Chapter 15 The statutory audit process

Question 1

1.1 Underlying concepts: quality management

Answer 1

This ensures that the audit firm adheres to ISAs and fundamental ethical principles which help to reduce audit risk. It includes:
- Having appropriate firm procedures in place and ensuring staff know about them and adhere to them
- Staff training and CPD
- Performance assessment and feedback/reward/discipline on a timely basis
- Delegation of work to those with appropriate seniority and competence
- Direction, supervision and review of work by a sufficiently senior staff member

Question 2

1.2 Professional scepticism

Answer 2

An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence. Auditors must question who gave them information, be alert to conditions that indicate fraud, seek evidence for information, be alert to inconsistencies, question the reliability of documents and responses and keep sufficient documentation.
Areas of particular risk include cut-off (transactions recorded in wrong accounting period) and subjective areas (require judgement and open to manipulation).

Question 3

2.1 Ethics, bribery and money laundering

Answer 3

Fundamental principles are integrity, objectivity, professional competence and due care, confidentiality and professional behaviour. The threats to objectivity and independence are self-interest, self-review, advocacy, familiarity, intimidation and management.

Question 4

2.2 Actions/safeguards

Answer 4

• Section 1 – General requirements and guidance: ethics partner and threats
• Section 2 – Financial, business, employment and personal relationships: shareholdings and loans, business relationships, employment with client or vice-versa and family relationships
• Section 3 – Long association with engagements and with entities relevant to engagements: rotation of partners and staff
• Section 4 – Fees, remuneration and evaluation policies, gifts and hospitality, litigation
• Section 5 – Non-audit/additional services: audit related services, internal audit, IT, valuations, actuarial services, tax, litigation support, legal services, recruitment and remuneration, corporate finance, transaction services, restructuring and accounting services
• Section 6 – Provisions available for audits of small entities

Question 5

2.3 Bribery act 2010

Answer 5

Penalties exist for individuals and organisations for offering a bribe, accepting a bribe or bribing a foreign public official. Organisations can be penalised for failing to prevent bribery by employees or agents. Organisations should focus on top level culture in which bribery is unacceptable, rusk assessment, due diligence procedures, tasking a risk based approach, communication to staff, including training and monitoring and review. The auditor should carry out procedures to identify misstatement caused by non-compliance with the Bribery Act, such as:
- Assess risk of non-compliance with the Bribery Act
- Exercise professional scepticism
- Assess bribery prevention policies of the client
The auditor should report suspicions of bribery to the national crime agency under Proceeds of Crime Act 2002.

Question 6

2.4 Money laundering

Answer 6

Money laundering aims to disguise the origins of funds from criminal conduct so they can be used. It includes using, acquiring, retaining, controlling, concealing, disguising, converting, transferring and removing from the UK the proceeds of criminal conduct. The auditor should report actual knowledge, or reasonable grounds for suspicion, of money laundering:
- To the audit firm’s money laundering nominated officer
- The money laundering nominated officer will consider whether it is necessary to report to the NCA
Offences include failure to report, failure to provide suitable training for staff and tipping off the money launder. Penalties are up to imprisonment for up to 14 years.

Question 7

3.1 Risk and materiality

Answer 7

Audit risk is the risk of the auditor giving an inappropriate opinion when the accounts are materially misstated. The audit must be planned and performed in a way to reduce audit risk so the auditor gives reasonable assurance. Business risk is the risk the company fails to meet its objectives.

Question 8

3.2 Business risk approach

Answer 8

There are three principal areas of business risk:
- Financial risk: financial consequences of operating activity and risk associated with the company’s finance
- Operational risk: risks associated with the company’s trading activity
- Compliance risk: risks resulting from non-compliance with law and regulations
Business risk impacts on the audit in a number of ways, assisting the auditor to:
- Identify motives to deliberately manipulate the accounts
- Have a better understanding of the context of the accounts having performed analytical procedures
- Assess the going concern status of the company
- Understand the regulatory and legal environment in which the company operates to assess the risk of non-compliance
- Identify complex accounting issues for further evaluation

