submits it to head office in Sydney. The financial data from each country has been shown to be very accurate in previous audits. You are planning the June 20X9 audit and it is now April 20X9.

Your tasksFor each of the following facts, state what would be the impact on your overall audit plan for 20X9:1 As a result of budget cuts and reduced employee numbers in some countries, management has

expressed some concern about recent financial data it has been receiving.2 The cost of labour has been increasing quickly in some countries with the result that proposals

are being put forward to rationalise the number of plants across the world.3 The US bottling plant has entered into a two-year contract with a local sugar supplier to maintain

a supply of quality sugar at predetermined prices.4 A new ‘low-carb’ soft drink accounts for over 20 per cent of total revenues. At a recent sporting

event in the United Kingdom, there were large numbers of customers taken to hospital after having an allergic reaction to the drink. This has been traced to a new ingredient used worldwide and the product has been temporarily taken off the market.

Audit materiality and audit assertions are two key issues in auditing which are discussed!below.

Audit materialityIn this section materiality is discussed through the Australian accounting standard AASB!1031 Materiality. The Preface of AASB 1031 states that the international Framework!for the Preparation and Presentation of Financial Statements has limited guidance!on materiality in comparison to AASB 1031 Materiality (AASB 2004, p. 4).


Materiality conceptsThe concept of materiality is of fundamental importance to both preparers and auditors. However, there are no universally agreed-upon numeric guidelines or specific criteria for determining whether a given fact is material. Further, materiality!judgments are significantly influenced by surrounding facts and!circumstances.

In general terms, audit materiality may be defined as the highest level of misstatement that, in the auditor’s judgment, will be tolerated by the user of the financial statements. If the decision-maker would reach a different decision, were that person aware of the fact in question, then the fact is material. However, this general definition does little to reduce the degree of judgment required. Nevertheless, audit materiality is directly related to the concept of materiality in financial statements as covered by AASB 1031 Materiality. The concept of materiality set out in AASB 1031 is concerned with the point!at which errors or distortions in financial statements will alter users’ decisions.

Review AASB 1031 before proceeding.

AASB 1031 outlines the following guidelines on materiality:

! an amount which is equal to or greater than 10 per cent of the appropriate base amount may be presumed to be material unless there is evidence or convincing argument to the contrary; and

! an amount which is equal to or less than 5 per cent of the appropriate base amount may be presumed not to be material unless there is evidence, or!convincing argument, to the contrary (AASB 1031.15).

The appropriate base amounts for income statement items suggested in AASB 1031 are!the more appropriate of the:

(i) profit or loss and the appropriate income or expense amount for the current reporting period; and

(ii) average profit or loss and the average of the appropriate income or expense amounts for a number of reporting periods (including the current reporting period) (AASB 1031.13).

For balance sheet items, the appropriate base amount suggested in AASB 1031.13 is!‘the!more appropriate of the recorded amount of equity and the appropriate asset or!liability class total’.

For audit planning purposes, some audit firms use a rule-of-thumb approach to determine planning materiality. Common rules of thumb for establishing a planning materiality figure are as follows:! 5–10 per cent of profit;! 0.5–1 per cent of revenue; and! 0.5–1 per cent of assets.

While some auditors use one of the above bases of calculation, others use a blend of these, making several calculations on a variety of bases and then taking the average of!them. Others use a sliding scale, such as a declining percentage of total assets.

3 . 1 0 S T U D Y G U I D E A D V A N C E D A U D I T A N D A S S U R A N C E

The choice of rule of thumb depends on value judgments about relevance, stability and predictability. Profit may be the most relevant base for a company with publicly traded securities. However, because profit can fluctuate significantly from year to year, it may lack stability. It is not relevant to some entities such as not-for-profit organisations. In!practice, size-related bases such as total assets or total revenue are preferred because of their relative stability.

Use of a rule of thumb as a decision aid in general planning is not universal in auditing practice. However, materiality has to be reduced to an explicit dollar amount as a practical necessity in conducting the audit. As different approaches to calculating materiality can result in substantially different amounts, the auditor’s judgment in the circumstances is critical.

The amount considered material does not remain fixed after its initial calculation. The auditor may revise this judgment based on the results of audit tests and new information as the audit progresses and the auditor’s approach in evaluation at the completion of the audit may be considerably different. This means the amount estimated for planning materiality should not be confused with the amount used in the!evaluation of the materiality of individual misstatements.

The auditor’s use of materiality in evaluation will be influenced by qualitative considerations, additional information, and the nature of the decisions to be made. Qualitative considerations, for example, may include the nature of the transaction (such!as related-party transactions or possible illegal acts).

While, in general, materiality is concerned with the highest level of misstatement that can be tolerated and hence the financial statements still fairly presented, equal regard should be given to a number of other factors:! The nature of the item in question should be considered. An item could be

‘material’ because of its nature. For example, in Australia for listed companies, a!Corporations Act 2001 (Cwlth) disclosure item has to be disclosed (e.g. audit fees), irrespective of!whether it is material in dollar amount.

! Where financial limits are prescribed, like the borrowing limits set down in trust deeds, regard should be given to the effect of identified errors of such limits even though the errors would not otherwise be material. The breach of such limits can have significant consequence to companies and could even lead to a questioning of!the going concern basis.

The materiality of an item in relation to the financial statements taken as a whole affects the auditor’s judgment as to what is sufficient appropriate audit evidence, in!accordance with ISA 500 Audit Evidence. Those figures that are most material require more evidence, both in quantity and quality.

We have seen that audit risk is present to a greater or lesser extent in every audit and that absolute certainty in auditing is rarely attainable. The auditor is concerned that the audit examination will provide reasonable assurance that the financial statements is not misstated to a degree of materiality which, had it been identified, would have resulted in a modified audit opinion.

The auditor should therefore plan the audit to minimise the risk of failure to detect errors that, in aggregate, exceed an acceptable degree of materiality. Obviously, the!lower the degree of materiality deemed acceptable, the more audit work will have!to!be performed and the higher the cost to the entity.

A D V A N C E D A U D I T A N D A S S U R A N C E S T U D Y G U I D E 3 . 1 1

The decision as to what constitutes an acceptable degree of materiality will vary depending on the circumstances of each engagement. The auditor must, in the final analysis, decide on an acceptable level of materiality using individual professional judgment. However, some guidelines are provided in ISA 320 Materiality in Planning and!Performing an Audit.

Application of materiality conceptsMateriality issues are covered in ISA 320 and ISA 450. ISA 320 covers the auditor’s responsibility to apply the concept of materiality in planning and performing an audit of financial statements. ISA 450 (discussed later in this module) covers how materiality is applied in evaluating the effect of identified misstatements on the audit!(ISA 320.1).

The concept of materiality is applied in the following situations:! audit planning;! performing the audit;! evaluating the effect of identified misstatements on the audit and of unrecorded

misstatements, if any, on the financial statements; and! in forming the opinion in the auditor’s report (ISA 320.5).

Some key actions for the auditor related to audit materiality are:! when establishing audit strategy, determining materiality for the financial

statements as a whole and in some circumstances (see ISA 320.10) materiality levels for particular classes of transactions, account balances and disclosures;

! determining performance materiality (as defined in ISA 320.9) for the purposes of assessing the risk of material misstatement and determining the nature, timing and extent of further audit procedures (ISA 320.11);

! revising materiality levels when the auditor becomes aware of information during the audit that would have changed their initial materiality estimates (ISA!320.12) and to consider whether to revise performance materiality and the nature, extent!and timing of audit procedures (ISA 320.3).

Determining the levels of materiality requires the exercise of professional judgments. These are judgments related to what is an appropriate benchmark and the percentage to be applied to the chosen benchmark (e.g. 5% of profit before tax, 1% of revenues, x% of total assets). Examples of potential benchmarks are provided in ISA 320.A4 and factors that have an impact on the appropriate benchmark are given in ISA 320.A10.

Performance materialityThere is a distinction between materiality and performance materiality (as noted above). Performance materiality takes into account that planning the audit solely to detect individual material misstatements overlooks the following:! the aggregate of individually immaterial misstatements may cause the financial

statements to be materially misstated; and ! consideration of the possibility of undetected misstatements.

For example, if we consider the materiality of the financial statements as a whole, performance materiality means the amount:

set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected or undetected misstatements exceeds materiality (ISA 320.9).

This concept is further explained in ISA 320.A12.


Financial statement assertionsFinancial statement assertions are ‘representations, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur’ (ISA 315.4). Given the importance of the term ‘assertion’ for understanding ISA 315 we introduce the concept here.

Assertions used by the auditor are classified under three categories: (i) class of transactions and events for the period under audit (e.g. revenue and expenses); (ii)!account balances at the period end (e.g.!assets, liabilities); and (iii) presentation and!disclosure (e.g. income statement, balance sheet,!notes).

ISA 315.A111 sets out the following assertions:

(a) Assertions about classes of transactions and events for the period under!audit:

(i) Occurrence—transactions and events that have been recorded have occurred and pertain to the entity.

(ii) Completeness—all transactions and events that should have been recorded have been recorded.

(iii) Accuracy—amounts and other data relating to recorded transactions and events have been recorded appropriately.

(iv) Cutoff—transactions and events have been recorded in the correct accounting period.

(v) Classification—transactions and events have been recorded in the proper accounts.

(b) Assertions about account balances at the period end:

(i) Existence—assets, liabilities, and equity interests exist.

(ii) Rights and obligations—the entity holds or controls the rights to assets, and liabilities are the obligations of the entity.

(iii) Completeness—all assets, liabilities and equity interests that should have been recorded have been recorded.

(iv) Valuation and allocation—assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately!recorded.

(c) Assertions about presentation and disclosure:

(i) Occurrence and rights and obligations—disclosed events, transactions, and!other matters have occurred and pertain to the entity.

(ii) Completeness—all disclosures that should have been included in the!financial statements have been included.

(iii) Classification and understandability—financial information is appropriately presented and described, and disclosures are clearly!expressed.

(iv) Accuracy and valuation—financial and other information are disclosed fairly and at appropriate amounts.

By way of example, we consider the assertions about asset and liability account balances at period end. As auditors are particularly interested in overstatement of assets, assertions related to existence and valuation are particularly important.


In establishing occurrence, the auditor is concerned with obtaining evidence that a transaction or event which relates to the entity during the relevant period took place. Occurrence is similar to existence (see below) except that it relates to transactions and events (transactions and events occur) rather than balance sheet items (which exist). For!example, we are interested in the occurrence of sales (i.e. Did the sale actually occur?).

In establishing completeness, which relates to both classes of transactions and events for the period under audit and account balances at the period end, the auditor is concerned with obtaining evidence that all amounts that should be included are included. This!objective requires evidence that there are no unrecorded assets, liabilities, transactions or other events, or undisclosed items. This is generally one of the hardest assertions to test for—looking for things that are not included but should be. In!testing for omitted assets, liabilities, transactions or events, the auditor must generally rely on the study and evaluation of accounting controls (such as a sequence check of pre-numbered documents) and substantive procedures of transactions (such!as a search of transactions in the next accounting period that relate to the accounting period under audit). Completeness is particularly important for liabilities and expenses as understatement of these items results in profits being overstated.

In establishing the accuracy assertion, the auditor is concerned that the details of the transactions under review are completely correct. It is surprising how easily small errors of detail can arise and how significant the impact of the mistakes can be. Consider the calculation of sales revenue by multiplying sales price by quantity sold. If the decimal point is left out of the sales price, it is possible that sales revenue may be inflated by a factor of 100. Accuracy is also considered with valuation under the heading of assertions about presentation and disclosure. Here, the auditor is concerned with the accuracy of the details of the item being presented.

In establishing the cutoff assertion, the auditor is concerned that the details of the transaction under review are recorded in the correct period. It is essential that in this test the auditor ensures that double counting does not occur. For example, if a sale occurs before year end, the auditor should ensure that it is not only recorded correctly in that period but that the related inventory is removed from the year-end physical count if it has not yet been transferred from the warehouse. The auditor needs to consider potential management incentives to put revenues or expenses in the wrong period.

In establishing the classification assertion, the auditor is concerned that the correct account is used in recording a transaction. This is not always a simple matter. Consider, for example, the decision relating to whether certain types of overhead costs should be capitalised or expensed. The classification assertion is also considered under the presentation and disclosure grouping where it is included with understandability. In establishing the understandability assertion under the presentation and disclosure grouping, the auditor is concerned that the disclosures are clearly expressed.

In establishing existence, the auditor is concerned with obtaining evidence that an asset or a liability exists at a given date (generally at the end of the financial period). Generally, observation is the primary audit procedure for substantiating the existence of physical assets such as inventory and fixed assets (i.e. Do they exist at year end?). For other financial balances, such as cash at bank and accounts receivable, external!confirmation is a primary procedure. Such procedures are designed to detect errors that cause balances to be overstated.


In establishing rights and obligations, the auditor is concerned with obtaining evidence that recorded assets are future economic benefits controlled by the entity, and that liabilities are the future sacrifices of economic benefits that an entity is presently obliged to make as a result of past transactions or other past events. The auditor needs to obtain evidence that the accounting recognition is appropriate. The rights and obligations objective usually involves procedures to provide evidence that assets in the client’s possession that have been sold or pledged are not reported as assets. For example, accounts receivable may be sold, that is the receivables are factored out, but the client may continue to make collections. The audit procedures used to obtain evidence of rights and obligations may also include examining land tax assessments, rate!notices, title deeds, correspondence and minutes of meetings of the board of directors, and!making inquiries of the client’s management.

In establishing the appropriate valuation and allocation of assets and liabilities, the!auditor is concerned that the carrying value of balances is in conformity with generally accepted accounting principles. Satisfying this objective may require the exercise of audit judgment in evaluating the reliability of estimates and the appropriateness of accounting methods. For example, some assets, such as inventory, are required to be stated at the lower of cost and net realisable value, and many allocations, such!as depreciation or the allowance for doubtful debts, can be made with!a variety of measurement methods.

The auditor needs to obtain evidence that supports each of the assertions for every material component of the financial statements. A component of the financial statements may be an account balance (or group of account balances) or a class of transactions. The!categories of assertions provide a framework for developing specific audit objectives for each material account balance or class of transaction. The auditor’s assessment of risk is used to determine those assertions that require greater audit attention.

A useful way of thinking about the class of assertions about presentation and disclosure is that they primarily relate to the presentations and disclosures contained in the notes to the accounts. In establishing the occurrence and rights and obligations about presentation and disclosure, the auditor is concerned that all disclosed events and transactions have occurred and pertain to the entity. In establishing the completeness of presentation and disclosure, the auditor is concerned that all disclosures that should have been included in the financial statements have in fact been included. In establishing the classification and understandability of presentation and disclosure, the auditor is concerned that all financial information is appropriately presented and described, and disclosures are clearly expressed. In establishing the accuracy and valuation around presentation and disclosure, the auditor is concerned that financial and other information is disclosed fairly and at appropriate amounts.

