The statutory audit process Flashcards

1
Q

The statutory audit process Underlying concepts 1.1 Quality management

A

Good quality management ensures that the audit firm adheres to ISAs and
fundamental ethical principles which help to reduce audit risk. It includes:
• having appropriate firm procedures in place and ensuring staff know about them
and adhere to them
• staff training and CPD
• performance assessment and feedback/reward/discipline on a timely basis
• delegation of work to those with appropriate seniority and competence
• direction, supervision and review of work by a sufficiently senior staff member.
In the exam, quality management is most commonly tested in a
practical scenario, where we are provided with the work of a junior audit
team member and are required to identify weaknesses. This is
considered in more detail later in this chapter.

2
Q

The statutory audit process Underlying concepts 1.2 Professional scepticism

A

Definition: An attitude that includes a questioning mind, being alert to
conditions which may indicate possible misstatement due to error or
fraud, and a critical assessment of audit evidence.
The examiner considers this to be a key principle. In audit scenarios
there is often an incentive to misstate the financial statements. This can
often explain some of the more unusual figures or treatments adopted.
Auditors must:
• question who gave them information and whether they are in a position to have
the requisite knowledge, or motivated to misrepresent the facts
• be alert to conditions that indicate fraud
• seek corroborative evidence for information and explanations obtained in the
course of their work
• be alert to inconsistencies between different sources of evidence
• question the reliability of documents and responses to enquiries to be used as
audit evidence
• keep sufficient documentation that includes both the auditor’s conclusions and
also the rationale underlying those conclusions

Areas of particular risk:
• Cut-off: Transactions recorded in the wrong accounting period
• Subjective areas: By definition, these require judgement. Such
areas are open to manipulation and sometimes the available
evidence may be limited where it depends upon management
intentions or perhaps a future event.
Examples include:
– impairment of assets (e.g. estimates of future cash flows and risk adjusted
discount rates when determining value in use)
– revenue recognition (e.g. degree of completion when recognising revenue over
time, or the point at which control is transferred if recognising revenue at a point
in time)
– share-based payment vesting conditions (e.g. whether the vesting conditions
are likely to be satisfied and with how many employees)
– determination of FV (e.g. revaluation of PPE or investment property)
– provisions (probability and measurement of expected outflows)
– depreciation (e.g. useful life and residual values)
– leases (e.g. finance lease or operating lease when lessor accounting)
– deferred tax (e.g. profits expected to be available in future to off-set losses against).

3
Q

The statutory audit process Ethics, bribery and money
laundering 2.1 Fundamental principles

A

Ethics represents 5 – 10% of the exam and so will be tested. This can
be in the context of an auditor, or as the preparer of the financial
statements.
2.1 Fundamental principles
When faced with ethical issues, the professional accountant must keep
in mind the ICAEW’s fundamental principles. Referring to the following
principles will help to explain our response to the issue:
• integrity
• objectivity
• professional competence and due care
• confidentiality
• professional behaviour.

4
Q

The statutory audit process Ethics, bribery and money
laundering 2.2 Ethical threats

A

The FRC Ethical Standard sets out six general threats to objectivity and
independence:
• self-interest
• self-review
• advocacy
• familiarity
• intimidation
• management.
All of these threats are relevant to the auditor, but in a question where
you are the preparing accountant, the most common scenario is that
you are being pressurised into manipulating the financial statements.
In these scenarios there is often a positive incentive given, such as a
bonus (which is a self-interest threat) or a negative incentive, such as
a threat to not renew your temporary employment contract (which is an
intimidation threat).

5
Q

The statutory audit process Ethics, bribery and money
laundering 2.3 Actions/Safeguards Auditor:

A

Auditor:
The actions required of the auditor can usually be found in the Auditing
Standards open book text, in particular the FRC Revised Ethical
Standard Part B.
A summary of the content is given below:
• Section 1 – General requirements and guidance
– Ethics partner
– Threats
• Section 2 – Financial, business, employment and personal relationships
– Shareholdings and loans
– Business relationships
– Employment with client or vice-versa
– Family relationships
• Section 3 – Long association with engagements and with entities relevant to
engagements
– Rotation of partners and staff
• Section 4 – Fees, remuneration and evaluation policies, gifts and hospitality,
litigation
• Section 5 – Non-audit/additional services
– Audit related services
– Internal audit
– IT
– Valuations
– Actuarial services
– Tax
– Litigation support
– Legal services
– Recruitment and remuneration
– Corporate finance
– Transaction services (incl. due diligence)
– Restructuring
– Accounting services
• Section 6 – Provisions available for audits of small entities.

