CGA-CANADA

ADVANCED EXTERNAL AUDITING [AU2] EXAMINATION

June 2015
Marks
30

Time: 4 Hours
Question 1
Select the best answer for each of the following unrelated items. Answer each of these items in your
examination booklet by giving the number of your choice. For example, if the best answer for item (a)
is (1), write (a)(1) in your examination booklet. If more than one answer is given for an item, that item will
not be marked. Incorrect answers will be marked as zero. Marks will not be awarded for explanations.
Note:
11/2 marks each

a.

Which of the following is an example of an application control?

1)
2)
3)
4)

The client uses access security software to restrict access to each of the accounting applications.
Employees are assigned a unique user ID and a password that is changed quarterly.
Systems programmers are restricted from performing application programming functions.
The sales system automatically computes the total sales amount and posts the total to the sales
journal master file.

b. A relevant financial ratio historically has a low standard deviation. What does this fact imply about its
usefulness in analysis?
1)
2)
3)
4)
c.

The historical trend of the standard deviation is not important.

A low standard deviation decreases the usefulness of a ratio.
A low standard deviation increases the usefulness of a ratio.
A ratio with a low standard deviation can be used in a test of controls.

What evidence does tracing copies of sales invoices to shipping documents provide?
1)
2)
3)
4)

Evidence that all shipments to customers were recorded as receivables

Evidence that all debits to the subsidiary accounts receivable ledger are for sales shipped
Evidence that all shipments to customers were invoiced
Evidence that all billed sales were shipped

d. As the acceptable level of detection risk increases, what is an auditor most likely to change?
1)
2)
3)
4)
e.

The assessed level of control risk from below the maximum to the maximum level
The assurance provided by tests of controls by using a larger sample size
The timing of substantive tests from year end to an interim date
The nature of substantive tests from a less effective to a more effective procedure

If an accountant accepts an engagement to compile a financial projection, what would the accountant
most likely make the client aware of?
1) The projection may not be included in a document with audited historical financial statements.
2) The accountants responsibility to update the projection for future events and circumstances is
limited to one year.
3) The projection omits all hypothetical assumptions and presents the most likely future financial
position.
4) The engagement does not include an evaluation of the support for the assumptions underlying the
projection.

Continued
EAU2J15

CGA-Canada, 2015

Page 1 of 7

f.

Which of the following characteristics would most likely heighten an auditors concerns about the risk
of material misstatement arising from fraudulent financial reporting?
1)
2)
3)
4)

Management has no interest in maintaining an earnings trend.

Computer hardware is usually sold at a loss before it has been fully depreciated.
Management had frequent disputes with the auditor over accounting matters.
Monthly bank reconciliations usually include several large outstanding cheques.

g. Which of the following matters is an auditor required to communicate to those charged with
governance?
1) Adjustments that were suggested by the auditor and recorded by management that have a
significant effect on the entitys financial reporting process
2) A schedule of time spent on the audit showing unfavourable variances by audit area
3) The results of the auditors analytical procedures performed in the review stage of the engagement
that indicate significant variances from expected results
4) Changes in the auditors preliminary judgment about materiality that were a result of projecting
the results of statistical sampling for tests of transactions
h. Which of the following is least likely to be an audit concern when using the test data approach as a
system-oriented CAAT?
1)
2)
3)
4)
i.

Ensuring that all possible error conditions are included in the test data
Ensuring that the clients files are not corrupted by the test data
Ensuring that the test data is prepared in the normal client format
Ensuring that each test data record verifies only one specific error condition

When the auditor uses a test data approach to test the internal controls of a computerized accounting
system, which of the following is true?
1) Test data are coded to a dummy subsidiary so they can be extracted from the system under
operating conditions.
2) Test data programs need not be tailor-made by the auditor for each clients computer applications.
3) Test data programs usually consist of combinations of all valid and invalid conditions regarding
compliance with internal controls.
4) Test data are processed with the clients computer and the output is compared with the auditors
predetermined results.

j.

About which of the following factors should the external auditor obtain updated information when
assessing the internal auditors competence?
1) The reporting status of the internal auditor within the client organization
2) The educational level and professional experience of the internal auditor
3) Whether client company policies prohibit the internal auditor from auditing areas where relatives
are employed
4) Whether the board of directors, audit committee, or owner-manager oversees employment
decisions related to the internal audit function

k. In an online point-of-sale system, which of the following automated controls would most likely be
employed to prevent accuracy errors in the processing of a transaction?
1)
2)
3)
4)

Date entered must be the current system date.

Sales returns require a separate password that must be entered by the shift supervisor.
Prices are retrieved from the inventory master file.
When an item is scanned, information about the product is not displayed onto the screen (such as
shoe description, colour, size, and price).

Continued
EAU2J15

CGA-Canada, 2015

Page 2 of 7

l.

Which of the following would a practitioner most likely do as part of a specified audit procedures
engagement in accordance with the Canadian standards for specified audit procedures?
1)
2)
3)
4)

Express negative assurance on the findings of work performed.