Case Study 3.2: Beta LtdThe auditor of Beta Ltd carried out audit procedures for sales and inventory and detected the following misstatements:1 Some inventory items were out on consignment and were not counted during the physical inventory.2 During the physical count, the client’s employees mistakenly counted some items twice.3 The basis of inventory valuation was not included in the draft financial statements.4 Included in the inventory counts were some items that were held on consignment.5 Some inventory items were listed at cost, but the realisable value was lower.6 It was recognised that some sales were being recorded before they were shipped.7 The sales price recorded for sales transactions was different to that agreed with the customer.

It was found to be taken from an outdated version of the sales price file.

Your taskFor each misstatement, identify the broad category of financial statement assertion involved.


Question 3.2Your initial audit plan for sales transactions placed substantial reliance on the system of internal control and the use of analytical procedures rather than substantive tests of detail. Your testing of the internal control system for sales has found a significant number of instances where customers’ credit ratings have not been checked. The sales manager states that these changes have been the result of difficulties in maintaining past sales levels.

1 Identify the balance sheet account and the relevant assertion most at risk given the above information.

2 Discuss how your initial planned strategy would change given the additional information in regard to the results of testing of controls.

Identifying and assessing the risks of material misstatement through understanding the entity and its environment

ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment establishes mandatory requirements and provides application and explanatory material to the auditor on obtaining an understanding of the entity and its environment, including!its internal control, and on assessing the risks!of material misstatement in the!financial statements.

Perform risk assessment proceduresISA 315 requires the auditor to perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement (both error and fraud) at the financial statement and at the assertion level.

In carrying out these risk assessment procedures the auditor obtains an understanding!of the entity and its environment, including the entity’s internal control. This understanding provides the frame of reference for planning and exercising professional judgment throughout the audit, for example, when:! assessing risks of material misstatements;! determining the level of materiality;! considering the appropriateness of accounting policy choices and disclosures;! identifying areas where special audit consideration may be necessary;! developing expectations for use when performing analytical procedures;! responding to the assessed risks of material misstatements including obtaining

sufficient appropriate audit evidence; and! evaluating the sufficiency and appropriateness of audit evidence. (ISA 315.A1)

You should note the continual references to the importance of audit judgments. This idea was introduced in Module 1 and you should note the range of judgments made by auditors.

The following risk assessment procedures are mandated:! Inquiries of management and others within the entity—‘Others’ include: those charged

with governance; internal audit personnel; employees involved in initiating, processing or recording complex or unusual transactions; in-house legal counsel; marketing or sales personnel. The types of inquiries are discussed in ISA 315.A6.

! Analytical procedures—Evaluations of financial information made by a study of!plausible relationships among both financial and non-financial data. Analytical procedures include comparisons of the entity’s financial information with prior period information, budgeted information and similar industry information.


They!also include a consideration of the relationship, such as between elements of financial information where one would expect a predictable pattern (e.g. gross margin to sales) and between financial and non-financial information (e.g. payroll costs and employee numbers). Given the importance of analytical procedures to a number of areas of the audit we discuss these procedures in a separate section later in this module.

! Observation and inspection—Observation and inspection may support the enquiries discussed above and provide information about the entity and its environment. ISA!315.A11 suggests that such audit procedures include observation and inspection of:! the entity’s operations;! documents;! reports prepared by management and those charged with governance; and! the entity’s premises and plant facilities.

Question 3.3Provide examples of each of the above four procedures related to observation and inspection.

Question 3.4How is risk assessment impacted if the engagement partner has performed other engagements for the entity?

Discuss the susceptibility of the entity’s financial statements to material misstatement

ISA 315 also requires the engagement team to discuss the susceptibility of the entity’s financial statements to material misstatement both at the financial statement and assertion level. ISA 315.10 requires that the members of the engagement team ‘shall discuss the susceptibility of the entity’s financial statements to material misstatement’. The material misstatement may result from fraud or error. The aim of the discussion is to gain a better understanding of potential fraud or errors, and how they could be perpetrated. Further, it gives the more experienced members of the audit team the opportunity to provide insights and for team members to exchange information about business risks, including how the financial statements may be susceptible to material misstatement (including fraud, as per ISA 240 as discussed in Module 2).

Two key components of the above discussion are professional judgment and professional scepticism. Professional judgment is required in order to decide who to include in the discussion, how and when the discussion occurs and its extent. In!Module 2, the!importance of professional scepticism in planning and performing an audit was noted. The above discussion among team members should emphasise professional scepticism, which includes being alert to information that may indicate a material misstatement and the rigorous follow-up of these indications.

Question 3.5Provide at least three examples of professional judgment by the auditor responsible for organising this discussion among the engagement team.


In Module 2, the importance of the consultation process during audit engagements was emphasised as part of the quality control process. The discussion among the engagement team about the susceptibility of the entity’s financial statements to material misstatement raises some specific consultation issues as:! it allows the team members to exchange information about business risks

and about how and where the financial statements might be susceptible to misstatement due to error or fraud—the ‘where’ refers to where in the financial statements and the ‘how’ refers to how the error or fraud occurred (e.g. How could management manipulate the sales figure?); and

! engagement team members obtain new information throughout the audit that!may affect the assessment of risks of material misstatement and it is important that they!share this information with other team members.

You should now refer to ISA 315.A14 for further details on this discussion among engagement team members.

Understand specified aspects of the entity and its environment, including internal control

An understanding of specified aspects of the entity and its environment, including the internal control components, is required.

The entity and its environmentUnder ISA 315.11 the understanding of the entity and its environment includes the following aspects:

! Industry, regulatory and other external factors, including the applicable financial reporting framework (discussed in ISA 315.A17-A22).

! Nature of the entity: operations, ownership, governance structures, types of investments, organisation structure and financing arrangements (discussed in ISA 315.A23-A27).

! The entity’s selection and application of accounting policies (discussed in ISA 315.A28).

! Objectives and strategies and the related business risks that may result in!risks of material misstatement (discussed in ISA 315.A29-A35).

! Measurement and review of the entity’s financial performance (discussed!in ISA 315.A36-A41).

The auditor is required to obtain an understanding of the entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement (ISA!315.11d). Given that an entity conducts its business in the context of!industry, regulatory and other internal and external factors, management in responding to these factors needs to define its objectives (which are ‘the overall plans for the entity’) and strategies (which are ‘the operational approaches by which management intends to achieve its objectives’). Business risks are ‘risk[s] resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of!inappropriate objectives and strategies’ (ISA 315.4).

Question 3.6What is the relationship between business risk and the risk of material misstatement?


Appendix 2 of ISA 315 provides a detailed list of conditions and events that may indicate risks of material misstatement.

You should now read Appendix 2 of ISA 315 ‘Conditions and Events That May Indicate Risks of Material Misstatement’ to gain an understanding of the conditions and events that may indicate a risk of material misstatement.

Later in this module we discuss in detail the various techniques used in understanding a!client’s business. In addition, a strategic systems approach to auditing, which places substantial emphasis on understanding business risks, is discussed.

Question 3.7 Your client is a manufacturer of golf equipment accessories including golf bags, golf buggies and various attachments (e.g. water bottle holders, score card holders). The year 20X9 has been particularly profitable with the introduction of a golf bag with wheels attached that has proven particularly popular with travellers. Suggest some potential business risks faced by the client.

Question 3.8How might an understanding of the internal and external environment of the audit client facilitate the identification, assessment and evaluation of the risk of financial statement misstatement due to fraudulent activity or the misappropriation of assets?

Internal controlsISA 315.12 requires that ‘the auditor shall obtain an understanding of internal control relevant to the audit’. This understanding of internal control is used by the auditor to identify types of potential misstatements and factors that affect the risks of material misstatement, and in designing the nature, timing and extent of audit procedures (ISA!315.A42).

Internal control consists of the following five components (ISA 315.A51):1 control environment;2 the entity’s risk assessment process;3 information system;4 control activities; and5 monitoring of controls.

The requirements for each of these five components are covered in ISA 315.14 to .24 with the relevant application and explanatory material in ISA 315.A69 to .A104.

You should read these sections now.

In the above paragraphs there are certain requirements outlining what an auditor must have an understanding of. These are:! the control environment, including organisational structure, management’s

philosophy and operating style (ISA 315.14);! whether the entity has a process for:

! identifying business risks relevant to financial reporting objectives;! estimating the significance of the risks;! assessing the likelihood of their occurrence;! deciding the actions to address these risks (ISA 315.15)—various!different

actions are required by the auditor depending on whether the entity has established such a process (ISA 315.16–.17);


! an understanding of the information system—including the related business processes—related to financial reporting (ISA 315.18–.19);

! an understanding of control activities relevant to the audit which are the ones the auditor judges to be necessary to understand in order to assess the risks of material misstatement at the assertion level, and design further audit procedures responsive to those assessed risks (ISA 315.20)—further elaboration of risks arising from IT are!referred to in ISA 315.A95–.A97;

! an understanding of the major activities that the entity uses to monitor internal control over financial reporting (ISA 315.22);

! where internal audit exists, an understanding of the nature of internal audit responsibilities, reporting structure and activities performed (ISA 315.23); and

! an understanding of the sources of information used in the entity’s monitoring activities (ISA 315.24).

Appendix 1 of ISA 315 further explains the components of internal controls as they relate to a financial statement audit.

The five components of internal control are discussed below.

Control environmentThe control environment sets the tone of an organisation. It includes the governance and management functions as well as the attitudes, awareness and actions of management (and those charged with governance) concerning an entity’s internal control and its importance within the entity (ISA 315.A69).

The auditor considers the following in evaluating the design of the entity’s control environment:! Communication and enforcement of integrity and ethical values (e.g. existence and

implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behaviour).

! Commitment to competence (e.g. job descriptions or other means of defining tasks that comprise particular jobs; staff selection procedures).

! Participation by those charged with governance (e.g. the independence of the board from management, such that necessary, even difficult and probing, questions are!raised).

! Management’s philosophy and operating style (e.g. nature of business risks accepted; attitudes and actions toward financial reporting, including the aggressiveness of the!choice of accounting policies).

! Organisational structure (e.g. appropriateness of the entity’s organisational structure, and!its ability to provide the necessary information flow to inform managers).

! Assignment of authority and responsibility (e.g. assignment of responsibility and delegation of authority throughout the organisation).

! Human resource policies and practices (e.g. the extent to which policies and procedures for hiring, training, promoting and compensating employees are in!place) (ISA 315.A70).

The entity’s risk assessment processIn evaluating the entity’s risk assessment process it is important to consider the adequacy of the!mechanism for identifying risks arising from both external and internal sources and!the thoroughness of the risk analysis process including estimating the significance of the risks, the likelihood of them occurring and determining needed action (ISA!315.15–.17). Techniques such as SWOT analysis and Porter’s five forces (discussed later in this module) are very useful for identifying risks.


Information systemThis includes:! the information system relevant to financial reporting objectives, including the

accounting system (see ISA 315.A81);! journal entries (see ISA 315.A82); and! related business processes (see ISA 315.A84).

You should refer to ISA 315.A81–.A84 for further discussions on the above items.

Control activitiesControl activities are the policies and procedures that help ensure management directives are carried out (ISA 315.A88). They include:! Authorisation (e.g. level of management with authority to authorise expenses to

a!particular level).! Performance reviews (e.g. actual performance versus budgets, forecasts, prior periods

and competitors; major initiatives are tracked to measure the extent to which targets are being reached).

! Information processing (e.g. controls performed to check accuracy, completeness and authorisation of transactions; a customer’s order is only accepted after reference to an approved customer file and credit limit).

! Physical controls (e.g. equipment, inventories, cash and other assets are secured physically such as in a secure location).

! Segregation of duties (e.g. duties are divided among different people to reduce the risk of error; responsibilities for authorising transactions, recording transactions and handling the related asset are segregated).

You should refer to ISA 315.A89 to .A91 for a discussion of which control activities are relevant to the auditor.

Monitoring of controlMonitoring assesses the quality of a system’s performance over time. It involves assessing the design and operation of the controls on a timely basis. Necessary!corrective action may need to be taken for changes in conditions. Monitoring is used to ensure that the internal controls continue to operate effectively (ISA 315.A98). Examples of ongoing monitoring activities include regular management supervisory activities, communication from external parties which corroborate internally generated information (e.g. a client paying an invoice indicates the invoice is likely to be correct) and comparison of records with physical assets (e.g. inventory stocktake).

Question 3.9Discuss the main factors that may result in an internal control system failing.

The use of IT has the potential to affect the way that control activities are implemented (ISA 315.A95). The next section discusses the controls in an IT environment.

Controls in an IT environmentThe auditor is required to obtain an understanding of the entity’s response to risks arising from IT (ISA 315.21). Think about your organisation or any other organisation with which you are familiar. Consider whether the IT environment affects the audit of your organisation. If so, which aspects of auditing have been affected by IT in your organisation (or in any other)? Keep these in mind while reading the following sections.


Impact of an IT environment on internal control and control proceduresThe IT environment influences the internal control and the procedures adopted by an entity. The!reasons are discussed in the following eight factors:

1 There is a breakdown of the traditional division of duties between personnel and departments and a concentration of the recording, processing and control functions within the IT department. This concentration of functions has resulted in a greater reliance being placed on programmed controls (which encompass the general authorisation of transactions) by users to ensure the reliability of!IT!outputs.

2 The human scrutiny and checking inherent in manual systems disappears. This loss of human involvement, coupled with the lack of visible evidence in IT, may reduce the potential to detect errors, and increase the potential for individuals to gain unauthorised access to information and assets or alter information to the detriment of the entity.

3 The concentration of system expertise and control within the IT department, coupled with the concentration of computer resources in one of a few locations within the entity, may increase the potential risk of fraud or error and make detection difficult.

4 The partial or complete loss of traditional audit trails, as well as the temporary nature of such audit trails in IT and the absence of source documents and visible output, will have a direct bearing on the auditor’s assessment of the risks of material misstatements.

5 Access to computer programs and data files by multiple users via online terminals increases the potential for unauthorised access to, and alteration of, data and programs in the absence of appropriate controls.

6 IT ensures that all transactions entered are subject to the same processing procedures, thus increasing the reliability of the system through the reduction of random errors. Poor programming, however, may result in the occurrence of systematic errors, the!effect of which can be greater than random errors if not discovered.

7 IT may be designed to permit the single transaction update of multiple or database computer files as well as the automatic initiation and execution of transactions. A!risk is that an error in one data item can potentially affect a number of different applications across the entity.

8 Data files and programs may be stored on portable or fixed-storage media. These!media are vulnerable to theft, loss and intentional or accidental destruction.

Types of controlsControls over IT systems are effective when they maintain the integrity of information and the security of the data such as systems process, and include effective general IT controls and application controls (ISA 315.A95).