6
Q

The statutory audit process Ethics, bribery and money
laundering 2.3 Actions/Safeguards Preparing accountant:

A

The examiner has commented that some students suggest resignation
as a first resort. However, if other actions can be taken, then they
should be.
Actions which may be appropriate include:
• discussions with your line manager
• follow internal complaints processes
• report to the board (or audit committee if available)
• seek support from the ICAEW
• seek legal advice.

7
Q

The statutory audit process 2.4 Bribery Act 2010

A

Penalties exist for both individuals and organisations for the
offences of offering a bribe, accepting a bribe, or bribing a
foreign public official.
Organisations can be penalised for failing to prevent bribery
by employees or agents.
As a result, organisations should design and implement bribery prevention
policies. Note: this also applies to audit firms.
The policy should focus on:
• top level culture in which bribery is unacceptable
• risk assessment
• due diligence procedures, taking a risk-based approach
• communication to staff, including training
• monitoring and review.
Auditors need to consider the effectiveness of bribery prevention policies at their
clients and the audit firm should also comply with the Act.
The auditor should carry out procedures to identify misstatement caused by
non-compliance with the Bribery Act, such as:
• assess risk of non-compliance with the Bribery Act
• exercise professional scepticism
• assess bribery prevention policies of the client.
The auditor should report suspicions of bribery to the National Crime Agency
(NCA) under the Proceeds of Crime Act 2002.

8
Q

The statutory audit process 2.5 Money laundering

A

You were introduced to money laundering in your Assurance studies and will also
receive training at work on this important area.
Money laundering aims to disguise the origins of funds from
criminal conduct so that they can be used. The definition in
the Proceeds of Crime Act 2002 includes using, acquiring,
retaining, controlling, concealing, disguising, converting,
transferring and removing from the UK the proceeds of
criminal conduct.
As well as dealing with obvious criminal behaviour, such as using the
proceeds from the sale of illegal drugs, money laundering includes the
following examples more commonly seen in the exam:
• tax evasion
• saving costs by failing to comply with laws and regulations
• offences committed overseas that are criminal offences in the UK
e.g. bribes that would be covered by the Bribery Act 2010.
Your responsibilities – The auditor should report actual knowledge, or
reasonable grounds for suspicion, of money laundering:
• to the audit firm’s money laundering nominated officer (note: ISA 250 refers to
this officer as a money laundering reporting officer – MLRO)
• the money laundering nominated officer will consider whether it is necessary to
report to the National Crime Agency (NCA).
Offences include:
• failure to report
• failure to provide suitable training for staff
• tipping-off the money launderer.
The most severe penalty is imprisonment for up to 14 years.

9
Q

The statutory audit process Risk and materiality

A

Audit risk is the risk of the auditor giving an inappropriate opinion when
the financial statements are materially misstated. The audit must be
planned and performed in such a way as to reduce audit risk so that the
auditor gives reasonable assurance.
Business risk is the risk that a company fails to meet its objectives.
In your Audit and Assurance studies, you considered two approaches to identify audit
risks, which were:
• the business risk approach
• the audit risk model.
Most exam questions will focus on audit risk, but it is important to
clearly identify whether you are being asked to identify audit risk or
business risk.

10
Q

The statutory audit process Risk and materiality 3.1 Business risk approach

A

An auditor needs to understand the business risks that the company is exposed to, in
order to assess the effectiveness of the internal controls to mitigate those risks, and
to aid detecting the risk of material misstatement in the financial statements.
There are three principal areas of business risk.
• Financial risk
– financial consequences of operating activity and risk associated with the
company’s finance.
• Operational risk
– risks associated with the company’s trading activity.
• Compliance risk
– risks resulting from non-compliance with law and regulations.
Note: Remember that transition and physical risks related to climate change also
generate business risk (see Chapter 1).
• Business risks can be managed using good corporate governance, including
the design, implementation and monitoring of internal controls.
Business risk impacts on the audit in a number of ways, assisting the auditor to:
• identify motives to deliberately manipulate the financial statements
• have a better understanding of the context of the financial statements having
performed analytical procedures
• assess the going concern status of the company
• understand the regulatory and legal environment in which the company
operates to assess the risk of non-compliance
• identify complex accounting issues for further evaluation.