Issue a report on findings based on specified procedures performed.
Report the differences between specified procedures and audit procedures.
Assess whether the procedure meets the needs of the parties.

m. Which of the following would most likely be used by a manufacturing company wishing to place
orders more efficiently?
1)
2)
3)
4)

Electronic cheque transmittal

Automated clearinghouse
Electronic funds transfer
Electronic data interchange

n. Which of the following is not one of the items of information to be included in the auditors report by
the International Auditing & Assurance Standards Board (IAASB) as part of the new proposed section
of the audit report identifying key audit matters?
1) Areas identified by the auditor as significant risk or involving significant auditor judgment
2) Areas in which the results of initial audit tests indicated significant deviations from expectations
3) Circumstances that required significant modification to the auditors planned approach to the
audit, including as a result of the identification of a significant deficiency in internal control
4) Areas in which the auditor encountered significant difficulty during the audit, including with
respect to obtaining sufficient appropriate audit evidence
o. If, during the course of an audit, an auditor discovers evidence of an illegal act by the client, what is
the first thing the auditor should do?
1)
2)
3)
4)

Inform the legal authorities.

Inform client management.
Consider the potential impact of the consequences of the illegal act on the financial statements.
Resign from the engagement.

p. Which of the following is not an aspect of information risk?

1)
2)
3)
4)

The audit report

Remoteness of users from information
Complexity of data
Quantity of data

q. Which of the following is an example of fraudulent financial reporting?

1) Company management falsifies inventory count tags, thereby overstating inventory and
understating cost of sales.
2) An employee diverts customer payments for his personal use, concealing his actions by debiting
an expense account, thus overstating expenses.
3) An employee steals inventory and the shrinkage is recorded as cost of goods sold.
4) An employee borrows small tools from a company and neglects to return them; the cost is
reported as a miscellaneous expense.

Continued
EAU2J15

CGA-Canada, 2015

Page 3 of 7

r.

Which of the threats to independence identified in the CGA-Canada Independence Standard would
most likely occur as a result of an auditor deliberately underbidding (lowballing) to obtain an audit
engagement?
1)
2)
3)
4)

s.

Which of the following actions by an audit firm would most likely not be an effective protection
against the possibility of lawsuits from third parties?
1)
2)
3)
4)

t.

Intimidation threat
Self-review threat
Advocacy threat
Self-interest threat

Instituting sound quality control and review procedures

Obtaining an engagement letter from the management of the auditee
Ensuring that members of the firm are independent
Following professional standards

In planning for the use of a clients internal auditors to help in performing the audit, which of the
following would the external auditor most likely do?
1) Plan to decrease the extent of the tests of controls needed to support the assessed level of
detection risk.
2) Plan to increase the extent of procedures needed to reduce control risk to an acceptable level.
3) Plan to place some reliance on the work of the internal auditor.
4) Plan to avoid using the work performed by the internal auditor.

18

Question 2
The following are six independent situations involving possible violations of the CGA-Canada Code of
Ethical Principles and Rules of Conduct (CEPROC) and/or standards for the performance of audits,
reviews, other forms of assurance engagements, and/or related services.
For each situation, analyze the CGAs actions and state, with respect to those actions, whether or not the
CGA has violated CEPROC and/or other standards. Explain your reasoning.
Required
3

a.

June, CGA, is the sole proprietor of a small chain of retail stores, located in malls, that sell high-end
exercise and sports apparel. She is also a partner in a successful CGA firm, which has a number of
fairly large review clients. Each year, her firm performs a compilation of the financial statements of
the store chain, and prepares the tax returns as well. This relationship is disclosed in the compilation
engagement report. In each of the retail outlets, her qualifications and the name of her CGA firm are
prominently displayed along with a contact number for her firm and a brief list of the services they
can provide for clients.

b. Raj, CGA, a partner in a CGA firm, is meeting with his audit senior Lim, to prepare the audit plan for
the audit of a new client, Envirosafe, Inc. Envirosafe has contracts with manufacturing companies to
handle toxic waste produced in their factories. Recent publicity (newspaper articles, television news
stories, and so on) has suggested that Envirosafe has contravened environmental laws and regulations
in its waste disposal activities. Lim asks if she should include any special audit procedures related to
the possible violations by Envirosafe. Raj responds that since their objective is to ensure that the
financial statements present fairly the financial position and results of operations of the company, the
question of whether Envirosafe has engaged in illegal activities is not relevant to that objective, and
Lim should not concern herself with that.

Continued
EAU2J15

CGA-Canada, 2015

Page 4 of 7

c.

Afton, CGA and partner in a public CGA firm, has just signed off on the audit report of Hyperion Ltd.
Hyperion is web-based and uses e-commerce for its sales receipts and for payments to the majority of
its suppliers. Almost all of the engagement was performed using CAATs and the evidence and
working papers are in electronic form. Afton is having a post-audit debriefing with the audit senior of
the Hyperion audit. The audit senior wishes to revise some information in the electronic audit files, as
he feels that the information could be misinterpreted and cast into doubt the thoroughness of his audit
work in a particular section. Afton informs him that it is not appropriate to make any changes to the
contents of the electronic files.

d. Masood, CGA, has performed engagements for his client, Xantu Ltd., for six years. The first five
engagements were review engagements. Last year, in anticipation of going public, Xantu requested
that Masood perform an audit. Masood did so, observing the appropriate standards. Xantu has now
asked Masood for assistance in preparing a forecast for inclusion in a prospectus for a public share
offering. Masood, based on his work, believes that the assumptions underlying the forecast are
reasonable and the forecast properly reflects the most probable outcomes under the assumptions made
and that the forecast complies with appropriate presentation and disclosure standards. Accordingly, he
issues a report, to be included in the prospectus, including an unmodified opinion that the forecasted
amounts are fairly stated, although I do not express an opinion as to whether the forecasted events will
occur as forecast.

e.

