Planning the audit

3 assignment

this chapter covers . . .

In this chapter we describe the procedures auditors should carry out before they accept
a new audit client, and how they assess audit risk. We explain how auditors document
their clients financial systems and how they identify internal controls.

The chapter covers:

accepting appointment as an auditor

the engagement letter, which formally appoints the auditors
knowledge of the clients business
assessing audit risk
documenting the systems
the internal control systems of the client
internal control questionnaires drawn up by the auditor

NVQ PERFORMANCE CRITERIA COVERED

unit 17 IMPLEMENTING AUDITING PROCEDURES

element 17.1
contribute to the planning of an audit assignment
A ascertain accounting systems under review and record them clearly in appropriate
working papers
B identify control objectives correctly
C assess risks accurately
D record significant weaknesses in control correctly
H follow confidentiality and security procedures
I formulate the proposed audit plan clearly in consultation with the appropriate personnel
J submit the proposed audit plan to the appropriate person for approval
 planning the audit assignment 37

ACCEPTING AN APPOINTMENT

Accepting an appointment as auditor is a serious step and one which should not
be taken without a full consideration of all of the issues involved.
ISA 220 Quality control for audits of historical financial information
states
Acceptance of client relationships and specific audit engagements
includes considering
the integrity of the principal owners, key management and those
charged with governance of the entity (ie the directors)
whether the engagement team is competent to perform the audit
engagement and has sufficient time and resources
whether the firm and the engagement team can comply with ethical
requirements

The process that the auditors need to go through before they can accept the
appointment is best described by a series of steps as illustrated on the diagram
on page 39.

We will discuss each step separately in detail.

step 1 legal and ethical problems

Before accepting any audit assignment the auditors have to decide whether
there are any legal or ethical problems which might prevent them from
accepting the assignment. We looked at these in some detail in Chapter 2. To
remind you, the main considerations are:
does anyone in the audit firm hold shares in the potential client?
does anyone in the audit firm have a close relative in a senior position at
the potential client?
is the potential fee so large that would be more than 15% of total practice
income?

step 2 practical problems

Providing there are no legal or ethical problems preventing their appointment,
auditors should then consider whether they have adequate resources and
sufficient expertise to carry out the proposed audit successfully.
38 implementing auditing procedures

For example:
the potential client may have branches and departments located in
different parts of the country, which all need to be visited at the same time
the auditors must be sure that they have sufficient staff with the
appropriate ability to carry out the work
the potential client might operate a highly complex IT-based business
requiring sophisticated computer-based auditing tools and technically
skilled staff in order to carry out their audit work satisfactorily
Providing the auditors are satisfied that there are no practical problems
which might prevent them from carrying out their work, they are free to
move to the next step on the appointment ladder.

step 3 contact existing auditors

The ethical rules state that incoming auditors must write to any outgoing
auditors to:
inform them of the proposed change

ask them if there are any reasons why the appointment should not be
accepted
This gives the outgoing auditors a chance to notify potential new auditors of
any issues they have had with the audit or any problem they have had with
the client.
Before any information is exchanged the client must give permission to:
the incoming auditors to contact the outgoing auditors

the outgoing auditors to discuss the clients affairs freely with the
incoming auditors
Failure on the part of the client to give permission for either of the above to
happen would mean that the incoming auditors should refuse to accept the
appointment.
If the exchange of information does take place then the incoming auditors
must decide if anything they are told will prevent them from accepting the
audit engagement.
This is best illustrated by a Case Study, which follows on page 40.
The explanation of Step 4 then follows on page 41.
 planning the audit assignment 39

the process for the appointment of auditors

Are there any legal or ethical decline

STEP 1 YES
problems preventing appointment? appointment

NO

Are there any practical problems decline

STEP 2 YES appointment
related to carrying out the work?

NO

Write to outgoing auditors (if there

STEP 3
are any)

decline
Does the client object? YES
appointment

NO

Do the outgoing auditors indicate

that there are serious problems decline
YES
appointment
with the client?

NO

Find out as much as possible

decline
STEP 4 about the client. Does this provide YES
appointment
any doubts or problems?

NO

Agree terms of Engagement Letter

STEP 5
with the client.
40 implementing auditing procedures

Case
Study B I G B O LT L I M I T E D : TA K I N G O N T H E A U D I T

situation
Stamper & Co have been approached to take over the audit of a manufacturing
company, Bigbolt Ltd.

The client is similar in size to existing clients of Stamper & Co and there are no ethical
problems which might prevent Stamper being appointed.

Stamper writes to the outgoing auditors Blotter & Co to ask them if there are any
reasons why they should not accept the appointment.

Blotter & Co have written back saying:

On two occasions they were refused access to the minutes of directors meetings.

The financial statements originally included a large provision for damages. When
asked for evidence to justify this provision the managing director refused to supply
it. It was eventually excluded from the accounts after the auditors threatened to
include details in their auditors report.

There were many problems surrounding the stock valuation. After the stock take,
a number of count sheets went missing, and the auditors had doubts about the
value of a significant number of items. Some of these problems were never fully
dealt with but it was not considered that they would materially affect the stock
figures.

required
After reading the comments from Blotter & Co, you are to decide whether Stamper &
Co should accept the appointment as auditors to Bigbolt Ltd?

answer
The letter from Blotter & Co is clearly a cause for concern. The relationship between
Bigbolt Ltd and Blotter has obviously completely broken down, which is presumably
why Bigbolt are looking for new auditors.

It would seem from Blotters letter that the management of Bigbolt is reluctant to
disclose information and, in one case, had to be pressured by Blotter to remove or
justify a provision in the accounts.

On the face of it, the management of Bigbolt does not appear to have very high ethical
standards and the best advice would be that Stamper should decline the appointment
as auditors of Bigbolt.
 planning the audit assignment 41

step 4 investigate the client

Assuming that the letter from the outgoing auditors does not show up any
significant problem areas, the next step is for the audit firm to find out as
much as they can about their potential client from as many sources as
possible. Sources of information could include:
the latest financial statements - which should be reviewed to find out if
there could be any particular problem areas involved in the audit
discussions with third parties such as bankers, legal advisors or members
of the business community who might have knowledge of the prospective
client there clearly might be issues of confidentiality here which the
prospective auditors and the other professionals will have to bear in mind
relevant databases searches or the internet for additional information
about the client
the clients own publicity material or other information which they are
able or willing to provide
The whole point of this process is to help the auditor to find out as much as
they possibly can about the client and its management before they accept the
appointment.
When all these steps have been completed and the auditors have decided to
accept, they need to formalise their appointment as auditors. This is done by
sending an engagement letter to the client.

