
Klaus 2015

Audit and Assurance


Prepare for Planning and Initial Procedures

Identifying Risks and Developing Strategy
Develop Audit Approach and Gather Evidence
Finalise the Audit


Aura Roadmap

Understand Organiser, Materiality, Scoping, Planning Activities

Assess Risks and Respond Audit Risks, Controls, gather Evidence, Delivery Centre
Review and Conclude Evidence Review, Explanation, Significant Matters, Misstatements, CD/W LOG,
Completion Activities

Audit Risk Components (IR+CR = RoMM) (Audit evidence mitigates the RoMM)

Inherent Risk Normal, Elevated, Significant

Control Risk Expected Controls Reliance None, Partial, High
Detection Risk Planned Substantive Evidence Low, Medium, High

Materiality various benchmarks and percentages of benchmark. (pbt, ebitda, total assets, net assets, total
revenues or total expenses; 1% to 10% etc)

Overall Materiality Our assessment of materiality at the overall financial statement level
Performance Materiality- Materiality at assertion level in relation to classes of transactions, account
balances, and disclosures
De Minimis SUM posting level Amount below which potential audit adjustments need not be

Performance materiality determines nature, timing, extent of further audit procedures, takes into account
aggregation risk of individually immaterial misstatement. Overall materiality is specific to company and
industry, states maximum amount of misstatement that could exist before information in financial statements is
considered misleading.
ISA Assertion
Rights and Obligations
Valuation and Allocation

PwC Assertion
Accuracy (A)
Completeness (C)
Cut-off (CO)
Existence / Occurrence (E/O)

BS or P&L
P&L + BS

Presentation and Disclosure

Rights and Obligations (R&O)
Valuation (V)

Audit Documentation
Audit Evidence must be:

Appropriate reliable, relevant

More reliable
Original documents, auditor obtained/written/external

Less Reliable
Photocopies/fax, audit evidence indirect oral evidence
client generated





The Purpose of the procedure should be clear.

All documents must indicate their Source, e.g. Obtained from client.
Conclusions should be documented for every audit procedure.
Documentation should be sufficient for an experienced auditor with no previous
connection with the engagement to understand the nature, timing and Extent of the
procedures performed, the evidence obtained, and the conclusions reached.
Document the Nature of auditing procedures, e.g. involving the inspection of
documents and confirmations, including tests of operating effectiveness of controls
and Tests of Details.
Documentation should be completed and reviewed on a Timely basis.

PwC Audit Process

Prepare for Planning and Initial Procedures

Acceptance and continuance assessment

Agreeing the terms of the engagement between us and the client
Building the engagement team
Attending team planning meetings
Required planning procedures Plan for planning, risk assessment, audit approach

Identifying Risks and Developing Strategy Control environment, risk assessment, information systems, control
activities, process for monitoring controls. Walkthroughs Show me meeting, what controls are in place, who
implements them? Who can write/cash cheques? Who performs bank reconciliation?

Significant risk: An inherent risk that, in our judgement, requires special audit consideration in terms
of the nature, timing, or extent of testing, because of: the nature of the risk, the likely magnitude of
the potential misstatements (including the possibility that the risk may give rise to multiple
misstatements) and the likelihood of the risk occurring. In assessing whether a significant risk exists,
we do not consider the effects of controls related to the risk. A significant risk is a higher risk than an
elevated or normal risk.
Normal Risk: The inherent risk related to relatively routine, non-complex transactions that tend to be
subject to systematic processing and require little management judgment. Although it is considered
that there is a risk, it is judged that there are no elevated or special factors relating to the nature, the
likely magnitude of the potential misstatements or the likelihood of the risk occurring. In assessing
whether a normal risk exists, we do not consider the effects of controls related to the risk. Risks that
are less than normal are not considered risks of material misstatement.
Elevated Risk: An inherent risk that, in our judgement, requires additional audit consideration beyond
what would be required for a normal risk, but which does not rise to the level of a significant risk,
because of its nature, the likely magnitude of potential misstatements that could result from it or the
likelihood of the risk occurring. Elevated risks frequently will be risks that we will discuss with
management and those charged with governance of the entity, but that do not rise to the level of a
significant risk. In assessing whether a risk is elevated, the auditor does not consider the effect of
controls related to the risk.