Zoltan, CGA, has been the auditor of Good Sounds Ltd., a closely held retailer of high-end audio
products, for several years. Zoltan also prepares annual tax returns for the company and for the
owner-manager, Mr. Good. Mr. Good is aware of Zoltans expertise in IT, and asks him to design a
computerized inventory control system, integrated with point-of-sale terminals, to upgrade his
outdated manual-based system. Zoltan does so, and because the job requires significant time to
complete, he bills Mr. Good for an amount equal to approximately four times his usual audit fee.
Mr. Good pays the bill without question and is so pleased with the result that he offers to personally
pay for a weeks honeymoon trip to Jamaica for Zoltan and his new bride. Zoltan accepts the paid
honeymoon trip.

f.

Thomas, CGA, has been performing review engagements for Tong Lu Music, a chain of music stores
in the metropolitan area, for several years. Tong Lu Music is required to have annual review
engagements by the bank, with which it has a revolving line of credit. Because Thomas is familiar
with Tong Lu Music, to whom he has given a standard review report each year previously, his review
this year consists of computing a large number of financial and operating ratios for Tong Lu, and
comparing them to past years performance, this years budget, and industry statistics (there is a
Canada-wide association of music stores). All of the ratios are in line with expectations. Thomas
proceeds to issue a standard unmodified review report, conspicuously stamping each page of the
financial statements, Unaudited.

Continued
EAU2J15

CGA-Canada, 2015

Page 5 of 7

16

Question 3
The following are eight independent statements concerning certain auditing issues.
Required
For each statement, indicate whether you agree or disagree. Explain your reasoning.
2

a.

After completion of the audit fieldwork and approval by the board of directors, an event that has a
material effect on the financial statements occurs as a result of a circumstance that existed prior to the
end of the clients fiscal year. The auditor should request that the client adjust the financial statements,
perform a subsequent event review for the specific item, and amend the date of the auditors report to
the date of the end of the subsequent event review.

b. In the audit of a small business, the auditor discusses the internal control system with the ownermanager. If the auditor is satisfied that the owner-managers oversight of the accounting system is
vigilant, it is appropriate to assess the level of control risk as low.

c.

d. The expectation gap refers to the difference between the publics perception of the level of assurance
offered by audits and the actual level of assurance provided. According to the Macdonald Report, in
order to eliminate this gap, the auditor should improve communication so that the public expectations
of the outcome of audits are reasonable.

e.

If an audit client makes extensive use of electronic data interchange (EDI) in its business (for
example, for sales, purchases, payments, receipts, and so on) this will likely have the greatest negative
effect on the auditors ability to employ confirmation as an evidence-gathering technique.

f.

Consider the audit of a client engaged in e-commerce, such as a company that uses a website to record
sales, receive payment, and deliver services, with transactions automatically transferred to the
accounting systems. If the website has received a security seal from a reputable organization, the
auditor can rely on the security seal as guarantee of the strength of the internal control system, and
proceed directly to substantive testing.

g. If, in the course of audit testing involving the sampling of transactions, the auditor discovers
indications of fraud, it is usually appropriate for the auditor to extend his sample of transactions.

h. An increasing trend in recent years has been for companies to provide corporate responsibility reports.
In the majority of cases, the financial statement auditor is engaged to audit the companys
responsibility report in addition to auditing the companys financial statements. The results of the
corporate responsibility audit are added as an Other Matters paragraph at the end of the independent
auditors report.

When issuing an audit opinion on financial statements, if the comparative figures in the financial
statements were previously audited by another auditor, and if the previous auditor issued an
unmodified opinion, the current auditor is not required to do anything in respect of the previous
financial statements and audit opinion.

Continued
EAU2J15

CGA-Canada, 2015

Page 6 of 7

16

Question 4
Xian Lee will be your audit senior for the upcoming audit of Wrenches & Chisels (W&R) Ltd. W&R is a
small business that manufactures and distributes small tools to retail chains such as Home Depot,
Canadian Tire, and so on. W&R has a highly integrated IT system. Xian has asked you to prepare a
preliminary report on the controls in W&Rs IT functions.
Required
10

a.

20

Identify three IT general control categories that contribute to a strong general control environment.
For each category, identify a control objective and a control policy or procedure directed at satisfying
that objective.

b. Identify and briefly describe two categories of access controls, including the risks that arise to the IT
system related to each control category. Give an example of an access control in each category, and
for each example, identify an audit test that the auditor could use to verify the existence of that
control.
Question 5
It is July 31 and this years list of promotions has just been released you are pleased to see that you
have been promoted to audit senior in your CGA firm, which has been in public practice in your city since
1995. After a celebratory luncheon with the other new audit senior, you find a message in your e-mail
from Susan, one of the senior partners. The e-mail offers you congratulations and ends with when you get
back to the office, come to see me. I need your expertise on an interesting job.
In your meeting with Susan, she explains that she would like you to put your highly regarded
communication skills to work and prepare two memos, one internal and one external. Internally, you are to
prepare a memo for your audit team, related to the audit of Xalto Ltd., a new audit client, and externally,
Susan asks you to draft a memo that she will present to the CEO of Xalto.
Susan goes on to say:
With respect to the audit team memo, this new client has a sophisticated IT system and I want you to
brief the audit team on issues related to auditing in an IT environment. I would like you to prepare a memo
that addresses the different types of audit evidence that we need to obtain and, in particular, the impact of
the IT system on how we collect evidence that allows us to assess Xaltos internal control risk. I would
like you to briefly explain the steps in the process we would use to assess Xaltos internal control system,
and how we would use test data and/or an integrated test facility, considering their respective strengths and
weaknesses, to aid us in collecting the types of evidence we need to assess Xaltos internal control risk.
With respect to the second memo, the CEO of Xalto tells me that at a CGA Association dinner to which
he was recently invited by a good friend who is a partner in another CGA firm in town, the after-dinner
speakers topic was to be a discussion of the concepts of client business risk and how the auditors
consideration of client business risk affects the planning and performance of an audit. The after-dinner
speakers flight from Winnipeg was delayed by winter weather and the speech had to be cancelled. The
CEO has an MBA rather than a professional accounting degree, but he was intrigued by the whole concept
of a business risk-based approach to an audit, and he asked me if I could provide him with some
information on the concept.
Required