THE ENGAGEMENT LETTER

ISA 210 Terms of audit engagements states:

It is in the interest of both client and auditor that the auditor sends an
engagement letter, preferably before the commencement of the
engagement, to help in avoid misunderstandings with respect to the
engagement.
The engagement letter documents and confirms the auditors
acceptance of the appointment, the objective an scope of the audit , the
extent of the auditors responsibilities to the client and the form of any
reports.
The legal basis of the auditors relationship with their client is written down
in a formal document known as an engagement letter.
This is an extremely important document because:
it confirms the auditors acceptance of the appointment, and

it sets out the responsibilities of each of the parties involved to ensure that
there is no misunderstanding between the auditor and the client.
42 implementing auditing procedures

The engagement letter forms a legally binding contract between the auditor
and the client.
You should look at the sample engagement letter in the Appendix on pages
xx-xx. You are not expected to remember the contents in detail, but you
should have a broad idea of what the engagement letter contains.

contents of an engagement letter

The engagement letter is an agreement between the directors and the
auditors that each of them will play their part in preparing and auditing the
financial statements.
As a minimum requirement it should include the following:
1 The directors agree to be responsible for:
maintaining proper accounting records
preparing the financial statements which must comply with the
appropriate legislation and Accounting Standards
making all the books and records available to the auditors as they
need them
giving any explanations and providing any additional information
the auditors need

2 The auditors agree to:

express an opinion on the financial statements
conduct the audit in accordance with the appropriate Auditing
Standards

3 The letter will give a general indication of the nature and extent of the
audit work to be carried out. This might include:
confirmation that the auditors will visit branches or subsidiaries
confirmation that they will attend stock counts
the use of specialist software to evaluate computer systems

4 The letter will also give an indication

if any other firms of auditors are to be involved in a secondary role,
eg auditing remote branches or subsidiaries
whether independent experts, eg expert valuers, are to be used
 planning the audit assignment 43

5 The letter should also confirm that the responsibility for detecting fraud
and for safeguarding the clients assets is the responsibility of the
company management and not the auditors.
In addition to these key points the letter is likely to include:
a statement to the effect that any weaknesses in controls identified during
the audit will be reported to management
arrangements regarding fees
the nature and scope of any additional work to be carried out, eg taxation
calculations
At this point the auditors should also ensure that their appointment has been
agreed by the directors. They do this by obtaining a copy of the signed
minutes of the directors meeting at which their appointment was confirmed
and putting it on their Permanent File. (We will look in more detail at the
Permanent File later in this chapter.)
When auditors have accepted the audit and have been officially appointed,
their real audit work can begin.

KNOWLEDGE OF THE BUSINESS

We have already said that the auditors must find out as much as possible
about a potential client before they can accept the appointment as auditors.
When they have been appointed, they must take this a stage further and find
out as much detailed information as they can about their new client, its
management and staff, and the business environment in which it operates
ISA 315 Understanding the entity and its environment and assessing
the risks of material misstatement states:
The auditor should obtain an understanding of the entity and its
environment, including its internal control, sufficient to identify and
assess the risk of material misstatement of the financial statements
whether they are due to fraud or error, and sufficient to design and
perform further audit procedures.

the business environment

During the course of the relationship with the client, the auditor should
constantly gather information about the business environment in which the
client operates. This will include:
information about the clients position and reputation within its industry
sector
44 implementing auditing procedures

the general economic conditions within the industry sector, including the
level of competitiveness and political or economic factors
the possible effect of technological change or environmental factors

any cyclical or seasonal aspects of the business or any vulnerability to

factors such as changes in fashion
any major legislative or regulatory impacts which might affect the client

economic conditions such as interest rates or inflation

Information can be gathered from a variety of sources including:

industry specific publications, trade journals and websites

previous experience of other clients in the same industry

discussions with previous auditors

government publications, statistics, surveys

financial journals

the business, its management and staff

Auditors cannot begin to carry out any work on verifying the financial
statements unless they have a complete understanding of the following:
the structure of the organisation its divisions, departments or
subsidiaries
the management structure
the products and processes
the accounting systems
This type of information can only be successfully obtained by direct contact
with the clients management and staff. They are the only real source of the
detailed information that will allow the auditors to fully understand the
who what why, where and when of the clients day-to-day activities
The auditors should have a clear understanding of:
the client
the clients business activities
the internal and external environments in which the client operates
The auditors will then be in a position to decide what audit work is required
to ensure that the correct audit opinion is reached.
 planning the audit assignment 45

ASSESSING AUDIT RISK

The correct assessment of audit risk is vital, and is probably one of the most
important aspects of audit that you have to study.
The whole approach that the auditors take to their audit work is based on how
they assess the level of risk that their audit client represents. Basically, if the
auditors think that the client represents a high level of risk they will need to
carry out much more detailed audit work than if they assess it as being low
risk.
We will now look at what we mean by risk in the context of auditing.

what is audit risk?

Audit risk is the risk that after carrying out all the audit work the
auditors give the wrong opinion of the clients accounts.
They may say that the accounts do not give a true and fair view when in fact
they do. Or conversely, more worryingly, they may say that the accounts do
give a true and fair view when they do not. In either case, the auditors do not
want to get it wrong in the worst scenario the matter could end up in the
courts with serious legal consequences.

audit risk and fraud

One thing that must be stressed is that audit risk has nothing directly to do
with fraud. It is not the auditors job to set out to detect fraud. As we have
seen, they are not bloodhounds but watchdogs. Therefore, when auditors
are assessing risk they are not assessing the risk that they might fail to detect
a fraud.
Note, however, that ISA 240 The Auditors responsibility to consider
fraud in an audit of financial statements requires auditors to approach
any audit assignment with a degree of professional scepticism and says that
they must bear the possibility of fraud in mind when planning audit work.
This means that auditors should identify areas where the companys assets
are at greatest risk or where its controls are weakest.

risk assessment
ISA 315 Obtaining an understanding of the entity and its environment
and assessing the risks of material misstatement requires auditors to
identify and document areas of significant audit risk where they consider
there could be a material misstatement, for example:
46 implementing auditing procedures

in the financial statements as a whole

for individual disclosures within the financial statements
Auditors have to understand and identify risk arising both out of the
companys operations and from its systems of internal control by carrying
out a risk assessment.
This is done by a combination of
analytical review procedures, ie identifying inconsistencies in the figures
being audited (see Chapter 4)
discussions with management and other relevant people in the company
observation and inspection of the companys procedures and controls
A quick planning meeting with the financial director is not sufficient!
When the risks have been identified, the auditors have to design audit
procedures so that these risks are reduced to an acceptable level. Auditors
also have to identify whether there are risks which are so great that they
deserve special audit consideration, ie so significant that normal audit testing
processes will not be sufficient to validate the disclosures in the financial
statements.
Auditors must fully document all the steps in their risk assessment.
One important point which ISA 315 stresses is that the risk assessment must
be communicated and discussed with the whole audit team so that everyone
on the assignment is aware of potential areas of risk.

