Chapters 1 & 2

Definition of auditing
Auditing is the accumulation and evaluation of evidence
about information to determine and report on the degree of
correspondence between the information and established
criteria. Auditing should be done by a competent,
independent person who observes due professional care.

We realize the following from the above
definition:
The auditor's final result is to judge the degree of
correspondence between the information and
established criteria. The information is mainly
the financial statements and their related notes.
Established criteria are the accounting
standards used, such as International Financial
Reporting Standards (IFRS) or US GAAP.

The auditor cannot always be expected to
audit every single transaction for the client, as
this may be prohibitive in terms of time and
cost. Therefore the auditor analyses the
client's risks and plans and executes an audit
program that includes accumulation of
evidence and testing and evaluating it to arrive
at the desired conclusion.
The conclusion of the auditor's work is then
formally stated in the auditor's report.

Three things must be possessed by the
auditor. First, he should be competent (in
terms of having university degrees,
professional certificates, practice
experience, and continuous education on
contemporary issues). Second, he should
be independent from the client. Third, he
should apply due professional care when
performing the audit and when writing the
report.

Services that can be provided by
audit firms:
Assurance services: which include a first party (audit
firm) issuing a report on a second party (ex. the client) to
a third party (ex. The shareholders or a regulatory party).
These services include:
Audit of historical financial statements.
Review of historical financial statements.
Audit of prospective financial statements.
Review of prospective financial statements.
Forensic (fraud) auditing.
Reporting on internal control effectiveness.
Reporting on compliance with financial regulations.

Non-assurance services: which include a first
party (audit firm) providing a service to a second
party (the client). These services include:
Assistance in preparing financial statements.
Tax consulting
Other managerial consulting, such as designing
an accounting information system, internal
auditing, or valuation services.

General information about audit
firms:

Audit firms may be of different sizes. There are:
Small audit firms that can include only one or two practicing
auditors. These are the majority but usually deal with very small
clients.
Small audit firms with few auditors.
National audit firms who practice only in one country.
Regional audit firms who practice in a region of countries.
International audit firms, who include the Big Four firms and other
international firms.
The Big Four audit firms are PricewaterhouseCoopers, Deloitte,
Ernst & Young, and KPMG. Other international firms include Grant
Thornton and BDO.

Traditionally audit firms operated as
partnerships. This gives them some secrecy
about their financial affairs, but unlimited liability
for their partners. However, some services are
currently provided on a limited liability basis.
Audit firms have different hierarchies, but in
general, the lowest rank is a junior, then there
are seniors, managers, and partners,
respectively.

International Standards on Auditing (ISA)
is the title of auditing standards issued by
the International Federation of
Accountants (IFAC) (through the
International Auditing and Assurance
Standards Board IAASB), and required in
many countries, including Jordan.

Generally Accepted Auditing
Standards (GAAS)
These are general guidelines for audit practice in the
USA. Much more detail is provided in detailed auditing
standards. These guidelines include ten issues grouped
into three groups:
General standards: about competence, independence,
and due professional care.
Field Work standards: about planning the audit,
analyzing the client's risks, accumulation and evaluating
evidence, and other issues on execution of the audit
program.
Reporting standards: about the content of the audit
report.
For more detail, see table 2-3 page 55.

Quality control:

This means methods used to ensure that the audit firm meets its
professional responsibilities to clients and others. Main issues a
quality control program contains include:
Leadership responsibilities for quality within the firm.
Compliance with relevant ethical requirements.
Policies and procedures for acceptance and continuation of clients
and engagements.
Policies and procedures for human resources.
Policies and procedures for engagement performance.
Policies and procedures for monitoring effective application of other
quality control elements.
See table 2-4 page 60 for additional detail on quality control issues.

In addition, audit firms frequently apply
peer review, with one partner reviewing
the work of another partner to ensure that
it is up to the required quality of
performance level.

Chapter 3
Audit reports

The standard unqualified audit report
(unmodified report according to ISA):

The AICPA standard unqualified audit
report includes eight parts:
The report title: which includes mentioning
that the report is about an audit and that
the auditor is independent.
Audit report address: which is usually to
the shareholders or the board of directors
of the client (but not to the client's
management !!).

Introductory paragraph: which includes two general
items: the fact that there was an audit and the items
that were audited (financial statements and related
notes)
Management responsibility paragraph: which includes
the nature of the management's responsibilities
regarding the audit. Management's responsibilities
include selecting appropriate accounting policies, using
reasonable accounting estimates, and maintaining an
effective internal control system over financial
reporting.

Auditor's responsibility paragraph: which includes that
the auditor's responsibilities are to express an opinion
on the audited financial statements that is based on
the audit, the mentioning of the audit standards used,
a summary of their requirements, and the fact that the
opinion is based on the audit being performed.
Opinion paragraph: which includes the opinion on the
fairness of presentation of the financial statements and
their conformity with the required accounting
standards.

The name of the audit firm and/or the
related audit partner responsible for the
audit.
Report date: which is the date the auditor
completed the audit procedures in the
field.

An example of the standard unqualified
audit report is on page 69, while an
example of the standard unqualified audit
report as per the International Standards
on Auditing (ISA) can be attached to this
summary. The ISA report is very similar to
the AICPA report.

Note: For many large USA companies, the audit
is now required to report on two issues:
The freedom of the financial statements from
material misstatements.
The effectiveness of the company's internal
control.
The report discussed above and the ISA report
concentrate only on the first point.

Unqualified report with
explanatory paragraph
This type of report can be used when the auditor
does not qualify his opinion, but nevertheless
wants to emphasize a matter in the report. There
might even be more than one matter to
emphasize in more than one explanatory
paragraph.
The explanatory paragraph is added after the
opinion paragraph, since it does not affect the
opinion, which is unqualified.
Note: Explanatory paragraphs may also be
added to other types of reports (not only
unqualified reports).

Main reasons that may require the addition of an
explanatory paragraph:
Lack of consistent application of accounting standards:
such as lack of consistency with inventory valuation
methods or depreciation methods.
Auditor agrees with the departure from accounting
standards.
The existence of significant related party transactions.
Important events occurring after the balance sheet date.

Accounting matter affecting the comparability of
financial statements with those of the preceding
year.
Material uncertainties disclosed in the
footnotes.
Substantial doubt about going concern: such as
recurring losses, recurring negative operating
cash flows, and inability to repay debt on time.
The latter is emphasized in ISA as very important
and definitely needs an emphasis of a matter
paragraph.

Reports involving other auditors:


If there were other audit firms involved in auditing part of
the financial statements, and the auditor wanted to
mention that, the standard unqualified report paragraphs
are modified to accommodate this issue. The
introductory paragraph includes mentioning what part
was audited by other auditors, while the scope
paragraph includes that the opinion is based on the
audits of both the main auditor and the other auditors.
The main auditor may qualify the report if he cannot
adequately judge the quality of the work done by the
other auditor, or the other auditor qualified his own report
on the portion he is responsible for.
See page 77 for an example report.

Materiality and the audit report


In the context of audit reports, materiality
means:
A misstatement in the financial statements
can be considered material if knowledge
of the misstatement will affect a decision
of a reasonable user of the statements.

Materiality is not defined in US GAAS or in ISA
and is a matter of personal judgment by the
auditor, who carries the responsibility for
materiality decisions. Materiality can be
Quantitative: such as a percentage of a given
number (ex. Total assets, net income, sales).
Qualitative: relating to the nature of the item
rather than its amount.

As regarding audit reports


The departure from accounting standards
or the scope restriction is immaterial: It is
unlikely to affect the decision of a
reasonable user.

The departure from accounting
standards or the scope restriction is
material: It is likely to affect some
decisions or some reasonable users and
affect part of the financial statements
and their related notes, without
overshadowing the fair presentation of
the financial statements as a whole.

The departure from accounting
standards or the scope restriction is very
material or pervasive: it is likely to affect
decisions of all users and be important
and overshadow the fair presentation of
the financial statements as a whole.

Scope restriction
Scope restriction means that the auditor, after
fulfilling his professional responsibilities and due
professional care, cannot judge part of the
financial statements as to whether or not it
contains material misstatements. Scope
restriction may be imposed by the client or be a
result of the circumstances of the audit.
If the scope restriction is immaterial the auditor
issues a standard unqualified opinion. He does
not mention the scope restriction in his report.

If the scope restriction is material the auditor
issues a qualified opinion. The introductory
paragraph is not changed, and the auditor's
responsibilities paragraph includes that the
auditing standards were followed except in the
restricted portion of the financial statements or
their notes. After that, a paragraph or more is/are
added to illustrate the scope restriction. The
opinion paragraph states that except for the
matters illustrated in the added paragraph before
it, in case they include material misstatements,
the financial statements present fairly etc.

If the scope restriction is very material or pervasive the
auditor issues a disclaimer of opinion report. The
introductory paragraph starts with "we were engaged to
audit" rather than "we have audited", and the auditor's
responsibilities paragraph is partially eliminated (since
there was no actual audit). After that, a paragraph or
more is/are added to illustrate the scope restriction. The
opinion paragraph states that due to the very material
scope restriction stated in the above paragraph, the
auditor is unable to express an opinion on the financial
statements, and therefore he does not express it.

See example reports page 83-84.


Note: In the USA, lack of independence by
members of the audit team leads to a
disclaimer of opinion, regardless of the
quality of the financial statements and
their notes.

Departure from accounting
standards
Departure from accounting standards
means that the client has committed
accounting errors and that the financial
statements contain material misstatements
(whether related to error or fraud).
If the misstatements are immaterial the
auditor issues a standard unqualified
opinion, he does not mention the
misstatements in his report.

If the misstatements are material the auditor
issues a qualified opinion. The introductory and
responsibility paragraphs are unchanged. He
then adds a paragraph or more to report the
material misstatements (and the correct
treatment that should have been made, if
possible). The opinion paragraph states that
except for the misstatements referred to in the
above paragraph, the financial statements
present fairly etc.

If the misstatements are very material or
pervasive the auditor issues an adverse opinion.
The introductory and responsibility paragraphs
are unchanged. He then adds a paragraph or
more to report the very material misstatements
(and the correct treatment that should have
been made, if possible). The opinion paragraph
states that because of the misstatements referred
to in the above paragraph, the financial
statements do not present fairly etc.

See example reports page 84-85


See table 3-2 page 86 for a summary.

Chapter 5: Professional Ethics


Independence
Independence is important for the auditor in
order to enhance the credibility of the audit.
In order to be independent, an auditor
should be
Independent of mind: He should be independent and
free from bias in his attitude (independent in fact).
Independent in appearance: He should be seen and
perceived by the public as being independent.

The following issues are likely to have a positive or
negative effect on auditor independence:
1) Nonaudit services: Nonaudit services include
accounting, management information system services,
internal audit, valuation of some financial statement
items, etc. The provision of nonaudit services to audit
clients is useful because the auditor is the one who
knows more about the client, compared to external
consultants. However, the provision of nonaudit services
is considered to have a negative effect on auditor
independence because:

A-The auditor probably receives relatively
high fees for consulting (compared to
auditing), and may impair his
independence so that he does not lose the
consulting income.
B-The auditor will probably be in a situation
to audit something he has consulted the
client on, and may be reluctant to say that
he was wrong.

An issue related to nonaudit services is
shopping for audit principles, where an
auditor may be hired by a client because
he gave the client a desired accounting
treatment. The auditor may later find out
that he was wrong and be reluctant to act
correctly since he was hired in place of
another auditor based on that opinion.

2- Audit committees: An audit committee is
usually made from a number of non-executive
members of the board of directors of a client. It
has several duties including mediating between
the management and the auditor on accounting
disagreements. Its presence and effectiveness is
therefore positive for the external audit function,
as it strengthens the position of the auditor in
cases of conflicts with management of the client.

In the USA, in some cases the audit committee
should be comprised of financially literate
individuals, and one at least being a financial
expert. Also, the responsibility of hiring, firing,
and determining fees of auditors is given to the
audit committee. This is likely to be positive for
auditor independence, as the auditor is
appointed by the audit committee, but audits on
the executive management, which is entirely a
different party.

3- Conflicts arising from employment
relationships: In general, it is bad for
auditor independence if a high-rank audit
officer takes a high position at a client, or a
high rank client officer takes a high position
at the audit firm. The audit by this audit firm
of that client may have to stop for a year or
more in order to regain some independence.

4- Partner rotation: This means changing the
partner (and audit team) responsible for the
audit of a particular client from time to time (in
Jordan four years for public listed clients). This is
good for independence since the long-term
relations' effects are reduced. However, it may
be more costly (the new team needs to incur
more costs to study the client and plan the
audit).

5- Ownership interests: Auditor
independence is negatively affected if
there is a financial relation between the
auditor team members (or their close
relatives) and the client (such as an
investment in shares or bonds). This may
make the auditor reluctant to report the
truth about the client if it was bad news in
order not to harm the financial interest.

Other rules of conduct:


1) Integrity and objectivity: The auditor
should maintain integrity and objectivity in
performing the audit, and should be free of
conflicts of interest and not knowingly
misrepresent facts.
2) Technical standards: The auditor should
follow the required auditing standards.

3) Confidentiality: The auditor should keep any information
he knows about the client confidential and not disclose it
to any party. Some exceptions to this rule include:
A-If auditing standards require him to disclose the
information (such as the audit report).
B-Under authorized peer review.
C-If he is called as witness in court.
D-If he is charged with inadequate technical performance
and wants to defend himself.

4) Contingent fees: An auditor must not
accept fees that are contingent on the
outcome of the audit (such as the type of
report issued). This is bad for his
independence as he may be inclined to
produce the outcome that gives him the
highest fees.

5- Discreditable acts: The auditor should not
engage in acts that are discreditable to the audit
profession. These include retention of the
client's records, discrimination and harassment
in employment practices, negligence in
performing the audit, disclosure of CPA
examination questions and answers, etc.

5) Advertising and solicitation: The auditor
should not engage in advertising or solicitation
that:
A-Includes false, misleading, or deceptive
information.
B-Uses coercion, overreaching, or harassment.
C-Insults competitors.
D-Includes scenes that are impolite or otherwise
discredit the profession.

6) Commission and referral fees: The
auditor should not receive from audit
clients commissions or referral fees to
either:
recommend a client's product or service to
a third party, or
recommend a third party's product or
service to a client.

7) Form of organization and name: While
non-auditors (such as legal and other
experts) may be sometimes allowed to be
owners in an audit firm, they must not
carry ultimate responsibility for the
financial statements' audit or call
themselves auditors.

Chapter 6: Audit responsibilities and objectives

The objective of the ordinary audit of financial
statements by the independent auditor is the
expression of an opinion on the fairness with
which they present, in all material respects,
financial position, results of operations, and cash
flows in conformity with required accounting
standards. This is expected to enhance the
confidence of intended users in the financial
statements.

The responsibility for adopting sound
accounting policies, maintaining adequate
internal control, and making fair
representations in the financial statements
rests with management rather than the
auditor.

The auditor has a responsibility to plan and perform the
audit to obtain reasonable assurance about whether the
financial statements are free of material misstatement,
whether caused by error or fraud. Because of the nature
of audit evidence and the characteristics of fraud, the
auditor is able to obtain reasonable, but not absolute,
assurance that material misstatements are detected. The
auditor has no responsibility to plan and perform the
audit to obtain reasonable assurance that
misstatements, whether caused by errors or fraud, that
are not material to the financial statements are detected.

The auditor is responsible for reasonable, but not absolute,
assurance for several reasons:
Most audit evidence is based on sampling, so some
misstatements may occur in the not sampled part.
Audit evidence is persuasive, rather than conclusive.
Accounting treatments include a large portion of
estimation and personal judgment.
Fraudulent financial statements may be so well
prepared that normal audit practices may be unable to
discover the fraud, especially when collusion occurs between
several perpetrators.

Errors are unintentional, while fraud is
intentional. Fraud may include
misappropriation of assets, fraudulent
financial statements, or a mix of both.

The audit must be designed to provide reasonable
assurance of detecting both material errors and fraud.
The auditor must plan and perform the audit with an
attitude of professional skepticism in all aspects of the
engagement. Professional skepticism is an attitude
that includes a questioning mind and a critical
assessment of audit evidence. Auditors should not
assume that management is dishonest, but the
possibility of dishonesty must be considered. At the
same time, auditors should not assume that
management is unquestionably honest.

Six suggested characteristics of skepticism:


1- Questioning mindset
2- Suspension of judgement until
appropriate evidence is obtained.
3- Search for knowledge
4- Interpersonal understanding
5- Autonomy
6- Self-esteem

When auditors find something suspicious or
a fraud risk factor, they must increase their
audit work on that issue until they discover
the fraud or get assured that there is no
fraud. If they still cannot detect the fraud,
they may use the services of forensic
auditors.

If auditors know about the existence of a fraud,
they should report it to the managerial level
higher than that where it was committed. If
management is involved in the fraud, the
auditors should write to those charged with
governance (such as the audit committee and
the board of directors). If even these parties are
involved in the fraud, the auditor should seek
legal advice on what to do to report the fraud
outside the client.

Management assertions and audit objectives


Management gives the auditor assertions about:
transactions and events for the period under
audit
account balances at period-end.
Presentation and disclosure.

Issues involved in such transactions include:


1- Occurrence/existence: Recorded transactions
have actually occurred and recorded balances
actually exist, and disclosed issues have
occurred.
2- Completeness: All transactions and accounts
and disclosures that should be included in the
financial statements are actually included.

3- Accuracy/valuation/allocation: All amounts
recorded for transactions and balances
and disclosures are valued accurately and
in conformity with accounting standards.
4- Classification: Transactions and balances
and disclosures are classified properly in
the financial statements.

5- Cutoff: Transactions are recorded in the
proper accounting period.
6- Rights and obligations: The client actually
has rights to the assets and is obliged to
pay the liabilities.
7- Understandability: Disclosures are
understandable.

The auditor then plans his audit objectives
(whether general or specific) to ensure
that these assertions are correct.

Chapter 7: Audit evidence

Audit evidence is any information used by the auditor to determine
whether the information being audited is stated in accordance with
the established criteria.

Auditors use various types of evidence. Some are generated by the
auditor, some by the client, and some by third parties. The evidence
is expected to provide high levels of assurance about the
conclusions, which generally are one of several alternative types of
audit reports. The consequences of incorrect decisions from
evidence include users of audited financial statements making
incorrect decisions, and the possibility of the auditor being sued.

Major audit evidence
decisions:
Deciding on the audit procedures to use:
This includes the types of audit evidence to
be collected and the audit tests to be
performed on them.
Deciding on the sample size: This includes
what quantity of each type of evidence to be
collected and tests to be performed. There
are many ways of selecting sample types and
sizes.

Deciding on the items to select: This includes what
the components of each sample should consist of. For
example, if we are selecting a sample of accounts
receivable, should we select randomly, or select only
overdue accounts, or select the largest balances.
Deciding on the timing of audit procedures: This
includes deciding when to perform a procedure. An
auditor may find it less costly if he can distribute the
evidence procedures over the year rather than doing
all of them near the year-end. This depends on his
previous risk analysis of the client and how much he
trusts the internal controls of the client.

Deciding on the individuals to perform the
procedures: This includes deciding on the
required ranks and experiences of the audit
firm employees involved in performing the
audit evidence procedures, and evaluating the
need for external experts.

Persuasiveness of evidence:

Audit evidence, due to its nature, is generally considered
persuasive, rather than conclusive. To be persuasive, audit
evidence should be appropriate (in terms of quality) and
sufficient (in terms of quantity).
To be appropriate, audit evidence should be relevant and
reliable. Being relevant means that the audit evidence
should relate to fulfilling the audit objective the auditor is
testing. Being reliable means that the audit evidence can be
believable or worthy of trust. The following general
guidelines are useful in understanding reliability of audit
evidence:

Evidence is generally considered higher in reliability
(compared to the opposite case) if:
1- The provider of evidence is independent from the
client.
2- The client's internal controls are effective.
3- The auditor collects the evidence personally
4- The provider of information is qualified.
5- The evidence is objective (does not require
considerable personal judgement).
6- The evidence is timely obtained.

To be sufficient, audit evidence should be
of a quantity that enables the auditor to
perform reliable tests and therefore make
reliable conclusions. A very important
issue here is the sample size.

Types of audit evidence


1- Physical Examination:
This means the inspection or count by the auditor of a
tangible asset. Main assets in this category include cash,
inventory, and fixed assets.
Physical examination is considered reliable in that the
auditor collects the evidence by himself, and that it can
be used to test the existence objective. However, it fails
to test the rights objective (whether the asset is owned or
controlled by the client) and the valuation (including the
condition and possible impairment) objective for the
asset.

2- Confirmation:

This includes the receipt of a direct written
response by an independent third party
verifying the accuracy of information
requested by the auditor. The auditor
generally has to have the acceptance of
the client before contacting many third
parties (lack of this acceptance is a scope
restriction).

Main types of third parties include accounts receivable,
accounts payables, banks and insurance companies,
clients of banks and insurance companies, lawyers, and
government agencies. Information verified may include
balances of accounts or other issues.
Confirmations are generally considered reliable because
of the independence of the provider of information
(clients should not control the sending or receiving of the
information), but they can be very costly and may cause
inconvenience to the individuals being asked.

Confirmations can be open or closed.


Open confirmations (those that require an
open answer) are more useful because the
respondent has to search for an answer,
but likely to generate a lower response
rate. Closed confirmations (those that
require ticking a box as an answer) are
less useful and less reliable, but likely to
generate a higher response rate.

3- Inspection:
This is the auditor's inspection of the client's documents and
records to substantiate the information that is, or should be,
included in the financial statements. There are too many
documents available for testing, and the auditor tests the
document itself and its relation to recorded figures and accounts.
Internal documents (those that have been prepared by the client
and never leaving the client) are considered less reliable than
external documents (those that have been prepared by the client
but seen by at least one external party, or have been prepared by
an external party).

4- Inquiries of the client:


This means obtaining written or oral information from the client in
response to questions from the auditor.
This type of information might sometimes be low in reliability
because it is being provided by the client's employees (possibly
lacks independence), but many types of information cannot be
collected in any other way. It is also useful to check the reliability of
other types of gathered information (as corroboration of evidence).
Inquiries of the client need many skills by the auditors for
interviewing individuals. Inquiries can be used for collecting
information, assessing information, and interrogating about
information.

5- Observation:

This is the use of senses to assess client
activities. Here the auditor may tour the
client's premises or watch employees while
performing their jobs.
The reliability of this method is high because
the auditor does it himself, but also low
because observed people may change their
behavior because of this knowledge.

6- Recalculation and reperformance:


Recalculation involves rechecking a sample of calculations made
by the client for arithmetic accuracy. Reperformance involves
independent tests by the auditor of the client's accounting
procedures or controls that were originally done as part of the
entity's accounting and internal control system. Therefore,
recalculation involves checking a computation, while
reperformance involves checking a procedure. Both types are
reliable because the auditor collects the evidence by himself, but
less reliable because the items checked may be poor due to poor
effectiveness of the internal control and accounting information
system of the client.

7- Analytical procedures:

Analytical procedures use comparisons
and relationships (including ratio analysis)
to assess whether account balances or
other data appear reasonable compared
to the auditor's expectations.

The main sources for auditor expectations are:


Client industry data and data of competitors.
Similar prior-period data for the client.
Client-determined expectations (such as budgets or
press releases).
Analyst forecasts.
Expected results using nonfinancial data.

Analytical procedures are mandatory in
the planning and client understanding
phase and in the final checking phase,
while they are optional (depending on their
reliability and the auditor's willingness to
use them) in the substantive testing
auditing phase.

Analytical procedures may help in the following issues:


Understanding the client's industry and business.
Assessing the client's ability to continue as a going
concern.
Indicating the presence of possible misstatements in the
financial statements (some unexplained numbers may
be observed and analyzed).
Reducing detailed audit tests (if the results of analytical
procedures were satisfactory and the internal control and
accounting information system producing the numbers
were effective).

Therefore, analytical procedures get
reliability from the fact that the auditor
does them himself, but this reliability is
weakened if the internal control and
accounting information system producing
the numbers were not effective.

Corroboration of evidence
In many cases, the use of one of the above audit
evidence types alone is not enough. Therefore, a piece
of evidence collected from a source is later checked by
collecting information related to it from other sources.
This may either confirm the previous information (if
results and conclusions are similar) or question it (if
results and conclusions are different).

Cost of evidence
As an audit firm aims for profit, it is
expected for it to try to cut cost. This is
considered acceptable as long as the
auditor does not compromise the quality of
the audit and the fulfillment of his
professional and legal responsibilities.

Audit documentation
Audit documentation is the principal
record of auditing procedures applied,
evidence obtained, and conclusions
reached by the auditor in conducting the
audit.

The purposes of audit documentation are:


A basis for planning the audit
A record of the evidence accumulated and the results of the
tests.
Data for determining the proper type of the audit report.
A basis for review by supervisors or partners who do not
perform detailed procedures of the audit.

The ownership of audit working papers rests with the audit firm, but
rules of confidentiality apply as there are client secrets in the
working papers.

CHAPTER EIGHT: Audit Planning


Client acceptance and continuance
A first step in an audit is to decide whether to accept a
new client, or to continue with an old client. This decision
should be made with care and under a quality control
system, and not every client should be accepted
regardless of any selection criteria.
A new client should be investigated regarding its
acceptability. This includes its standing in the business
community, financial stability, and its reputation.

In summary, a prospective client should be screened as
to:
The client's suitability for the audit firm: This includes the
nature of the client's business and whether the audit firm
wants to be involved with clients in this business, the
reputation of the client and its senior managers and
directors, and the client's financial stability.
The audit firm's suitability for the client: This includes the
audit firm's size and knowledge and experience, and its
independence from the client.

A main issue in the new client acceptance is that
the audit firm should communicate with the
client's predecessor auditor in order to evaluate
whether to accept the engagement. Issues that
may be considered here include reasons for the
predecessor auditor leaving the client, and
whether the client lacks integrity or had
accounting disputes with the predecessor
auditor.

Although the successor auditor is the one
responsible to initiate the communication
with the predecessor auditor, the latter
should seek permission from the client
before giving the information. However, if
the client refuses to give this permission,
the successor auditor will consider this as
a scope limitation and might decline to
accept the client.

In the case there was no predecessor
auditor, or the predecessor auditor does
not provide information, or if this
information shows potential problems, the
successor auditor may seek more
information from other sources before
making the acceptance or rejection
decision.

As for continuing clients, issues considered
before making the continuance decision
include conflicts over the scope of the audit,
disputes over accounting issues, lack of client's
integrity, the client having very high risks,
nonpayment of audit fees, or an assessment that
the previous fees were not sufficient and the
client is unwilling to increase them.

Obtaining an understanding with the client is
important before starting the audit in order to
reach an agreement between the audit firm
and the client on what is to be done. To
document this agreement, the auditor sends
to the client an engagement letter, asking
the client to sign it to confirm agreement with
its contents. The contents of the engagement
letter are likely to include the following:

The objectives of the engagement
The responsibilities of the auditor and the management
The limitations of the engagement
Restrictions imposed on the audit work, if any
Deadlines for completing the audit
Assistance to be provided by the client's personnel in
obtaining records and documents.
The amounts and method of payment of audit fees.

Having accepted the engagement, the
auditor now develops an audit strategy,
selects appropriate staff for the
engagement, and evaluates the need for
outside specialists.

Understanding the client's business and industry
A thorough understanding of the client's business and
industry and knowledge about the company's
operations are essential for the auditor to conduct
an adequate audit. The nature of the client's
business and industry affects client business risk
and the risk of material misstatements in the
financial statements. Recent changes in the clients'
businesses (such as globalization, information
technology, and the global financial crisis) increase
the importance of understanding the client's
business and industry.

The three most important external reasons
for understanding the client's industry and
environment are:

1- Some industries may be too risky and
therefore affect the auditor's assessment
of the client's business risk and its
acceptable audit risk. In some cases, audit
firms may consider some industries as too
risky to select clients from.

2- The auditor should be familiar with certain
inherent risks that affect all businesses in
the same industry (for example,
obsolescence in the clothes industry, or
problems with collecting accounts
receivable in the consumer loan industry).

3- Many industries (such as construction
companies and financial institutions) have
unique accounting requirements that the
auditor should understand to evaluate
whether the client's financial statements
are in accordance with the required
financial reporting standards.

As for internal issues the auditor is likely to
need to consider, these include:
1- Learning about the client's business
operations and processes, and possibly
touring the client's facilities and operations
to gain first-hand knowledge about some
risks the audit might face.

2- Identifying related parties. A related party is a party with
which the client deals, where one of the two sides can
influence the management or operating policies of the other
(such as a parent company, a member of the senior executive
management or the board of directors or their close relatives,
a major supplier or a major customer). Transactions with
related parties are not arm's-length transactions, and may
involve some accounting problems. The main issues to
consider here are whether the transactions are properly
accounted for and disclosed in accordance with required
accounting standards, and whether there is a significant risk
of fraud in collusion with a related party.

3- Learning about the management and corporate
governance systems in the company. The auditor
should evaluate management's philosophy and operating
style and its response to risks. In addition, the auditor
should evaluate the company's governance system,
including its organizational structure, the role of the board
of directors and the audit committee, and the role of other
corporate governance parties, such as the internal auditors
and the institutional investors. The codes of ethics and
minutes of meetings of the board of directors and executive
management and shareholders assembly may give an
indication of how the client is managed and governed.

4- Learning about the client's objectives and
strategies. A good client should have clear
objectives and have put clear and reasonable
strategies to achieve its objectives. Auditors
should in particular understand the client's
objectives regarding reliability of financial
reporting, effectiveness and efficiency of
operations, and compliance with laws and
regulations. Such issues help in assessing the
client's business risk.

5- Learning about the client's measurement
and performance system. This includes key
performance indicators that the client's
management uses to measure progress towards
its objectives. These measures can be financial
statement figures or other figures, such as
market share. Unreasonable indicators or those
tied to accounting figures must be treated with
care as they increase the risk of material
misstatements in the financial statements.

Having completed the above steps in
understanding the client's business and
industry, the auditor is ready to assess the
client's business risk, which is the risk that
the client will not achieve its objectives.
Failure to achieve objectives can turn into
a risk of material misstatements in the
financial statements, whether intentional
or unintentional.

After assessing the client's business risk,
the auditor performs preliminary analytical
procedures to better understand the
client's business and to assess the
possibility of material misstatements in the
financial statements. (This was discussed
earlier in chapter 7).

CHAPTER NINE: Materiality and Risk


Materiality
Materiality is the magnitude of an omission or
misstatement that, in the light of surrounding
circumstances, makes it probable that the
judgment of a reasonable person relying on the
information would have been changed or
influenced by the omission or misstatement.

The auditor starts by setting preliminary
judgement about materiality, then he allocates
this preliminary judgement to segments, then he
estimates the total misstatement in the segment
and estimates the combined misstatement.
Finally, he compares the combined estimate with
his preliminary or revised judgement about
materiality. Tolerable misstatement is the
amount of misstatement the auditor is willing to
tolerate (that is, to consider it immaterial).

Risk
The audit function includes some risk or uncertainty. A
popular method of dealing with risk is called the audit
risk model, which can be summarised as:
AAR = IR * CR * PDR
Where AAR stands for acceptable audit risk, IR for inherent
risk, CR for control risk, and PDR for planned detection
risk.

Audit risk is the risk that an unqualified
audit opinion is issued on the financial
statements, while in fact they contain
material misstatements.

Acceptable audit risk is the risk the auditor
is willing to accept that the financial
statements may be materially misstated
after the audit is completed and an
unqualified opinion has been issued. The
smaller the AAR is, the less willing the
auditor is to accept the risk of material
misstatements. This risk level is set by the
auditor after considering certain factors.

Inherent risk is the risk that the financial
statements may include material
misstatements due to the nature of the
company or the account(s) involved. The
auditor cannot affect inherent risk, but he
assesses it due to its effect on the
planning and conducting of the audit. The
higher the IR is, the more risky the audit
is.

Control risk is the risk that the financial
statements may include material misstatements
that will not be prevented or detected by the
client's internal control system on a timely
basis. The auditor cannot directly affect control
risk, but he assesses it due to its effect on the
planning and conducting of the audit. The
higher the CR is, the more risky the audit is.

Planned detection risk is the risk that the financial
statements may include material misstatements that will
not be detected by the auditor's own procedures (such
as evidence collection and testing). This risk is related to
the other three in the audit risk model, and is calculated
using the equation after determining the other three. It is
directly related to the amount of audit procedures to be
performed (such as evidence collection and testing), in
that the lower the PDR is, the more audit procedures
have to be performed, and vice versa.

Assessing Acceptable Audit Risk


Engagement risk is the risk that the auditor or audit firm will
suffer harm after the audit is finished, even though the audit
report was correct. If the client fails in achieving its
objectives or becomes bankrupt, the audit firm is likely to fall
in trouble even if the audit was of high quality. For example,
it may face numerous lawsuits and loss of reputation and
loss of clients. There is a relation between acceptable audit
risk and what likely negative consequences may happen to
the audit firm in case of such trouble. Therefore, to assess
AAR, the following issues are taken into consideration:

1- The degree to which external users rely on the
statements: AAR is generally lowered if external
users place heavy reliance on the financial
statements and the audit. External users are
significantly more likely to file lawsuits or cause
other damage to the audit firm's reputation than
internal users, who may themselves be a main
reason of the collapse of the client. The following
factors are likely to indicate the degree to which
financial statements are relied on by external users:

A- Size: In general, the larger the client's size, the more widely its
financial statements are used by external parties.
B- Distribution of ownership: The financial statements of publicly held
companies (especially when there are many small shareholders) are
generally more widely used by external parties than those of closely
held companies, such as those with a small number of large
investors, those with family ownership, or partnerships.
C- Nature and amount of liabilities: The more the client's liabilities are,
the more likely its financial statements will be used by external
creditors, such as banks, bondholders, and trade creditors.

2- The likelihood that a client will have financial
difficulties after the audit report is issued: When a
client goes bankrupt or has significant financial
problems after the audit is completed, the audit firm is
likely to face more challenges to the quality of its audit
(such as lawsuits). This will likely cause AAR to be set
at a lower level if the likelihood of the client's financial
difficulties is higher. Some indicators of a client's
financial difficulties include poor liquidity, continuing
losses, financing growth only by debt, taking high
risks, and poor competence of management.

3- The auditor's evaluation of management's
integrity: If the auditor considers that the
client's management lacks integrity, and still
accepts the engagement, he is likely to set
the AAR at a significantly low level.

Assessing Inherent Risk


The following factors may affect the auditor's
assessment of inherent risk:
1- Nature of the client's business: The more risky the
nature of the client's business is, the higher is IR.
2- Results of previous audits: An auditor may discover
some misstatements in previous audits of the client that
are likely to recur in future audits because they are
systematic and the client cannot, or has not done
something to, stop them. The more these types of
misstatements exist, the higher is IR.

3- Initial versus repeat engagements:
Having audited the client's financial
statements for several years, the audit firm
gains knowledge and experience about
the likelihood of occurrence of some
misstatements. Therefore, new clients
have a higher IR compared to old ones.

4- Related parties: IR is higher when there
are more related parties and more
transactions with them, because these are
generally more likely to include
misstatements due to the nature of the
relationship among the related parties.

5- Nonroutine transactions: Transactions that
are unusual for a client are more likely to be
incorrectly recorded than routine transactions
because the client often lacks experience
recording them. In addition, nonroutine
transactions may be questionable and may
contain some type of fraud concealment.
Therefore, the more and the larger nonroutine
transactions are, the larger is IR.

6- Judgment required to correctly record
account balances and transactions:
The more the financial reporting of the
client includes personal judgements and
estimates (such as allowances or fair
valuation), the higher is IR due to the
possible intentional and unintentional
material misstatements.

7- Makeup of the population: The makeup
of the population for some accounts or
transactions may affect IR. For example,
IR is higher for accounts receivable if a
larger percentage of them (in number or
amount) are overdue.

8- Factors related to fraudulent financial
reporting and misappropriation of
assets: The presence of fraud risk factors
increases the IR. (It also affects CR.)

Chapter Ten: Audits of Internal Control and Control Risk

Internal control has the following objectives:


Reliability of the financial reporting
process and outcomes.
Efficiency (in terms of cost and revenue)
and effectiveness (in terms of achieving
intended goals) of operations.
Ensuring compliance with laws and
regulations.

Internal control only provides reasonable (not
absolute) assurance about the fairness of
financial statements. Reasons include:
1- The cost-benefit relation: In general, the cost of
implementing an internal control system should
not exceed the expected benefit from it. This
means that some errors may still occur since the
benefit of preventing them may be less than the
cost of implementing the improved system.

2- The human factor: Internal control
systems are operated by humans. If
humans do not understand the system or
act carelessly, the system will not
operate effectively.
3- Collusion: The system may separate
several jobs to reduce the chance of
error or fraud. If employees collude to
beat the system, they might succeed.

COSO components of internal control
The COSO framework is one of the most
regarded frameworks used worldwide to
discuss effective internal control systems. It
has five components:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring

Control environment
The control environment consists of the actions, policies,
and procedures that reflect the overall attitudes of top
management, directors, and owners of an entity about
internal control and its importance to the entity. It has
several subcomponents:
1- Integrity and ethical values: Such as management's
actions to remove or reduce incentives and temptations
that might prompt personnel to engage in dishonest,
illegal, or unethical acts. It also includes communicating
entity values and behavioral standards to employees
through policy statements, codes of conduct, and by
example.

2- Commitment to competence: Management's
consideration of the competence levels for specific
jobs and how those levels translate into requisite
skills and knowledge.
3- Board of directors and audit committee
participation: The more effective this is, the
better is the internal control environment.
4- Management philosophy and operating style:
Such as the risk appetite, performance targets,
bureaucracy, etc., and their effects on internal
control.

5- Organizational structure: Controls should
be implemented taking into account the
entity's lines of responsibility and
authority.
6- Human resource policies and practices:
In areas of hiring, training, promoting,
compensating, dealing with personal
problems, etc.

Risk assessment
Risk assessment for financial reporting is
management's identification and analysis
of risks relevant to the preparation of
financial statements in conformity with
accounting standards. It is important to
evaluate the significance of the risk and its
likelihood of occurrence, and decide the
actions needed to address the risks.

Control activities
Control activities are policies and procedures
that help ensure that necessary actions are
taken to address risks facing the achievement of
the entity's objectives. They generally fall into
five categories:
Adequate separation of duties: Such as separation of
the duties of custody of assets and accounting,
authorization of actions and custody of related assets,
operational responsibility and record-keeping
responsibility, and information technology duties and
user departments.

Proper authorization of transactions and
activities: whether it is general authorization
or specific authorization for individual
actions.
Adequate documents and records: including
prenumbering similar documents
consecutively, preparing documents as
quickly as possible when transactions take
place, designing documents for multiple use,
and constructing documents in a manner
that encourages correct preparation.

Physical control over assets and records, such as
using safes, emergency alarms, and password
access.
Independent checks on performance: This is
important in order for the other four above-mentioned
categories to perform well and not be forgotten or
neglected. An internal auditing department is part of
this function, as may be forcing employees to take
vacations, during which they are replaced by others.

Information and communication


This includes maintaining an information
and communication system to initiate,
record, process, and report the entity's
transactions and to maintain accountability
for the related assets. Your accounting
information systems course is likely to give
you deeper information on this issue.

Monitoring
Monitoring activities deal with ongoing or
periodic assessment of the quality of internal
control by management to determine that
controls are operating as intended and that they
are modified as appropriate for changes in
conditions. Several sources of information are
used here, including studies of existing internal
controls, internal auditor reports, exception
reporting on control activities, reports by
regulators, feedback from operating personnel,
and complaints from customers.

See Table 10-2 (p. 320-321) for a
summary of COSO components of internal
control.

Obtaining and documenting understanding of internal control
An auditor starts by obtaining and
documenting understanding of internal
control design and operation. He then
assesses control risk, designs, performs,
and evaluates tests of controls, and finally
decides on planned detection risk and
substantive tests of details.

There are three types of methods used to
obtain and document the auditor's
understanding of the design of internal
control. These are:
Narrative: This is a written description of a client's
internal controls. It includes the origin of every
document and record in the system, all processing
that takes place, the disposition of every document
and record in the system, and an indication of the
controls relevant to the assessment of control risk.

Flowchart: This is a diagram of the client's
documents and their sequential flow in the
organization. It also includes the origin of every
document and record in the system, all processing
that takes place, the disposition of every document
and record in the system, and an indication of the
controls relevant to the assessment of control risk.
Questionnaire: This asks a series of questions
about the controls in each audit area as a means of
identifying internal control deficiencies.

It may be applicable to use more than one of
the above methods together to get a
clearer idea about the internal control
system and its actual application in the
client.

In addition to understanding the internal control
system, the auditor has to evaluate the system's
implementation. Some methods used here are:
Update and evaluate the auditor's previous
experience with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.

Assessing control risk


Having documented and initially formed a view on the
internal controls of the client, the auditor's next step is to
assess control risk. This is made in several steps:
1- Assess whether the financial statements are auditable
This includes assessing whether there are any very
significant issues that may make the financial statements
in general not auditable, such as very poor management
integrity, or very poor internal controls. In such cases, the
auditor may consider quitting this audit. If not, the
auditor proceeds to the next step.

2- Determine assessed control risk supported by the
understanding obtained, assuming the controls are
being followed
After obtaining an understanding of the client's internal
control and initially evaluating it, the auditor makes a
preliminary assessment of control risk based on what
he currently already knows, which includes what the
client claims to be there. This assessment is a
measure of the auditor's expectation that internal
controls will prevent material misstatements from
occurring or detect and correct them if they have
occurred. This preliminary assessment is made for the
specific related audit objective.

3- Use of a control risk matrix to assess control risk


A control risk matrix is a method often employed by
auditors to assess control risk by tying audit objectives
to internal controls. The steps in doing so include:

a- Identifying audit objectives for classes of
transactions, account balances, and presentation and
disclosure to which the control risk assessment
applies.

b- Identifying existing controls aimed at satisfying the
audit objectives. The auditor determines what controls
should exist in order to achieve the audit objectives.

c- Associating controls with related audit objectives


d- Identifying and evaluating control deficiencies (in the
design or operation of the controls), significant
deficiencies (one or more control deficiencies exist and
the issue merits attention by those responsible for
oversight of the company's financial reporting), and
material weaknesses (one or more significant
deficiencies make it reasonably possible that internal
control will not prevent or detect material financial
statement misstatements on a timely basis).

Control deficiencies, significant deficiencies, and
material weaknesses are assessed on two horizons:
likelihood of occurrence and significance of outcome.
Control deficiencies, significant deficiencies, and
material weaknesses are identified by (1) identifying
existing controls, then (2) identifying the absence of key
controls, then (3) considering the possibility of
compensating controls, then (4) deciding whether there
is a significant deficiency or material weakness, then (5)
determining potential misstatements that could result from
a deficiency or a weakness.

e- Associating significant deficiencies and material
weaknesses with related audit objectives.
f- Assessing control risk for each related audit objective.
After the previous steps are undertaken, the auditor now
makes a subjective assessment of control risk for each
audit objective. This may be in the form of (high,
moderate, low) or percentage or numerical levels. This
assessment may be amended as a result of the tests of
controls and substantive tests of details.

Communications to those charged with governance
and management letters:
Auditing standards require the auditor to report some
control issues to those charged with governance (such
as the client's board of directors and audit committee).
Those charged with governance can then intervene and
address the control problems, and therefore help both
the client and the auditor. Auditors may (but are not
required to) report recommendations on less
significant internal control issues to the client as a
value-added service.

Tests of controls
If the auditor decides to consider relying on the
internal controls of the client (the assessed
control risk is low or medium), he has to test the
controls in order to justify the previously made
assessment of control risk. If the results of the
tests of controls support the previous
assessment of control risk, then they can be
used to reduce substantive testing evidence
collection. If not, the previous assessment of
control risk is to be reconsidered.

The operational effectiveness of internal
controls can be tested using the following
four procedures:
Making inquiries of appropriate client
personnel.
Examining documents, records, and
reports.
Observing control-related activities.
Reperforming client procedures.

The extent of use of these tests of control
procedures depends on the desired level
of control risk to be depended on by the
auditor. The lower the level of control risk
the auditor wants to use, the more
extensive the tests of controls procedures
will be.

After performing tests of controls and
determining a final assessment of control
risk, this assessment is linked to audit
objectives and integrated into the
determination of planned detection risk,
and therefore the types of audit evidence
to be collected and evaluated and the
types of substantive tests of details to be
performed.

Chapter 11: Fraud Auditing

Types of fraud

Fraudulent financial reporting is an intentional misstatement or
omission of amounts or disclosures with the intent to deceive users.
Most fraud includes an attempt to overstate income, but also there is
fraud that intends to understate income, if this leads to lower income
tax or to create earnings reserves. Some forms of fraud include
earnings management, involving deliberate actions taken by
management to meet earnings objectives. A form of that is income
smoothing, where revenues and expenses are shifted between
periods to reduce fluctuations in earnings.

Misappropriation of assets involves theft of the entity's
assets. While this usually involves internal parties,
such as employees and members of the executive
management and the board of directors, it may
sometimes involve external parties, such as customers
(ex. shoplifting) or suppliers (ex. cheating in products).

Conditions for fraud

According to the fraud triangle principle, three conditions should be
available in order for fraud to occur. These are:
Incentives / Pressures: Management or other employees have
incentives or pressures to commit fraud.
Opportunities: Circumstances provide opportunities for
management or employees to commit fraud.
Attitudes / Rationalization: An attitude, character, or set of ethical
values exists that allows management or employees to commit a
dishonest act, or they are in an environment that imposes sufficient
pressure that causes them to rationalize committing a dishonest act.

See page 356 and page 358 and the appendixes of
ISA 240 for examples of risk factors concerning the
above three conditions, in the cases of fraudulent
financial reporting or misappropriation of assets.

In the case of fraudulent financial reporting,
incentives and pressures include a decline in the
company's prospects, such as low profitability or
low ability to repay debt, and a willingness to
meet budgets or analysts' forecasts or
conditions of debt covenants. Another important
factor here is the willingness of managers to
earn higher bonuses through manipulating
financial statements.

As for opportunities, risk factors include the existence of
significant judgements and estimates in accounting,
weakness of accounting information systems and
internal control, and high turnover of accounting and
information technology employees.
As for attitudes and rationalization, risk factors include a
managerial disregard of the financial reporting process,
desire to meet overly optimistic forecasts, and lack of
ethics.

In the case of misappropriation of assets, incentives and
pressures include financial pressures on employees, or
their dissatisfaction with the company they work at.
Opportunities include weakness of internal controls, such
as easy access to cash or inventory or other valuable
assets, and lack of adequate separation of duties or lack
of keeping adequate records and documents. Attitudes
and rationalization include management's attitudes
towards ethics (if managers cheat then lower-level
employees may consider this acceptable).

Assessing the risk of fraud


An auditor should act towards fraud in a manner of
professional scepticism, assuming neither that
management is dishonest nor that it is unquestionably
honest. This includes approaching the audit with a
questioning mind throughout the audit to identify fraud
risks and critically evaluate audit evidence. If auditors
come across a possibility of a material misstatement
due to fraud, they must thoroughly probe the issues,
acquire additional evidence and perform additional tests,
and consult with other team members.

Sources of information to assess fraud risks


1- Communication among the audit team: Discussions
among the members of the audit team may reveal some
issues related to fraud, such as the opportunities of its
occurrence due to poor controls, or the existence of
some suspicious observations by some members.
Sometimes, lower-level auditors (who do most of the
daily work) may not be aware of the risk of something
that the higher-level auditors may, due to experience,
perceive as important.

2- Inquiries of management: Sometimes
management may be aware of the
existence of fraud, or suspect it, in the
company, and tell the auditor about that
and about its plans to deal with it. The
auditor is required to ask the client's
management about their knowledge about
any fraud in the entity and what they have
done in response to this issue.

3- Risk factors: The auditor has to evaluate risk
factors in order to consider whether there are
significant possibilities of fraud in the company,
whether through fraudulent financial reporting or
through misappropriation of assets. The
existence of one or more risk factors does not
definitely mean that there is fraud, but the
auditor has to give more attention to the issue.

4- Analytical procedures: Analysis using
analytical procedures may show that there
are differences between the reported
figures and the auditor's expectations. In
this case, this issue may be the result of a
hidden fraud.

5- Other information: This information may
be obtained through other risk assessment
activities or from other sources, such as the
reputation of management on integrity and
honesty. Another source is receiving tips
from employees or other people about the
possible existence of fraud or suspicious
activities in the client.

After assessing fraud risks, auditors have to
document their discussions and findings in their
working papers. In evaluating fraud risk factors,
auditors have to consider whether the fraud risk
may be reduced through better corporate
governance oversight, including management's
fulfilment of their responsibilities towards fraud,
and the oversight of the audit committee.

Responding to the risk of fraud


After identification of risks of material misstatements due to
fraud, auditors should discuss the findings with
management and see whether management have
applied controls to deal with the risks. Having discussed
that, auditors' responses to fraud risks include:
1- Changing the overall conduct of the audit: Such as
including fraud specialists and adding unpredictability to
audit procedures to counter fraudsters' possible familiarity
with the traditional procedures.

2- Designing and performing audit procedures to
address fraud risks.
3- Designing and performing procedures to address
management override of controls: such as
examining journal entries and other adjustments
for evidence of possible misstatements due to
fraud, reviewing accounting estimates for biases,
and evaluating the business rationale for
significant unusual transactions.

Responsibilities when fraud is suspected

If fraud is suspected, the auditor gathers additional information to
determine whether fraud actually exists. A popular method here is
additional inquiries of management and other parties. Inquiries may
be informational (to obtain new information) or assessment (to
corroborate or contradict prior information) or interrogative (to
determine whether individuals are deceptive; this method requires
sufficient experience by auditors). After that, auditors evaluate the
responses to inquiry, and may perform follow-up inquiries and
interviews. In interviews, auditors should observe with attention
verbal and nonverbal cues used by interviewees that may indicate
possible deception. (See tables 11-6 and 11-7 pages 376-377 for
examples).

Other practices in response to the
suspected existence of fraud include using
audit software analysis [such as
Computer-Aided Audit Techniques
(CAATs)] and the use of expanded
substantive testing.

Specific fraud risk areas


Revenue and accounts receivable fraud risks
Revenue is usually the largest item in the
income statement, and it therefore directly
affects reported income, and is also easy to
manipulate because of the ambiguity of the
application of the revenue recognition principle,
especially regarding the timing of the
recognition.

Main types of revenue manipulation regarding fraudulent
financial reporting include:
A- Fictitious revenues (the creation of fake revenues that
do not exist)
B- Premature revenue recognition (recognizing revenue in
periods before the periods it should be recognized in)
C- Manipulation of adjustments to revenues (such as not
recording sales returns and allowances, or manipulating
the bad debt expense).

Main types of revenue manipulation regarding
misappropriation of assets include:
A- Failure to record a sale (stealing the inventory or the
cash receipts and not recording the transaction in the
books).
B- Theft of cash receipts after a sale is recorded: (This may
be committed through recording a sale return or
allowance, writing-off the customer's account as bad
debt, and closing the customer's account through
opening another one and repeating this practice).

Purchases and accounts payable fraud risks

This usually includes the understatement of
accounts payable or purchases and costs of
goods sold to make the financial statements look
better. Some methods used here for fraudulent
financial reporting include:
A- Not recording accounts payable until
subsequent periods.
B- Recording fictitious reductions to accounts
payable.

As for misappropriation of assets,
some methods used here include:
A- Issuing payments to fictitious
vendors and stealing the amounts.
B- Stealing payments to real
vendors.

Fraud risks in fixed assets


These risks include the subjectivity of
valuing fixed assets (including revaluation
and impairment) and the wrong
capitalisation or expensing of assets and
expenses. Also, some fixed assets may be
subject to theft, such as computers.

Fraud risks in payroll accounts


Some methods used in payroll fraud include:
A- Overstating inventory by increasing direct labour and
indirect labour costs in it.
B- Overstating the costs of assets by wrongly capitalising
labour used to construct them.
C- Manipulating fringe benefits, such as retirement benefits.
D- Creation of fictitious employees and stealing their salaries.
E- Overstating individuals' working hours to steal some money
as additional wages.

Auditors must be aware of the above-mentioned
examples, and the warning
signs of their existence. Some methods
used here are careful analytical
procedures and careful examination of
document discrepancies and weaknesses
in internal control systems.
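The following added example (not part of the original notes) shows the kind of test audit software can run against the fictitious-vendor and fictitious-employee schemes listed above. All records, field names and account numbers are constructed, and the matching rules are assumptions about what an auditor might choose to test.

```python
"""CAAT-style exception tests for payments to fictitious vendors and
salaries paid to fictitious employees.
Every record below is constructed sample data; field names are assumptions."""
from collections import defaultdict
from datetime import date

EMPLOYEES = [  # HR master file (constructed)
    {"emp_id": "E001", "bank": "JO11-0001", "terminated": None},
    {"emp_id": "E002", "bank": "JO11-0002", "terminated": date(2023, 3, 31)},
    {"emp_id": "E003", "bank": "JO11-0003", "terminated": None},
]
VENDORS = [  # vendor master file (constructed)
    {"vendor_id": "V100", "name": "Delta Supplies", "bank": "JO22-9001"},
    # Same account as employee E003, typed with a space instead of a dash.
    {"vendor_id": "V101", "name": "Prime Trading", "bank": "jo11 0003"},
]
PAYROLL = [  # payroll register for one pay run (constructed)
    {"emp_id": "E001", "pay_date": date(2023, 6, 30), "bank": "JO11-0001"},
    {"emp_id": "E002", "pay_date": date(2023, 6, 30), "bank": "JO11-0002"},
    {"emp_id": "E009", "pay_date": date(2023, 6, 30), "bank": "JO11-0001"},
]


def norm(account):
    """Strip formatting so cosmetic differences cannot hide a matching account."""
    return "".join(ch for ch in account.upper() if ch.isalnum())


def vendors_sharing_employee_account(vendors, employees):
    """Vendors paid into an employee's bank account: a fictitious-vendor indicator."""
    by_bank = {norm(e["bank"]): e["emp_id"] for e in employees}
    return [(v["vendor_id"], by_bank[norm(v["bank"])])
            for v in vendors if norm(v["bank"]) in by_bank]


def payroll_exceptions(payroll, employees):
    """Payroll lines with no HR record, or dated after the termination date."""
    master = {e["emp_id"]: e for e in employees}
    findings = []
    for line in payroll:
        emp = master.get(line["emp_id"])
        if emp is None:
            findings.append((line["emp_id"], "not in HR master"))
        elif emp["terminated"] and line["pay_date"] > emp["terminated"]:
            findings.append((line["emp_id"], "paid after termination"))
    return findings


def shared_payroll_accounts(payroll):
    """Bank accounts that receive salaries for more than one employee id."""
    ids = defaultdict(set)
    for line in payroll:
        ids[norm(line["bank"])].add(line["emp_id"])
    return {bank: sorted(emps) for bank, emps in ids.items() if len(emps) > 1}


if __name__ == "__main__":
    print("Vendor/employee account matches:",
          vendors_sharing_employee_account(VENDORS, EMPLOYEES))
    print("Payroll exceptions:", payroll_exceptions(PAYROLL, EMPLOYEES))
    print("Shared payroll accounts:", shared_payroll_accounts(PAYROLL))
```

Each hit is an exception for follow-up, not proof of fraud: the auditor still has to examine the supporting documents and make inquiries.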

CHAPTER 12: The Impact of Information Technology on the Audit Process

Currently, a very large number of businesses of different
sizes rely on IT to record and process transactions.
Various types of IT functions, including the internet, exist.
IT integration into accounting systems has led to:
Computer controls replacing manual controls, with a
lower possibility of random errors, and the ability to
handle a very large number of transactions quickly and cost-effectively.
Higher quality information being available in larger
quantity and at greater speed.

Assessing risks of information technology

IT may be better for internal control of
companies, but it has its own problems and
risks which the company and its auditors
must be aware of. These include:
1- Reliance on the functioning capabilities
of hardware and software: If the
hardware or software were limited in their
features or not well maintained or carried
viruses, their functioning may be impaired.

2- Systematic versus random errors:
While the errors that occur in manual
systems tend to be random, errors
occurring in IT systems tend to be
systematic. For example, if there was an
error in designing an IT system, this is
likely to lead to errors in all transactions
processed through this system.

3- Unauthorized access: In addition to
physically unauthorized access by people
having access to the IT machines, there is
the risk of unauthorized access through
misusing passwords or hacking.
4- Loss of data: A simple delete process
may lead to a loss of a large amount of
data stored electronically.

5- Invisibility of audit evidence: This occurs
through computer functions reducing or
eliminating, or at least hiding, the evidence the
auditor can use, leading to significantly less
evidence to test (especially documents and
records).
6- Reduced human involvement: This implies that
many individuals who deal with the system may
never have the access to the results of their work,
and therefore cannot verify the accuracy of it.

7- Lack of traditional authorization: This is because in IT
systems, there are fewer procedures like authorised
signatures and seals. In this case, the entity should be
careful with IT authorisation of transactions.
8- Reduced separation of duties: IT environments often
lead to reduced separation of duties through combining
many functions that were traditionally separated in one
centralized IT function. If an individual has large access
to many functions on the system, he/she might act
dishonestly.

9- Need for IT experience: IT environments
need special knowledge that not every
employee possesses. If employees
dealing with IT are not qualified, this may
lead to high IT risks.

General internal controls


General controls apply to all aspects of the IT function,
including IT administration, separation of IT duties,
systems development, physical and online security over
access to hardware, software, and related data, backup
and contingency planning in the event of unexpected
emergencies, and hardware controls. Because general
controls often apply on an entity-wide basis, auditors
evaluate general controls for the company as a whole.

Main general controls include:


A- Administration of the IT function: This includes the
board of directors' and senior management's attitude
about IT and the perceived importance of it in the
organisation from their point of view. Important topics
here include oversight, resource allocation, and
involvement in key IT decisions. The management
may establish special committees reporting to them
regarding important IT issues. The chief of IT reports
to the senior management and the board of directors.

B- Separation of IT duties: Main responsibilities
to be separated in an IT environment include IT
management, systems development, operations,
and data control. In general, those who perform
programming, operating, and data controlling
should be different people.

C- Systems development: This includes
purchasing or developing in-house software to
meet the organization's needs, and testing all
software to ensure that the new software is
compatible with existing hardware and software
and determine whether the hardware and
software can handle the needed volume of
transactions.

D- Physical and online security: IT systems
need physical security measures such as, for
example, keys, cameras, security personnel,
and cooling and humidity conditions to
protect the machines. The systems also need
online security measures to reduce the likelihood of
unauthorised use and misuse, such as firewalls
and encryption programs.

E- Backup and contingency planning: This
means having plans to deal with issues such as
power failures, fire, water damage, or even theft
of machines, all of which can lead to a big loss
of data.
F- Hardware controls: These controls are built
into the computer equipment by the computer
manufacturers to detect and report equipment
failures.

Application internal controls


Application controls apply to processing
transactions, such as controls over the processing
of sales or cash receipts. Auditors must evaluate
application controls for every class of transactions
or account in which the auditor plans to reduce
assessed control risk, because IT controls will be
different across classes of transactions and
accounts. Application controls are likely to be
effective only when general controls are effective.
Application controls can be classified into:

A- Input controls: These controls are designed to ensure
that the information entered into the computer is
authorised, accurate, and complete. These are important
as a wrong entry would normally lead to a wrong output.
Examples of input controls include management's
authorisation of transactions, adequate preparation of
input source documents, competent personnel,
adequately designed input screens with pull-down menu
lists and computer-performed validation tests, and
online-based input controls for e-commerce transactions
with external parties.

B- Processing controls: These controls
are designed to prevent and detect errors
while transaction data are processed.
They include tests for validation,
sequence, arithmetic accuracy, data
reasonableness, and completeness.

C- Output controls: These controls focus on detecting
errors after processing is completed, rather than on
preventing errors. The most important issue here is the
reasonableness of the results. Controls that may apply
here include reconciling computer-generated totals to
manual control totals, comparing the number of units
processed to the number of units submitted for
processing, comparing some transaction output to its
input source documents, and verifying dates and times of
processing to identify any out-of-sequence processing.
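The processing and output controls described above can be made concrete with a short added example (not part of the original notes). It runs the listed tests over one batch of sales invoices; the batch, its manual control totals, the field names and the quantity limit are all constructed assumptions.

```python
"""Processing and output controls applied to one batch of sales invoices.
The batch, its header and every field name are constructed for illustration."""
from datetime import datetime
from decimal import Decimal

REQUIRED = ("invoice", "qty", "unit_price", "amount", "processed")
MAX_QTY = 1000  # assumed reasonableness limit for a single invoice

# Manual control totals prepared by the submitting department (constructed).
HEADER = {"record_count": 5, "control_total": Decimal("3690.00")}


def row(invoice, qty, price, amount, processed):
    return {"invoice": invoice, "qty": qty, "unit_price": Decimal(price),
            "amount": Decimal(amount),
            "processed": datetime.fromisoformat(processed)}


BATCH = [  # computer-processed records (constructed); invoice 1003 is absent
    row(1001, 10, "25.00", "250.00", "2024-01-15T09:00:00"),
    row(1002, 4, "100.00", "400.00", "2024-01-15T09:01:00"),
    row(1004, 2, "20.00", "45.00", "2024-01-15T09:03:00"),
    row(1005, 5000, "0.50", "2500.00", "2024-01-15T09:02:00"),
]


def incomplete_records(batch):
    """Completeness test: records with a required field missing."""
    return [r.get("invoice") for r in batch
            if any(r.get(f) is None for f in REQUIRED)]


def sequence_exceptions(batch):
    """Sequence test: gaps and duplicates in the pre-numbered invoice range."""
    numbers = [r["invoice"] for r in batch]
    if not numbers:
        return {"missing": [], "duplicates": []}
    expected = set(range(min(numbers), max(numbers) + 1))
    return {"missing": sorted(expected - set(numbers)),
            "duplicates": sorted({n for n in numbers if numbers.count(n) > 1})}


def arithmetic_errors(batch):
    """Arithmetic accuracy test: quantity x unit price must equal the amount."""
    return [r["invoice"] for r in batch
            if r["qty"] * r["unit_price"] != r["amount"]]


def unreasonable_quantities(batch):
    """Data reasonableness test: quantity outside the assumed limit."""
    return [r["invoice"] for r in batch if not 0 < r["qty"] <= MAX_QTY]


def reconcile_to_control_totals(header, batch):
    """Output control: computer-generated totals against manual control totals."""
    computed = sum((r["amount"] for r in batch), Decimal("0"))
    return {"count_difference": len(batch) - header["record_count"],
            "total_difference": computed - header["control_total"]}


def out_of_sequence_processing(batch):
    """Output control: records processed earlier than the preceding invoice."""
    ordered = sorted(batch, key=lambda r: r["invoice"])
    return [cur["invoice"] for prev, cur in zip(ordered, ordered[1:])
            if cur["processed"] < prev["processed"]]


if __name__ == "__main__":
    for check in (incomplete_records, sequence_exceptions, arithmetic_errors,
                  unreasonable_quantities, out_of_sequence_processing):
        print(check.__name__, "->", check(BATCH))
    print("reconcile ->", reconcile_to_control_totals(HEADER, BATCH))
```

The count and total differences show that a submitted record never reached the output, which the sequence test then pins down to invoice 1003.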

Impact of information technology on the audit process

Auditors involved in auditing entities with
extensive IT use should possess adequate
knowledge on this issue. They should evaluate
the effectiveness of, first, general controls and,
second, application controls and consider their
effect on control risk assessment. In doing so,
auditors obtain an understanding of client
general controls by using methods that include:

Interviews with IT personnel and key
users.
Examination of system documentation
such as flowcharts, user manuals,
program change requests, and system
testing results.
Review of detailed questionnaires
completed by IT staff.

After this, a preliminary control risk
assessment is done, having reviewed the
IT system's control weaknesses and
deficiencies and their possible effects on
not meeting related audit objectives and
the possible existence of material
misstatements in the financial statements
and their related notes.

CHAPTER THIRTEEN: Audit Plan and Audit Program

Types of tests
In developing an overall audit plan, auditors use five
types of tests to determine whether financial statements
are fairly stated. Auditors use risk assessment
procedures to assess the risk of material misstatements.
The other four types of tests represent further audit
procedures performed in response to the risk identified.
Each audit procedure falls into one, and sometimes
more than one, of these five categories. The five types of
audit tests are:

Risk assessment procedures: The auditor is required
to obtain an understanding of the entity and its
environment, including its internal control, to assess the
risk of material misstatement in the client's financial
statements. The other four audit tests (discussed below)
are performed in response to the auditor's assessment
of the risk of material misstatements. According to the
audit firm's approach to risk assessment, several
different types and quantities of risks may be assessed
(although there are minimum requirements). This
selection of risks, and its results, significantly affects the
mix of other tests performed in the audit program.

Tests of controls: The auditor's understanding of internal
controls is used to assess control risk for each transaction-related
audit objective (the assessment may be different for
each objective). If the preliminary control risk assessment is,
for example, low or medium, and the auditor wants to rely on
internal controls to reduce substantive audit procedures, he
has to perform tests of controls. Tests of controls are
performed to obtain sufficient appropriate evidence to support
the preliminary assessment of control risk. Tests of controls
may include making inquiries of appropriate client personnel,
examining documents and records and reports, observing
control-related activities, and reperforming client procedures.

Tests of control can be either manual or automated.
They are also used to determine whether the controls
are effective (by testing a sample of the controls). The
amount of additional evidence required for tests of
controls depends on the extent of evidence obtained in
gaining the understanding of internal control, and the
planned reduction in control risk. Tests of controls may
be performed separately, but it may be cost-effective to
do them at the same time as doing substantive tests of
transactions, especially if the same procedure is applied
for both types of tests.

Substantive tests of transactions: Substantive tests
are procedures designed to test for monetary
misstatements that directly affect the correctness of
financial statement balances. These tests are
substantive tests of transactions, substantive tests of
details of balances, and substantive analytical
procedures.
Substantive tests of transactions are used to determine
whether all six transaction-related audit objectives
(occurrence, completeness, accuracy, posting and
summarization, classification, timing) have been satisfied
for each class of transactions.

Substantive tests of details of balances: These
tests focus on the ending general ledger balances
for both balance sheet and income statement
accounts. Typical types of such tests include
confirming payable and receivable accounts and
physical examination of tangible assets. These tests
are performed to satisfy all balance-related audit
objectives (existence, completeness, accuracy,
classification, cutoff, detail tie-in, realizable value,
rights and obligations) for each significant account.

Substantive analytical procedures: Analytical
procedures involve comparisons of recorded amounts to
expectations developed by the auditor. They are required
by audit standards during the stages of planning and
completing the audit, but they can also be used as a
substantive auditing procedure in order to provide
substantive evidence and indicate possible
misstatements in the financial statements. If auditors
believe that analytical procedures indicate a reasonable
possibility of misstatement, they may perform additional
analytical procedures or decide to modify tests of details.

However, if the results of analytical procedures make
the auditor conclude that the client's ending balances
in certain accounts appear reasonable, certain tests
of details of balances may be eliminated or sample
sizes reduced. The extent to which an auditor may be
willing to rely on analytical procedures in support of
account balances depends on several factors,
including the precision of the expectation developed
by the auditor, materiality, the risk of material
misstatement, and the effectiveness of the client's
internal control.

Selecting which types of tests to perform


Typically, auditors use all five types of tests when
performing an audit of the financial statements, but
certain types may be emphasised, depending on the
circumstances. Several factors influence the auditor's
choice of the types of tests to select, including the
availability of the different types of evidence, the relative
costs of each type of evidence, the effectiveness of
internal controls, inherent risks, fraud risks, and business
risks.

Availability of types of evidence for further audit procedures

See Table 13-2, page 426.

We can see from the table that six out of eight
possible types of evidence are available for
testing balances, four for testing transactions,
four for testing controls, and only two for
analytical procedures. Certain types of
evidence, including physical examination and
confirmation, can only be used to test a balance,
while inquiries of the client can be used in all
types of tests.

Relative costs of audit procedures


Audit procedures are different in costs. The rule is that
auditors have to fulfil their responsibilities according to
laws and regulations and auditing standards. This
includes collecting sufficient appropriate evidence. There
are general requirements for the use of certain types of
audit procedures, but after that the extent of use of each
type is a matter of personal judgement. The audit firm is a
profit-seeking entity, and therefore would like to fulfil its
legal and professional responsibilities at the lowest
possible cost. This influences the mix of audit procedures
it uses.

In general, the audit procedures are classified
below, according to their relative costs, with the
least costly first:
Analytical procedures
Risk assessment procedures (including
obtaining an understanding of the entity)
Tests of controls
Substantive tests of transactions
Substantive tests of details of balances

It is clear that the least expensive type is analytical
procedures, which may include making only a few
comparisons per case or using a software program,
while the most expensive is substantive tests of
balances, which may include many complications in
the account components, and the need to use expensive
confirmation and physical examination. Tests of controls
are more expensive than risk assessment procedures
due to the need for more extensive testing procedures in
the former.

CHAPTER 24: Completing the Audit

In this chapter, some procedures done at the end of the audit, but
before the issuance of the audit report, are discussed.

Review for contingent liabilities and commitments

A contingent liability is a potential future obligation to an outside party
for an unknown amount resulting from activities that have already taken
place. Three conditions are required for a contingent liability to exist:
1- There is a potential future payment to an outside party or the
impairment of an asset that resulted from an existing condition.
2- There is uncertainty about the amount of the future payment or
impairment.
3- The outcome will be resolved by some future event or events.

If the likelihood of occurrence of the future outcome is probable and
the amount can be reasonably estimated, financial statement
accounts are adjusted (a debit to a loss/expense and a credit to a
liability).
If the likelihood of occurrence of the future outcome is probable and
the amount cannot be reasonably estimated, note disclosure is
necessary.
If the likelihood of occurrence of the future outcome is reasonably
possible, note disclosure is necessary.
If the likelihood of occurrence of the future outcome is remote, no
disclosure is necessary.

Certain contingent liabilities include, for
example:
Pending litigation.
Income tax disputes.
Product warranties.
Guarantees of obligations of other parties.

Main objectives in verifying contingent liabilities are:


Evaluating the accounting treatment of known contingent liabilities.
Identifying (to the extent practical) any contingent liabilities not
already identified by the client.

Examples of commitments include agreements to purchase raw
materials or lease assets at a certain price or sell merchandise at a
fixed price, or bonus plans or pension plans. These are
characterised by the existence of an agreement to commit the client
to a set of fixed conditions in the future. Commitments generally
need to be disclosed in notes.

To find unidentified contingencies/commitments or
evaluate known contingencies/commitments, the
following procedures can be performed (for example):
Inquiry of management about contingencies and
commitments.
Reviewing income tax reports.
Reviewing minutes of meetings of shareholders, directors,
and management.
Reviewing documents
Obtaining letters from attorneys.

The last procedure (letters from attorneys)
is a major audit procedure used to
evaluate litigation. See page 777 for an
example of an inquiry of an attorney on
legal matters. The refusal of an attorney to
cooperate with the auditor may probably
lead to a modification of the audit report.

Review for subsequent events


The auditor must review transactions and events that
occurred after the balance sheet date to determine
whether any of these transactions or events affects the
fair presentation and disclosure of the current period
statements. Normally, this responsibility extends up to
the date of the auditor's report, which corresponds to the
completion of the important auditing procedures.

Subsequent events are of two types:


1- Those that have a direct effect on the financial statements and require
adjustments. This generally means events that make issues that were
unclear (probably estimated) at year-end clearer, such as a settlement
of litigation or a sale of an impaired asset. In these cases, an
adjustment to the financial statements of the previous year is required.
2- Those that do not have a direct effect on the financial statements but for
which disclosure is required. These are significant events that do not
affect the balances at the year-end but are sufficiently material to
require a disclosure to mention their existence. These include a major
loss of uninsured buildings caused by fire, or the occurrence of a
merger or acquisition.

Subsequent events are tested both as procedures normally integrated as
part of the verification of year-end account balances, and procedures
performed specifically for the purpose of discovering events or
transactions that must be recognized as subsequent events. The first
procedures are done along with other audit tests (see cutoff and
valuation objectives), while the second may include procedures such as:
Reviewing records prepared subsequent to the balance sheet date.
Reviewing internal statements prepared subsequent to the balance
sheet date.
Examining minutes issued subsequent to the balance sheet date.
Corresponding with attorneys.
Inquiring of management.
Obtaining a letter of representation.

Perform final analytical procedures


Auditors are required to perform analytical
procedures during the completion of the audit. This is
useful as a final review for material misstatements or
financial problems not noted during other testing and to
help the auditor take a final objective look at the financial
statements. This procedure at this stage is usually
performed by a partner who usually has more knowledge
than other auditors in the team, and may therefore
discover issues they did not discover. The partner reads
the financial statements and notes considering:

The adequacy of evidence gathered about
unusual or unexpected account balances or
relationships identified during planning or while
conducting the audit.
Unusual or unexpected account balances or
relationships that were not previously identified.
The results of this analytical procedure may
indicate that additional audit evidence and tests
are necessary.

Evaluate going concern assumption


Although evaluating going concern can occur at different
stages of an audit, it may be desirable to perform an
evaluation after all evidence has been accumulated and
tested and any required adjustments to the financial
statements are made. If a substantial doubt over going
concern exists, the auditor should evaluate management's
plans to avoid bankruptcy and the feasibility of achieving
these plans. After that, the auditor makes a decision on
adding a paragraph in the report to mention the going
concern doubt.

Obtain management representation letter


The auditor is required to obtain a letter from the client's
management documenting management's most important oral
representations made during the audit. Refusal to give this letter
may lead to qualification or disclaimer of opinion. The main
reasons for this letter:
To impress upon management its responsibility for the
assertions in the financial statements.
To remind management of potential misstatements or
omissions in the financial statements.
To document the responses from management to inquiries
about various aspects of the audit.

Issues in this letter may include, for example:


Management's acknowledgement of its responsibility for
the fair presentation of the financial statements.
Management's belief that the financial statements are
presented fairly and in conformity with required
accounting standards.
Completeness of the documents required by the auditor.
Information concerning fraud
Information about subsequent events.

Considering other information


This includes other information in the annual report
apart from the financial statements and their related
note disclosures. If the auditor finds information that
contradicts the financial statements, and the client
refuses to make amendments, the auditor may consider
adding a paragraph to emphasise that in the audit report
(or qualify the opinion if the error was in the financial
statements or their notes).

After doing all that, the auditor evaluates the
final results and issues the report. He also
communicates with the audit committee
on:
fraud and illegal acts
internal control deficiencies
other communication

This is to:
communicate auditor responsibilities in the audit of financial
statements.
provide an overview of the scope and timing of the audit.
provide those charged with governance with significant findings
arising during the audit.
obtain from those charged with governance information relevant to
the audit.
Also, the auditor writes to the client about his recommendations about
any part of the client's business.