a.

Prepare the requested memo to the audit team.

b. Prepare the requested memo to the CEO of Xalto Ltd.

Note:
3 marks are allocated for clarity, logic and, persuasiveness.

END OF EXAMINATION
100
EAU2J15

CGA-Canada, 2015

Page 7 of 7

ADVANCED EXTERNAL AUDITING [AU2]

EXAMINATION

AU2
Before starting to write the examination, make sure that it is complete and that there are no
printing defects. This examination consists of 7 pages. There are 5 questions for a total of
100 marks.

READ THE QUESTIONS CAREFULLY AND ANSWER WHAT IS ASKED.

To assist you in answering the examination questions, CGA-Canada includes the following glossary of terms.
Glossary of Assessment Terms
Adapted from David Palmer, Study Guide: Developing Effective Study Methods (Vancouver: CGA-Canada, 1996).
Copyright David Palmer.
Calculate

Compare

Contrast

Criticize

Define

Describe
Design

Determine

Diagram

Discuss

Evaluate

Mathematically determine the amount

or number, showing formulas used
and steps taken. (Also Compute).
Examine qualities or characteristics
that resemble each other. Emphasize
similarities, although differences may
be mentioned.
Compare by observing differences.
Stress the dissimilarities of qualities
or characteristics. (Also Distinguish
between)
Express your own judgment
concerning the topic or viewpoint in
question. Discuss both pros and cons.
Clearly state the meaning of the word
or term. Relate the meaning
specifically to the way it is used in the
subject area under discussion.
Perhaps also show how the item
defined differs from items in other
classes.
Provide detail on the relevant
characteristics, qualities, or events.
Create an outcome (e.g., a plan or
program) that incorporates the
relevant issues and information.
Calculate or formulate a response that
considers the relevant qualitative and
quantitative factors.
Give a drawing, chart, plan or graphic
answer. Usually you should label a
diagram. In some cases, add a brief
explanation or description. (Also
Draw)
This calls for the most complete and
detailed answer. Examine and
analyze carefully and present both
pros and cons. To discuss briefly
requires you to state in a few
sentences the critical factors.
This requires making an informed
judgment. Your judgment must be
shown to be based on knowledge and
information about the subject. (Just
stating your own ideas is not
sufficient.) Cite authorities. Cite
advantages and limitations.

Explain

In explanatory answers you must

clarify the cause(s), or reasons(s). State
the how and why of the subject.
Give reasons for differences of
opinions or of results. To explain
briefly requires you to state the
reasons simply, in a few words.
Identify
Distinguish and specify the important
issues, factors, or items, usually based
on an evaluation or analysis of a
scenario.
Illustrate
Make clear by giving an example, e.g.,
a figure, diagram or concrete example.
Interpret
Translate, give examples of, solve, or
comment on a subject, usually making
a judgment on it.
Justify
Prove or give reasons for decisions or
conclusions.
List
Present an itemized series or
tabulation. Be concise. Point form is
often acceptable.
Outline
This is an organized description. Give
a general overview, stating main and
supporting ideas. Use headings and
sub-headings, usually in point form.
Omit minor details.
Prove
Establish that something is true by
citing evidence or giving clear logical
reasons.
Recommend Propose an appropriate solution or
course of action based on an
evaluation or analysis of a scenario.
Relate
Show how things are connected with
each other or how one causes another,
correlates with another, or is like
another.
Review
Examine a subject critically, analyzing
and commenting on the important
statements to be made about it.
State
Clearly provide a position based on an
evaluation, e.g., Agree/Disagree,
Correct/Incorrect, Yes/No. (Also
Indicate)
Summarize Give the main points or facts in
condensed form, like the summary of a
chapter, omitting details and
illustrations.
Trace
In narrative form, describe progress,
development, or historical events from
some point of origin.

CGA-CANADA
ADVANCED EXTERNAL AUDITING [AU2] EXAMINATION
June 2015
SUGGESTED SOLUTIONS
Marks
30

Time: 4 Hours
Question 1
Note:
11/2 marks each

Sources:
a.

4) Topic 4.6 (Level 1)

b. 3) Topic 2.5 (Level 1)

c.

4) Topic 2.5 (Level 1)

d. 3) Topic 2.4 (Level 1)

e.

4) Topic 9.10 (Level 2)

f.

3) Topics 7.1 and 7.2 (Level 1)

g. 1) Topic 8.3 (Level 1)

h. 1) Topic 5.7 (Level 2)
i.

4) Topic 5.5 (Level 1)

j.

2) Topic 3.3 (Level 1)

k. 3) Topic 4.6 (Level 1)

l.