General controls refer to the overall controls an entity has over its entire IT environment. These controls affect all applications processed by the IT department. The purpose of general IT controls is to establish a framework of overall control of the IT activities and to provide a reasonable level of assurance that the overall objectives of internal control are!achieved.

Application controls refer to controls that are specific to individual accounting applications—that is, they relate to, and are unique to, particular accounting systems (e.g. debtors, creditors, payroll and inventory). The purpose of IT application controls is to establish specific control procedures over the accounting applications in order to!provide reasonable assurance that transactions are authorised and recorded and are processed completely, accurately and on a timely basis.


Table 3.1 details the basic categories of general controls and application controls.

Table 3.1

General and application control categories

General: Controls applying to all parts of the IT environment

Application:Controls applying to a class of transactions, such as accounts receivable or accounts payable

Organisational and management controls Input controls

Systems development and program maintenance controls Processing controls

Computer operation controls Output controls

System software controls

Data entry and program controls

The integrity of the system output and financial statement representations depends on the effectiveness of general controls. Because of the pervasive impact of general controls, significant weaknesses in general controls may affect the reliability of application controls due to the potential risk of undetected fraud or error in processing transactions.

General controls

Organisational and management controlsOrganisational and management controls are designed to establish the:! organisational structure of IT activities;! policies and procedures necessary to ensure the performance of duties; and! segregation of incompatible functions.

Two factors need to be considered. The IT department should be:1 independent of the functions of initiating or authorising transactions and

maintaining custody of assets—it should not change or correct data that originated outside the department; and

2 segregated and separated from other user departments—there should be clearly defined lines of authority and responsibility between IT personnel.

Within the IT department the following functions should be segregated:! systems analyst (program development);! applications programmer (program maintenance);! operators (program operations);! data control and file library function;! quality control over development of new systems and maintenance of

existing!systems;! control group (supervises and reviews inputs, processing and distribution of outputs);! data security (maintains integrity of software access controls); and! database administrator.

In an IT environment, it is important to separate the systems development, systems maintenance, database administration and operating functions.

In the case of small IT installations (e.g. in a small business environment), it!may not!be!possible to achieve a satisfactory segregation of duties. If any degree of segregation can be achieved, however, it should be between programming and operations. Adequate!supervision may compensate for a lack of segregation of duties.


Systems development and program maintenance controlsSystems development and program maintenance controls are designed to establish control over:! program changes; ! the conversion, testing, implementation and documentation of new or revised

systems, and access to system documentation;! the authorisation and approval of new or revised IT systems; and ! adherence to a formal development process that ensures system design standards,

programming standards and documentation standards are met.

A steering committee of senior management may be established to formulate a strategic plan for the organisation and appraise and approve the development of a system through its life cycle. A systems development methodology should be established to monitor and control the development process. This methodology should include clearly defined phases, each with a measurable end product, appropriate review and control points for the overall evaluation of the system, and be flexible enough to accommodate different kinds of projects and management reporting procedures. There should be defined responsibilities for all participants, user department representation and participation, and proper documentation standards.

Program changes are of particular interest to the auditor, as data may be lost or altered when a new program is introduced. The objectives of program change controls are to ensure that all changes to programs are properly approved and authorised, and that all authorised changes are completed, tested and correctly implemented. Users should participate in authorising, testing and approving the implementation of program changes.

Computer operation controlsComputer operation controls are designed to ensure the proper operation of systems by operators. More specifically, they are designed to ensure that IT systems are used for authorised purposes only, that access to computer operations is restricted to authorised personnel and that errors are detected during processing.

There should be clearly defined procedures for activities such as:! daily operations;! problem handling;! backup and recovery; and! activity logging, which could include maintenance of a diary of all operator activity

(i.e. recording major events during the shift).

Operator activity should be appropriately restricted and/or monitored (e.g. through access control software), responsibilities for operational duties should be clearly defined, all operating tasks should be scheduled, and operator logs should be reviewed and compared to schedules. Only authorised work should be scheduled and run. Physical access should be controlled, for example, by the use of security keys and identification cards. Computer access should be controlled by the use of passwords.

System software controlsSystem software relates to operating systems that are designed to translate program languages into machine-readable form, allocate computer resources to users and applications, and manage job scheduling and multiprocessing. The operating system should protect itself from users, and users from each other and themselves as well as other influences (e.g.!environmental factors).


Examples of system software controls include restricting access to system software and related documentation to authorised personnel through the control of access privileges and passwords. System software changes should be controlled by a formal system of authorisation, approval, testing, implementation and documentation. Monitoring keystrokes, events and modifications to system software through the use of software logs!would help to provide an audit trail.

Data entry and program controlsData entry and program controls are concerned with the authorisation of transactions entered into the system (inputs should be received on a timely basis and reviewed to ensure they are from an authorised source) and restricting access to:! data and programs to only authorised personnel;! terminals and other computer hardware to only authorised individuals,

computer!operators and supervisors;! files and library; and! documentation.

Access may be controlled by physical or electronic means. Physical access controls could!include: ! use of security guards; ! automated key cards; ! manual key locks;! use of fingerprint, palm print or voice print access devices; ! terminal locks; and ! dedicated terminals (such as read-only or restricted-access terminals).

The user ID governs what files, programs and utilities a given user may access and their authority to perform specific activities, such as reading, modifying, adding or deleting data. Passwords are effective only if combined with procedures to reduce the likelihood of discovery or use by unauthorised persons.

Other general IT controlsTo maintain continuity of operations, management should ensure that the entity has adequate backup and recovery procedures, physical safeguards against loss or destruction, and contingency plans.

Backup and recovery proceduresAdequate procedures should be in place to enable restoration of the availability and!integrity of applications and data in the event of a system or application failure. A!disaster recovery plan should clearly document the actions to be taken before, during!and after a disaster.

Examples of backup and recovery procedures include:! copies of application data, production libraries, system software and other relevant

files, to be made at appropriate intervals consistent with the criticality of recovery;! well-defined, documented and tested procedures for performing recovery,

including!establishment of a disaster recovery team;! offsite storage arrangements for copies of critical system and data resources,

full!system copies, documentation of procedures for recovery, security authorities, and IT manuals; and

! an automated transaction logging and recovery capability.


Physical safeguardsThe proper construction of the computer centre can reduce the risk of damage from security or environmental hazards. Appropriate measures for protecting the physical environment would include:! strong walls, ceilings and floors in rooms without windows and with restricted

access if at all possible;! fire-detection and suppression equipment; and! alarms for detection of problems concerning air-conditioning, water, power,

humidity and temperature.

Contingency plansThe continuity of computer and related business functions should be protected against unscheduled interruptions by adequate contingency plans, which include provision for complete loss of central site computer facilities. These contingency plans require, among other things:! development of user fall-back procedures for critical systems (for use when

unavailability is prolonged);! formal written agreements for the provision of alternative and/or replacement

computer facilities; and! a documented disaster recovery plan that is regularly reviewed and tested,

and!securely stored, and details of recovery procedures for hardware, the!computer environment, the!communications network, critical applications and!necessary resources.

Case Study 3.3 deals with the identification and the purpose of controls adopted by Acme Ltd which is planning to computerise its payroll system. Read the case study and complete the tasks.

Case Study 3.3: Acme LtdAcme Ltd is planning to computerise its entire accounting system. All computer hardware will be purchased from a national vendor. All software will be written by members of the organisation’s IT staff. The computerisation of the accounting function will take place in phases, with the payroll function being completed first.

The computerised payroll system will function in the following sequence: ! An employee’s immediate supervisor will review and approve time cards. ! The time cards will be sent to the payroll department where they will be reviewed for

completeness and obvious errors. ! The time cards will then be batched by the payroll department and sent for data processing. ! Data-processing operations will convert data from time cards to a transaction file by a

key-to-disk operation. ! The transaction file will then be input to the payroll application. ! Hardcopy output will include: ! cheques; ! a payroll journal; ! payroll summary; and ! error listings.

Your tasksFor the development and operation of this IT system, for each of the listed general control categories (organisational, system development, operations, and data entry and program):1 list the specific control(s) required;2 state the purpose that each control serves; and3 identify the techniques that would be used to assess each control.

Source: Adapted from the CIA exam of Institute of Internal Auditors, USA.


Application controlsThe purpose of application controls is to provide reasonable assurance that transactions are appropriately authorised and recorded, and are processed accurately, completely and in a timely manner, and that incorrect transactions are rejected, corrected and resubmitted. Application controls include controls over:! input;! processing and computer files; and! output.

Prior to relying on the general and application controls, the auditor should conduct a preliminary evaluation of the controls to determine whether they are effective and efficient. Weakness in the general controls may preclude reliance on application controls.

Input controlsInput controls are designed to provide reasonable assurance that transactions are authorised, and accurately and completely converted into machine-readable form, that!is, not:! lost; ! added to; ! duplicated; or! improperly changed; and that incorrect transactions are rejected, corrected and resubmitted.

Proper authorisationProper authorisation can be achieved through the following procedures:! Duties are segregated.! Access controls, data entry and program controls are used. These include input

validation checks such as field tests, reasonableness tests, limit tests, validity tests, completeness tests and sequence tests.

! Transactions are authorised. Transactions should be prepared in accordance with management’s general or specific authorisation. Authorisation may be evidenced by affixing a signature or stamp onto source documents. (If the documents are electronic, a digital signature and time stamp can be attached.)

! Transactions are approved. Individual transactions should be approved either by a responsible supervisor or through the use of special forms, access to which is restricted to those designated to initiate transactions (e.g. the use of batch control sheets or batch transmittal forms to provide evidence of batch approval).

Accurate conversionAccurate conversion requires the following:! Adequate document design (standardisation). This is a very important input control

that aids in safeguarding assets and in contributing to the accuracy of output information. Forms should be pre-printed and standardised to reduce and monitor errors. Unchanged information can be pre-printed as formatted forms which are more readable, and all documents should be pre-numbered and sequentially accounted for.

! Adequate training and supervision.! Data entry manuals (written procedures). These deal with data conversion and the

correction of errors.! Appropriate chart of accounts. Using one of these to code data can greatly

reduce!transcription and transposition errors.


Completeness of dataThe following controls are designed to ensure the completeness of data:! ‘Turnaround documents’ are documents produced by the computer system that

are later resubmitted into the system. This minimises errors in data preparation when the output that has already been verified becomes input. Most bills, including!domestic power and telephone bills, are turnaround documents.

! Control totals are effective in ensuring that all data are accurate and complete: that!data have not been lost, suppressed, duplicated, added or otherwise improperly changed. One control total is manually computed while another is accumulated by the computer and the two are compared. Control totals deal with value fields (e.g.!total cash receipts, sales, accounts payable). These include the!following:! Record counts. Transactions or records entered are counted before and after

entry and processing then reconciled.! Batch totals. An information field is totalled, usually in dollar amounts, for all

records of a batch. Batch totals scan similar items and verify totals after each processing step.

! Hash totals. Non-financial fields are totalled for control purposes only (e.g.!all!sales invoice numbers in a batch).

! Check digits. These are redundant digits inserted in account numbers (e.g.!part!number, file number) and verified for correctness by a key-entry device prior to processing or by a computer edit run during processing (e.g.!a!suffix digit related algorithmically to the preceding digits of the number). A check digit permits the detection of data coding errors by ensuring the integrity of codes.

Error correction and data resubmissionThe following controls relate to error correction and data resubmission:! Responsibility for error correction should be assigned to a group, such as the control

group, or to a specific individual such as an internal auditor.! Error log. An error log should be maintained for all data rejected during processing.

As they are entered in the log, the errors should be fully accounted for, and then checked off as they are corrected and re-entered into the system.

! Review and approval of corrections should be done by an independent official who should approve the re-entry of corrected items.

! Prompt re-entry of corrections into the system. A well-defined procedure should be established for promptly re-entering corrections as input into the system.

Processing controlsProcessing controls are designed to ensure the accuracy and reliability of data processing—that is, that all authorised transactions are properly processed; that no authorised transactions are omitted, duplicated or improperly changed; and that no unauthorised transactions are added. Processing errors should be identified, corrected!and resubmitted on a timely basis. Reliable processing ensures that data processed are:! accurate; ! complete; ! reasonable; and ! correct in all material respects.


Completeness and accuracy of dataThe following controls relate to completeness and accuracy of data:! Control totals—ensure the accuracy and completeness of data.! Run to run controls—use batch control totals to monitor each processing step;

at!each processing checkpoint, errors are recorded in an error file and the batch control totals adjusted. The batch totals are recalculated and compared to the original totals to determine the accuracy and completeness of batch processing.

! Field size test—tests the number of characters in a field to ensure that the field size is as specified. If a field should have five characters and the test indicates there are only three, an error condition is indicated.

! Field sign test—ensures that the arithmetic sign is correct (e.g. some items should always be positive or negative). If the opposite sign is present an error condition is!indicated.

! Transaction codes—are verified at each processing step to ensure the right application process is being applied.

! Check-digit test (see under ‘Input controls’).! Valid character test—ensures that a data field only contains certain valid characters;

that is, that characters are of the appropriate type for that field (e.g. alphabetic only, numerical or alphanumeric).

! Sequence test—verifies that the fields in sequential items are in the proper alphanumeric sequence (e.g. pre-numbered purchase orders in sequence).

! Validity test—tests ID numbers or transaction codes for validity by comparing these with known authorised or correct IDs and codes.

! Cross-footing test—checks the arithmetical accuracy by totalling rows and columns and comparing the sums are in agreement, then the totals of each row and column are most likely correct.

! Zero-balancing test—(closely related to the cross-footing test) checks, for example, that the sum of net wages plus deductions minus gross wages equals zero.

! Audit trail—automatic transactions may be logged or uniquely identified by the use!of tags.

! Completeness test—ensures that all mandatory data fields are complete. If a mandatory data field is blank, an error condition is indicated.

! Rounding test—ensures that rounding errors are properly controlled through the use of a balancing equation to prevent an out-of-balance situation.

! Per cent error test—ensures that if the number of errors in a particular batch of input data exceeds a predetermined standard, an error condition is indicated.

Maintaining accuracy during processingThe following controls relate to the maintenance of accuracy during processing:! Control totals (see ‘Completeness of data’ under ‘Input controls’ above).! Console messages—are indicated on console input/output devices such as video

display units (VDUs) or printers. Console messages attempt to reduce the possibility of operator errors, such as loading incorrect files or incorrect batches of data. Many!programs are interactive and should prompt operators to take action.

! Error log—errors detected during processing are generated to an error log, usually!kept on magnetic tape. At the conclusion of processing, the errors are investigated, and the data are corrected and re-entered into the system.

! Limit test (see ‘Reasonableness of data’ below).! Reasonableness test (see ‘Reasonableness of data’ below).


Reasonableness of dataThe following controls relate to the reasonableness of data:! Limit test—ensures that an item in a data field is not greater or less than a

predetermined limit (e.g. hours worked per week should not exceed 70 hours).! Range test—is related to a limit test. A limit test specifies a lower or upper limit

whereas a range test specifies both limits (e.g. employees should work between 30!and 60 hours per week).