11
Q

The statutory audit process Risk and materiality 3.2 Audit risk approach

A

In the CR exam we can expect to be asked to identify and explain audit
risks. Audit risk can be broken down into 3 elements. Usually, we are
not asked to categorise the risks but, if we are, then inherent risk tends
to be the main area of focus, with detection risk the residual item
(because it can be managed by the auditor).
AR = IR × CR × DR
where AR = audit risk, IR = inherent risk, CR = control risk and DR = detection risk.
The auditor assesses the risk of material misstatement, which is the
inherent risk and the control risk combined. The risk of material
misstatement then dictates the acceptable level of detection risk.
Note: If the risk of material misstatement is high, then detection risk is
rendered low, by changing the nature, extent and timing of procedures
(see later).

12
Q

The statutory audit process Risk and materiality Inherent risk

A

The susceptibility of balances and transactions to material misstatement
irrespective of related controls.
Examples:
• motives for management to manipulate the financial statements
• doubts about client integrity
• inexperienced client staff
• complex or subjective accounting areas
• cash-based businesses

13
Q

The statutory audit process Control risk

A

The risk that the entity’s controls will not prevent or detect material error
on a timely basis.
For the purposes of the exam, the key issues are:
• control environment i.e. Attitude, Awareness, Actions of those charged with
governance and management. Includes:
– segregation of duty
• control activities/procedures. Examples include:
– authorisation and review of transactions
– sequence checks on documentation
– matching of documentation within a transaction cycle:
  e.g. purchase order matched to a goods received note and matched
  to a purchase invoice
– checking sequence of documentation
– recalculations
– analytical review on management accounts
– performance of reconciliations
– physical and IT security.
Detection risk
The risk that the auditor’s procedures fail to detect material
misstatement.

14
Q

The statutory audit process 3.3 Analytical procedures

A

Analytical procedures are used throughout the audit. Analytical procedures include:
• simple year-on-year comparisons
• examining related accounts
• reasonableness tests, comparing the actual value with a calculated expectation
• trend analysis
• ratio analysis.
At the planning stage, the output of these procedures may identify areas which
conflict with the auditor’s understanding of the business, raising concerns of
misstatement, and therefore highlighting risk areas for the audit.
Analytical procedures are most effective when:
• the underlying data used is reliable
• there are plausible relationships between the items being compared.

15
Q

The statutory audit process 3.4 Data analytics

A

Data analytics is a term used to describe the process of analysing large sets of data
in order to identify patterns. The output is often given in a visual form, such as a bar
chart.
The auditor can interrogate the data in whichever way is the most appropriate. In
particular, data analytics allows the auditor to use filters and therefore focus on risk
areas.
In the exam, part of one question will involve data analytics
representing approximately 15 – 20 marks. You will be expected to
interrogate a data set using Inflo software. The ICAEW will issue
advance information in the form of a pdf document containing details
about a company’s first 11 months of trading. In the exam itself you will
then be provided with the full 12 months of data.
Example:
The auditor may use data analytics to analyse journals posted. The analysis
identifies:
• the total number of journals posted
• the number of journals posted manually
• the number of journals posted automatically by the system
• the number of people processing journals
• the time of day the journals are posted.
The auditor may conclude there is a higher risk of fraud this year compared with last
if:
• the number of manual versus automatic journals increases significantly
• the number of people processing journals increases
• journals are posted outside of normal working hours.

16
Q

The statutory audit process 3.5 Materiality

A

‘Misstatements, including omissions, are considered material if
they, individually or in the aggregate, could reasonably be
expected to influence the economic decisions of users taken on
the basis of the financial statements’ ISA 320, para 2
It follows that materiality is a judgement that must be made in the
context of the effect that an error or omission will have on the users.
Auditors must therefore consider the nature of the error/omission as well as its size.
Size thresholds:
• Revenue approx. 1%
• Total assets 1 – 2%
• PBT approx. 5%
Performance materiality
In order to address the risk that individually immaterial misstatements prove to be
material in aggregate, auditors will typically apply a lower materiality threshold during
the performance of the audit – this is known as ‘performance materiality’.
Clearly trivial amounts
These amounts are much smaller than materiality. The auditor may set a “clearly
trivial” level and any error/omission below this level is not recorded in a schedule of
uncorrected misstatements (See section 9.2 later).