Respond to Risk, and Gather Evidence

Obtaining audit evidence Bucket

Tier 1 Controls testing

Tier 2 Test of details or Substantive analytics (Generally, perform tests of details for significant risks)
Tier 3 Evaluate whether further evidence is necessary from tests of details and/or substantive

Finalise the Audit

Overall conclusion analytics

Uncorrected misstatements
Read directors report
Review significant matters
Identify subsequent events
Management representation letter (issued no later than date of audit work completion by client to
auditor declaring in writing that the financial statements and other presentations to the auditor are

sufficient and appropriate and without omission of material facts to the financial statements, to the
best of the management's knowledge)
Financial statement procedures
Sign audit opinion
Debrief audit
Archive audit file
Client communications

Professional Scepticism sufficiency, validity and reliability of audit evidence obtained. Being alert to unusual
circumstances requiring further inquiry or audit evidence that contradicts or brings into question the reliability
of documents and responses to inquiries from management.

Open mind about the honesty and integrity of management and those charged with governance until
inquiries are concluded.
Alert to unusual circumstances
Questioning mind
Question reliability of documents

Determine Course of Action: (AF.28)


Recognise the event, decision or issue

Think before you act
Decide on a course of action
Test your decision
Proceed with confidence


Technical and Professional Competence and Due Care

Professional Behaviour

Threats and Safeguards


Delivery Centres and Envoy (AF.31)

AFS Monitoring and Review

Template Preparation for - Engagement letters, Group instructions, Management representation letter,
audit opinion
Analytics assistance computing calculations and variances, providing research information to use in
setting expectations
Central Entity Service (CES) Maintenance
Knowledge Management Company background management, SWOT analysis, etc.
Aura Set-up, Maintenance and Support
External Confirmations
Financial Statements FSQCs

FSQC Financial Statements quality check

Do prior year figures agree to prior year statements?

Do figures cast/cross-cast?
Are figures internally consistent?
Are all necessary disclosures included?
Do current year figures agree to what we've audited in Aura?



Fraud is an intentional act by one or more individuals among management, those charged with
governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal
advantage. Fraud may take the form of:
-Fraudulent financial reporting; and
-Misappropriation of assets
Error is an unintentional misstatement in the financial statements, including the omission of an amount or
disclosure, such as the following: a mistake in gathering or processing data from which financial
statements are prepared; an incorrect accounting estimate arising from oversight or misinterpretation
of facts and a mistake in the application of accounting principles relating to measurement, recognition,
classification presentation or disclosure.
An auditor's objective (ISA 240 UK&I) is to identify and assess the risk of material misstatement of the
financial statements due to fraud, obtain sufficient appropriate audit evidence regarding the assessed
risk of material misstatement due to fraud, through designing and implementing appropriate
responses; and respond appropriately to fraud or suspected fraud identified during the audit.

Fraud Triangle Why commit fraud? Generally there are 3 Conditions present when fraud occurs.

What to do if you suspect a fraud:

Tell your manager or engagement leader, ensure the relevant documents are safe, consult: someone in
PwC may have come across a similar situation.

What not to do:

Tip off the client, keep things to yourself, play detective without proper consultation, be fooled or
manipulated by the client.

The Audit Trail

In scope FSLI Agreeing the FSLI to Cash Lead Schedule

Initial trial balance Agreeing the Cash LS to the Initial Trial Balance
Risk assessment- Documenting the Risk Assessment and EGA via Audit Risks and Gather Evidence views
Response to risk (EGA)
Workpapers (Electronic & Paper) (+4) Agreeing the Cash LS to the bank reconciliation, agreeing the BR to
the bank statement, agreeing the bank statement to the bank confirmation
Final trial balance Agreeing the cash lead schedule to the Final Trial Balance

Internal Audit: Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organisation's operations. It helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk
management and control processes.
Role of the internal auditor:

Review of accounting and internal control systems.