categories of risk
Auditors will measure the levels of audit risk so that they can estimate how
likely it is that they will give a wrong audit opinion. They therefore find it
easier to break the audit risk down into different types ie categories of
risk.
There are three main categories of risk:
inherent risk the risk is in the nature of the business or the item or
system being investigated
control risk the internal control system of the company may be have
weaknesses
detection risk the auditors may not pick up a significant error or
misstatement
The combination of these three types of risk will determine the overall level
of audit risk and allow the auditors to assess how much audit testing they will
need to do.
 planning the audit assignment 47

THE AUDIT RISK MODEL

The formula that links the three aspects of audit risk inherent, control and
detection is known as the audit risk model and is the only audit formula
that you have to remember:
audit risk = inherent risk x control risk x detection risk
As we will see below, the items in the formula are not normally given
numerical values, but a risk rating of high or low.
It is clear that the auditors will want to ensure that the overall level of audit
risk is as low as possible so that they will be able to come to the correct
opinion. We will first explain in detail the three types of risk and show how
the auditors can assess them and the extent to which they can control them

inherent risk
Inherent risk is the risk that an item or items in the accounts will contain a
material error or misstatement, simply because of the characteristics of the
company or the characteristics of the particular item.
The following tables show the key signs of inherent risk that the auditors will
look out for and the effect those factors may have.

INHERENT RISK

management & ownership of the business

potential risk areas the effect

domineering owner or director may influence the attitude of other directors and senior
management towards disclosure in the financial statements or
in the operation of the business

relationships between managers direct relationships (eg in family companies) between managers
or directors could reduce the effectiveness of the internal
controls

level of management expertise inexperienced or unqualified management may not appreciate

the likelihood of error

expectations of stakeholders expected levels of dividends by shareholders

guarantees about profit levels given to lenders when applying for
credit
48 implementing auditing procedures

the business

potential risk areas the effect

nature of the business over-dependence on a single customer, product or supplier

business operating a trade which involves cash or goods which

are easy to steal

products which are out of fashion or obsolete (this can give

problems with finished goods stock valuations)

industry factors a highly competitive trading environment

regulatory requirements which result in substantial cost to the

business

theft of assets stock or other assets which could be easily stolen and converted
into cash, eg computers, alcohol and cigarettes

large amounts of cash held in the business

information technology lack of computer systems documentation

reliance on a few key experts
security issues

staffing constant staff changes

low staff morale
little or no training

the accounts of the business

potential risk areas the effect

complex accounts complex financial structures involving subsidiary or associated

businesses

companies engaged in complex trade eg foreign currency or

share trading, freight forwarding, high tech businesses

items relying on judgement this requires objectivity on the part of the client staff making the
judgements (eg high levels of provisions at the year end)

cash transactions tracing cash transactions is always more difficult than tracing
credit transactions
 planning the audit assignment 49

There are, of course, many more inherent risks unique to specific companies.
As auditors it is important to remember that if some aspect of the business
appears unusual or poses a significant inherent risk, then it must be
considered when assessing the level of audit risk.
If a company has several areas of inherent risk, the auditor is likely to
grade the level of inherent risk as high. Read the Case Study that follows.

Case
Study INHERENT RISK MUCKERS LIMITED
situation
You have been approached to be the new auditors of Muckers Limited

Muckers Ltd is a construction company engaged in the construction of housing

projects, small office complexes and factory units.

Its main trade is in acquiring disused or derelict land and buildings (brownfield sites)
at a low cost and building developments which they then sell to businesses looking for
premises. They have been quite successful as the Development Director, Roger
Random has been able to find attractive sites which the company can acquire quite
cheaply. They also build new housing developments, mostly on greenfield sites in
development areas on the edge of town.

The Development Director, Roger Random has recently handed in his notice as he is
leaving to join a larger construction firm.

Muckers is owned and run by the Mucker family. Cyril Mucker, Chairman and Chief
Executive owns 60% of the shares. The only other director apart from Roger Random,
is Cyrils brother, Hugo Mucker who is responsible for overseeing the building
contracts.

The financial accounting section is run by Paula Poppett who is unqualified and
produces a set of management accounts quarterly. There are no budgets or
management accounts as Cyril Mucker believes that watching the bank balance is the
way to run the business.

The company has recently had some difficulty with two of its sites. On the brownfield
site inspectors have discovered contamination from an old asbestos factory and have
forbidden any further development until it is decontaminated by specialist contractors.
Muckers will have to pay for this. On a greenfield housing project Muckers built twelve
houses but have only sold two, as there are rumours that the local authority have
decided to put in plans to central government for a dual carriageway bypass next to
the new development.

The company employs a large number of temporary casual staff who are paid weekly
in cash.

required
Before you take on this client what would be your assessment of inherent risk?
50 implementing auditing procedures

solution
The inherent risk involved in this client is high for a number of reasons, including:

The company is under the control of a very small group of shareholders all of
whom are related. One of them, Cyril Mucker, is a major shareholder.

Cyril is also the chairman and chief executive, so this makes him a dominant force
in the company.

There is a very weak finance function, with no representative at director level.It

seems unlikely that Paula Poppett could stand up to Cyril Mucker if there was any
dispute about the figures.

There is no proper management accounting system or budgeting.

They have recently lost a key employee, Roger Random, who was responsible for
much of the companys success in the past.

They have problems with two of their building developments. It is not known what
the financial effect might be, but is likely to be substantial. The business might then
come under financial pressure.

The business trades in a highly-regulated environment, particularly with regard to

planning constraints, health & safety and environmental rules about disposal of
materials. This requires constant monitoring to ensure that the company complies
with all the appropriate statutory regulations.