Question 9

3.3 Audit risk approach

Answer 9

Audit risk is inherent risk x control risk x detection risk
Inherent risk: susceptibility of balances and transactions to material misstatement irrespective or related controls.
Control risk: the risk that the entity’s controls will not prevent or detect material error on a timely basis. Key issues are control environment and control activities/procedures.
Detection risk: the risk that the auditor’s procedures fail to detect material misstatement

Question 10

3.4 Analytical procedures

Answer 10

These include: simple year-on-year comparisons, examining related accounts, reasonableness tests, comparing the actual value with a calculated expectation, trend analysis and ratio analysis. At the planning stage, the output of these procedures may identify areas with conflict with the understanding of the business, therefore highlighting risk areas for the audit. The procedures are most effective when:
- The underlying data used is reliable
- There are plausible relationships between the items being compared

Question 11

3.5 Materiality

Answer 11

Misstatements including omissions, are considered material if they, individually or in the aggregate could reasonably be expected to influence the economic decisions of users taken on the basis of the accounts. The size thresholds are 1% of revenue, 1-2% of total assets and 5% of PBT.
Performance materiality: a lower materiality threshold during the performance of the audit.

Question 12

4.1 Responding to audit risks

Answer 12

The nature of audit testing includes substantive vs tests of control, detailed audit procedures focussing on the risk area, seek evidence from a more reliable source and seek corroborative evidence from an alternative source.
The extent is to take bigger samples and consider 100% testing.
Timing includes interim audit, continuous use of data analytic software and longer period between the year-end date and final audit to allow more use of subsequent events.

Question 13

5.1 Designing audit procedures to collect audit evidence

Answer 13

Audit evidence must be:
- Sufficient: covering all aspects, sample sizes should be adequate and samples taken from appropriate populations
- Reliable: 3rd party evidence is better than internally generated, original documents better than copies, written/printed evidence better than oral and triangulation (auditors obtain complimentary evidence from different sources)
- Relevant: consider the assertion being tested and directional testing (overstatement/understatement)

Question 14

5.2 Types of audit procedure

Answer 14

The two types of audit procedures are tests of control (designated to evaluate the operating effectiveness of controls) and substantive procedures (audit procedure designed to detect material misstatement at the assertion level, these includes tests of detail and analytical procedures).

Question 15

5.3 Tests of controls

Answer 15

These include inspection of documents for evidence of internal controls, enquiries, re-performance of control procedures, examine evidence of management attitude, observation and test computer controls. Consider issues such as how the controls were applied, consistency of the application of controls and who applied the controls.

Question 16

5.4 Analytical procedures

Answer 16

Planning stage: use analytical procedures to identify audit risks and to concentrate work on key areas.
Substantive testing stage: used to test an account balance for reasonableness. The approach is to set expectations, compare actual with expected, obtain possible reasons for variances, evaluate the impact of any unresolved differences between expected and recorded amounts.

Question 17

5.5 Tests of detail

Answer 17

A test of detail is any substantive procedure other than analytical procedures. Audit procedures have three elements:
- Verb/action: inquire, observe, inspect and reperform etc
- Object/source: asset, document, entity and person
- Objective: financial statement assertions

Question 18

5.6 Financial statement assertions

Answer 18

Transactions Account balances
Occurrence, completeness, accuracy,
cut-off, classification and presentation

                                                  Existence, rights and obligations, 
                                                completeness, accuracy, valuation and 
                                              allocation, classification and presentation

Question 19

6.1 Audit evidence – use of experts

Answer 19

• Steps 1: Consider whether it is appropriate to rely on the expert. Consider qualifications, competence, experience, objectivity and reputation
• Step 2: Contract. Need to agree in writing, nature, scope and objective of expert’s work. Roles and responsibilities. Nature, timing and extent of communications and reports. Confidentiality
• Step 3: Assess the expert’s work. Consistency of findings with other audit evidence. Underlying assumptions and source data

Question 20

6.2 Reliance on internal auditors

Answer 20

• How much should the external auditor rely on the internal auditors’ work? This depends on nature and scope of work, risk and degree of subjectivity
• Assess internal audit function: Organisational status, scope of function, technical competence and due professional care
• Evaluate IA work on which the external auditor wants to place reliance. Adequate training, sufficient appropriate evidence, conclusions appropriate and exceptions are resolved.