Examination of financial and operating information.
Review of the economy, efficiency and effectiveness of operations.
Review of compliance with laws and regulations etc.
Review of the implementation of corporate objectives.
Identification of business and financial risks.
Monitoring risk management policies and strategies.

IIA (Institute of Internal Auditors)


Code of Ethics Principles, Rules of Conduct

International Standards for the Professional Practice of Internal Auditing, performance standards.

ORCA PwC risk assessment process, approach based on business risk


Alignment Are controls in line with risks?

Information Processing Objectives CAVR = Completeness, Accuracy, Validity, Restricted Access


Lines of defence:

Business Management day-to-day

Compliance risk management
Audit (Independent) includes external auditors/external assurance

Internal Audit Service

Internal Audit Advisory services

Full outsourcing, directed outsourcing
Significant co-sourcing, co-sourcing
External Quality Assessments (EQAs)/Internal Audit
Effectiveness Reviews, Internal Audit Advisory
Services, Secondments (stand alone)
Outsourced: no in-house internal audit resource and no Head of Internal Audit (HIA) within the
organisation. Directed outsourcing: client exerts significant direction in relation to the internal audit
plan or work delivered.
Co-Sourced: if the client has its own in-house HIA. Significant: PwC delivers a significant proportion of
the internal audit effort.
Internal Audit Advisory services: Clients may wish to engage PwC to deliver other internal audit
services without outsourcing their internal audit function or engaging PwC to deliver co-sourced
internal audit assignments. Stand-alone secondments also come under this heading (where they are
not part of co-sourced engagements), but PwC staff may also second to the client as part of co-sourced
engagements. (AA.49)

Document the following when we find exceptions:

details of the control weakness found

the root cause
the potential risks arising as a result of that issue
the risk rating
an action plan

Common root causes

internal environment
external factors

Risk Ratings Critical, High, Medium, Low, Advisory


Foundation Confirm stakeholder needs and expectations are reflected in the objectives of the internal
audit function as set out in the internal audit charter.
Planning Develop an internal audit plan that addresses the needs and expectations of the
stakeholders and the key risks of the organisation.
Fieldwork Obtain sufficient evidence to achieve the objectives of the internal audit review.
Reporting Report the internal audit results, including practical and value-added recommendations,
clearly and concisely.
Quality: Establish a stronger link between the strategic focus of internal audit and value drivers of its
key stakeholders and measure commitment to highest levels of quality, continuous evaluation and
overall internal audit effectiveness.

Fieldwork - determine audit approach to be used

Value protection approaches are focussed on assessing the design and operating effectiveness
of controls.
Value enhancement approaches are focussed on efficiency gains, process performance, and/or
monetary savings.

Internal Controls


Indirect Entity level controls: Entity level controls that do not directly relate to any specific
FSLI/business processes or assertions and, therefore, would not by
themselves prevent or detect on a timely basis material misstatements to
assertion(s) at the FSLI level. They may, however, contribute to the
effectiveness of controls.

Direct Entity level controls: Typically operate at least at the sub-process level, that is, at a level higher
than transaction level controls, and, when performed effectively, at a
sufficient level of precision to adequately prevent, or detect and correct
on a timely basis, material misstatements related to one or more relevant
assertions for FSLIs/business processes. An example is a business
performance review.

Information Technology General Controls (ITGCs): Policies and procedures that are used to manage the IT activities and
computer environment, relate to many applications and support the effective
functioning of application controls by helping to verify the continued proper
operation of information systems.

Transaction level controls: Transaction level controls are control activities over the initiation,
recording, processing and reporting of transactions designed to operate
at a level of precision that would prevent, or detect and correct on a timely
basis, misstatements related to one or more relevant assertions for a
FSLI/business process. Transaction level controls can be either detective
(stock cycle counts) or preventive (authorisation for a payment run) in
nature. They often include manual application (physical sign-off),
automated application (password access) or IT-dependent manual
controls (running an aged debt report from the system for manual review
and sign-off).