! Reasonableness (logic) test—determines whether various data items are normal or reasonable. It ensures that illogical combinations of inputs are rejected by checking the logical relationship between items (e.g. Do net payroll deductions exceed 30!per!cent of gross pay?).

Updating correct filesThe following controls relate to updating correct the files:! Proper training and supervision.! File run and control instructions aid in ensuring that correct files are processed,

updated and properly controlled and should specify the following for each file: ! file name and number; ! updating cycle; and! retention cycle for data.

! Internal labels consist of a header label and a trailer label. A header label is the first record in a file and indicates file contents, identification number and file destruction data. This label ensures that the correct files are mounted and updated and that files are not inadvertently destroyed. A trailer label is the last record in a file and contains record counts, other control totals, and an end-of-file code. The!trailer label separates one file from another and thus ensures that the entire file is processed and that files are not commingled. Internal labels are automatically!checked for correctness by the computer.

! External labels are written on the side of tape reels or disks, or on the containers of tape files or disk files. This label identifies file contents, file identification number and file retention data. An external label assists in locating files, in preventing their early destruction, and in returning them to their proper location in the file library. An unlabelled file is assumed to be a ‘scratch’ file, that is, available for reuse.

Output controlsOutput controls are designed to ensure that the results of processing are reliable, distributed to authorised personnel only, and are not lost, corrupted or their confidentiality compromised. Output control may be exercised where the control group!(or clerk) or users reconcile output control totals with input and processing control totals. Output may be compared to details on source documents. The review of output by control groups and users is important in determining the overall reasonableness of processing results. The review may be done by visual scanning, or manual or electronic editing. User departments should scan output for exceptions or unusual items and should anticipate reports at designated times. System output should be tested at proper times by the control group to ensure that it has been distributed only to authorised user departments. The supervision of output and the shredding of waste or discarded reports are essential to prevent the loss of confidentiality and misdirection of output.


Learning task: Controls in an IT environmentThis learning task provides an overview of the controls in an IT environment. There are also activities to reinforce your understanding. Go to ‘My Online Learning’ to complete it.

Case Study 3.4 requires you to discuss the controls in an IT environment. Read the background information presented below and then complete the task.

Case Study 3.4: CWC China Wide Consortium (CWC) has recently converted its phone sales ordering service to an e-commerce system wherein customers can place their orders and get them processed over the internet.

Under this new system, online customer purchases are initiated when customers access CWC’s home page, click on the ‘Customer order’ icon, order the goods on the relevant template and then click on the ‘Submit’ icon. Clicking on the ‘Submit’ icon transfers the customer’s order to CWC’s central processing facility. This then responds to customers, via an email message, informing them that the order has been received and the goods will be delivered within a specified time frame. This process also initiates the electronic credit card transfer of monies from the customer bank account into CWC’s bank account. The customer banking details are obtained when customers sign up for the online sales and delivery service.

Before CWC began providing this online sales-order service, the general manager (Angie Fung) hired Jing Wu, an old school friend who had recently been made redundant, to take care of ‘the computer side of things’. CWC also hired Melissa, a recent computer studies graduate, to help supervise data entry and local area network (LAN) operations.

All sales orders are processed using the CWC computer system. The system is in a separate office space next to the accounts department above the cafeteria. In this office, 20 personal computers are linked via a LAN. Because customer demand is constant, 18 computer operators work three shifts, accepting sales orders around the clock. In an attempt to maintain the computer operators’ enthusiasm, Jing allows the operators to bring in their own computer games to play during times when orders are ‘light on’. The staff appreciate this gesture and as a consequence respect Jing and her endeavours to keep their work interesting even though they work in very poor physical conditions. In particular, temperature variations are always extreme—too cold in winter and too hot in summer. In an attempt to make conditions more pleasant in the summer months, Jing allows staff to open windows to let a breeze flow through the office.

Jing set up CWC’s home page and wrote the programs for processing customer orders. Additionally, she prepares just-in-time orders from suppliers, updates and controls inventory records, transfers credit card receipts to CWC’s bank account and reconciles credit card deposits with individual customer sales accounts. Jing also helps Melissa maintain the LAN. Because Jing was asked to set up the computer system in such a short time frame, most of the details of the system are in Jing’s head, and the documentation, where it does exist, is sketchy and difficult to interpret. On the advice of Jing, Angie copies monthly backup files and keeps these in her office until they are replaced with the following month’s backup files.

Since the online system is relatively new, Jing is working 12 hours a day, seven days a week to keep the system functioning smoothly. Angie is so impressed with Jing’s work ethic that she has asked Jing if she can prepare and complete the company’s bank reconciliation. Jing agrees to do this for an increased salary of $10 000 per annum as it will help pay off her $450 000 mortgage in a shorter time span.

Your taskExplain any control concerns you may have in relation to the above facts.


Assess the risks of material misstatementISA 315.25 requires the auditor to assess the risks of material misstatements, both at the financial statement level and assertion level for transactions, account balances and disclosures to provide a basis for designing and performing further audit procedures.

ISA 315.26 sets out the steps required by the auditor in identifying and assessing the risk of material misstatement, which are to:! identify risks throughout the process of obtaining an understanding of the entity

and its environment;! assess the identified risks;! relate the identified risks to what can go wrong at the assertion level; and! consider the likelihood and magnitude of the potential misstatement.

Note that earlier in this module assertions were discussed, and you should again refer to ISA 315.A111 if you need further revision on the types of assertions.

Consider that the following two risks were identified by the auditor:1 A risk that the allowance for doubtful debts is understated. Through the information

obtained by the auditor and his/her industry knowledge, the auditor becomes aware that the entity does not know that a large debtor may not be in a position to pay the amount they owe. This is an example of a potential material misstatement due to error.

2 A risk that fictitious sales have been included in sales revenue. It has come to the auditor’s attention that the documentation related to certain sales close to year-end may have been falsified by management to increase profits to the level needed to meet analyst expectations and receive related incentive bonuses.

Having identified the first risk, the auditor would need to assess whether it relates more pervasively to the financial statements as a whole. This error is unlikely to affect assertions besides valuation of accounts receivable and completeness of doubtful debts expense. The auditor then needs to consider the likelihood of misstatement and whether the magnitude is such that it will be a material misstatement. The likelihood of multiple misstatements is relatively low given that this error is due to a specific internal factor.

The second identified risk will affect the assertion of occurrence of sales and existence of accounts receivable. There is also some likelihood of it relating to the financial statements as a whole given that management fraud may exist for other financial statement amounts. There is also, given the incentives, the possibility of multiple misstatements—that is, the!auditor has seen some documents that appear to be falsified and would likely look closely at documentation for other sales transactions.

Question 3.10Consider each of the following items and describe how it affects the auditor’s assessment at the financial statement level and/or assertion level for transactions, account balances and disclosures:

1 Management has a poor reputation in the business community over the integrity of recent decisions.

2 Repairs and maintenance accounts were misstated in previous audits.

3 Management lacks experience.

4 The entity is facing a cash flow problem.

5 The inventory consists of a range of expensive jewellery.


6 Taxation calculations are extremely complex.

7 The entity is a computer manufacturer.

8 There are significant related party transactions.

9 Management’s rewards are heavily dependent on financial results.

10 Provisions are a material liability.

11 The company has built a number of office blocks which it retains as investments.

12 The entity has a range of transactions that are not part of normal processes.

13 The entity has just opened a major retail outlet in the United States.

Identify significant risks The auditor is required as part of the risk assessment to determine if any of the risks identified are a significant risk (ISA 315.27).

First, it is necessary to consider what is a significant risk. This is a matter for the auditor’s professional judgement. Some of the matters to be considered in exercising this professional judgment are described in ISA 315.28. They include whether the risk is a risk of fraud, whether related to recent significant economic, accounting or other developments, complexity of transaction, extent of related parties, degree of subjectivity or unusual transactions.

Further, significant risks often relate to significant non-routine transactions and judgment matters. Non-routine transactions refer to transactions that are unusual because of their size or nature and therefore occur infrequently. An example would be a one-off event such as notice of a significant lawsuit.

The importance of the above discussion is that if the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the entity’s controls, including control activities, relevant to that risk (ISA 315.29).

To identify business risks it is important to gain an understanding of the systematic properties of the client’s operating environment including the nature and effectiveness of the interactions between the external environment and the client’s internal business processes. Bell et al. (1997) provide the following framework for the auditor to develop a comprehensive understanding of the client’s position within its value chain, and its ability to create and sustain a competitive advantage within its environment:! Understand the client’s strategic advantage: What is the client’s plan for creating

value? What are its niches and what are its advantages that make it better suited than its competitors to occupy these niches?

! Understand the risks that threaten attainment of the client’s business objectives: What!might prevent the client from creating targeted value? What forces are challenging its competitive advantages? How effective are its risk management, strategic management and information management processes?

! Understand the key processes and related competencies needed to realise strategic advantage: What competencies and process advantages must the client possess to create targeted value? What are the business risks threatening attainment of its process objectives? Are its process objectives properly aligned with its strategic objectives? How effective are process controls at controlling process risks?

! Measure and benchmark process performance: Is there evidence that the expected value is actually being created? That is, how well are the processes actually performing, in!terms of strategic goals, compared to the competition? How much above-normal profit is earned as a result of the realised strategic advantage and related process!efficiencies?


! Document the understanding of the client’s ability to create value and generate future cash flows using a client business model, process analyses, key performance indicators and a business risk profile: Create a comprehensive business knowledge decision frame to serve as a strategic-systems lens through which professional judgments about management assertions can be made.

! Use the comprehensive business knowledge decision frame to develop expectations about key assertions embodied in the overall financial statements.

! Compare reported financial results to expectations and design additional audit test work to address any gaps between expectations and reported results (Bell et al. 1997, pp. 31–2).

With knowledge of the way an organisation creates value and the sustainability of its competitive advantage the auditor is in a much better position to make professional judgments about:! the risks faced by the entity and the entity’s responses;! appropriate recording of transactions; ! the appropriateness of assumptions underlying accounting estimates; ! the valuation of assets; ! the client’s ability to continue as a going concern; and ! the likelihood of management fraud.

To illustrate the relationship between business risks and risk of material misstatement, consider the following valuation assertion example. Assume a client whose strategic objectives rely heavily on maintaining harmonious relations with an alliance partner responsible for distributing its products. The auditor would monitor relations with the supplier, because any breakdown in relations would increase business risks. For!example, such disputes could affect the valuation of accounts receivable from the alliance partner and the appropriateness of recognising alliance-related revenues. Risk of!material misstatement could also be affected with respect to equipment asset valuation, if!previously anticipated revenues related to the alliance were no longer expected. Another key SSA principle is anticipating how other organisations’ actions and business risks can impact on the auditee’s business risks and hence risk of material misstatement (Bell et al. 2002).

The importance of understanding strategy is outlined in ISA 315.11 which requires an understanding of ‘the entity’s objectives and strategies, and those related business risks that may result in material misstatement’ (ISA 315.11d).

We will now consider the gathering and use of knowledge about the client’s strategies and business processes for the purpose of understanding the entity and its environment.

Strategic analysisAs part of strategic analysis of the client, the auditor obtains information about the:! broad environment in which the client operates;! industry within which the organisation operates;! markets in which it operates;! organisation’s products and services;! external forces that impact on it;! nature of suppliers, customers and alliance partners;! client’s strategy to achieve its sustainable comparative advantages;! business risks that threaten the success of the strategy; and! organisation’s response to these risks.


At the conclusion of the strategic analysis the auditor should have a good understanding of where the organisation is situated in its environment and its strategic!direction by taking into account such factors as the:! broad economic environment and industry condition;! organisation’s position and role within each industry segment;! existing threats to its current position;! total productive capacity for the organisation and its competitors in each

market!segment;! organisation’s competitive advantages and whether they are sustainable; and! management’s specific strategies.

After completing this strategic analysis it is important for the auditor to consider:! the implication of the organisation’s strategy and business risks for underlying

accounting choices and financial statement assertions;! whether accounting estimates and valuations are consistent with the significant

business risks; and! how the business risks impact on additional work at the business process or

transaction levels.

Consider the following potential impacts of strategic analysis on the audit process:! Expectations: Knowledge of specific business risks affects what an auditor will expect

to see in the financial statements. For example, increased competition from lower priced competitors should result in the auditor expecting to see lower margins and/or lower turnover. The better the auditor understands the client’s strategy, the!more likely they will know how the client will react to price cutting and the likely!impacts.

! Going concern: Some threats have the potential to seriously affect profits and may indicate that the organisation is not viable given its present strategies and markets. Going concern issues may need to be addressed.

! Audit risks: Some threats provide a direct indication that a financial statement assertion is incorrect. For example, loss of brand reputation can negatively influence sales, resulting in inventory valuation issues and, potentially, equipment!valuation issues due to impairment resulting from the lost sales.

! Control environment: Some threats put pressure on management related to holding their jobs and receiving potential bonuses, with the potential for inappropriate responses (Knechel 2007).

Table 3.2 below, outlines a series of business risks and the potential audit implications that result from these risks.


Table 3.2

Risk assessment: Strategic risks and potential audit implications

** PLEASE REFER TO THE PRINTED STUDY GUIDE FOR THIS TABLE **

Source: Adapted from Knechel, Salterio & Ballou (2007), Auditing: Assurance and Risk, ‘Figure 5-9’, Thomson!South-Western, Mason, Ohio, pp. 170–1.


Case Study 3.5 provides you with an opportunity to look at the sources of risks and threats and their potential implications for the audit. Complete the case study now.

Case Study 3.5: ProGolf LtdYour client is an Australian distributor of US-manufactured golf equipment. Their golf clubs are at the top end of the market. At present they have 30 per cent of the Australian market, are used by two of the top 10 golfers in the world, and 18 per cent of the top 100 golf professionals. Over the last 10 years these golf clubs have always accounted for over 20 per cent of world sales of golf equipment.

Your tasksFor each of the business risks/threats listed below identify: a the source of the threat; and b the potential audit implication.

1 The Australian economy is entering a recession.2 The Professional Golf Association is putting restrictions on the size and weight of golf clubs.

Some of the present designs will be banned in two years under the new regulations.3 Tennis racquet manufacturers are also using the new graphite composition resulting in a potential

shortage of the raw material.4 One of their ‘top 10’ professional golfers who uses the equipment is suffering a form slump.

He is thinking of changing equipment to arrest the form slump.5 Large retail golf outlets are developing in all large capital cities and significantly impacting on

the local ‘pro shop’ at golf courses.6 Golf ball manufacturers are developing balls that respond to more ‘standard’ clubs.7 There are new rules lengthening ‘hit off’ interval times imposed by insurance companies.8 There have been complaints that one of the new revolutionary clubs causes the ball to go

dramatically to the left causing a greater percentage of balls to go on roads and into houses.