Question 21

6.3 Reliance on component auditors

Answer 21

• Understand the component auditor: independence, professional competence, ethical considerations. Whether the group audit engagement team will be involved in their work. The results of any regulatory monitoring or inspection of the component auditor. Obtain confirmation that the component auditor will cooperate with the group auditor
• Materiality: group audit team set materiality level for group accounts. Materiality should be set for components which are individually significant
• Extent of work required: significant components require full audit based on component materiality level. If a component includes significant risks of material misstatement of the group accounts a full audit using component materiality is needed.
• Communication: group auditors must communicate the work to be performed, materiality, list of significant risks and list of related parties. Component auditor must communicate the matters relevant to the group team’s conclusion regarding the group audit
• Evaluation: has component auditor performed the worm requested. Identify instances of non-compliance with law and regulations, indicators of management bias or fraud and ging concern threats to the group as a whole. Obtain a schedule of corrected and uncorrected misstatement and a summary of control deficiencies. Review component auditor’s findings and conclusions.

Question 22

6.4 Service organisations

Answer 22

Service organisations can be part of an entity’s information systems. If the organisation provides a service that relates to an item that is material in the context of the accounts then the auditor will need to obtain sufficient, appropriate evidence relating to that area.
Gain an understanding of the nature of the services provided by the service organisation, the impact on the accounts and whether the client or service organisation keeps sufficient records for the auditor’s use. Assess the controls over the affected areas at the entity and at the service organisation.
Gain evidence over the relevant assertions. May rely on a service auditor to confirm and test controls of the service organisation. Consider the implications for the audit report – do not refer to the service organisation or the service auditors in the report.

Question 23

7.1 Information technology and internal controls

Answer 23

Computer controls fall into two categories. The first is general controls over the computer system and the second is application controls over a specific programme.

Question 24

7.2 Cyber security

Answer 24

A business needs to address cyber threats as part of its internal controls. Cyber threats include cyber criminals, hacktivists, nation states, insiders/partners, competitors and skilled individual hackers. The different threats can lead to a number of different risks to the business, which could lead to a misstatement in the accounts.
- Theft of intellectual property/strategic plans
- Financial fraud
- Reputational damage
- Business disruption
- Destruction of critical infrastructure
- Threats to health and safety
- Breach of data protection regulations such as GDPR
Cyber security should become the responsibility of a board member. As part of the business’s risk assessment, critical business data and associated risks should be identified. Ensure that NEDs and audit committee have knowledge and training to hold management to account in a meaningful way. Introduce monitoring mechanisms to identify suspect behaviour by disgruntled staff. Develop incident response procedures and procedures for business continuity/disaster recovery. Ensure standard IT controls are implemented, enforced and reviewed.

Question 25

7.3 Cloud computing

Answer 25

Involves the hosting of data on remote servers accessed via the internet to store, manage and process that data. The auditor should consider:
- Does the cloud service take regular back-ups of client data
- Does the client have its own back-up strategy
- Is the cloud service’s process for restoring data regularly tested
- Is there a service level agreement regarding data assurance and does the cloud service perform exercises to ensure that these can be met

Question 26

7.4 AI

Answer 26

AI is technology to help improve decisions by machines, based on machine learning. AI requires pattern recognition and learning. There is an increasing role for AI as part of audit data analytics in automated and smart auditing of populations, thus reducing human error.
Increased automation in transaction processes and systems, greater analysis of data to differentiate between rogue (fraud) and normal activity and better predictions and forecasts on complex areas such as revenue.
Limitations: AI may struggle to cope with unusual situations, particularly if there is little past data to learn from. Developing AI systems require significant investment, particularly when the technology is new.