Nature of controls tests





Inquiry: Inquiry alone will not provide sufficient evidence. We require further corroboration, reports,
manuals or other documents used in or generated by the performance of the control. Should always be
used as the first step to any of the other techniques.
Observation: Appropriate where there is no documentation of the operation of a control, like segregation
of duties. Is also useful for physical controls, for example, seeing that the warehouse door is locked or that
blank checks are safeguarded. We need to consider that the control we observe might not be performed in
the same manner when we are not present.
Inspection: This is often used to determine whether manual controls, like the follow-up of
exception reports, are being performed. Absence of evidence may indicate that the control is not operating
as prescribed and further procedures will be necessary to determine whether there is in fact an effective
Re-performance: provides the best evidence. Used when a combination of inquiry, observation and
inspection of evidence does not provide sufficient, appropriate audit evidence that a control is operating
effectively. However, if extensive re-performance is likely to be necessary, we reconsider whether it is
efficient to perform tests of controls to restrict the scope of substantive testing.

Control Attributes

How often. Can be driven by a schedule or by an


Automated, IT-dependent, Manual. IT-dependent
controls are manual control activities which rely on
system generated reports and data.
Preventive controls are control activities which
prevent incorrect financial information from being
recorded, processed, or reported. Detective controls
are controls which detect incorrectly recorded,
processed or reported transactions.

Time of error

Annual, Quarterly, Monthly,
Weekly, Daily, Multiple times per
Automated, IT-dependent, Manual

Preventive, Detective

Internal Control framework


Monitoring being carried out correctly

Information & Communication - Infrastructure and communication throughout the organisation
Control Activities Policies and procedures carried out to achieve those management objectives



Risk Assessment assess risks, determine how and whether to manage those risks
Control Environment Attitude, behaviour, culture, awareness

Control activities occur at all levels, in all functions throughout the organisation operations, financial
reporting, compliance

Substantive Analytical procedures and Employee Costs


Planning Stage risk assessment analytics used at planning, mandatory. RISK ASSESSMENT
Evidence stage substantive analytics, not mandatory. SUBSTANTIVE ANALYTICS
Completion stage conclusion analytics, mandatory. OVERALL CONCLUSION

4 Step Process


Assess reliability of data, and develop an independent expectation. Ex. Ensure you have ITGCs evidence.
Define a significant difference or threshold. Tolerable threshold is usually based on materiality. You must
quantify the tolerable threshold, not simply apply a percentage variance between the expectation and
actual. If you disaggregate two revenue streams for your analytics, and performance materiality is your
threshold, you cannot apply full performance materiality to each disaggregated element.
Compute difference. You must compute the difference between your original expectation and the actual
client figures.
Investigate significant differences and draw conclusions. You must investigate all differences from your
expectation. You must explain the full variance from expectation to actual, not just the variance above the
threshold. Evidence must be corroborated sufficiently and independently with evidence obtained to
support client explanations for variances.

You can use this for Depreciation expense, Payroll and Interest income / expense. Outside of these three areas,
the substantive analytics check point (AA.28) must be used.
Substantive analytical procedures:


Trend analysis

Determine suitability, assess reliability of underlying data and develop an independent expectation
Define a significant difference or threshold.
Compute differences
Investigate significant differences and corroborate with evidence

Test of Details


Targeted Testing aims at establishing if there is a material monetary misstatement, items to be tested are
selected based on monetary value or higher risk, applied to either a specific part of an account or the
whole of the account, results should not be projected to the untested items in a population, preferred
method of testing at PwC.
Accept-reject Testing Used when we are interested in a particular attribute or characteristic, used when
we are not testing monetary values, used when we do not project misstatements to the entire population.
Audit Sampling (Non-statistical sampling)- Application of auditing procedures to a representative group of
less than 100% of the items for the purpose of evaluating the entire population tested. Usually used on
populations with homogeneous items when we cannot target any items and based on risk or coverage. Can
be applied in combination with Targeted testing.