2) Topic 9.5 (Level 1)

m. 4) Topic 6.2 (Level 2)

n. 2) Topic 10.5 (Level 1)
o. 2) Topics 7.4 and 8.3 (Level 1)
p. 1) Topic 1.1 (Level 1)
q. 1) Topic 7.1 (Level 1)
r.

4) Topic 1.6 (Level 1)

s.

2) Topic 10.2 (Level 1)

t.

3) Topic 3.3 (Level 1)

Continued
SAU2J15

CGA-Canada, 2015

Page 1 of 8

18

Question 2
Source: (a) Topic 1.6 (Level 1); (b) Topics 1.2 and 7.2 (Level 1); (c) Topic 6.4 (Level 1); (d) Topic 9.10
(Level 2); (e) Topic 1.6 (Level 1); (f) Topic 9.1 (Level 1); CGA-Canadas Code of Ethical Principles and
Rules of Conduct (CEPROC)
3

a.

b. Violation. Raj has violated generally accepted auditing standards because his dismissal of the
environmental issues ignores the potential for material financial statement effects of his clients
alleged illegal activities. Although the CGAs responsibility to detect illegal acts by a client is limited,
Raj has knowledge of possible illegal acts, so to comply with standards he must investigate them. The
reasoning is that illegal acts could have a material effect on the financial statements. If the illegal
activity were discovered and prosecuted by the authorities in the future, it could result in a large fine,
which creates a contingent liability. This may require the actual accrual or perhaps footnote disclosure
of a contingent liability. In addition, given this knowledge, standards require the auditor to assess the
inherent risk of illegal acts, and if the risk is deemed to be other than low, to perform additional audit
procedures. Raj instructed his audit senior not to do so.

c.

d. Violation. It is appropriate for Masood to assist the client in preparing a forecast for inclusion in a
prospectus. However, it is inappropriate for Masood to express an opinion on the forecasted financial
statements. The fact that he stated that he expressed no opinion on the likelihood of the forecast being
achieved may or may not be an appropriate qualifier to put into the report, but in any event it is not
sufficient. Rather than giving an opinion that the amounts are fairly stated, the report should have
stated that in his opinion the assumptions used in the forecast are suitably supported, consistent with
the plans of the company, and provide a reasonable basis for the forecast; that the forecast relates to
the stated assumptions; and that the forecast complies with disclosure and presentation standards for
such forecasts.

e.

Violation. Zoltans actions regarding the provision of systems design to the client is not a violation of
standards. If the company was publicly listed, the systems design work would be a violation but since
the company is closely held, it is not. The fact that the fee was very large relative to Zoltans normal
audit fee is, of itself, not an issue. However, Zoltans acceptance of the paid honeymoon to Jamaica is
a clear violation. Zoltan has impaired his independence the trip creates a serious familiarity threat
to Zoltans independence, both in fact and in appearance.

f.

Violation. Thomas has violated the standards for performing review engagements. He has failed to
properly plan the engagement and has not obtained sufficient appropriate evidence on which to base
his conclusion. While Thomas may feel confident because of his ongoing association with
Tong Lu Music, to comply with the standards, he must assess engagement risk, obtain at least a basic
understanding of the clients accounting system, and obtain sufficient appropriate evidence by means
of enquiry, discussion, and analysis. Thomas may have done sufficient analysis, but even if the results
were in line with expectations, it is not appropriate to dispense with the other evidence-gathering
techniques. Thomass marking each page of the reviewed financial statements as Unaudited was
correct.
Continued

SAU2J15

Violation. June is not violating any standards by being a partner in a CGA firm and, at the same time,
owning a store. It is acceptable for Junes firm to compile the financial statements as long as there is
disclosure of the lack of independence, and it is also acceptable to prepare the tax returns for the store.
However, CEPROC requires that the two businesses be kept separate and it is not appropriate for June
to advertise her professional qualifications as a CGA in the store.

No violation. Afton is correct. Auditing standards state that after the audit report date, there should not
be any changes to the audit documentation. It would be acceptable if the changes were administrative
such as obtaining original copies of confirmations when only e-mails were available earlier, or
re-organizing electronic files so that working papers are organized more effectively. The standards
also state that there can be no deletions or removals from the audit file until the end of its retention
period (a minimum of five years).

CGA-Canada, 2015

Page 2 of 8

16

Question 3
Source: (a) Topic 8.1 (Level 1); (b) Topic 8.7 (Level 1); (c) Topic 8.2 (Level 1); (d) Topic 1.2 (Level 1);
(e) Topic 6.1 (Level 2); (f) Topic 6.3 (Level 1) and Topic 6.7 (Level 2); (g) Topic 7.4 (Level 1);
(h) Topic 10.4 (Level 1)
2

a.

Disagree. While a subsequent event that requires a material adjustment to the financial statements
should result in management adjusting the financial statements, the appropriate course of action for
the auditor is to do a subsequent event review for the specific item only and double-date the auditors
report. The first date will be the completion of fieldwork and the second date will be the date of the
completion of the review pertaining to the subsequent event.

b. Disagree. Before assessing control risk as low, the auditor must perform tests of the control system to
confirm or disconfirm the representations of the owner-manager. Small businesses usually have weak
controls due to the small number of employees and management override control.

c.

d. Agree. While the Macdonald Report suggests that communication with the public would help to
reduce the gap, it says that the expectation gap is also made up of the standards gap, which represents
the difference between the public expectation of audits and what is currently required of auditors by
their professional standards, and the performance/information gap, which represents the difference
between what the present professional standards require and the publics perception of actual auditor
performance. Efforts are needed in all three areas to address the expectation gap.

e.