Techniques used in strategic analysisThe auditor is required to develop an understanding of the client’s business strategies and identify the external forces that threaten the success of these strategies. Using this knowledge, the auditor identifies the key competencies and related business processes that drive the organisation’s implementation of its strategy and its interactions with its!environment.

Techniques used in strategic analysis to identify business risks are:! SWOT analysis;! PEST analysis; ! Porter’s five forces; and! value chain analysis.

SWOT analysisWe have noted the importance of examining both the organisation’s external environment and its internal capabilities. One useful technique for combining these factors is to use SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis. SWOT analysis is used to determine whether the organisation’s strategies are producing a good fit between an organisation’s resource capability (in terms of resource strengths and weaknesses) and its external environment (including opportunities in the market and threats to market share and profitability).


Strengths refer to characteristics, expertise, assets etc. that provide a competitive advantage (e.g. technological know-how, natural resources, strong management, good!location, valuable brands, superior products, strong alliances). A weakness is a condition that puts it at a competitive disadvantage (e.g. lack of technological know-how, poor location). Firms have a range of market opportunities and they need to appraise the profit potential of the opportunities most likely to be successful. Organisations face threats from the environment to their profitability and!competitiveness. These include:! changing tastes; ! new technologies; ! greater competition; ! unfavourable demographic shifts; and ! adverse exchange rate changes.

Table 3.3 provides a list of the major issues to consider in a SWOT analysis.

Just making lists of the strengths, weaknesses, opportunities and threats is not sufficient. It is important to determine what we learn from the four lists about the organisation’s situation and what actions are required to be undertaken in response.

Table 3.3

SWOT analysis—What to look for in sizing up a company’s strengths, weaknesses, opportunities and threats




Source: Adapted from A. Thompson & A. J. Strickland III (2001), Strategic Management: Concepts!and!Cases, ‘Table 4.1’, 12th edn, McGraw-Hill Higher Education, p. 95.

Identifying strengths and threats and their potential impact on the audit are important steps in a SWOT analysis. Complete Case Study 3.6 now.

Case Study 3.6: Cosmic Electronics LtdCosmic Electronics Ltd is a high technology electronic components manufacturer located in Hong Kong. It has established a strong brand name based on its reputation for reliability and value for money. However, one of its competitors has just produced a low-cost high-quality substitute for its leading selling component.

Your taskUsing a SWOT analysis, identify one strength and one threat for Cosmic Electronics Ltd. Indicate the impact of each on the audit.

PEST analysisFor many years organisations have carried out a PEST (political, economic, social and technological) analysis as a way of understanding their external environment. Table!3.4 provides examples of environmental factors that are affecting the organisation. However, as the use of the PEST framework can lead to an under-emphasis on environmental and legal issues, the use of PESTEL (political, economic, social, technological, environmental, legal) analysis is used by some organisations as a framework for!asking questions about important forces existing in the macro-environment.


Table 3.4

Macro-environmental Influences—PEST analysis

1 What environmental factors are affecting the organisation?2 Which of these are the most important at the present time? In the next few years?

Political! Government outsourcing! Government policy! Social welfare policies! Taxation laws, GST

Economic factors! Business cycles! Disposable income and savings rates! Inflation rates! Interest rates! Money supply! Unemployment levels

Social factors! Attitudes to work and leisure balance! Education levels! Income distribution trends! Lifestyle changes! Mobility of the labour force! Population demographics, ageing! Workforce diverts

Technological! Government and industry focus on

technological effort! Government and industry spending on

research and development! New discoveries/development! Obsolescence rates for equipment! Speed of technology transfer

Table 3.4 can be converted to a PESTEL framework by adding an environmental category (e.g. energy consumption, environmental issues, waste disposal) and a legal category (e.g. employment laws, health and safety issues, industry deregulation, product safety).

In carrying out a PEST/PESTEL analysis, it is important to consider which environmental factors are affecting the organisation at the present and which factors are going to be most important over the next few years. It should also be noted that some factors will be especially important for some organisations but not others. For example, environmental protection laws are critical for mining and chemical companies; interest!rates for banks; life-style changes for sports goods manufacturers; rates of obsolescence for computer manufacturers; safety for an airline. Interest rate changes are more important for organisations with high debt/equity levels than those with low debt/equity levels; foreign trade regulations are important to importers/exporters.

Case Study 3.7 focuses on a PESTEL analysis, a useful framework for asking questions about important forces existing in the macro-environment. Complete the case study now.

Case Study 3.7: Airline industryYour taskCarry out a PESTEL analysis for the airline industry.


Porter’s five forces model for industry analysisPorter (1985) developed a technique for analysing five forces which affect industry profitability. Known as the five forces model, it is superior analytically to the conventional idea of considering only the organisation’s competitive position. The!five!forces are the:1 threat of new entrants to the industry;2 power of suppliers to the industry;3 power of buyers from the industry;4 power of substitutes for the industry’s products and services; and5 intensity of industry rivalry between competitors.

This has been the dominant tool used in business strategy for conducting industry analysis for many years.

While not every factor will be important in any particular industry, the lists cover not only well-known economic factors, but also many factors which reflect the competitive behaviour, psychological make-up and values of the organisations in the industry. Some!of these forces are discussed below.

Threat of new entrantsThe profitability of the existing industry may be eroded because new firms will enter the!market and compete for profits.

The number and probability of new entrants is often determined through consideration of entry barriers. Entry barriers make it difficult for a potential competitor to enter an industry. Typical entry barriers include:

! Economies of scale: New entrants with little market share will not enjoy the cost advantages of these established competitors.

! Product differentiation: Well-established brand names and trade marks make it difficult for a new entrant to establish brand awareness and thereby capture sales.

! Capital requirements: Some industries require high capital investment to be able to deliver a product or service.

! Access to distribution channels: New entrants may have difficulty distributing their goods and services through established distribution channels as those have already been locked in by existing competitors.

! Government policy: Government can restrict new entrants through licensing restrictions (such as in radio and TV broadcasting) and through policies (e.g.!limiting foreign investment).

Power of suppliers Suppliers provide products or services to the industry. They include labour and capital suppliers. If a supplier is particularly important to the industry, it will have bargaining power and this will work to reduce the profitability of the industry.


Suppliers can affect the returns to any competitors within an industry through their ability to raise prices and determine quality. Circumstances that increase a supplier’s power include:! The supplier industry is dominated by a few companies but sells to many customers.! Its product or service is unique and the switching costs are high. ! Substitutes are not readily available. ! A purchasing industry only buys a small percentage of the supplier’s output and

is!therefore relatively unimportant to the supplier.

Power of buyersBuyers are the customers of the industry. If buyers are particularly important to the industry, they will have power over the industry, thus tending to reduce the profitability of the industry. The bargaining power of buyers is essentially the mirror image of the bargaining power of suppliers. Circumstances that increase a buyer’s power include:! A buyer purchases a large proportion of the seller’s product or service. ! A buyer has the potential to backward integrate, which means the ability to make

or supply the supplier’s product or service themselves. ! There are many alternative suppliers because the product is standard. ! There are few costs of changing suppliers (switching costs).

Power of substitutesSubstitutes are other products or services which can be used instead of the products or services of the particular industry. For instance, for the local stockbroking industry, direct investment in property or consulting financial planners are substitutes.

The more substitutes the buyers have for the industry’s products or services, the higher the buyer bargaining power. A substitute can be defined as a direct substitute, such as Pepsi for Coke, or a substitute which fulfils the same need for the buyer. For example, an!email would be a substitute for a letter.

Intensity of industry rivalry Intensity of industry rivalry is the degree of competitiveness that is found between existing industry competitors. The way the existing firms compete with each other will also determine the level of returns available to any one competitor. An action by one firm may generate a reaction from other competitors. For example, in the airline industry, attempts to offer discount fares are readily met.

For each of the five forces, an assessment can be made whether its power is high, average or low. After doing this for all five forces, one can then draw a conclusion about the current industry profitability. If all five forces are rated high, industry profitability should be very low. Conversely, if all forces are rated low, industry profitability should be very high. However, at this point the key causes of the level of industry profitability and business risks associated with the entity’s activities would have been identified.


Case Study 3.8: Timber floorsYour client is FB Ltd, a manufacturer of timber flooring. Over 90 per cent of its production is supplied to one customer LR Ltd (a larger retailer of home furnishings). There are many alternative suppliers and LR Ltd often mentions the possibility of switching to another supplier.

Your task1 For which of Porter’s five forces would the power be classified as high?2 What impact does this have on identifying risks faced by FB Ltd?

Value chain analysisA ‘value chain’ is usually considered as the series of activities or processes within and around an organisation which creates a product or service that is valued by customers.

Figure 3.1 shows primary and support activities that form the value chain within an!organisation.

Figure 3.1

The value chain within an organisation

Firm infrastructure

Inboundlogistics Operations Outbound

logisticsMarketingand sales Services

Margin

Margin

Human resource management

Technology development

Procurement

Source: Porter, M. E. (1985), Competitive Advantage: Creating and Sustaining Superior Performance, The!Free Press, New York, p. 37. Reprinted and adapted with the permission of the Free Press, a!Division of Simon & Schuster Inc. Copyright© 1985 by Michael E. Porter.

Primary activities are directly concerned with the creation or delivery of a product or!service:! Inbound activities: Receiving, storing and distribution of materials—includes material

handling and inventory control.! Operations: Converting inputs into the final product or service—includes machinery,

packaging, assembly and testing.! Outbound logistics: Collecting, storing and distributing the product to customers—

includes warehousing, material handling and transport in the case of products.! Marketing and sales: Activities making customers aware of the product/service

and able to purchase them—includes advertising, selection of distribution channels,!selling.

! Service: Activities to enhance or maintain the value of a product or service—includes installation, repairs, training.

Primary activities cannot be successfully undertaken without the benefit of support!activities.


Support activities are those that improve the effectiveness and efficiency of the primary!activities:! Firm infrastructure: Planning, finance, accounting, quality control, information

management aimed to support the entire value chain.! Human resource management: Activities involved with recruiting, training,

staff!development, rewarding.! Technology development: Improving products and processes used in production

(e.g.!research and development, product design, process development).! Procurement: Activities/processes for acquiring inputs needed to produce the

organisation’s products/services.

Case Study 3.9 focuses on the audit implications of a breakdown in an organisation’s value chain. Complete the case study now.

Case Study 3.9: Creamy LtdCreamy Ltd has produced a very popular fruit-based ice cream. However, due to problems with its distribution system, its ability to deliver on time has declined. This has resulted in a significant drop in its customer satisfaction index.

Your taskExplain the audit implications of the breakdown in Creamy Ltd’s value chain.

Question 3.11For each of the primary activities of the value chain, suggest possible audit problems that may arise:

! inbound logistics;

! operations;

! outbound logistics;

! marketing and sales; and

! service.

Analytical proceduresAn important technique for understanding the client and the industry is analytical procedures. ‘Analytical procedures’ refers to the investigation and analysis of fluctuations and relationships to determine whether there are inconsistencies with other relevant information or deviations from predicted amounts. Analytical procedures include:! comparisons with prior periods, anticipated results (e.g. budgets and forecasts)

and!industry comparisons; ! consideration of relationships between elements of financial information that

would be expected to follow a predictable pattern; and ! relationships between financial information and relevant non-financial information.

Certain elements of financial accounting would be expected to conform to predictable patterns, for example:! gross margin and sales; ! sales commission and sales; ! accounts receivable and sales; and! internal expense to borrowings.


For other costs such as advertising, training, and repairs and maintenance, the amount spent is more likely to be discretionary and the relationship of these amounts to sales is less predictable. There are also likely to be relationships between financial information and non-financial information, for example:! payroll and staff numbers; ! motor vehicle costs and number of vehicles; and! workers compensation insurance and staff numbers.

Analytical procedures can be used for the following purposes:! Planning the nature, extent and timing of other audit procedures. This will

include!obtaining a better understanding of the client and the industry, highlighting changes in profitability trends and usual/unexpected relationships (ISA 315.A7–.A8). Overall, the aim is to direct attention to areas with the highest!potential for material!misstatement.

! As a substantive procedure when their use can be more effective or efficient than tests of details for the specific financial statement assertion.

! As a final overall review at the completion of the audit. This is to give an indication of the reasonableness of the financial statements taken as a whole.

In this module we are most concerned with the audit planning aspects. In Module 4, analytical procedures, as part of substantive testing, are considered.

Analytical procedures can be either evaluative or predictive. Evaluative techniques use past information to help the auditor to:! understand the client and the industry;! identify and assess potential risk;! assess the extent of other audit tests; and! corroborate other conclusions and ascertain the overall reasonableness of the

financial information.

Predictive analytical procedure techniques are used to estimate activity levels or account balances based on trends or relationships. Generally, at the planning stage of the audit, evaluative techniques such as simple comparisons, ratio analysis, common-size statements and trend statements are used. Simple reasonableness tests can also be useful.

Various techniques may be used in performing analytical procedures at the planning stage. The choice of techniques is a matter of professional judgment. The!discussion below on simple comparisons, reasonableness tests and ratio analysis is!based on Trotman (1990).

Simple comparisonsSimple comparisons generally involve comparison of a current year income statement (and balance sheet items) to an appropriate norm or standard—for example, actual results for!prior periods, actual results for similar operating locations within the!entity, budgets!for the current year and actual results for the current or previous periods for other companies in the industry.

Comparisons to prior periods—Percentage or dollar changes from prior periods can be an indicator of changes in circumstances, particular trends or errors. While unexpected deviations or fluctuations may not necessarily indicate an error, the auditor should follow up to understand why these fluctuations have occurred. The comparisons with prior periods normally should extend over a number of years. Where changes in either the economic environment or the organisation’s business have occurred, there is a need to adjust (even if only an approximation) the historical information prior to making the comparisons. Based on other work conducted by the auditor (e.g. strategic


analysis) auditors should have expectations about particular balances. For example, new profitable contracts were signed earlier in the year and have been in operation for six months, therefore, the auditor may expect that sales figures are expected to be approximately X!per cent greater than the previous year. Alternatively, there has been a sale of certain equipment with the expectation that depreciation expenses will decrease.

Comparisons between locations—Comparing financial information between similar operating locations can be very effective in the planning stage of the audit in order to identify potential errors and the areas where audit work should be most concentrated. However, in making these comparisons (e.g. retail stores) differences between locations need to be considered. For example, the location of a retail store may allow it to have larger mark-ups than average.

Comparisons to budgets—The current year’s figures can be compared to the entity’s budget to determine now the actual figures for the period compare with earlier expectations of management and to consider the audit implications of major variances. The auditor needs to determine the nature and past accuracy of the entity’s budgeting system. For example, little, if any, reliance can be placed on these comparisons if the budgeting system historically has been inadequate due to such factors as poor preparation or frequent large variances. In addition, where management places considerable emphasis on the need to achieve budget, there is the possibility of manipulation of recorded results in order to achieve budget.