17
Q

The statutory audit process Responding to audit risks

A

Nature of audit testing
• Substantive vs tests of control
• Detailed audit procedures focussing on the risk area
• Seek evidence from a more reliable source
• Seek corroborative evidence from an alternative source
Extent
• Take bigger samples
• Consider 100% testing
Timing
• Interim audit
• Continuous use of data analytic software
• Longer period between the year-end date and final audit to allow more use of
subsequent events

18
Q

The statutory audit process Designing audit procedures to collect
audit evidence 5.1 Quality of audit evidence

A

Audit evidence must be:
Sufficient
• Covering all aspects of the financial statements
• Sample sizes should be adequate to represent the population as a
whole
• Samples should be taken from appropriate populations
(homogenous items).
Reliable
• 3rd party evidence is better than internally generated
• Original documents are better than copies
• Written/printed evidence is better than oral (if oral reps are relied upon, include
them in the letter of representation)
• Triangulation – auditors should obtain complementary evidence from different
sources, and assess whether evidence from different sources is consistent.
Relevant
• Consider the assertion being tested
• Directional testing – test assets for overstatement: valuation and existence and
test liabilities for understatement: valuation and completeness.

19
Q

The statutory audit process Designing audit procedures to collect
audit evidence 5.2 Types of audit procedure

A

The examiner has commented that some students are unable to
distinguish different types of audit procedure; in particular, that
analytical procedures qualify as substantive testing, but not as tests of
detail.

Audit procedures
• Tests of controls: ‘Designed to evaluate the operating effectiveness of controls’
• Substantive procedures: ‘An audit procedure designed to detect material misstatement at the assertion level’
– Tests of detail
– Analytical procedures
20
Q

The statutory audit process Designing audit procedures to collect
audit evidence 5.3 Tests of controls

A

• Inspection of documents for evidence of internal controls
• Enquiries
• Re-performance of control procedures
• Examine evidence of management attitude
• Observation
• Test computer controls.
Consider issues such as:
• how controls were applied
• consistency of the application of controls
• who applied the controls.
5.4 Analytical procedures
Planning stage:
Use analytical procedures to identify audit risks and to concentrate work on key
areas.
Substantive testing stage:
Use analytical procedures to test an account balance for reasonableness. The
following approach is methodical:
1 set expectations
2 compare actual with expected
3 obtain possible reasons for variances
4 evaluate the impact of any unresolved differences between expected and
recorded amounts.
Proof-in-total can be used to prove a figure in the financial statements.

21
Q

The statutory audit process Designing audit procedures to collect
audit evidence Final review stage:

A

Read through the financial statements and ensure that:
• the financial statements are consistent with the auditor’s knowledge of the
business
• the financial statements adequately reflect the information and explanations
obtained during the course of the audit and the conclusions reached
• any new factors that need further investigation are identified
• the total unadjusted errors identified are not material in aggregate.

22
Q

The statutory audit process Designing audit procedures to collect
audit evidence 5.5 Tests of detail

A

A test of detail is any substantive procedure other than analytical procedures.
A common requirement in the exam is to identify audit risks from a
scenario, and to generate a list of audit tests which should be carried
out to mitigate those risks. A good quality answer will link these two
requirements, proposing audit procedures based upon the risks
identified.
In the exam you will have to recommend appropriate audit procedures and there is
likely to be a significant number of marks allocated to this in the marking guide.
It is vital that these procedures are clear and detailed enough to score the marks
available.
Quoting from the examiner’s comments on a past exam question:
‘Candidates who used active verbs such as evaluate – challenge – inspect – observe
– calculate – using appropriate evidence achieved high marks. Weaker candidates
who used repeatedly review – consider – discuss (without saying what or why or
how?) and set out procedures which were not relevant and reliable scored less well.
Weaker candidates produced generic audit procedures using vague terms such as
‘review’ or ‘obtain’ – without explaining what and why they are reviewing and what
they are going to do with the information that they obtain.
Weaker candidates failed to apply concepts of reliability of audit evidence (no
attempts to obtain third party evidence) and a lack of appreciation that ‘checking that
the transaction has been accounted for properly’ has no actual practical credibility.
Candidates should illustrate an appreciation of why they are performing certain tests
and inspecting certain documents.’

23
Q

The statutory audit process Designing audit procedures to collect
audit evidence Audit procedures have three elements

A

Verb/action
• Inquire
• Observe
• Inspect
• Recalculate
• Reperform
• Confirm to an external source
• Challenge

Object/source
• Asset
• Document
• Entity
• Person

Objective
e.g. financial statement assertions
Note: you need to state the purpose of your procedure although you do not have to use
the exact terminology of the financial statement assertions.