A large number of staff are paid in cash, which results in a higher risk of theft.

control risk
Control risk the second element of audit risk is the risk that the internal
controls of the company being audited are not operating properly, and so do
not prevent or detect material errors or misstatements. This could mean:
a significant error may pass through the system undetected
transactions may be missed out completely
transactions may be wrongly recorded
Internal controls are the safeguards that the client has built into his/her
systems and processes to minimise the risk or error. This will include
procedures such as matching invoices to orders and delivery notes before the
invoice is processed and authorising the invoice before it is paid.
A key part of the auditors preliminary work is to evaluate these internal
controls. Later in this chapter we will see how auditors go about doing this.
If the auditors are satisfied that the internal controls are working well, then
they may be able to assess the control risk as low.
Significant weaknesses in the internal controls would lead to the auditors
assessing the control risk as high.
 planning the audit assignment 51

detection risk
Detection risk is the risk that the auditors own tests will fail to detect
material errors or misstatements in the financial statements.
If we think about inherent and control risk, neither of these can be influenced
by the auditor. Detection risk is different in that it is the only element of audit
risk which is within the auditors control.
If we go back to the audit risk model . . .
audit risk = inherent risk x control risk x detection risk
Suppose that, after carrying out their assessment, the auditors set the value
of inherent risk and control risk as follows:
inherent risk = high control risk = high

In order to make the level of audit risk acceptable, the auditors will have to
do a large amount of audit testing in order to make the detection risk low.
So, in this case:
audit risk = inherent risk x control risk x detection risk
acceptable = high x high x low
On the other hand, if, after carrying out their risk assessment, the auditors
judge inherent and control risk to be low, they will be able to reduce their
audit work to an acceptable level, making the detection risk high.

numerical scoring of risk

As accountants, you are used to attaching numerical values to things, so you
may well look at this system of risk assessment and think it is a bit vague.
Auditors sometimes use a numerical scoring system for each of the
categories of risk in order to arrive at an overall estimate. Remember that in
every case the evaluation of risk ultimately requires skill and judgement on
the part of the auditor which is gained through training, qualification and
experience. Read the following Case Study:

Case
Study A U D I T R I S K M O D E L I M P O RT E R S L I M I T E D
situation
You work for an auditing firm which has taken on a new client, Importers Limited. This
company imports and sells electronic toys manufactured in China.
Your audit firm has set overall acceptable audit risk at a level of 5%.
Inherent risk in the case of Importers Limited is assessed as being high: 90%
The client appears to have strong internal controls and control risk has been assessed
as being low: 40%
52 implementing auditing procedures

required
What level of detection risk is acceptable in this case?

solution
Audit risk = Inherent risk x Control risk x Detection risk
5% = 90% x 40% x ?

By calculation it can be found that detection risk is 14%*. This means that a 14%
chance that audit procedures will not pick up errors or omissions is acceptable.

*Calculation: Detection risk = 0.05 (0.90 x 0.40) = 0.14 = 14%

Lastly, it is very important to remember that risk must be constantly

reviewed during the course of the audit. Factors may come to light during
audit testing that will change the level of risk, and this will have an
immediate impact on the amount and focus of audit work.

dealing with fraud

ISA 240 The auditors responsibility to consider fraud in an audit of
financial statements states:
The auditor should maintain an attitude of professional scepticism
throughout the audit, recognising the possibility that a material
misstatement due to fraud could exist, notwithstanding the auditors
past experience with the entity about the honesty and integrity of
management and those charged with governance ( ie the directors)
We have seen in Chapter 2 that the auditor is not responsible for setting out
to detect fraud. ISA 240 does not change the position.What it does is to
increase the emphasis on the auditors approach to fraud during the risk
assessment and planning stages of the audit.
Auditors need to separate deliberate fraud from accidental error. The simple
fact that something has been misstated in, or omitted from, the financial
records isnt necessarily fraud. What the good auditor does is consider the
possibility that it might be.
There are two types of fraud identified in ISA 240: theft and misstatement.

FRAUD

deliberate misstatement
theft of assets
in the accounts
 planning the audit assignment 53

Theft is the straightforward misappropriation of assets. Examples include:

theft of cash or company property
diverting company funds into a personal account

Misstatement is a deliberate misrepresentation in the accounts in other

words, disguising the true nature of a transaction in order to present the
accounts in a more favourable light. Examples of this might include:
suppressing details of claims against the business
falsifying the valuation of contracts in progress
accounting for sales revenues in periods earlier than the ones they really
relate to
suppressing costs or deliberately not matching costs with revenues

Auditors should be alert to the possibility of fraud when carrying out the
audit. The possibility of a serious fraud occurring should form part of the
assessments of risk discussed above. In addition, during the course of the
audit the audit team should discuss these possibilities among themselves and
evaluate the likelihood of serious fraud occurring.
It must be remembered that many of the most spectacular business failures
caused by fraud have involved collusion by senior management. Audit teams
must be alert to the possibility that systematic and widespread fraud, of
sufficient size to distort the reported results, could be carried out by the
directors and management conspiring together.

T H E A U D I TO R S P E R M A N E N T F I L E

Before the auditors can decide on the nature and volume of audit work they
have to carry out, they need to gain a clear understanding of the way in which
the client operates. This will include an understanding of the clients
business, its management and its financial systems. Much of this information
will remain unchanged from one year to the next, and once recorded by the
auditor, will require only minimal updating each year.
Information that remains permanent for the business is recorded in the
Permanent Audit File. We referred to this earlier in the section on the
Engagement Letter and will look at it in more detail now.

the permanent file

As its name suggests, the permanent file is used to document those aspects
of the clients business which are expected to remain more or less unchanged
from year to year.
54 implementing auditing procedures

The permanent file should contain sufficient information so that any member
of the audit team who has no previous knowledge of the client can pick it up
and gain a clear picture of the client company, its ownership, management,
activities, and very importantly, its financial systems.
The information included in the permanent file will be obtained largely from
the clients management and staff. Before recording any information in the
permanent file, the auditors must satisfy themselves that all information to be
included is accurate. Consequently, at the planning stage of each annual audit
visit, the permanent file must be reviewed to ensure that it continues to be
relevant, up-to-date and accurate.

gathering information for the permanent file

Auditors can obtain information about their client by
touring the clients premises and asking questions about what is going on
talking to the employees
interviewing directors, managers and other key personnel
reviewing original documentation such as minutes of meetings, internal
reports and management accounts
approaching banks and other lenders for details of finance arrangements
always with permission from the client
It is important that, wherever possible, the auditors obtain information from
as wide a range of sources as possible and obtain independent evidence to
support the information included on the permanent file. Any copies of
documents to be included in the file should be taken directly by the auditors
from the original documents. These copies should then be initialled and
dated to evidence that the original of the document has been inspected.

contents of the permanent file

The permanent file should include:
a description of the clients business activities
details of ownership, including lists of shareholders, if relevant
details of group structure, divisions or branches where appropriate
management structure including relationships between the clients
owners/directors and other senior executives
financial structure, including details of loan and overdraft arrangements
significant stakeholders other than owners and lenders who might
influence business activities, eg a major customer or supplier
the auditors view of the business approach adopted, eg risk-taking and
unplanned, or conservative and planned
 planning the audit assignment 55

relationships with other auditors or specialists involved in the audit

an overall risk assessment (see page xx)
an assessment of the control environment (see pages xx-xx)
the signed engagement letter
detailed descriptions of the accounting systems
A typical index to a permanent file is shown in the Appendix on page xx.