Comparisons to industry figures—Comparison of financial statement amounts and relationships for an entity or segments of that entity to industry figures can improve the auditor’s understanding of an entity’s business and industry, indicate financial strengths or weaknesses and highlight areas requiring audit attention. In particular, the highlighting of abnormal trends compared to industry may be informative. Comparisons to industry averages can be difficult in many circumstances due to the unique characteristics of the organisation and/or its diversified nature. However, the!understanding of significant variances from industry averages can be useful for!the!auditor, particularly in the planning stages.

Reasonableness testsGenerally, reasonableness tests are simple calculations using relevant financial and operating data in order to develop an estimate of an amount.

Many revenue and expense items can be reasonably estimated from one or a few other items. Examples include:! income for hotels can be estimated from average room charges and occupancy rates;! gross margin as a percentage of sales;! professional service fees can be related to number of staff, average charge-out rates

and average chargeable time;! investment income can be related to average amounts invested and average

interest!rates;! payroll expense can be related to the average number of employees and average

pay!rates;! commission expense can be estimated from sales and commission rates;! interest expense can be related to the average amount owing and average

interest!rates; and! depreciation expense can be estimated by reference to asset balances,

additions!and!deletions, and depreciation rates.


Ratio analysisFor interpretation purposes, ratios need to be compared to some benchmark. This!benchmark can be the same ratio computed in prior periods and/or ratios of other!comparable organisations. Ratio analysis can be an effective method of increasing an auditor’s understanding of an entity’s business. By identifying trends and unusual fluctuations it is a useful technique for identifying areas that require particular!attention.

Auditors should consider changes in a group of related ratios rather than concentrating on single ratios. For example, an organisation’s ‘quick ratio’ may appear satisfactory until it is viewed in the light of a declining net profit margin, a negative cash flow or!a!decrease in debtors turnover.

Ratios can be classified into the following categories: ! profitability; ! activity; ! liquidity; and ! financing.

Profitability ratiosProfitability ratios generally provide an indication of an organisation’s profitability and changes in profitability. They include:

Gross margin =Gross profit

Sales

Net profit =Net operating profit

Sales

Operating expenses =Each individual item of expense

Sales

Asset turnover =Sales

Total assets

Return on total assets =Operating profit before tax

Total assets

Return on shareholders’ equity =Net profit after tax

Ordinary shareholders’ funds

The gross margin ratio is one ratio that is commonly used by auditors. For many firms this ratio will have a relatively stable and predictable pattern. Fluctuations may indicate changes in the nature of the business (e.g. competition, pricing policies, manufacturing efficiencies, sales-mix changes) or financial statement errors. The net profit ratios indicate trends in profitability and the effectiveness with which the organisation’s resources are being used. Ratios of expenses to sales may provide reasons for changes in profitability as well as possible financial statement errors. For example, a large increase in the ratio of repairs and maintenance to sales may indicate that a capital item has been charged to the repairs and maintenance account.


Activity ratiosActivity ratios provide an indication of an entity’s efficiency in using available resources. Examples include:

Inventory turnover =Cost of goods soldClosing inventory

Days sales in inventory =Closing inventory " 365

Cost of goods sold

Debtors turnover =Credit sales

Closing debtors

Average collection period in days =Closing debtors " 365

Credit sales

Average payment period in days =Closing accounts payable " 365

Credit purchases

The inventory turnover ratio can be compared over time and with the industry average. If the ratio is substantially below those of past years or the industry averages, it can indicate obsolete and slow-moving stock. Generally, a high ratio is preferable as it indicates an efficient inventory management. However, it can also indicate problems such as unrecorded inventory. The ratio varies significantly between industries and for some industries it will vary seasonally. Ratios may also vary within industries because of different methods of accounting for inventory (e.g. FIFO, weighted average).

The debtors turnover ratio is an indication of an entity’s credit control policy. The!higher this ratio, the better the performance. A decrease in this ratio compared to prior years or industry average may indicate deficiencies in the entity’s credit and collection policies, possible uncollectability of some accounts, possible fictitious sales or incorrect cut-off or an increase in the credit period granted in order to increase sales. Fluctuations in these ratios may indicate changes in liquidity or cash management!procedures.

Liquidity ratiosLiquidity ratios provide an indication of an organisation’s ability to meet current obligations as they fall due. Unusual or unexpected trends may also indicate over- or understatement of current assets and current liabilities. The ratios need to be reviewed with regard to the organisation’s current and projected cash flow. Liquidity!ratios!include:

Current ratio =Current assets

Current liabilities

Quick asset ratio =Cash + Marketable securities + Accounts receivable

Current liabilities

The quick asset ratio is a more conservative indication of liquidity than the current ratio. The comparative importance of these ratios depends on such factors as the inventory turnover ratio, the debtors turnover ratio and the predictability of future cash!flows. For example, the larger the inventory turnover ratio the less relevant the current ratio; the less predictable the cash flow, the higher these ratios need to be in order to be acceptable.


Financing ratiosGearing ratios consider long-term financial strength of an entity. They may indicate, for example, that there is an over-reliance on debt finance. Examples of gearing ratios!include:

Debt/Equity ratio =Total liabilities

Shareholders’ equity

orLong-term liabilitiesShareholders’ equity

Debt/Assets ratio =Total liabilityTotal assets

Number of times interest earned = EBITInterest expense

The first two ratios indicate the gearing level. The third one considers the ability of the entity to meet its interest commitments as they fall due. Changes in these ratios may indicate business risk and the auditor needs to consider related audit risk.

Question 3.12Whilst performing your preliminary analytical procedures (i.e. analytical procedures performed at the audit planning stage), you note that over the last few months there has been a substantial increase in goods returned as a percentage of total sales.

What impact would this have on your audit?

Below are additional comments regarding analytical procedures. Many of these methods!can be used both at the planning stage and as a substantive test (to be covered in Module 4).

! Reasonableness relationships such as interest to borrowings, fuel expenses to vehicles used and kilometres travelled can be useful calculations. However,!care should be taken as the relationship gets more complex. For example, the!relationship between interest expense and borrowings gets more complicated when different borrowings have different interest rates and new borrowings are taken out/repaid during the year. Similarly, a reasonableness test on the revenue for a large city hotel will depend on the number of rooms, occupancy rate and percentage of clients in various rate categories (e.g. government rate, range of corporate rates).

! Many ratios can be calculated in a number of different ways. For example, for!return on asset (ROA) you could use earnings before income tax allowance (EBITA), earnings before income tax (EBIT), net profit before tax or net profit after tax. If!you are unsure about the interpretation of any of the ratios you should consult any introductory financial accounting textbook. Further information on!textbooks is in the Segment Outline.

! In interpreting the set of ratios discussed above, it is important to consider the relationships between ratios. One way of doing this is to consider a DuPont analysis. The name is used because in the 1920s, DuPont in the United States was the first company to formally integrate the linking of these ratios into its organisational control system. The DuPont analysis shows that return on equity (ROE) can be explained by two ratios, namely return on assets (ROA) and leverage. ROA can be explained by profit margin and total assets turnover.


! The relationship between the ROE ratio and its two components can be seen below (here operating profit after tax has been used in both ROE and ROA):

ROE = ROA " Leverage

Operating profit after tax Shareholders’ equity

Operating profit after tax Total assets

Total assets Shareholders’ equity

! The relationship between ROA and its two components is as follows:

ROA = Profit margin " Total assets turnover

Operating profit after tax Total assets

Operating profit after tax Sales

Sales Total assets

! An example of a trend analysis is as follows:

20X5 20X6 20X7 20X8 20X9

Sales $400 000 $480 000 $580 000 $640 000 $800 000

Trend Statement Percentages using 20X5 as the base year 100% 120% 145% 160% 200%

Case Study 3.10: QRS LtdAssume you are the audit manager responsible for the audit of QRS Ltd, a wine producer. You have obtained the following financial information from the client.

QRS Ltd Balance Sheet Unaudited Audited 30 June 20X9 30 June 20X8 $’000 $’000 Current assets Cash 5 162 4 480Receivables 4 500 4 000Inventories 7 348 4 294Total current assets 17 010 12 774Non-current assets Property, plant and equipment 48 826 50 134Receivables 9 000 9 000Total non-current assets 57 826 59 134Total assets 74 836 71 908 Current liabilities Bank borrowings—Secured 14 748 18 000Payables 10 000 10 092Provisions 1 928 1 830Total current liabilities 26 676 29 922


Non-current liabilities Interest-bearing liabilities 32 000 28 000Provisions 1 314 1 240Total non-current liabilities 33 314 29 240Total liabilities 59 990 59 162

Net assets 14 846 12 746

Shareholders’ equityShare capital 10 000 10 000Retained profit 4 846 2 746Total shareholders’ equity 14 846 12 746

Profit and loss accountRevenue 21 228 19 393Gross profit 5 808 3 733Operating expenses 2 808 2 137Net profit before tax 3 000 1 596Taxation 900 479Net profit after tax 2 100 1 117Retained profits at the beginning of the year 2 746 1 629Retained profits at the end of the period 4 846 2 746

Additional information:! This is your first year on the audit but QRS has been a client of your firm for over five years.! Sales have been gradually increasing due to the popularity in overseas markets of Australian wine.

Exports now account for 40 per cent of sales.! Overseas customers are invoiced in the importer’s currency.! QRS has a new CEO who has a reputation for improving profitability and share prices. He has

considerable stock options and has announced he intends to retire in two years.! The company uses a standard cost system for wine; raw materials are valued at cost.! The company has recently updated its earnings expectations due to cheaper grapes resulting from

an excess of the grape variety it uses.! The company has received substantial criticism from some analysts for underperforming over the

last few years.! Discussion with management last year indicated that it intended to reduce its debt substantially

during the current year.! Some retailers have passed on customer concerns about the quality of some of the red wine and

the percentage of bottles that were ‘off’. Staff at the winery have suggested that this may be due to the ageing equipment.

! Management has noted that they are not willing to move to new technology involving ‘screw tops’ for the wine because of the capital investment outlay.

! The non-current receivable relates to an amount in dispute with the tax office. The company believes the amount was incorrectly assessed and has legal advice to support this. The amount was paid to avoid interest accumulating.

Your tasks1 Calculate the following ratios for 20X9 and 20X8: a Gross margin. b Net profit. c Asset turnover. d Return on total assets. e Current ratio. f Quick asset ratio. g Inventory turnover. h Debtors turnover.


i Debt to equity. j Days in inventory. k Days in debtor.

2 Identify key risk factors that will have an impact on the audit.

Case Study 3.11: MNO Ltd Shown below are common-size statements for MNO Ltd prepared in a time series format over four years and a cross-sectional form with two competitors.

Your taskOutline any trends the auditor would need to pay additional attention during the audit.

MNO Ltd—30 June 20X9 20X9 20X8 20X7 20X6 % % % % Percentage common-size balance sheet Assets Cash 8.7 8.4 8.0 8.0Receivables 19.3 19.0 18.8 18.6Inventories 24.8 21.7 23.5 20.2Other current assets 4.1 3.9 3.6 3.7Property, plant and equipment 43.1 47.0 46.1 49.5 100.0 100.0 100.0 100.0 Liabilities and shareholders’ funds Payables 15.2 13.9 19.7 20.3Other current liabilities 8.9 9.1 9.5 9.6Non-current liabilities 33.0 34.5 31.0 30.7Deferred income tax 4.0 4.0 3.8 3.7Shareholders’ equity 38.9 38.5 36.0 35.7 100.0 100.0 100.0 100.0 Percentage common-size income statement Revenue Net sales 97.2 98.6 98.1 98.2Returns 2.8 1.4 1.9 1.8 100.0 100.0 100.0 100.0

Expenses Cost of goods sold 52.9 53.8 54.3 54.6Selling, administrative and general expenses 11.7 12.3 11.2 11.2Interest expense 5.5 5.4 4.7 4.4Depreciation 10.6 10.9 11.0 10.9Income tax 10.5 10.3 9.9 9.8Profit after tax 8.8 7.3 8.9 9.1 100.0 100.0 100.0 100.0


MNO Ltd—30 June 20X9

MNO Ltd Competitor 1 Competitor 2 % % % Percentage common-size balance sheet Assets Cash 8.7 6.5 9.8Receivables 19.3 15.7 11.3Inventories 24.8 23.5 23.1Other current assets 4.1 4.9 3.5Property, plant and equipment 43.1 49.4 52.3 100.0 100.0 100.0Liabilities and shareholders’ funds Payables 15.2 21.2 13.3Other current liabilities 8.9 10.9 15.4Non-current liabilities 33.0 35.4 36.6Deferred income tax 4.0 7.4 2.2Shareholders’ equity 38.9 25.1 32.5 100.0 100.0 100.0 Percentage common-size income statement Revenue Net sales 97.2 98.4 98.1Returns 2.8 1.6 1.9 100.0 100.0 100.0Expenses Cost of goods sold 52.9 49.5 48.3Selling, administrative and general expenses 11.7 11.6 10.6Interest expense 5.5 3.9 4.1Depreciation 10.6 11.1 10.9Income tax 10.5 11.3 12.6Profit after tax 8.8 12.6 13.5 100.0 100.0 100.0

Responding to assessed risks

Key principlesISA 330 The Auditor’s Responses to Assessed Risks outlines in detail the nature, timing and extent of evidence-gathering procedures that the auditor can undertake to respond to assessed risks. ISA 330.5 requires the auditor to ‘design and implement overall responses to address the assessed risks of material misstatements at the financial statement level’. ISA 330.6 further requires the auditor to ‘design and perform further audit procedures whose nature, timing and extent are based on and responsive to the assessed risks of material misstatement at the assertion level’.

Examples of overall responses to address the assessed risk of material misstatement at the financial statement level are discussed in ISA 330.A1. You should read this now.


ISA 330.A4 provides guidance concerning the nature, timing and extent of further audit procedures and identifies the circumstances where tests of controls and/or substantive procedures are required. ISA 330.A5 states that:

the nature of an audit procedure refers to its purpose (that is, tests of controls or substantive procedure) and its type (that is, inspection, observation, inquiry, confirmation, recalculation, reperformance, or!analytical procedure).

According to ISA 330.A6, timing ‘refers to when [audit procedures] are performed, or the period or date to which the audit evidence applies’.

ISA 330.A7 indicates that the extent of audit procedures refers to the quantity of a specific audit procedure to be performed, for example, ‘a sample size or the number of observations of a control activity’. Various factors are considered when determining the!extent of audit procedures, including:! the judgment of the auditor after considering materiality;! the assessed risk; and! the degree of assurance the auditor plans to obtain.