24
Q

The statutory audit process Designing audit procedures to collect
audit evidence 5.6 Financial statement assertions

A

Transactions
• Occurrence
• Completeness
• Accuracy
• Cut-off
• Classification
• Presentation

Account balances
• Existence
• Rights and obligations
• Completeness
• Accuracy, valuation and allocation
• Classification
• Presentation

25
Q

The statutory audit process Audit evidence – reliance on the work
of others

A

The auditors are responsible for obtaining sufficient appropriate evidence. If they
have relied on others’ work, the auditor will still take full responsibility for the audit
opinion. The auditor will not make reference to anyone they have relied upon in the
audit report.

26
Q

The statutory audit process Audit evidence – reliance on the work
of others 6.1 Use of experts

A

Step 1: Consider whether it is appropriate to rely on the expert
Consider expert’s qualifications, competence, experience, objectivity and reputation.

Step 2: Contract
Agree in writing
• Nature, scope and objective of expert’s work
• Roles and responsibilities
• Nature, timing and extent of communications and reports
• Confidentiality.

Step 3: Assess the expert’s work
• Consistency of findings with other audit evidence
• Underlying assumptions and source data.

27
Q

The statutory audit process Audit evidence – reliance on the work
of others 6.2 Reliance on internal auditors

A

How much should the external auditor rely on the internal auditors’ work?
Depends on
• Nature and scope of IA’s work
• Risk
• Degree of subjectivity.

Assess IA function
• Organisational status
• Scope of function
• Technical competence
• Due professional care.

Evaluate IA work on which the external auditor wants to place reliance
• Adequate training
• Sufficient appropriate evidence
• Conclusions appropriate
• Exceptions are resolved.

28
Q

The statutory audit process Audit evidence – reliance on the work
of others 6.3 Reliance on component auditors (group audits)

A

Component auditor – An auditor who performs audit work related to a
component for purposes of the group audit. A component auditor is a part
of the engagement team for a group audit.

Understand the component auditor
• Independence, professional competence, ethical considerations
• Whether the group audit engagement team will be able to be involved in the
component auditor’s work if necessary
• The results of any regulatory monitoring or inspection of the component auditor
• Obtain confirmation that the component auditor will cooperate with the group auditor.

Materiality
• Group audit team set materiality level for group financial statements
• Materiality should also be set (at lower level) for components which are
individually significant.

Extent of work required
• Significant components require full audit based on component materiality level
• If a component includes significant risks of material misstatement of the group
financial statements due to nature/circumstances:
– full audit using component materiality
– audit of specified balances related to significant risks
– specified audit procedures related to significant risks
• Components that are not significant should be subject to analytical review at
group level.

Communication
• Group auditors must communicate the work to be performed, materiality, list of
significant risks and list of related parties
• Component auditor must communicate the matters relevant to the group team’s
conclusion regarding the group audit.

Evaluation
• Has the component auditor performed the work requested and complied with
ethical requirements.
• Identify:
– instances of non-compliance with law and regulations by the component
– indicators of management bias or fraud
– going concern threats to the group as a whole
• Obtain:
– a schedule of corrected and uncorrected misstatements
– a summary of control deficiencies
• Review component auditor’s findings and conclusions
Based on this evaluation, determine whether the component auditor’s work is
adequate for the purposes of the group audit and whether additional procedures
should be performed by the component or group auditor.

29
Q

The statutory audit process Audit evidence – reliance on the work
of others 6.4 Service organisations

A

Service organisations can be part of an entity’s information systems.
e.g. third party website operators, payroll function providers.
If the organisation provides a service that relates to an item that is
material in the context of the financial statements then the auditor will
need to obtain sufficient, appropriate evidence relating to that area.
• Gain an understanding of the nature of the services provided by the service
organisation, the impact on the financial statements and whether the client or
service organisation keeps sufficient records for the auditor’s use.
• Assess the controls over the affected areas:
– at the entity
– at the service organisation.
• Gain evidence over the relevant assertions:
– from the records kept at the entity if possible
– if not sufficient, then will also need to perform procedures on the service
organisation’s records.
• May rely on a service auditor to confirm and test controls of the service
organisation
• Consider the implications for the audit report – do not refer to the service
organisation or the service auditors in the report.