DOCUMENTING THE CLIENTS ACCOUNTING SYSTEMS

The final point on the list of items included in the permanent file is probably
the most important. In order for the auditors to plan their audit work they
must have a thorough understanding of the clients financial systems. To that
end the auditors must prepare detailed descriptions of these systems.
The main client systems that need to be documented are:
sales
purchases
wages and salaries
fixed assets
stock
investments
Documentation of the systems should include as much information as
possible relating to:
all documents involved including where they are kept
the way in which transactions are verified
the personnel involved in the various systems and their roles
levels of responsibility of staff
reporting schedules
. the books of accounts maintained and where they are located
There are two main methods of documenting the clients systems
narrative notes
flow charts

narrative notes
Compiling a series of narrative notes is the simplest way of recording the
clients systems. It is best to record the final version on computer file, as it
makes them easier to update. A set of handwritten notes prepared on previous
audit visits can be time-consuming to revise and are not recommended.
56 implementing auditing procedures

Auditors must ensure that the notes that they produce describing the client
systems contain sufficient detail for the user to gain a good understanding of
how the system operates.

flow charting
The danger of using complex narrative notes to document an accounting
system is that they can become extremely detailed and ultimately may
become confusing to the reader, who gets lost in the detail.
It is much easier for the reader to have a diagram showing how the
accounting system operates. With this in mind, auditors will often use
flowcharts, together with brief narrative notes, where necessary, to describe
and explain the system.
Flowcharts show the systems in picture form with common symbols used to
represent particular documents, and their physical movement. Flowcharts
can be used to show the flow of information as well as documents.
As with narrative notes, the auditors will review these charts each year and
update for changes and developments in the systems.
The basic flow charting symbols commonly used are shown below.

flowchart symbols for accounting systems

document flow purchase

operation document
order

information flow

operation with a 3
time flow of 2 document
yes/no choice 1
document produced in
invoice
YES NO multiple copies

documents
check or
crossing account book
inspection

TA to a file
PM A = alphabetical
N = numerically sorted
connecting to (eg to a D = date order
person or a computer file) T = temporary + A,N,D
 planning the audit assignment 57

flowcharting rules
There are some key rules for flowcharting:
use standard flowcharting symbols wherever possible
keep the charts simple unless the system is very simple do not try to get
it all on one sheet; break the chart up into a series of sub-systems and link
them together
document flows should start at the top left of the sheet and finish at the
bottom right
chart all documents from cradle to grave ie from their origination to
their final filing, and do not leave any loose ends
connecting lines should not cross unless this is unavoidable
A simple flowchart of a goods received and invoice processing system is
shown on the next page.
You should notice three things when you look at this flowchart:
each operation within the flowchart is separately numbered with a brief
narrative where required
the chart is divided by functional departments, making it easier to see
which department is responsible for which function, and where
responsibility for checking transactions lies.
the chart does not attempt to describe the whole system at once, for
example it does not deal with payments which would be included in a
different chart; this simplifies reporting and makes identification of
internal controls easier

advantages and disadvantages of flow charts

The advantages of flow charts are:
they can be prepared relatively quickly
by linking flowcharts even quite complex systems can be described
relatively clearly
as standard symbols are used they can be easily followed by anyone
familiar with flowcharting procedures
flowcharts make any weaknesses or gaps in the system or sub-system
being described relatively easy to spot
there are a number of computerised flowcharting software packages
available
58 implementing auditing procedures

flowchart for receipt of documentation from supplier

narrative no. Goods Inward Purchase ledger

Goods received note 1 2

1
(GRN) raised by Goods GRN
Inwards Department
supplier
invoice
Copy filed in Goods 2 D

Inwards Department

Suppliers invoice given 3

sequential number and
checked for arithmetical
accuracy.

Invoice matched and 4

attached to GRN

If not all goods received, 5

file in temporary file
YES NO

TA

Documents checked to 6
see that all items have
been checked and
initialled.

Passed to purchasing 7
manager for authorisation
PM

The disadvantages of flow charts are:

they have to be redrawn if systems change, even to a limited extent
they are fine for standard systems but for non-standard transactions they
may become unwieldy and require too many narrative notes
they are fine for describing accounting processes where documents are
moving through the system, but once the documents stop moving they
cannot describe controls for example, flow charts can describe
procedures for controlling goods inward and goods outward but not the
controls over stock in the stores
 planning the audit assignment 59

walk through tests

When the flow charts and accompanying narrative descriptions have been
drafted, the auditors should test out the systems to ensure that they work as
documented. These tests are known as walk through tests. To carry out a
walk through test you should:
choose a small sample of transactions, two or three, from the part of the
system being verified
follow them through the system, using the flow charts as a guide
ensure that the flow chart and any notes accurately record the system as
it operates in practice
A walk through test should be performed each year before any audit testing
begins to ensure that there have been no changes since the preceding audit.
Auditors must document their walk through tests, recording details of the
transactions they have chosen to follow through the system, and keep the
details on their permanent file.
As soon as the auditors consider that they have a sufficient understanding of
the clients systems they can create a programme of audit work to test the
internal controls within the system.
The way in which the auditors produce the audit programme will be covered
in detail in Chapter 4 but at this point we must ensure that you have clear
understanding of what is meant by internal control.

INTERNAL CONTROL

ISA 315 Obtaining an understanding of the entity and its

environment and assessing the risks of material misstatement states:
internal control consists of the following components
(a) the control environment
(b) the entitys risk assessment process
(c) the information system, including the related business processes
relevant to financial reporting and communication
(d) control activities; and
(e) monitoring of controls

As you will appreciate at some time or another, everybody makes mistakes.

A good financial system has within it a series of checks and procedures
designed to prevent, detect and correct mistakes or errors that could occur
during the processing of transactions. The prime aim of these checks is to
60 implementing auditing procedures

ensure that as many errors as possible are picked up so that there are no
material errors in the financial statements.
In all but the very smallest companies there will be a number of layers of
management, each with their own role in supervising and directing areas of
the business and its workforce. The managers will therefore be the key to the
effective operation of these controls within the companys systems. They
will be the individuals responsible for the checks, authorisations and
approvals that will make up the internal controls of the business.
It is important for you to understand that internal controls are not there
primarily to detect fraud.
The purpose of internal control is to provide assurance to managers that
the risk of serious error or mis-statement in the accounting records is
minimised
the assets of the business are safeguarded
all liabilities are identified and properly recorded
accounting records are kept up to date and as accurately as possible.
Internal control is made up of two elements:
the control environment
control activities and procedures