Six steps for targeted testing:


State the test objective(s) (ex. Confirm A/C receivable balance)

Define the population (is population complete?)
Define misstatement and audit procedures.
Document basis for selection.
Document results of testing performed.
Evaluate misstatement.


Five stages for accept-reject testing

Random =/= Haphazard

Determine and document the assertion(s) that are being tested.

Define the population. Ex. All sales recorded in last week of year.
Define Exceptions. What would we reject?
Determine the number of items to test and select items for testing. Tolerable exceptions.
Perform testing and evaluate results. Any rejected? New pop, more testing otherwise if insufficient consult

Eight steps for Audit Sampling


Determine test objective(s).

Define the population and sampling unit.
Define misstatement.
Determine sample size.
Determine sample selection method.
Perform testing.
Project misstatements to the population. (Homogeneous!)
Evaluate results.

Two Step Revenue Testing

Determine if pre-conditions met. Then partial or full target testing. Must meet 5 preconditions.

Risk assessed at normal and no specific fraud risks identified.

Do not anticipate misstatements based on prior year results.
Level of target testing already performed.
Evidence related to A/R is moderate or high.
Other procedures performed on the presumed risk of fraud.

Cash and Cash Equivalents

Balance per cash book
Bank charges not in cash
Un-presented cheques
Outstanding deposits
Cheques run prior to
year-end and un-cleared
Balance per bank
Auditing a bank reconciliation top tips (AF.60)
Bank accounts are approved
Signatories are authorised
Bank reconciliations are

Wire transfers are reviewed

and approved


Existence (of bank and cash assets)
Existence (of bank and cash assets)
Completeness (of bank and cash assets)
Accuracy (of related P&L transactions from reconciling cash items)
Rights and Obligations
Accuracy (of related cash transaction)
Existence (of bank and cash assets)


Tests of Details and related assertions

Test bank reconciliations

Test bank account

Test translation of
foreign currency
Test cash on hand

Completeness (of bank and cash assets)
Accuracy (of related P&L transactions from reconciling cash items)
Cut-off (of bank and cash assets)
Existence (of bank and cash assets)
Completeness (of bank and cash assets)
Cut-off (of transfer transaction)
Valuation (of bank and cash assets)

Accuracy (of related P&L transactions from reconciling cash items)

Existence (of bank and cash assets)
Confirm bank accounts
Completeness (of bank and cash assets)
and special
Accuracy (of related P&L transactions from reconciling cash items)
Cut-off (of related P&L transactions)
Existence (of bank and cash assets)
Rights & Obligations (to bank and cash assets)
Presentation & Disclosure (of bank and cash assets)
Inventory - The Importance of Inventory counts



To the client: Inventory is normally their biggest liquid asset. They not only need to manage the
investment but they also need to ensure that they manage inventory levels so that they can meet
customer needs / orders on a timely basis; performing inventory counts helps them to manage their
inventory levels. Inventory counts represent a strong deterrent to theft. Inventory counts verify the
quantity of inventory which, after valuation, will be included in the financial statements.
To the audit: Inventory is often a material area on the balance and has a direct effect on the profit or
loss for the year. Inventory counts provide a strong source of audit evidence for Existence, as
inventory can easily be misstated and depending on the type of inventory there may be potential for
fraud through misappropriation. Attendance at the inventory count is compulsory in many countries.
To you: You can't repeat the inventory count later if you have a query or forget something. You must
get everything right at the inventory count. It may be your first job alone. You may need to take
decisions or react quickly to circumstances. You may need to make decisions under pressure from
client staff. Attending the inventory count gives you an opportunity to tour the client's site and gain a
good understanding of the client's business. You will probably come into close contact with client staff
outside the financial department and, therefore, can develop your understanding of the business and
build networks outside the finance function.