30
Q

The statutory audit process Information technology 7.1 Internal controls in the IT environment

A

Computer controls fall into two categories:

General controls – over the whole computer system
Examples:
• Environmental controls
• Hierarchical password access
• Firewalls
• Anti-virus protection
• Staff training
• Back-ups
• Segregation of duties
• Logging all usage

Application controls – over a specific programme
Examples:
• Exception reports
• Authorisation controls
• Required fields
• Balance check on journals
• Formatted fields
• Batch totals (compare total of list of figures on list to total inputted)
• Hash totals (same as batch totals but for other figs e.g. supplier numbers)
• Check digits (mathematical formulae e.g. on bar codes)
• Standing data with restricted access to amend

31
Q

The statutory audit process Information technology 7.2 Cyber security

A

Businesses need to keep their data, such as customer details or
internal company information, secure. As significant amounts of data are held
electronically, a business needs to address cyber threats as part of its
internal controls.
Cyber threats
• Cyber criminals
• Hacktivists (agenda driven)
• Nation states
• Insiders/partners
• Competitors
• Skilled individual hacker.
Implications
The different threats can lead to a number of different risks to the business, which
could lead to a misstatement in the financial statements.
• Theft of intellectual property/strategic plans
• Financial fraud
• Reputational damage
• Business disruption
• Destruction of critical infrastructure
• Threats to health and safety
• Breach of data protection regulations such as GDPR (General Data Protection
Regulation).

32
Q

The statutory audit process Information technology Addressing cyber security threats

A

• Cyber-security should become the responsibility of a board member
• There should be clear identification of responsibility for cyber security amongst
individuals involved in operational areas open to cyber security threats
• As part of the business’s risk assessment, critical business data and associated
risks should be identified
• Joining industry networks to share intelligence
• Subject to cost constraints, employ in-house IT professionals or out-source to
external experts who can help identify risks and suggest means to mitigate the
risks
• Ensure that non-executive directors and audit committee members have
appropriate knowledge and training to hold management to account in a
meaningful way regarding cyber risks
• Improve the understanding between board members and IT specialists
• Introduce monitoring mechanisms to identify suspect behaviour by disgruntled
staff (insider risk)
• Develop incident response procedures and procedures for business
continuity/disaster recovery
• Ensure that standard IT controls are implemented, enforced and reviewed, such
as:
– firewalls
– use of strong passwords regularly updated
– two-factor security (e.g. confirming identity when accessing sensitive
information by way of text message and input of code)
– appropriate training of staff in identification of cyber threats such as
phishing e-mails
– data back-ups
– anti-virus protection.

33
Q

The statutory audit process Information technology 7.3 Cloud computing

A

Cloud computing involves the hosting of data on remote servers accessed via the
internet to store, manage and process that data.
It has become a common part of everyday life with individuals and businesses using
cloud services such as Google Drive, Apple iCloud and Microsoft Office 365.
Many businesses also use cloud accounting services.
The ICAEW has produced an IT Faculty document, ‘Cloud Adoption: Understanding
the Risk of Cloud Services’. It is aimed at small businesses but the issues raised are
relevant to an auditor in appraising such systems.
The auditor should consider the following:
Back-ups
 Does the cloud service take regular back-ups of client data?
 Does the client have its own back-up strategy?
 Is the cloud service’s process for restoring data regularly tested?
 Is there a service level agreement regarding data assurance and does the cloud
service perform exercises to ensure that these can be met?

34
Q

The statutory audit process Information technology 7.3 Cloud computing Security

A

• Is the platform regularly given to third-party ‘penetration testers’ for potential
vulnerabilities, who vigorously test the platform to determine whether an
attacker could gain unauthorised access?
• Is there an adequate process in place in the event of identification or notification
of a security breach?
• Is data held on the platform stored in an encrypted format?
• Is payment data held on a PCI-DSS compliant platform?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security
standards designed to ensure that ALL companies that accept, process, store or
transmit credit card information maintain a secure environment.
• Are there recognised standard working processes and procedures in place and
adopted?
• Is the platform protected against ‘denial of service’ attacks, where attackers
could prevent access to the service indefinitely by flooding the platform with
erroneous traffic or requests for information?

35
Q

The statutory audit process Information technology Compensation for loss

A

Are compensation levels for loss of data written into agreements, and are they
adequate?