INTERNAL CONTROL

control environment control activities/procedures

the control environment

ISA 315 Obtaining an understanding of the entity and its

environment and assessing the risks of material misstatement states:
The control environment includes the attitudes, awareness and actions
of management and those charged with governance (ie the directors)
concerning the entitys internal control and its importance in the entity.
The control environment also includes the governance and management
 planning the audit assignment 61

functions and sets the tone of an organisation, influencing the control

consciousness of its people. It is the foundation of internal control,
providing discipline and structure.
The control environment is, fundamentally, the philosophy and operating
style of the organisation as set by its directors and senior management, ie the
managerial attitude to, and awareness of, internal controls.
In order to assess the internal controls, auditors must to able to understand
the culture of an organisation and the way it is reflected in:
the attitude of its management and staff, and
the effect this attitude has on the organisations procedures
What makes a good internal control environment?
It should have the following characteristics:
competent, reliable staff who demonstrate a high level of integrity and
commitment in their attitude to work
a clear, well-understood management structure with defined authority
limits
involvement by the management in the day-to-day activities of the
business
operating procedures which are understood and accepted by the
employees who have to implement them
It is important that you are familiar with key aspects of evaluating a control
environment, as this often forms the basis for tasks set in the Skills Tests for
Unit 17.
The following Case Study will illustrate these main points.

Case
Study COUNTIT & CO: THE CONTROL ENVIRONMENT
situation
You are an audit manager for Countit & Co, a firm that has recently gained two new
audit clients of a similar size.
Your audit staff have completed their preliminary investigations of the two clients. You
are reviewing their notes which can be summarised as follows:

Client 1 - Floggers Ltd

Floggers Ltd is an old fashioned family company which has been in business for over
a hundred years and trades as wholesalers of fruit and vegetables.
Its management structure is divided into five layers ranging from supervisor, deputy
manager, manager, senior manager and director. The senior managers and directors
have been with the company for many years.
62 implementing auditing procedures

Each level of management has clear authority limits set down in the company manual,
which also sets out detailed written procedures for every job.
Management at all levels generally has an unforgiving attitude to errors and
inefficiencies.
Most of the systems are paper-based, although the accounting ledgers are maintained
on a computer and there are rigid systems of authorisation before transactions can be
processed.
Staff turnover in clerical posts and at supervisor and deputy manager level is high.

Client 2 - Creatit Ltd

Creatit Ltd is a new company set up six months ago. It trades as a website design
business and as an advertising agency .
Creatit Ltd is run by two brothers who manage the business jointly.
Creatit Ltd mostly employs creative people but it does have a small clerical staff to
deal with billing and time recording.
The approach to work is casual, spontaneous and rather uncontrolled.
Error detection is not seen as a priority. The managements view is that they will deal
with errors and problems when they arise.
Staff are happy and so staff turnover is low.

required
In your review of the control environment for each of these clients, what conclusions
would you draw about the risk of error arising in the accounts?

solution
Floggers Ltd
The key points are as follows:

Floggers has very rigid systems with a high level of internal control where error
detection is seen as a priority and mistakes are not tolerated

the senior management of Floggers is separated from the day-to-day activities of

the business by several layers of administrative hierarchy

Floggers has a high level of staff turnover which may indicate that staff have a low
level of commitment to the company

following on from the point above there is a higher risk that frequent mistakes
could be made by new, untrained staff

there may be a temptation for staff to hide mistakes because of the attitude of the
management

Floggers management may take a negative approach to the audit and see it as an
intrusion into their business
 planning the audit assignment 63

Creatit Ltd
The key points are as follows:

Creatit has a much more hands on approach to management and a more

forgiving attitude to errors; their priority is the product rather than the accounts

Creatits financial systems will contain little in the way of formal internal control
checks, but managers are much more aware of what is happening on a day-to-day
basis as they are actively involved in the company

the low level of staff turnover indicates that the employees are loyal to the
business and have a strong commitment to the company
Your conclusions from an audit point of view are:

1 Providing the systems at Floggers are working correctly there would be very little
likelihood of mistakes being made when recording transactions in the financial
systems. The risk is more likely to be transactions which are not being recorded at
all. Consequently the audit approach would focus on omissions rather than errors.

2 The business that Floggers operates involves processing large numbers of

transactions of easily identifiable goods. Their systems have been in existence for
years which means that the risk of posting errors can be assessed as low.

3 As far a Creatit is concerned, the financial statements may well contain errors or
omissions and the lack of formal procedures might give cause for concern.
However the close involvement of the management and the commitment of the
staff to the organisation would indicate that they will take a positive approach to
the audit rather than see it as an intrusion.

4 The trade of Creatit is project work which carries a higher level of audit risk.

Your estimate is that the control environment in both companies is generally

good, although the focus of your audit work in each business will differ.

control activities and procedures

ISA 315 Obtaining an Understanding of the Entity and its Environment
and Assessing the Risks of a Material Misstatement states:
Control activities are the policies and procedures that help to ensure
management directives are carried out Control activities, whether
within IT or manual systems, have various objectives and are applied
at various organisational and functional levels
These are the detailed policies and procedures which are designed to:
minimise the possibility of mistakes or fraud
detect errors within the accounting system
When documenting the systems of internal control, the auditors will need to
highlight these control activities as they become apparent. It is important to
remember that, in order for these control activities to operate effectively,
there must also be a good internal control environment.
64 implementing auditing procedures

In practice, if the management and staff of the client company do not have a
positive attitude towards the control environment, they will not be carrying
out the relevant internal checks effectively, even if good control procedures
are in place. This will lead to an increased risk of error or fraud.

forms of internal control

The internal controls that are present in the clients systems will take a
number of different forms.
Examples are shown in the table below:

FORMS OF INTERNAL CONTROL what they involve

Organisational controls Defined management structure

Clear responsibilities for supervision
Authority limits for expenditure
Written procedures

Segregation of duties The involvement of a number of different people or

departments in recording a transaction to minimise the
risk of error or fraud.

Physical controls Restricting access to information or assets

Authorisation and approval of documents Fixed levels of authority to authorise specifc

transactions or sign cheques to specified levels
Documented procedures
Evidence of authorisation

Competency and reliability of staff Staff training based on identified training need
Clear Human Resources policies about recruitment
and retention of staff

Arithmetical and accounting checks Month-end routines to balance and reconcile accounts
Regular payment routines to ensure that correct
amounts being paid
 planning the audit assignment 65

examples of control activities and procedures

Examples of specific control activities and procedures that relate to the forms
of internal control listed on the previous page are set out in the table below.