Audit procedures will normally increase as the risk of material misstatement increases, but!this would be effective only if the increased procedures are relevant to the specific risk. Therefore, there is a relationship between the nature and the extent of audit procedures. It is important for the auditor to consider the nature of the evidence and the potential for the evidence to be manipulated. If the evidence is subject to management control (e.g.!internal documentation), varying the nature of the evidence (e.g. external reports) may be more important than collecting more of the same type of evidence.

Tests of controlOnce an understanding of the internal control that is sufficient for audit planning is obtained, the auditor must assess the control risk or the risk of material misstatement occurring. If the auditor assesses that control risk is less than high, it means he/she plans to rely to some extent on key controls in the control system. He/she needs evidence to support reliance on these controls; the tests to gather this evidence are called tests of control. If control risk is assessed as high, then no reliance is to be placed on these controls, there will be no testing of the controls, and more substantive testing will need to be undertaken.

Some audits require the auditor to undertake tests of control. Where!the auditor has determined that it is not possible or practicable to reduce risk of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the auditor shall perform tests of controls for operating effectiveness. Thus, for these key controls, it is not possible to evaluate control risk as high by default, and it would be necessary to undertake tests of controls. Further, where!the auditor plans to rely on controls that have not changed since they were last tested, ISA 330.A37 requires that the auditor test the operating effectiveness of such controls at least every third audit. However, if the auditor plans to rely on controls that have changed since they were last tested, the auditor needs to test the operating effectiveness of such controls in the current audit (ISA 330.A36).

You should review ISA 330.8–.17 and the related explanatory paragraphs (ISA 330.A20–.A41) to ensure that you are aware of the concepts contained in this key standard with regards to tests of controls.


Substantive proceduresSubstantive procedures are aimed at detecting material misstatement (at the assertion level) in the dollar value of the information contained in the accounting records or in the financial statements. Thus, the risk of material misstatement is reduced by the auditor undertaking tests of controls and substantive procedures. If the auditor can gain confidence that the controls in place will help reduce material misstatement, the!auditor is able to reduce the level of substantive testing.

Substantive procedures consist of two categories: substantive analytical procedures and tests of details (ISA 330.4). A more detailed discussion of actual procedures is included in!Module 4.

Analytical procedures are used to compare account balances and transactions with other financial and non-financial information in order to identify unusual fluctuations or values. A common example is ratio analysis. These techniques are used to indicate areas of potential error that may require further audit investigation, and to assist the auditor in assessing the extent of tests of transactions and balances.

Tests of details are tests of transactions and balances designed to obtain direct evidence to support the account balances shown in the financial statements. Commonly, this will involve drawing conclusions from a sample of the transactions or account balances and projecting these results to the entire population.

‘Irrespective of the assessed risks of material misstatement, the auditor [is required to] design and perform substantive, procedures for each material class of transactions, account balance and disclosure’ (ISA 330.18). If under ISA 315 it has been determined that the assessed risk of material misstatement at the assertion level is a significant risk!(e.g. significant risk of material overstatement of sales) the auditor needs to perform substantive procedures that are specifically responsive to that risk (ISA!330.21).!These!substantive tests related to significant risks should be test of details!only and/or in!combination with analytical procedures.

It is important to consider the nature, timing and extent of substantive tests. The!nature of the tests refers to the use of substantive analytical procedures or test of details. The former are generally more applicable to large volumes of transactions that tend to be predictable over time whereas test of details are ordinarily more appropriate in obtaining evidence regarding certain assertions (e.g. existence and valuation) about account balances.

Timing refers to when the evidence is collected. The auditor may perform substantive procedures at year end or at an interim date. In the latter situation, the auditor must perform further substantive procedures or substantive procedures combined with tests of controls to cover the remaining period to year end (ISA 330.22). For example, a debtor’s circularisation may be carried a month before year end and the additional evidence collected for the last month of the year related to that month. Such factors as the control environment and the assessed risk of a material misstatement affect whether substantive procedures are performed at year end. For example, if control procedures are weak and the risk of material misstatement is high, it is less likely that audit procedures would be performed at an interim date.

The extent of substantive testing ordinarily increases when the risk of material misstatement is greater.


Based on the audit procedures performed, the auditor is required to evaluate the sufficiency and appropriateness of audit evidence obtained (ISA 330.25). However:

If the auditor has not obtained sufficient appropriate audit evidence as to a material financial statement assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall express a qualified opinion or disclaim an opinion on the financial statements (ISA 330.27).

The auditor’s reporting determination is discussed further in Module 5.

You should review ISA 330.18–.23 to ensure that you are aware of the concepts contained in this key standard with regards to substantive procedures.

Question 3.13Consider the following audit procedures:

i examine large invoices for the two days prior to year end to determine if sales are recorded in the correct period;

ii compare inventory turnover across products using monthly data for the last two years;

iii select a sample of trade debtors to be confirmed and follow up on non-replies;

iv attend the annual inventory stocktake and ensure all procedures are complied with;

v review any changes to the staff involved in authorising fixed asset purchases and disposals;

vi for a sample of fixed assets, determine if the depreciation rates used are consistent with the approved depreciation policy of the client;

vii check arithmetic on a sample of sales invoices; and

viii check authorisation signatures on a sample of travel reimbursements.

1 Which of the above procedures are tests of controls?

2 For the procedures that are substantive tests, state the key financial statement assertion being tested.

Evaluation of misstatements identified during the auditPreviously in this module, we considered ISA 320 which dealt with the auditor’s responsibility to apply the concept of materiality in planning and performing the audit. Here, ISA 450 Evaluation of Misstatements Identified during the Audit is considered. It!deals with the auditor’s responsibility to evaluate the effect of identified misstatements (see!ISA 450.4 for a description) and uncorrected misstatements (misstatements that the!auditor has accumulated and that have not been corrected) (ISA 450.4).

Misstatements can result from the following:! inaccuracies in gathering and processing of data;! omission of an amount or disclosure;! incorrect accounting estimates; and! judgments of management concerning accounting estimates (ISA 450.A1).


The auditor is required to accumulate misstatements identified during the audit, except!where these are clearly trivial (ISA 450.5). ‘Clearly trivial’ does not mean the same as ‘not material’ (ISA 450.A2), that is, it will normally be a much smaller number (e.g.!to classify $12 000 as an expense when it should be capitalised is likely to be clearly trivial if the company’s net profit is $120 million). When evaluating the effect of the misstatements the auditor should consider the nature of the misstatement (e.g. factual, judgmental or projected misstatements—see ISA 450.A3). Factual items are likely to be more clear-cut than judgmental or projected items (e.g. management may be able to provide sound reasons for the differences in judgments between management and the!auditor).

Depending on the level of the misstatements and the circumstances of their occurrence there may be a need to revise the overall audit strategy and audit plan (ISA 450.6) as discussed earlier in ISA 300. For example, if many of the misstatements identified during the audit occurred in a particular month yet the original audit plan placed no particular emphasis on this month, a revised audit plan may be necessary.

Auditors are required to communicate to management all misstatements accumulated and request management to correct those misstatements (ISA 450.8). If management refuses to correct some of the misstatements, the auditor needs to obtain an understanding of the!reasons and take that into account in forming an opinion (ISA!450.9).

Note that management may refuse to correct some misstatements because they genuinely believe they have made the correct judgments. This is much more likely to be the case where there are differences arising from the judgments of management concerning estimates compared to the auditor’s judgments. It may also relate to what is the appropriate accounting policy or treatment in areas where accounting standards are vague. These differences between auditors and management often lead to prolonged negotiations where additional evidence is collected by both sides and the accounting firms may draw on the expertise of the technical experts within their firms.

The auditor also needs to consider uncorrected misstatements that are considered material, either individually or in aggregate. ISA 450.11 requires the auditor to:! consider the size and nature of these misstatements; and! consider the effect of uncorrected misstatements related to prior periods or the

relevant classes of transactions, account balances or disclosures and the financial statements as a whole.

The auditor is required to communicate with those charged with governance uncorrected misstatements and the effect they may have on the auditor’s report (ISA!450.12). ISA!450.12 is a recent change to the auditing standards and is likely to put the auditor in a much stronger position in any disagreements with management over recording of!misstatements.

You should now refer to ISA 450.A11 to .A23 for more details on evaluating the effect of uncorrected misstatements.


ReviewThis module considered the importance of business risk for the auditor. We considered the auditor’s role in understanding entities and their environments and assessing the risk of material statement.

As audit firms have moved to a much greater emphasis on risk analysis, we outlined the steps in a strategic systems audit and outlined a variety of techniques for conducting strategic analyses in order to better understand these risks. Also analytical procedures were discussed as they play an important role in understanding business risk and the audit implications.

Internal control is one way that management can mitigate business risks, and the auditing standards require the auditor to understand the entity and its environment, including internal control. Controls in an IT environment were also discussed.

Having assessed the risks of material misstatement the auditor needs to develop procedures in response to the assessed risks.

References Australian Accounting Standards Board (2004)AASB 1031 MaterialityAASB, Melbourne.<http://www.aasb.com.au/Pronouncements/Old/Current-standards.aspx> (accessed!November 2009).

Bell, T. B., Marrs, F., Solomon, I. & Thomas, H. (1997)Auditing Organizations through a Strategic-Systems LensThe KPMG Business Measurement Process <http://www.business.uiuc.edu/kpmg-uiuccases/monograph.pdf>(accessed November 2010).

Bell, T. B., Peecher, M. & Solomon, I. (2002) ‘The strategic-systems approach to auditing’ In Cases in Strategic-Systems Auditing, edited by T. Bell and I. Solomon KPMG, Montvale, New Jersey, pp. 1–34.<http://www.business.uiuc.edu/kpmg-uiuccases/casebook.pdf>(accessed November 2010).

International Federation of Accountants (IFAC) (2009)Handbook of International Standards on Auditing and Quality ControlIFAC, New York.

Knechel, Salterio, S. & Ballou, B. (2007) Auditing: Assurance and Risk3rd edn, Cengage, Melbourne.

Porter, M. (1980)Competitive StrategyThe Free Press, New York.


Porter, M. (1985)Competitive Advantage: Creating and Sustaining Superior Performance The Free Press, New York.

Thompson, A. & Strickland III, A. J. (2001)Strategic Management: Concepts and Cases 12th edn, McGraw-Hill Higher Education, Columbus, Ohio.

Trotman, K. T. (1990)Analytical ReviewAudit Monograph No. 1Australian Accounting Research Foundation, June, Melbourne.

Trotman, K. T. & Gibbins, M. (2009)Accounting: An Integrated ApproachThomson Learning, Melbourne.

A D V A N C E D A U D I T A N D A S S U R A N C E S U G G E S T E D A N S W E R S 3 . 1

Module 3Suggested answers

Question 3.1The audit plan would need to be revised. ISA 300.10 states ‘that the auditor shall update and change the overall audit strategy and the audit plan as necessary during the course of the audit’ (see also ISA 300.A13). Given there were incorrect assumptions in developing the original plan, it would need to be revised.

Question 3.21 Accounts receivable—valuation. Without appropriate credit checks there is a high

likelihood of debtors not paying.

2 Less reliance would be placed on tests of controls and more substantive testing would be required. The substantive testing would be more tests of details as analytical procedures is less reliable when internal control weaknesses exist (this!will be!discussed more in Module 4).

Question 3.3! Observation of production processes; sales processes at stores; stocktake procedures;

operation of internal controls such as gatekeeping; employee time recording.! Inspection of documents (e.g. business plans, strategy documents, records such as

fixed assets registers, internal control manuals).! Reports prepared by management (e.g. monthly reports, balanced scorecard,

variance analysis, capital investment analysis); reports prepared by those charged with governance (e.g. board minutes).

! Visits to the entity’s premises (e.g. factory, retail outlet).

3 . 2 S U G G E S T E D A N S W E R S A D V A N C E D A U D I T A N D A S S U R A N C E

Question 3.4This is covered by ISA 315.8 and .9. ISA 315.8 refers specifically to the situation where the auditor has performed other engagements for the entity (e.g.!previous year audit, review!or other assurance engagement) and the need to consider whether information obtained is relevant to identifying risks of material misstatement.

If the auditor decides to use information obtained in previous audits, it is necessary to consider whether changes have occurred that affect the relevance of that information (ISA 315.9).

Question 3.5! The members of the engagement team to be included when the meeting occurs.! The extent of the discussion (affected by roles, experience and information needs

of the team).! The role to be taken by the partner (e.g. lead the discussion, or be part of a round

table discussion).! Does the meeting need to be face-to-face, by telephone or computer link?! Preparation expected prior to the meeting.! Will it be more of a brainstorming session or a presentation by a senior staff

member with follow-up discussion?

Question 3.6Some of the key points are:! business risk is broader than the risk of material misstatement (ISA 315.A30);! an understanding of business risk increases the likelihood of identifying risks of

material misstatement; and! most business risks eventually have financial consequences but these effects may

not be immediate and they may not result in material misstatement.

Question 3.7One of the clear business risks facing the client is increased competition with a likely result of substantial reductions in market share. There appear to be low barriers to entry because costs of adapting production processes are likely to be relatively low for other manufacturers and, as bags with wheels attached are quite common in the luggage industry, it is unlikely to be protected via patent etc. The risk is concerned with market share and margins being affected by competition. This could have an impact on the valuation of inventory and potential impairment of productive assets.


Question 3.8A knowledge and understanding of the internal and external environment of the audit!client may uncover:! incentives or pressures; ! opportunities and attitudes; or ! rationalisation to engage in fraudulent activity or the misappropriation of assets.

For individuals, incentives or pressures may be personal circumstances or unrealistic expectations of management. Incentives or pressures for management are often associated with financial goals set by the organisation or market expectations. Opportunity usually arises when there is an absence of adequate or effective internal controls. Internal control deficiencies are often related to positions held by trusted employees. Rationalisation is the process of neutralising or justifying fraudulent activities or the misappropriation of assets.

Question 3.91 Human judgments. The effectiveness of controls can be limited by the judgments

made by individuals. Even well-designed controls can break down (e.g. staff misunderstanding, being careless, fatigued).

2 Management override. This refers to the overruling of prescribed policies and procedures by management (e.g. ‘No need for credit clearance for X who is an excellent client’).

3 Collusion. Individuals acting in collusion can often circumvent controls (e.g.!separation of duties becomes ineffective when collusion occurs).

4 Cost versus benefit. Organisations have to consider the costs versus the benefits of establishing and monitoring controls. Benefits, in particular, can be difficult to!measure.

Question 3.101 If management lacks integrity, it is more likely that they might be prepared to

produce materially misstated or misleading financial statements.

2 Accounts that were misstated in previous audits are more likely to contain similar misstatements in the current year.

3 Lack of experience and knowledge may affect preparation of the financial statements. Further, if poor business decisions are made, this is likely to result in pressure to manipulate the results.

4 If the entity is experiencing cash flow problems and poor liquidity, there may be an!incentive to make the financial position look better.