Disagree. If the client conducts its business using EDI, it usually means that documentation may not
exist in hard copy form. This will likely impair the auditors ability to inspect a clients records and
vouch transactions to source documents, but it will have little impact on the use of confirmations to
gather audit evidence.

f.

Disagree. The auditors responsibility to assess control risk is no different in the audit of a company
engaged in e-commerce. Even if the website has received a security seal from a reputable
organization, the auditor is required by auditing standards to evaluate the design of the relevant
controls, verify their implementation, and test the operating effectiveness of the controls.

g. Disagree. Audit standards require that if the auditor does discover evidence of fraud during an audit, it
is appropriate to extend procedures related to any accounts that may be involved in the fraud.
Extending sampling procedures is not sufficient the auditor should examine all similar transactions
or accounts to determine the extent of the fraud.

h. Disagree. While it is true that the majority of companies worldwide are providing assurance reports
on corporate responsibility information, they generally opt for a limited level of assurance, resulting in
a negative opinion (similar to that of a review engagement). This is likely because corporate
responsibility reporting is not mandatory and the costs associated with obtaining a higher level of
assurance are prohibitive.

Disagree. If a different auditor audited the comparative figures the current auditor should state in an
other matters paragraph that a predecessor auditor audited the prior period financial statements. Also,
the other matter paragraph must include the type of opinion expressed by the predecessor auditor, and
the date of that report. In addition, the current auditor should investigate the prior periods financial
statements to determine what accounting principles were followed in that period and whether there has
been a change.

Continued
SAU2J15

CGA-Canada, 2015

Page 3 of 8

16

Question 4
Source: Topic 4.3 (Level 1)
10

a.

Three IT general control categories, and related objectives and policies/procedures that contribute to a
strong general control environment are:
Control Category

Control Objective

Control Procedure

Organization and
management controls

Private data is to be
accessible on a need-to-know
basis only

Provide job descriptions that clearly

identify the information individuals
need to access to effectively complete
their work.
Require that new access or changes to
access rights be approved by both the
employees manager and the human
resources manager; if the employee is in
the human resources area, approval is
required by the corporate controller.

Systems acquisition,
development and
maintenance controls

Changes to the secure

website are to be consistent
with organizational needs
and match the information
that is available from other
information systems (for
example, sales prices on the
website must match sales
prices in the accounting
software package).

Appropriate individuals are assigned to

approve changes to the website. For
example, the sales manager must approve
sales prices and product descriptions, the
corporate controller must approve other
financial information that is posted, and a
professional editor is paid to review all
material for grammar and clarity.

Operations and
information systems
support controls

The intranet and supporting

systems are to be accessible
during normal business
hours, with the sales and
inventory management
systems having the highest
priority.

The corporate controller is responsible for

ensuring that the backup and recovery
processes for these systems are kept
current and tested. The controller is to
coordinate with software and hardware
suppliers and check every quarter that
appropriate hardware and software that
have been arranged for backup and
recovery are still compatible with
organizational systems.

Note:
1 mark each for identifying each control category, 1 mark each for identifying a related control objective and 1 mark each for valid
examples of control policies or procedures to a maximum of 10 marks

Continued
SAU2J15

CGA-Canada, 2015

Page 4 of 8

b. Topic 5.1 (Level 1)

In general terms, access controls are controls that help to limit unauthorized access to resources or
assets of an organization. Logical access control refers to controls that prevent unauthorized
personnels ability to access information stored in the computer, either directly or from a remote
location. The risk of inadequate control over logical access relates particularly to unauthorized access
to information, often confidential information, stored in the system, or to malicious modification of
information or programs in the system. Physical access control refers to controls that prevent
unauthorized personnels ability to physically gain access to the computer installation. The risk of
inadequate control over physical access relates particularly to the risk of unintentional or intentional
damage to the installation itself or to access to the results of previous processing held in any storage
medium in the same locale as the installation. There is some overlap between the two concepts, but
they are distinct and there should be controls for each.
An example of a logical access control is requiring passwords for access to the computer system, and
ensuring that only authorized personnel know the password. A possible audit test would be for the
auditor to try to gain access to the system without a password.
An example of a physical access control is locating the IT installation in a separate, locked part of the
premises, and ensuring, through passcards or some sort of ID badging system, that only authorized
personnel may enter. An audit test would be for the auditor to observe the installation and note the
existence of a control over physical access (locked door, passcard system, and so on.)
Note:
1 mark for describing each category of access; 1 mark for an example of each type of access control, 1 mark for an audit test for
each type of control.

Continued

SAU2J15

CGA-Canada, 2015

Page 5 of 8

20

Question 5
Source: Topics 2.2, 2.4, 2.5, 3.1, 3.2, and 5.5 (level 1)
Note:
The major issues to be addressed and the allocation of marks are shown in these example memoranda. Candidates will provide different
solutions. A response will receive marks for addressing the requirements of the question in a reasoned, logical and professional manner.

a.