INTERNAL CONTROL CONTROL ACTIVITIES AND PROCEDURES

Organisational controls Company Procedures Manual

Company registered under a quality standard eg ISO 9001
with documented procedures
Internal auditors operating as part of the internal control
environment

Segregation of duties Staff responsible for sales invoices are not responsible for
recording cash received
Staff responsible for purchase ordering are not responsible
for checking delivery notes or purchase invoice processing

Physical controls Limiting access to computer applications and processes

Menus on computers limiting areas to which operators

have access
Password controls
Regular physical verification of fixed assets by managers
Restricted access to ownership documents eg title deeds,
vehicle log books

Authorisation & approval of documents Authorisation of orders

Approval of invoices for payment
Matching invoices to delivery notes and original orders
Two signatures on cheques

Competency and reliability of staff Regular staff training

Encouraging staff to achieve professional qualifications
Clear guidelines for recruitment of staff
Staff appraisal and review systems

Arithmetical and accounting checks Checking calculations on invoices

Bank reconciliations
Reconciliation of suppliers statements with purchase
ledger
Maintaining control accounts
Monthly trial balance
Comparison of financial records with actual counts of
stocks and cash
66 implementing auditing procedures

INTERNAL CONTROL QUESTIONNAIRES

As we have seen, auditors have to identify the internal checks operating

within the financial system and test them to ensure that they are operating
efficiently. One technique is to use an Internal Control Questionnaire
(ICQ). This consists of a series of questions drawn up by the auditors and
designed to identify all internal checks present in each departments systems.
The example below assesses the purchasing system of a client company.

INTERNAL CONTROL QUESTIONNAIRE

Client name Bobupandown Ltd prepared by JT date 28/09/05

period to 31 March 2005 reviewed by DB date 12/10/05

Purchases System Purchase Ordering

Process Yes No Comments

1 Are all purchases made as a result of written

orders?
2 Are all orders sequentially numbered?

3 Are all numbers accounted for? Spoiled orders destroyed

4 Do all orders have to be authorised by a senior MD, Purchasing manager

manager?
5 Are orders only sent to approved suppliers?

6 If there is no approved supplier, is the Only recognised suppliers

procedure for approving a new supplier carried used
out before the order is placed?

7 Do all purchase orders show:

quantities
prices
terms
initials of authoriser
date

8 Is there a limit to individual order values? MD- no limit, Purchasing

Manager 50,000
9 Are copies of the purchase order sent to
Purchase ledger
Stores
10 Are purchase orders matched to invoices?
11 Are all orders retained in the Purchasing
Department?
 planning the audit assignment 67

Chapter Before accepting an assignment, auditors must consider any legal ethical or
Summary practical problems, including the size and resources of the audit firm.

The arrangement between the auditors and the client should be agreed and
formalised in an engagement letter, which sets out the responsibilities of
each party and sets out the precise scope of the auditors duties.

Auditors must obtain sufficient knowledge of the client to be able to

understand the nature of the business and its transactions and should make
themselves aware of the general environment in which the client operates.

The auditors are required to assess and document significant areas of audit
risk, both at the level of the financial statements and also at the individual
item disclosure level.

Auditors have to evaluate the risks involved in undertaking the audit. These
are based on three types of risk:
- the inherent risk, which is based on the clients activities, operations,
and management
- the control risk, based on the ability of the internal controls of the
accounting system to detect and correct errors or misstatements
- the detection risk, which is the risk that an error or misstatement will not
be detected by the audit procedures carried out

The audit risk model is an assessment of combined risks using the formula:
inherent risk x control risk x detection risk

The overall audit risk is the probability of auditors giving an incorrect

opinion; if the level of audit risk is high, the amount of detailed testing the
auditors will carry out will be greater than it would be if the risk were low

The auditors document the clients system using a combination of methods

including narrative notes, flow charts and internal control questionnaires.
Auditors can confirm their system documentation using walk through tests.

General client documentation will be retained on the permanent file and

reviewed annually.

Auditors have to evaluate their clients internal control by examining the

control environment and control procedures.

The control environment is the overall attitude of the organisation towards

control procedures and activities including the audit.

Control procedures are designed to minimise the possibility of errors or

misstatements and to safeguard the assets of the business.

Control procedures and activities should include the segregation of duties,

limiting access to information, authorisation of transactions, checking and
reconciliations.
68 implementing auditing procedures

Key engagement letter a formal letter signed by the company directors and
Terms the auditors, setting out the basis of the agreement
between the client and the auditors, establishing
their respective responsibilities
permanent file ongoing information about the client which will be
used for successive audits; it includes a copy of the
engagement letter and provides a clear picture of the
client company, its ownership, management,
activities, and its financial systems
audit risk the risk that an auditor might give an inappropriate
opinion on the financial statements the higher the
risk the greater the investigative work that will have
to be carried out
risk assessment a documented process by which auditors assess the
likelihood of a material misstatement in the accounts
going undetected
inherent risk the risk that the accounts will contain a material error
or misstatement because of the nature of the clients
business, activities, operations and management
control risk the risk that the clients internal controls will fail to
detect errors or mis-statements
detection risk the risk that audit procedures will fail to detect errors
or mis-statements
audit risk model the formula that links the types of risk: Audit risk =
inherent risk x control risk x detection risk
flow charts a system of documenting financial procedures using
standardised symbols to create a diagram of the
system
walk through test a test involving a small number of transactions which
an auditor follows through the system to confirm that
the systems notes and flow charts are a true
representation of what actually happens
internal controls the policies, procedures, attitudes and internal
checks which together combine to ensure that the
likelihood of significant error or material
misstatement is minimised
control environment the overall context within which internal controls and
internal checks operate, founded on management
attitude and awareness of internal controls
control procedures detailed procedures operating within the control
environment which minimise the risk of an error or
mis-statement going undetected
internal control a series of questions which auditors use to identify
questionnaire (ICQ) the internal checks operating in various parts of the
clients financial system
 planning the audit assignment 69

Student Activities

3.1 A trainee auditor has been asked to prepare a briefing for clients as to how an audit assignment is
planned. Among other things the briefing contained the following statements

(a) Engagement letters exist so that both the client and the auditors understand who is
responsible for what.

(b) The engagement letter is the basis for agreeing the how much work the auditor has to do.

(c) Control procedures are what the auditor relies on. If these exist the auditor can sign the report
without worrying about the financial statements being wrong

(d) Walk through tests are there to support flow charts. If these tests are satisfactory, the auditor
can feel confident that the control procedures are working satisfactorily

(e) Audit risk is the risk of being sued.

(f) Auditors need to find out all about their clients so they can make a decision about the level of
inherent risk.

(g) Segregation of duties is an important part of the control environment.

Which of these statements are correct?

70 implementing auditing procedures

3.2 You are working on the audit of your client Sweetie Ltd for the year ended 31 March 200X. The
company employs one hundred workers in a doughnut manufacturing plant. Wages are paid
weekly. The following procedures are carried out:

Wages are paid weekly on a Friday afternoon.

Staff are paid a consistent weekly wage for the standard hours that they work. Overtime is paid for
on the Friday following the week in which it is worked.