36
Q

The statutory audit process Information technology Using the service

A

• Are there contractual commitments regarding availability of service and
performance levels?
• What is the provider’s capability to develop new features i.e. is there a realistic
roadmap?
• To what extent are features integrated?
• Are responsibilities for ongoing support documented?

37
Q

The statutory audit process Information technology 7.4 Artificial Intelligence

A

Artificial intelligence (AI) is technology to help improve decisions made by
machines, based on machine learning, in an attempt to make better decisions than
humans can. AI requires pattern recognition and learning, rather than relying on a
series of complex rules. This is an advantage of AI over expert systems which failed
to grasp the complexities of the real world and were unable to adapt to dynamic
situations.
AI and auditors
There is an increasing role for AI as part of audit data analytics, in automated and
smart auditing of populations, not just samples, thus reducing human error.
Accountancy applications
Increased automation in transaction processes and systems, greater analysis of data
to differentiate between ‘rogue’ (e.g. fraud) and ‘normal’ activity and better predictions
and forecasts on complex areas such as revenue.
Limitations
AI may struggle to cope with unusual situations, particularly if there is little past data
to learn from.
Developing AI systems requires significant investment, particularly when the
technology is so new.

38
Q

The statutory audit process Completion 8.1 Reviewing another team member’s work

A

Here is an example of a typical exam requirement:
For each matter in Exhibit 1:
• set out and explain the appropriate financial reporting treatment for
the financial statements for the year ended …
• identify and explain any weaknesses in the audit procedures
completed by the audit junior/senior, and
• set out any additional audit procedures that should be performed
to provide assurance for the audit opinion.
As always, you must be specific to the scenario, but there are some common
weaknesses to look out for.
• Has everything been tested? e.g. balances might be omitted from testing.
• Is there enough evidence? e.g. sufficient sample tested (and has the sample
size been justified in terms of audit risk, materiality, and the size of the
population tested).
• Was the method of sample selection appropriate or has it resulted in an
unrepresentative sample?
• Was the evidence reliable? Consider the extent of reliance that may be placed
on the evidence – e.g. external is better than internal, written is better than oral.
Note: often a junior member of staff will accept explanations provided by a client
and fail to corroborate with other evidence.
• Applying the wrong materiality level – e.g. applying group materiality to a
subsidiary’s individual company audit.
• Complex issues – e.g. the junior may not fully understand the issue(s).
• Failure to consider all relevant financial statement assertions – e.g. confirming
the existence of an asset but not ownership, or performing procedures on
balances and transactions that have been recorded, but failing to consider
whether those items are complete – e.g. failing to consider the potential
understatement of payables balances through omission.
• Agreeing the client’s figures to schedules produced by the client rather than
other evidence – e.g. agreeing the purchase accruals balance to the client’s list
of purchase accruals, without checking items on the list are genuinely goods
received not invoiced.
If the audit documentation provided has insufficient detail for you to conclude on a
test then request additional information. Remember that if it’s not documented it’s not
done!

39
Q

The statutory audit process Completion 8.2 Schedule of uncorrected misstatements

A

During the course of the audit, misstatements will be identified which
may be material or immaterial to the financial statements.
The client will adjust the financial statements to take account of some,
or all, of these misstatements during the course of the audit.
At the end of the audit, however, some misstatements may still be uncorrected. The
auditors will summarise these uncorrected misstatements in order to conclude as to
whether a material misstatement remains.

40
Q

The statutory audit process The auditors’ report 9.1 Audit report modifications

A

Audit reports

Unmodified report

Modified report
Modified opinion on FS
– Qualified: A material error is present in the FS or a limitation of scope over a material matter
– Adverse: A disagreement over an error which is material and pervasive
– Disclaimer: A limitation on scope over a matter which is material and pervasive

Unmodified opinion on FS
– Other matter: Draws attention to a matter outside of the FS (e.g. prior year FS not audited)
– Emphasis of matter: Draws attention to a matter inside the FS (such as a significant litigation)

41
Q

The statutory audit process The auditors’ report 9.2 Reporting on other information Directors’ and strategic reports

A

The Companies Act 2006 requires the auditor to report on
whether the information contained in the directors’ report and
strategic report is consistent with the financial statements.
This opinion is included in a section of the auditor’s report
entitled ‘Opinion on other matters prescribed by Companies
Act 2006’.
The auditor is required to read the information and, if any inconsistencies are
identified:
• Discuss the matter with management
• If the inconsistency is not resolved, amend the auditor’s report

42
Q

The statutory audit process The auditors’ report 9.2 Reporting on other information Any other information

A

ISA (UK) 700 requires the audit report to include a separate section with a heading
‘Other information’ addressing any additional information provided with the
company’s financial statements (other than the directors’ and strategic reports).
ISA (UK) 720 states that if the other information contains a material misstatement
and the directors refuse to correct it, the uncorrected misstatement must be
described in the ‘other information’ section of the audit report.