MEMORANDUM
CGA Firm
Date:
To:
From:
Re:

August 2, 2015
The audit team
Audit senior
Auditing in an IT environment

We will soon be commencing the audit of Xalto Ltd., and Susan has asked me to give you a brief
outline of what Xaltos information system means for us as auditors.
Note:
Maximum 1 mark for format/introduction

Notwithstanding that Xalto has a sophisticated IT system, it is important to remember that the
evidence we need does not change in an IT environment. Ultimately, we are still seeking evidence that
supports the assertions embedded in the financial statements in other words, existence, occurrence,
validity, and so on. The difference is that in this environment, the evidence exists in different forms
and we will need to employ different techniques to obtain the evidence.
Our approach to the collection of evidence regarding Xaltos internal control system will follow
essentially the same sequence in this audit as in any other. We will first obtain an understanding of the
relevant internal controls, evaluate their design effectiveness, assess control risk the risk that the
system will not prevent, or detect and correct, material misstatements and assess the resulting risk
of material misstatement. If we are satisfied that reliance can be placed on the internal control system,
we will design tests of controls to obtain evidence that the system functions as described.
In this environment, we will rely on what is known as system-oriented computer-assisted audit
techniques (CAATs) to obtain that evidence. These techniques allow us to interface with Xaltos IT
system to ascertain whether the system has controls in place to ensure that it captured and processed
information properly.
System-oriented CAATs are of two main types those that use the auditors data on the clients
system (called the test data approach) and those that use the clients data on the auditors system
(called integrated test facilities). Each has its advantages and disadvantages.
Using the test data approach, we will first identify the controls that are supposed to be in place to
ensure that data is processed correctly. For example, we understand from our review of the IT controls
in the purchases/accounts payable system that when an invoice from a supplier is entered into the
system, there are supposed to be checks on information items such as the suppliers identity, the
correct pricing of the invoice, the quantities of merchandise, and so on. We can create fictitious
transactions that contain deliberate errors in those items of information to make sure that the system
does in fact check those errors and will not process transactions that contain erroneous information.
We must be careful not to contaminate or damage the clients system by entering these fictitious
transactions, but with care, they can be a valuable tool for us to use to obtain evidence about whether
the IT system internal controls function as they are supposed to do.

Continued
SAU2J15

CGA-Canada, 2015

Page 6 of 8

Using the integrated test facility approach, we can actually observe how the client processes its own,
rather than fictitious, data. The integrated test facility is a program that essentially directs a duplicate
of the output of the processing of the clients transactions to a separate location (physical or virtual)
where the auditor can review it to see that the transactions were processed correctly. This is in some
ways stronger evidence in that it is better to see what did happen than what did not happen, and it also
has the advantage that there is no risk of corrupting the clients system with erroneous information. It
requires more knowledge on the part of the auditor in that he or she must be sure that the ITF program
is the same as the production program and that it is secure from any tampering by anyone outside the
audit team, but on a continuing engagement it has the real strength that it can allow us to observe a
sample of transaction processing from throughout the period of reliance, rather than simply at a point
in time, as is the case with the test data approach.
Regardless of the technique used to obtain information about the IT internal control system, we will
use the results to assess the strength of that system and plan our substantive tests of the related
financial statement balances.
Note:
Maximum 4 marks each for discussion of each type of CAAT. Marks awarded for other valid, relevant comments.

b.

MEMORANDUM
CGA Firm
Date:
To:
From:
Re:

July 31, 2015

CEO, Xalto Ltd.
Audit senior
The impact of business risk in the audit

My purpose in preparing this memo is to provide you with information to help you understand the
concept of the business risk-based approach to the audit of financial statements. It would be fair to say
that the auditors consideration of business risk-related factors influences, directly or indirectly,
everything that the auditor does in an audit of financial statements. My approach will be to start with
the broadest considerations and proceed to the more specific.
Note:
Maximum 1 mark for format/introduction

Auditors consider the different dimensions of risk in order to plan an efficient and effective audit.
Identifying areas of high risk allows them to target those areas where it is important to focus their
audit work to obtain sufficient evidence that the financial statement information is not materially
misstated. In general, identifying low-risk areas identifies areas where the auditors feel that there is
less likelihood of financial statement material misstatements. Resources, in the form of audit
personnel and audit time, can therefore be directed towards those areas identified as high risk. This is
beneficial for the client in that it means that audit resources are being used efficiently and it is
beneficial for the auditors in that it allows them to maximize the likelihood that they will identify any
areas of financial statement misstatement.

Continued

SAU2J15

CGA-Canada, 2015

Page 7 of 8

Business risk-based auditing is used to build a client profile in order to assess client business risk and
auditor business risk. In business risk-based auditing, the auditor focuses on auditing the business as
management operates it, from the top down. Client business risk can be characterized as the risk that
the client will fail to achieve its business objectives, leading to business failure. The reasons for that
failure may be external, such as broad economic factors or changes in technology eroding a clients
technological advantage, or internal, such as a clients failing to execute its strategies as well as its
competitors. The auditors consideration of this factor helps in planning where to focus audit effort
and what types of audit evidence to obtain to reduce the risk that the financial statements may be
materially misstated. A more concrete example may help: if one of the clients objectives is to
demonstrate consistent growth, and external economic factors threaten that objective, the auditor may
be concerned that the client may use improper sales revenue recognition techniques to inflate its
revenue numbers in order to achieve its objective. As a result, the auditor may focus more effort
towards collecting evidence that sales revenue was properly recognized and recorded.
An important feature of business risk-based auditing is the explicit consideration of the relationship
between different aspects of the business. The auditor can use knowledge of the client and the industry
to build expectations about financial statement items and relationships before assessing audit
objectives and preparing the audit plan.
Canadian auditing standards require that, in order to properly plan the audit of a business, the auditor
should obtain an understanding of such elements as the industry and regulatory environment in which
the business operates, its business operations and processes, including key objectives and strategies,
its ownership and governance structures, and the ways in which the performance of the entity is
measured. Consideration of all these elements allows the auditor to create a profile of the auditees
business that allows the auditor to consider whether the financial information reflects the expected
relationships and links between the systems in the clients business, again enhancing the efficiency
and effectiveness of the audit.
To return to the example of sales, sales also link into the supply system and other systems in the
business such as supply chain, industry, regulatory, internal quality control, and others. Understanding
these links creates a profile of the client and an understanding of the relationships and flows between
the systems. The auditor can assess whether the amounts in the financial statements are consistent
with the expectations that are implied by the relationships and flows between the systems.
This approach to auditing allows the auditor to focus his or her attention and effort during the audit
examination, by obtaining more evidence or more persuasive evidence in support of the information in
the financial statements and facilitates an efficient and effective audit.
Note:
Maximum 7 marks for discussion of client business risk and its impact on the audit approach. Marks awarded for other valid,
relevant comments.