Question 27

8.1 Completion

Answer 27

During the course of the audit, misstatements will be identified which may be material or immaterial to the accounts. The client will adjust the accounts to take account of some, or all, of these misstatements during the course of the audit. At the end of the audit, some misstatements may be uncorrected. The auditors will summarise these uncorrected misstatements in order to conclude as to whether a material misstatement remains.

Question 28

9.1 The auditors’ report

Answer 28

A report can be unmodified or modified. A modified report can have a modified opinion on the FS and an unmodified opinion on FS.
A modified opinion on FS can be qualified (a material error is present in the FS or a limitation of scope over a material matter), adverse (a disagreement over an error which is material and pervasive) and a disclaimer (a limitation on scope over a matter which is material and pervasive).
An unmodified opinion on FS can be other matter (draws attention to a matter outside of the FS) and an emphasis of matter (draws attention to a matter inside the FS).

Question 29

9.2 Reporting on other information

Answer 29

The companies act requires the auditor to report on whether the information contained in the directors’ report and strategic report is consistent with the accounts. This opinion is included in a section of the auditor’s report entitled ‘Opinion on other matters prescribed by Companies Act 2006’.
The auditor is required to identify any inconsistencies and discuss with management. If the inconsistency is not resolved, amend the auditors report.

Question 30

9.3 Reporting on going concern

Answer 30

Scenario Impact on the auditor’s report
The company is a going concern and no material uncertainties regarding going concern. Unmodified opinion. Include a ‘Conclusions relating to going concern’ section.
The company is not a going concern, but the directors have prepared the financial statements on the going concern basis. Material and pervasive misstatement. Do not include the ‘Conclusions relating to going concern’ section. Instead, issue an Adverse opinion.
The company is not a going concern and the directors have prepared the financial statements on the break-up basis, with adequate disclosure of the basis of preparation. The financial statements are not misstated. Do not include the ‘Conclusions relating to going concern’ section.
Unmodified opinion. An emphasis of matter paragraph is used to highlight: the alternative basis of preparation, reasons for doing so and the disclosure
to the users of the financial statements.
The going concern status of the company is uncertain and the directors have made adequate disclosure of the uncertainty. The financial statements are not misstated. Do not include the ‘Conclusions relating to going concern’ section. Unmodified opinion. A separate section is included in the auditor’s report under the heading ‘Material Uncertainty Related to Going Concern’ to: draw attention to the disclosure note, state that the material uncertainty may cast significant doubt on the entity’s ability to continue as a going concern and state that the auditor’s opinion is not modified in this respect.
The going concern status of the company is uncertain and the directors have not made adequate disclosure of the uncertainty. The financial statements are misstated. Do not include the ‘Conclusions relating to going concern’ section. This could be considered material or pervasive. Qualified (‘except for’) opinion OR adverse opinion. Explain in the ‘Basis for qualified/adverse opinion’ section that the material uncertainty exists and it is not disclosed adequately.

Question 31

9.4 Key audit matters (listed companies)

Answer 31

ISA 701 requires auditors of listed companies to determine key audit matters and to communicate those matters in the auditor’s report. Auditors of non-listed entities may voluntarily, or at the request of management or those charged with governance, include key audit matters in the auditor’s report.
Key audit matters are those that in the auditor’s professional judgement were of most significance in the audit and are selected from matters communicated to those charged with governance. Key audit matters include:
- Areas of higher associated risk of material misstatement, or significant risks identified in accordance with ISA 315
- Significant auditor judgments relating to items in the accounts that involved significant management judgment including accounting estimates that have been identified as having high estimation uncertainty
- The effect on the audit of significant events or transactions that occurred during the period

Question 32

10.1 Communicating weaknesses in internal controls

Answer 32

Auditors must communicate to those charged with governance any significant deficiencies discovered during the course of the audit in the management letter. this will include a covering letter addressed to management, dated as soon as possible after the audit is completed and includes a disclaimer which states that it is not a comprehensive list of weaknesses, for management use only and not to be disclosed to third parties without prior written consent of the auditor.
They should also include an appendix detailing the weaknesses identified and recommending improvements. Normally in a tabular format including weakness, implications and recommendation.