43
Q

The statutory audit process The auditors’ report 9.3 Reporting on going concern

A

Scenario: The company is a going concern and there are no material uncertainties
regarding going concern.
Impact on the auditor’s report:
Unmodified opinion.
Include a ‘Conclusions relating to going concern’ section.

Scenario: The company is not a going concern, but the directors have prepared the
financial statements on the going concern basis.
Impact on the auditor’s report:
Material and pervasive misstatement.
Do not include the ‘Conclusions relating to going concern’ section.
Instead, issue an Adverse opinion.

Scenario: The company is not a going concern and the directors have prepared the
financial statements on the break-up basis, with adequate disclosure of the
basis of preparation.
Impact on the auditor’s report:
The financial statements are not misstated.
Do not include the ‘Conclusions relating to going concern’ section.
Unmodified opinion.
An emphasis of matter paragraph is used to highlight:
• the alternative basis of preparation
• reasons for doing so
• the disclosure
to the users of the financial statements.

Scenario: The going concern status of the company is uncertain and the
directors have made adequate disclosure of the uncertainty.
Impact on the auditor’s report:
The financial statements are not misstated.
Do not include the ‘Conclusions relating to going concern’ section.
Unmodified opinion.
A separate section is included in the auditor’s report under the heading ‘Material
Uncertainty Related to Going Concern’ to:
• draw attention to the disclosure note
• state that the material uncertainty may cast significant doubt on the entity’s
ability to continue as a going concern
• state that the auditor’s opinion is not modified in this respect.

Scenario: The going concern status of the company is uncertain and the
directors have not made adequate disclosure of the uncertainty.
Impact on the auditor’s report:
The financial statements are misstated.
Do not include the ‘Conclusions relating to going concern’ section.
This could be considered material or pervasive.
Qualified (‘except for’) opinion OR adverse opinion.
Explain in the ‘Basis for qualified/adverse opinion’ section that the material
uncertainty exists and it is not disclosed adequately.

44
Q

The statutory audit process The auditors’ report

A

ISA 701 Communicating Key Audit Matters in the Independent Auditor’s Report
requires auditors of listed companies to determine key audit matters and to
communicate those matters in the auditor’s report.
Auditors of non-listed entities may voluntarily, or at the request of management or
those charged with governance, include key audit matters in the auditor’s report.
Key audit matters are those that in the auditor’s professional
judgment were of most significance in the audit and are
selected from matters communicated to those charged with
governance.
The purpose of including these matters is to assist users in understanding the entity,
and to provide a basis for the users to engage with management and those charged
with governance about matters relating to the entity and the financial statements.
Each key audit matter should describe why the matter was considered to be
significant and how it was addressed in the audit.
Key audit matters include:
• areas of higher assessed risk of material misstatement, or significant risks
identified in accordance with ISA 315 (Revised) Identifying and Assessing the
Risks of Material Misstatement Through Understanding the Entity and its
Environment
• significant auditor judgments relating to items in the financial statements that
involved significant management judgment, including accounting estimates that
have been identified as having high estimation uncertainty
• the effect on the audit of significant events or transactions that occurred during
the period.

45
Q

The statutory audit process Communicating weaknesses in internal controls

A

Auditors must communicate to those charged with governance any significant
deficiencies discovered during the course of the audit in the management letter. This
communication will typically have two parts – each is considered in turn.
1 A covering letter
– Addressed to management
– Dated as soon as possible after the audit is completed
– Includes a disclaimer which states that it is:
  • not a comprehensive list of weaknesses
  • for management use only
  • not to be disclosed to third parties without prior written consent of the
  auditor
– Thanks staff for their cooperation.

2 An appendix detailing the weaknesses identified and recommending
improvements, usually in tabular format:

Weakness: State the facts

Implications: These items must be commercial, e.g. lose money, increased costs,
decreased efficiency, loss of customer or staff goodwill, reduced revenue etc.

Recommendation: This must be:
• Specific
• Relevant
• Reasonable