AAA TECHNICAL ARTICLE SUMMARY MARCH 2024

Technical articles (A)

Professional and Ethical Considerations (B)
Quality Management (C)
Planning and conducting an audit of historical financial information (D)
Completion, review and reporting (E)
Other assignments (F)
Current Issues and Developments (G)
Covers multiple areas

Technical articles (A)

Corporate governance and its impact on audit practice
Basic principles of  Corporate governance is the system by which organisations are directed and
controlled.
corporate  It encompasses the relationship between the board of directors, shareholders and
governance – a other stakeholders, and the effects on corporate strategy and performance.
reminder  Many regulatory authorities, including the UK, use a code of best practice, often
termed a ‘comply or explain’ approach to corporate governance. (PRINCIPAL
BASED)
 In some jurisdictions, such as the US, a more prescriptive approach is used,
whereby corporate governance requirements are set by legislation (RULE BASED)
The main The Code comprises five sections, each containing main principles:
 Leadership :
principles of the  Every company should be headed by an effective board which is
UK Corporate collectively responsible for the long-term success of the company, and
Governance Code should lead and control the company’s operations.
 clear division of responsibilities at the head of the company, which will
ensure a balance of power and authority
 The board should include a balance of executive and non-executive
directors such that no individual or small group of individuals can dominate
the board’s decision taking.
 Effectiveness :
 The board and its committees should have the appropriate balance of
skills, experience, independence and knowledge of the company to enable
them to discharge their respective duties and responsibilities effectively.
 There should be a formal, rigorous and transparent procedure for the
appointment of new directors to the board. All directors should receive
induction on joining the board and should regularly update and refresh their
skills and knowledge.
 Accountability :
 The board should present a balanced and understandable assessment of
the company’s position and prospects.
 The board should maintain sound risk management and internal control
systems.
 The board should establish formal and transparent arrangements for
considering how they should apply the corporate reporting and risk
management and internal control principles and for maintaining an
appropriate relationship with the company’s auditor.
 Remuneration :
 Levels of remuneration should be sufficient to attract, retain and motivate
directors of the quality required to run the company successfully, but a
company should avoid paying more than is necessary for this purpose
 Relations with Shareholders :
 There should be a dialogue with shareholders based on the mutual
understanding of objectives.
 The board as a whole has responsibility for ensuring that a satisfactory
dialogue with shareholders takes place
 The board should use the Annual General Meeting to communicate with
investors and to encourage their participation.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Laws and regulations

Covered in Chapter 1 & 2 full

Professional and Ethical Considerations (B)

Ethics in the AAA exam

Answering ethics questions at AAA

 Identify the ethical threat
 Evaluate and understand how it arises and the implication of the threat
 Apply the knowledge to the specific scenario to determine the safeguards or course of action required. When the
professional accountant determines that appropriate safeguards are not available or cannot be applied to eliminate the
threats or reduce them to an acceptable level, the professional accountant should consider whether to accept or
continue with the engagement.
Note : Read the scenario carefully, credit is awarded for appropriate application of the knowledge (referencing the scenario or
specific issues from it, not just stating knowledge).

Auditor liability (related to UK- some important points covered)

 Types of liability :
o Criminal offences : when individuals or organisations breach a government imposed law
o Civil offences : deals with disputes between individuals and/or organisations.
 Types of Civil Laws : two pieces of civil law of particular significance to the audit profession; contract law and the law
of tort. These establish the principles for auditor liability to clients and to third parties, respectively.
o contract law : parties can seek remedy for a breach of contractual obligations. Therefore shareholders can
seek remedy from an auditor if they fail to comply with the terms of an engagement letter.
o law of tort : auditors can be sued for negligence if they breach a duty of care towards a third party who
consequently suffers some form of loss.
 Note : The application of the law of tort in the auditing profession, and the way in which auditors seek to limit their
exposure to the ensuing liabilities, has been shaped by a number of recent landmark cases.
o Caparo Industries Plc (Caparo) v Dickman (1990) : The claim was unsuccessful; the House of Lords
concluded that the accounts were prepared for the existing shareholders as a class for the purposes of
exercising their class rights and that the auditor had no reasonable knowledge of the purpose that the
accounts would be put to by Caparo.
o Royal Bank of Scotland (RBS) vs Bannerman Johnstone MacLay (Bannerman) (2002) :
Bannerman, through their audit of the banking facility letter of APC, would have been aware of RBS’s
intention to use the audited accounts as a basis for lending decisions. For this reason it was upheld that they
owed RBS a duty of care. The judge in the Bannerman case also, and crucially, concluded that the absence of
any disclaimer of liability to third parties was a significant contributing factor to the duty of care owed to
them.
 Managing exposure to liability : Already covered in workbook summary