Note:
3

The final 3 marks are allocated for clarity, logic, and persuasiveness.

END OF SOLUTIONS
100

SAU2J15

CGA-Canada, 2015

Page 8 of 8

CGA-CANADA
ADVANCED EXTERNAL AUDITING [AU2] EXAMINATION
June 2015
EXAMINERS COMMENTS

General Comments
Overall, performance on this examination was weaker than in recent sessions.
Areas in which responses were weak included the following:

Understanding the role of environmental/general controls in IT systems

Familiarity with applications of computer-assisted audit techniques for testing client internal control
Understanding the professional rules regarding acceptable professional activities and violations of
independence (what is, and especially what is not, a violation)
Practical audit implications of client business risk

Specific Comments
Question 1 Multiple choice (Levels 1 and 2)
Parts (d) and (h) had the weakest results.
Question 2 CEPROC/Auditing standards (Level 1)
Question 2 contained six independent situations involving possible violations of the CGA-Canada Code of
Ethical Principles and Rules of Conduct (CEPROC) and/or standards for the performance of audits,
reviews, other forms of assurance engagements, and/or related services. The candidates were asked to
identify and discuss violations, if any. The following topic areas were covered:

a.

Advertising and referrals

Auditor responsibilities regarding audit working papers
Auditor responsibilities regarding forecasts
Auditor independence
GARS
Many candidates did not consider advertising to be a violation. Most candidates correctly identified
that the compilation was not a violation.

b. Most candidates correctly identified this as a violation on Rajs part.

c.

A majority of candidates recognized that it was not appropriate to revise the working papers,
electronic or not, but a significant number missed this.

d. Many candidates saw the violation as one of independence, a self-review threat, for doing the audit
and/or for being involved in the forecast. Some candidates realized that the problem was with the
format of the reporting.
e.

Many candidates saw all or almost all of the stated facts (the tax preparation, the IT work, the fee) as
violations, as well as the acceptance of the gift. There were also a few who did not feel that accepting
the gift was a violation.

f.

Many candidates saw the violation as one of independence, a self-review threat, and missed the point
that the review was insufficient and a violation of GARS. Some did catch this point.

Continued
AU2J15

CGA-Canada, 2015

Question 3 Auditing issues (Level 1)

This question required the candidates to agree or disagree with independent statements concerning
auditing issues and explain their reasoning.
a.

Most candidates identified this as a Type I subsequent event requiring financial statement adjustment,
but most did not know the correct procedure for double-dating the audit report.

b. Many candidates saw this as sufficient. This is clearly not acceptable under GAAS.
c.

Many candidates responded that the new auditor needed to obtain and review the predecessor
auditors working papers (to ensure that the previous auditor did a competent job). However, working
papers are an auditors proprietary information. The auditor would not be willing to hand them over to
another auditor and is not required to do so in a change of auditor situation.

d. Most candidates correctly identified this as the expectation gap.

e.

Many candidates answered this correctly, but some did not seem to be familiar with a confirmation.

f.

Most candidates realized that a security seal was not a substitute for internal control testing.

g. Most candidates felt that continuing sampling was appropriate. The auditor should stop sampling and
do 100% testing at this point.
h. Many candidates showed a basic understanding that this was not the normal procedure for the
client/auditor to undertake.
Question 4 CAATs for system testing of client internal control (Level 1)
a. This part was answered well by some candidates but poorly by others. It required candidates to
identify three general/environmental controls in an IT system and an objective and procedure for each.
This was straight from the course notes. Many candidates did not know the categories of
general/environmental controls, nor related objectives and audit procedures.
b. This part required candidates to identify two categories of access controls. Some candidates identified
physical and logical access controls correctly, but some students were unable to do so.
Question 5 Case question (Levels 1 and 2)
a. This part was answered well by some but poorly by many. Some candidates wrote everything they
could think of related to business risk, inherent risk, control risk, detective risk, and an assortment of
other factors. Some candidates mentioned test data and ITF (which were identified in the case) but
they were confused between the two of them, or they discussed substantive testing.
b. This part required a memo to the client CEO regarding business risk and its effect on audit planning.
Beyond saying that increased business risk increases audit risk, answers tended to be weak in making
connections between considerations of business risk, and how the auditor actually plans and performs
the audit. A few candidates were able to discuss how specific areas of business risk translated into
specific plans for the audit.

AU2J15

CGA-Canada, 2015