Common EGAs PPE


Lead Schedule
Obtain movement schedule and detailed listings
Test additions
Test disposals

Purchases and Payable


Ordering (Purchase Order)

Receipt of goods / service (Goods received note)
Receipt of invoice (Purchase Invoice)
Recording of expense (P&L) or stock (B/S) and creditor (B/S) (Journal)
Cash payment (Remittance advice)

Controls (Authorisation, Review, Matching)

Are all purchases included?

Are we liable to pay the year-end creditor?
Have pre year-end purchases been recorded post year-end?
Are creditors due in less than or more than one year?

It is important to understand the entire flow of transactions from when they are initiated to the accounting
records that capture them. The walkthrough enables you to identify the points within the company's process at
which a material misstatement could arise. There should be controls in place to address these risks. It is


necessary to identify/confirm all the attributes of the control activities that the company has implemented.
Through walkthrough, we can better understand how IT affects the transactional flow and what the relevant IT
dependencies are. A walkthrough is performed by following the flow of an actual transaction using the client's
documents and IT systems. At the point where the important processing procedures occur we should ask
sufficiently probing questions that allow a complete understanding of the process under consideration. During
the walkthrough we verify the implementation of control activities through a combination of inquiry,
observation and examination.

Search for Unrecorded Liabilities

Liabilities and related expenses are more likely to be understated or omitted from the accounts than overstated
because the account balances usually consist of items that have been reviewed and approved as valid payables
before being recorded and because efforts to improve timeliness of financial reporting may result in a failure to
completely and accurately recognise all valid liabilities and expenses. We typically perform a search for
unrecorded liabilities as part of a financial statement audit to obtain evidence that liabilities and expenses are
not understated (completeness).

Targeted testing of cash disbursements made subsequent to year end, unpaid invoices and open
receiving documents
May involve targeting both significant value invoices and those subject to higher risk of exclusion
(close to year-end or certain vendors)
How long after year-end should our search for unrecorded liabilities extend? ->Professional judgment.
When target testing a subsequent payment, the payment may relate to multiple invoices. Should we
examine evidence for all invoices or is there another way to structure the targeted test? What audit
work should be performed on the untested portion of the population of subsequent disbursements,
unpaid invoices and open receiving documents?
Factors to consider in determining the time period for the search for unrecorded liabilities: RoMM
related to the completeness of liabilities and expenses, history of misstatements due to cut-off errors,
length of time the client keeps its accounts open after year-end to process transactions, typical invoice
payment terms for suppliers and service providers and the client's payment practices, effectiveness of
controls, possibility that there may be material unrecorded liabilities only settled after the selected
time period, sufficiency of audit evidence obtained through substantive analytics and other tests of
details that provide comfort on the completeness, accuracy, and existence/occurrence of liabilities and

Accounts Payable Lead Schedule
Accounts Payable Test accounts payable
Accounts Payable Search for unrecorded liabilities
Accounts Payable Test inventory receipts cut-off
Accounts Payable Verify information for disclosures

Presentation and Disclosure
Completeness, Accuracy, Cut-off,
Completeness, Accuracy, Valuation, Rights
& Obligations and Cut-off
Completeness and Cut-off
Presentation & Disclosures

Revenue and Receivables


Ordering (Customer Order)

Dispatch (Goods Despatched Note)
Invoicing (Sales Invoice)
Recording of sale (P&L) and debtor (B/S) (Journal)
Cash Receipt (Remittance Advice)

Controls (Authorisation, Review, Matching)


Are all sales transactions genuine?

Have sales returns been included?
Is the customer going to pay the debt?
Are sales genuine and in the correct period?
Have foreign currency balances been converted properly?


Accounts Receivable Lead Schedule

Accounts Receivable Test accounts receivable
Accounts Receivable Confirm accounts receivable
Accounts Receivable Test sales/accounts receivable
Accounts Receivable Verify information for

Presentation and Disclosure

Completeness, Accuracy, Existence/Occurrence,
Rights & Obligations
Completeness and Cut-off
Presentation & Disclosures