Employees clock cards are signed by supervisors and brought to the wages office every Monday
morning

Hours worked in the week are taken from the cards. Overtime hours are calculated and entered on
an overtime sheet which is then used to calculate overtime payments.

The overtime sheet is authorised by the production manager

Wages are prepared using a standard computerised Sage payroll software package.

Standard hours and overtime hours are entered into the payroll by the wages clerk using the input
screen.

Any amendments to employees details, eg changes of personal details, tax code or deductions are
entered on each employees computer file by a member of the personnel department and approved
by the personnel manager.

Details of any new starters are notified to the wages department by personnel. Once the have been
entered on to the system they are reviewed by the personnel manager to ensure that they are
accurate.

Leavers are removed from the system once their final weeks wages have been calculated.

When all the information has been entered into the payroll system, it is then processed and
authorised by the production manager.

The data is then passed to the accounts department who prepare BACs payments for each
employee.

Wages are paid on Friday, so the payroll has to be prepared in time to ensure employees are paid
promptly.

An ICQ was prepared for last years audit and used again for this years audit.

You are to:

Assess the payroll system details set out above and complete the ICQ on the next page.
 planning the audit assignment 71

INTERNAL CONTROL QUESTIONNAIRE

Client name...................................................

Period to ................................... Reviewed by .................................................... Date .......................

WAGES SYSTEM CONTROL PROCEDURES

Process Yes No N/A Comments

Is there an individual file recording each

employees details?

Are rates of pay authorised by a responsible

official?

Are there procedures to remove leavers from

the payroll as soon as they have been paid their
final wages?

Are there procedures to ensure new starters are

included on the payroll correctly?

Are there procedures to ensure that changes in

employees details are properly recorded?

Is the payroll software a standard package?

(Record details of the package used)

Is there a timetable for preparing and

calculating wages?

Do employees have to record start and finish

times?

Are overtime rates approved by a responsible

official?

Are hours worked authorised by a responsible

official of the company (record details)

Is the payroll approved by a responsible official

before wages are paid?

Is the payroll reconciled on a month basis to net

pay and deductions?

Are employees paid by bank transfer?

Are the people involved in making the payments

different to those who prepare the payroll?
72 implementing auditing procedures

3.3 Your audit firm has recently merged with another firm and you are reviewing the audit files of some
of their clients.
(a) Castles in the Air Ltd is a recently formed IT consultancy controlled by two brothers who are
the only directors. Neither has any financial experience.
(b) Wheels Ltd is a long established motor dealership which has been the client of your audit
firm for ten years. During that time there have been no changes to their financial and
management systems and no significant audit problems
(c) Tightly Ltd is a large manufacturing business owned and managed by Vera Tightly. Within
the factory are six production lines which use state of the art equipment to manufacture high
precision drilling equipment. The company has three main clients and the contracts they
have with these companies sometimes take over a year to complete
(d) Swizzles is a small chain of caf bars selling wines and food from sites in three towns in the
region. The chain is owned and managed by Antonio Swizzler who has an office in the
central site in Newtown. The majority of the companys transactions are for cash as they do
not accept credit or debit cards.
Based on the information set out above what would be your assessment of the level of inherent risk
for each business? Give reasons for your answers.

3.4 You have been approached to take over the audit of a manufacturer of high quality, high
specification components for nuclear reactors.
The components are made from specialised metals and are made to very fine tolerances. There is
only one other such manufacturer in the world which is based in the USA. Contracts for component
manufacture can sometimes last for two to three years.
In order to finance these contracts the company has a series of complex financial arrangements
with banks and investors.
You wish to take on the assignment but are worried about what risks taking on such a client might
pose.
Using the information set out above state three audit areas which appear to have high inherent risk.
For each area state the factors that have led you to this assessmentthe factors which this
assessment .

3.5 You have just taken over the audit of a new client and are in the process of assessing audit risk.
You have identified the following factors
The client runs a chain of twenty public houses and restaurants spread throughout England.
The businesses have been acquired piecemeal and each business operates their own stand alone
financial system.
Your clients senior management consists of a managing director, sales director and operations
director.
During the last two years four managers have been caught defrauding the business and were
sacked but not prosecuted.
The previous auditor was a smaller firm than yours which meant that they had to rely on local firms
to audit several of the restaurant and pubs. None of these small firms have expressed any doubt
as to the truth and fairness of the accounts.
 planning the audit assignment 73

Your firm is big enough to audit all of the businesses without using the small local firms mentioned
earlier.
The head office has a team of internal accountants and stock checkers who from time to time turn
up unannounced at one of the businesses and perform stock checks and audits. It is they who
caught the four managers who were defrauding the businesses.
You have a great deal of experience in the industry as you have three other similar clients
Using the background information set out above,
(a) Set out two factors you would take into account when evaluating each of the following
components of audit risk: inherent risk, control risk and detection risk.
(b) Set out the main areas of the audit where errors are likely to arise and where audit work
should be concentrated.

3.6 You are the audit manager on the audit of Piccolo Ltd, a firm of house builders whose business
consists of:
the construction of small housing developments in association with a local architects firm
and a property developer
small building contracts and household repairs.
You are reviewing the audit file, before sending it to the audit partner, and you notice a number of
items which have been recorded by staff during the audit. They immediately raise concerns in your
mind and you consider the partner should be made aware of them. They are as follows:
As part of the audit work on sales, the numbering of invoices was checked to ensure they
were complete. During the period selected six invoices for small building work and repair
jobs could not be traced. These types of invoices are raised by the building contracts
manager who often receives payment directly from the customer when the job is completed.
A review of the complaints file revealed letters from two customers who complained about
being sent an invoice when they had already paid the contracts manager. In each case he
claimed a mistake had been made and issued credit notes to cancel the invoices.
Analytical review (ratio analysis) revealed that the gross margin on small building and repair
work had dropped by nearly 5% from 14.8% last year to 9.9% for the current year. The
company prices all these jobs on a cost plus basis and never gives discount. There is a
standard mark up of 20% on materials and labour cost.
There were three building contracts in progress at the year end. One was a conversion of
an old cinema into offices. The contract, which was for a fixed price, had been subject to
major problems and costs had been escalating. Examination of the cost accounts revealed
two journal entries transferring costs to another, newer contract. The journals simply said
Transfer. The Production Director, who was responsible for these types of contract, could
not give a satisfactory explanation for these journal entries.
Examination of the cost ledger indicated that cash payments have been made to building
workers employed by the company. The production director stated that these were a bonus
for working over weekends to finish off a contract.
(a) Draft a memo to the audit partner setting out any concerns raised by these situations.
(b) Describe what course of action should be taken by the auditors in relation to the potential
problems you have identified.