5 Small, high-value products are more likely to be stolen than bulky, low-value items.

6 Transactions that are subject to difficult calculations or have complex accounting standard requirements, such as tax-effect accounting, are more likely to have errors than simple repetitive transactions.


7 Some businesses are inherently risky because the nature of their products may mean that they are subject to the inherent risk of obsolescence due to improvements in!technology.

8 The existence of related-party transactions would also increase risk as the transactions are not with an independent party and so may be subject to manipulation. In addition, the required related-party accounting disclosures are quite complex.

9 If there is a management compensation scheme that is tied to earnings or share prices, there is a clear incentive for management to misstate the result so that they can get a bonus. Similarly, if management has substantial shareholdings in the company, they have a vested interest in reporting a good result as it will affect the dividends they receive and the value of their shares. Pressure may also be placed on management by head office, major investors or lenders to meet budgets, forecasts!or targets.

10 The more judgment involved in determining an account balance, the greater the possibility of an error. Accounting estimates, such as provision for long-service leave or provision for warranty, are more likely to be subject to manipulation than routine factual data.

11 Decisions involving subjective judgments, such as whether to capitalise development expenditure or whether an entity has control of a subsidiary, also!have a high inherent risk. Items or events that require using the work of an expert, such as the value of properties, are more susceptible to misstatement as it is!difficult for the non-expert to assess the true value.

12 Transactions that are not subject to normal processing are more susceptible to misappropriation or errors.

13 If the entity buys or sells goods in a foreign currency, inherent risk will also increase as there is a risk of incurring foreign-exchange losses due to changing exchange rates. If hedges are taken out for those transactions, the hedging contracts may be complex. The complexity of the recording of the transactions under the relevant accounting standards also increases the chance of an error.

Question 3.11Inbound logistics! completeness and valuation of inventory;! recognition of liabilities; and! timing of expenses.

Operations! measurement of COGS; and! cost allocation issues.

Outbound logistics! sales cut-off;! revenue recognition; and! allocation of delivery costs.


Marketing and sales! revenue recognition; and! collectibility of accounts receivable.

Service! warranty expenses and liabilities.

Question 3.12Risks:! Valuation of inventory—what is the remaining value of inventory on hand?! Completeness of warranty provisions—may need rework and replacement.! Valuation of accounts receivable—unhappy customers are less likely to pay.! Valuation of property, plant and equipment—may raise impairment issues if it

has!an impact on the generation of cash flows from equipment.

Question 3.131 Tests of controls: iv; v; vi; viii.

2 Substantive tests: i cut-off; ii valuation and allocation; iii existence; vii accuracy.

Case Study 3.1: LM Ltd1 The audit plan must allow for additional testing of the monthly data coming to

head office. The materiality of the areas affected by the poor quality reporting needs to be determined.

2 You would need to consider how far these plans have gone and the implications for the valuation of property, plant and equipment in those countries. Potential employee costs including redundancy payments need to be considered.

3 You would need to review the contract to assess the impact on the audit. Is the entity complying with the contract and are there penalties for non-compliance? Are there exchange rate implications?

4 You would need to consider issues related to contingent liabilities, inventory valuation, collection of debtors, brand name valuation and going concern.


Case Study 3.2: Beta Ltd1 Assertions about inventory account balances at the period end: Completeness.2 Assertions about inventory account balances at the period end: Existence.3 Assertions about presentation and disclosure: Completeness.4 Assertions about inventory account balances at the period end:

Rights!and!obligations.5 Assertions about inventory account balances at the period end:

Valuation!and!allocation.6 Assertions about sales transactions and events: Occurrence.7 Assertions about sales transactions and events: Accuracy.

Case Study 3.3: Acme Ltd

Control category Specific control Purpose of controlTechnique to assess!control

General controls

1 Organisational Separation of duties between analyst, programmers, operators, library function, and central control group.

Avoid incompatible functions, prevent manipulation.

Observation of operations or review organisational charts.

2 System development

! User participation in system design.

! Preparation of documentation on system description.

! Assure that system meets user needs.

! Provide explanation of system design.

! Review manuals. ! Review

the system documentation.

3 Operations ! Operator manuals and instructions.

! Control features to monitor data and system changes.

! Ensure proper and efficient use of IT.

! Ensure that data are controlled and changes authorised.

! Review manuals and observe operations.

! Review organisational functions and procedures.

4 Data entry and program

! Physical measures.

! File protection.

! Limit physical access.

! Limit access to file data or manipulation.

! Attempt access.! Verify

procedures for passwords, locks, badges or!guards.


Case Study 3.4: CWC

General control concernsSegregation of functionsThe use of information technology (IT) generally implies that, due to increased processing speed, fewer people will be required to carry out data-processing activities. In!CWC’s case, there is a concentration of functions and knowledge, which means many conventional controls, based on the segregation of incompatible functions, are!no!longer possible. In particular, Jing has too much control and a significant amount of authority over the IT system and individual e-commerce application programs. Jing!seems to be performing the role of an IT manager who is also responsible for writing application programs. Jing also seems to be performing the tasks that would normally be carried out by a systems analyst. These functions are incompatible and should be segregated. It represents a serious control problem that can only be corrected by employing more staff.

People involved with running IT systems should be organisationally independent of user departments. Jing wrote the application programs that initiate the transfer of credit card receipts to CWC’s bank account and reconcile credit card deposits with individual customer sales accounts. When one considers that Jing is also expected to manually prepare and complete CWC’s bank reconciliation, a control issue again arises regarding incompatible functions.

Jing should not be involved in maintaining the local area network and the website. This!represents a serious control issue—especially given Jing’s other duties.

Location of computersThe location of the computers above the cafeteria could present a significant security risk should there be a fire. Also, the fact that staff need to open windows in summer raises issues regarding unauthorised access to the computers and staff safety.

Backup and recovery concernsBackup copies should be taken on a regular basis (more frequently than monthly) and!stored at a commercial offsite location. Other standard backup protocols should also be introduced.

Staff issuesJing is working extremely long hours, which could ultimately lead to health and safety concerns. There appears to be a fairly strong argument to employ additional staff to support the work currently done by Jing and Melissa.

Angie is relying on the fact that Melissa and, in particular, Jing are honest people who would not take advantage of their positions. Given the size of Jing’s mortgage this issue becomes all the more significant.

Environmental conditionsCWC should install central-heating and air-conditioning systems which can reduce the risk of damage to its IT systems from environmental hazards.


Specific control concernsDual systemIt is of concern that no attempt has been made to protect the reputation of CWC by running together the phone sales-ordering system and the internet sales-ordering system for a period of six to 12 months. This would provide a backup arrangement should any teething problems with the internet sales-ordering system arise.

DocumentationThe systems documentation that does exist is poor and difficult to understand. It is essential for Jing to maintain up-to-date documentation of the new system that is complete and accurate. All of the application programs and interface issues seem to be in Jing’s head, which is of little use to CWC should anything happen to Jing.

Physical security over data and programsStaff are allowed to play games on their computers at work. Computer viruses probably represent the greatest single threat in a personal computer environment. It is therefore essential that controls be put in place to restrict and scan all input for viruses. The!practice of allowing operators to bring in their own computer games to play!should!cease immediately.

Case Study 3.5: ProGolf Ltd

Source of threat Potential audit implications

1 Economy ! collectibility of receivables! valuation of non-current assets related to impairment; and! viability due to potential loss of customers (luxury item).

2 Regulation, technology

! valuation of inventory (prices drop quickly due to loss of potential second-hand market);

! valuation of equipment (some equipment may become redundant); and

! viability (depends on ability to adapt in a timely manner).

3 Suppliers ! control environment (pressure to cut corners to meet demand);

! potential impact on wastage rates; and! implications for managing and follow-on effects.

4 Alliances, customers

! demand is sensitive to brand image, valuation of brand names;! inventory valuation resulting from lower sales; and! control environment.

5 Retailers ! impact on margins as new retailers are more powerful, and! control environment (pressure on staff to cut costs or increase

sales to keep profits up).

6 Technology competition

! potential decrease in demand with potential impact on valuation of inventory and equipment; and

! control environment (pressure to increase sales).


Source of threat Potential audit implications

7 Suppliers of insurance

Note: This has been included to show that you really need to know your client’s industry to understand the implications for the audit.

If you lengthen the time between golfers teeing off, you decrease the number of golfers that can play on a course and therefore potential overall demand. Calculations could be done on the total impact across a city to determine the potential affect on!demand.

8 Legal, customer

! increase in warranty costs;! inventory valuation;! accounts receivable valuation (collectibility more difficult

after problems); and! potential litigation.

Case Study 3.6: Cosmic Electronics LtdA strength of Cosmic Electronics Ltd is its strong brand name based on its reputation for reliability. This indicates that warranty claims and rework are likely to be low. Hence, audit risk in relation to warranty expenses and provisions will be low.

A threat to Cosmic Electronics Ltd will be the entry of the low-cost substitute component. This threat is likely to affect sales, creating a downward pressure on prices and introducing the possibility of obsolete inventory. This threat will increase the audit risk associated with the valuation of inventory. As this is Cosmic Electronics Ltd’s leading selling component, it may ultimately affect the viability of Cosmic Electronics Ltd as a going concern.

Case Study 3.7: Airline industryPolitical! government stability in routes flown;! traffic rights and freedom (e.g. what countries can the aircraft land in);! route restrictions (e.g. open sky agreements);! airport restrictions;! taxation on tickets; and! terrorist activities.

Economic! inflation, employment, economic growth etc;! industry capacity;! increased competition in general and on specific routes;! world fuel prices;! currency trends and fluctuations;! strength of aircraft suppliers;! availability of staff (e.g. pilots); and! greater competition.

3 . 1 0 S U G G E S T E D A N S W E R S A D V A N C E D A U D I T A N D A S S U R A N C E

Sociocultural! population demographics;! attitude to leisure and work;! changes in the propensity to travel;! appeal of substitute products (e.g. rail, telephone conferences);! rising expectations for plane comfort/services;! changes in economic distribution; and! employees requiring greater flexibility.

Technological! new types of aircraft;! new capabilities of aircraft;! electronic tickets;! better databases (e.g. frequent flyers);! upgrading of IT systems;! integrated reservation systems with alliance partners; and! availability of internet to compare prices.

Environmental! environment regulation related to noise and pollution emission;! airport curfews related to noise level;! community around airports; and! fuel consumption.

Legal! safety regulations;! foreign ownership regulations; and! employment law.

Case Study 3.8: Timber floors1 Power of buyers.

2 Risks include:! decreased profitability;! holding excess inventory; and! potential for slow collection of debtors.

From an audit planning perspective this has implications for the valuation of both inventory and accounts receivable; there are potential going concern issues to be!considered.

Case Study 3.9: Creamy LtdFailure to deliver products on time is likely to cause loss of customer satisfaction and erosion of market share in a competitive market. This is likely to lead to a loss of revenues and profits. From an audit perspective, it may lead to going concern problems. It also has implications for the impairment of non-current assets and collectibility of accounts receivable.

A D V A N C E D A U D I T A N D A S S U R A N C E S U G G E S T E D A N S W E R S 3 . 1 1

Case Study 3.10: QRS Ltd1 a Gross margin = Gross profit/Sales 20X9 = 5808 ÷ 21 228 = 27.4% 20X8 = 3733 ÷ 19 393 = 19.2%

b Net profit = Net operating profit after tax/Sales 20X9 = 2100 ÷ 21 228 = 9.9% 20X8 = 1117 ÷ 19 393 = 5.8%

c Asset turnover = Sales/Total assets 20X9 = 21 228 ÷ 74 836 = 28.4% 20X8 = 19 393 ÷ 71 908 = 27.0%

d Return on total assets = Operating profit before tax/Total assets 20X9 = 3000 ÷ 74 836 = 4% 20X8 = 1596 ÷ 71 908 = 2.2%

e Current ratio = current assets/current liabilities 20X9 = 17 010 ÷ 26 676 = 0.64 20X8 = 12 774 ÷ 29 922 = 0.43

f Quick asset ratio = (cash + receivables)/current liabilities 20X9 = (5162 + 4500) ÷ 26 676 = 0.36 20X8 = (4480 + 4000) ÷ 29 922 = 0.28

g Inventory turnover = COGS/Closing inventory 20X9 = (21 228 – 5808) ÷ 7348 = 2.1 times 20X8 = (19 393 – 3733) ÷ 4294 = 3.6 times

h Debtors turnover = Credit sales/Closing debtors* 20X9 = 21 228 ÷ 4500= 4.7 times 20X8 = 19 393 ÷ 4000 = 4.8 times

i Debt/Equity ratio = Long-term liabilities/Equity 20X9 = 33 314 ÷ 14 846 = 2.2 20X8 = 29 240 ÷ 12 746 = 2.3

j Days in inventory = (Closing inventory " 365)/COGS 20X9 = (7348 " 365) / (21 228 – 5808) = 174 days

20X8 = (4294 " 365) / (19 393 – 3733) = 100 days

k Days in debtors = (Closing debtors* " 365)/Sales 20X9 = (4500 " 365) / 21 228 = 77 days 20X8 = (4000 " 365) / 19 393 = 75 days

* Note: Excludes non-current receivable which is represented by an amount in dispute with!the!tax!office.

2 Current receivables (valuation and allocation):! have increased by over 10 per cent;! slight decrease in debtors turnover;! days in debtors is high at 77 days;! retailers complaining about quality which may impact on collectibility; and! with many customers paying in foreign currencies, accuracy of currency

translation is a risk.

3 . 1 2 S U G G E S T E D A N S W E R S A D V A N C E D A U D I T A N D A S S U R A N C E

Non-current receivables (existence):! further evidence would be needed on the collectibility of this amount from

the!tax office.

Inventory (valuation and allocation):! inventory turnover is considerably slower (3.6 to 2.1 times); and! grape prices have dropped; carrying value of raw materials, work in progress

and finished goods (at standard cost) needs to be checked.

Earnings management/fraud risk:! reputation of CEO for increasing profit;! criticism of analysts;! stock options and impending retirement of CEO in two years; and! gross profit and net profit are growing much quicker than sales.

Going concern! while there is an improvement in liquidity ratios, they are quite low;! concern about quality of the product;! debt not reduced in line with management’s plans;! not moving to new technology because of capital investment outlays; and! decrease in debt/equity ratio.

Case Study 3.11: MNO Ltd! There is a trend upwards for both accounts receivable and inventory as a percentage

of total assets, and both figures are higher than for competitors. Inventory and debtors’ turnover rates should be followed up.

! COGS is higher than for competitors but it is improving for MNO Ltd over the four!year period.

! Interest is a higher percentage than for competitors but non-current liabilities are generally smaller.

! Depreciation is decreasing and is lower than competitors but so are non-current assets.

! Profit after tax is considerably lower than competitors (as a percentage of expenses). This should be considered in relation to the information obtained as part of the strategic analysis of MNO Ltd.

! There has been an increase in returns. The reasons should be ascertained.

audit & assurance review

Documents