Massaging the figures

 What is ‘earnings management’?
o Earnings management occurs when companies deliberately manipulate their revenues and/or expenses in
order to inflate (or deflate) figures relating to profits and earnings per share. In other words, it is when
companies use ‘creative accounting’ to construct reported figures that show the position and performance
that management want to show.
o Earnings management does not always mean that the applicable financial reporting framework has not been
followed. It may be that the manipulation of published figures is the result of selecting an accounting policy
which is allowed under the financial reporting framework, but which does not reflect economic reality.
o For example, changing the estimated life of a non-current asset is allowed under financial reporting
standards, but if it is done purely to manipulate the depreciation charge (and therefore earnings), then it
becomes an example of earnings management.
o The problem for the auditor is that financial reporting standards allow a degree of flexibility in application,
and all financial statements will include balances and disclosures that are subject to judgment and
estimations. This means that it is sometimes difficult to decide if an accounting treatment is within accepted
accounting principles, or whether the treatment is in breach of the rules – in which case it represents
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
fraudulent financial reporting.
 When does earnings management become fraud?
o Fraudulent financial reporting is a deliberate misstatement in the financial statements. It include :
 deliberate falsification of underlying accounting records
 intentionally breaching an accounting standard.
 knowingly omitting transactions or required disclosures in the financial statements.
 For example, deliberately not disclosing a contingent liability, or significant going concern
problems, in the notes to the financial statements means that the disclosures required (under IAS
37 and IAS 1 respectively) have intentionally not been made. According to ISA 240 (Redrafted), The
Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, this is an example of
fraudulent financial reporting.
o ISA 240 (Redrafted) states that ‘incentive or pressure to commit fraudulent financial reporting may exist
when management is under pressure, from sources outside or inside the entity, to achieve an expected (and
perhaps unrealistic) earnings target or financial outcome – particularly since the consequences to
management for failing to reach financial goals can be significant’
 What are the implications to the auditor?
o Professional scepticism : an attitude which should be heightened if there is a suspicion of
fraudulent financial reporting.
o Discussion among the audit team : audit team should have a discussion about those factors that
indicate that the financial statements may be susceptible to misstatement due to fraud.
o Evaluation of accounting policies: attention should focus on those policies relating to complex
transactions, and to subjective matters. All accounting policies and estimates should be carefully
reviewed for potential bias. The circumstances resulting in any bias may represent a risk of
misstatement due to a fraudulent financial reporting.
o Completeness of disclosures : The auditor must therefore consider whether all relevant
information has been disclosed in the financial statements in compliance with accounting standards.
o Audit report : where financial statements appear to have been misstated due to earnings
management or fraudulent financial reporting, auditor will have be to decide whether any earnings
management is within generally accepted accounting principles or it is in breach of accepted
accounting practice and therefore fraudulent. In both case consider implication on AR.
o Reporting to those charged with governance : instances of fraudulent financial reporting
o Other reporting responsibilities : ISA 240, communications with regulatory and enforcement
authorities. In many jurisdictions, it would also be appropriate to communicate with shareholders,

Quality Management (C)

International Standards on Quality Management – part 1 (ISQM 1)
Note : Same as covered in chapter 4 – no need point.

 Key principles underlying the quality standards: The SoQM must address eight components :
o 1. Firm’s risk assessment process
o 2. Governance and leadership
o 3. Relevant ethical requirements
o 4. Acceptance and continuance of client relationships
o 5. Engagement performance
o 6. Resources
o 7. Information and communication
o 8. Monitoring and remediation process
 Conclusions :
o ISQM 1 provides a focus on audit quality and a process of risk management with respect to quality that aims
to ensure all firms have quality as a priority when performing audits and other assurance engagements.
o The standard is principles driven with a focus on scalability, flexibility and continuous improvement.
o Quality management is core to audit, and a detailed understanding of the importance of both audit quality
and quality management underlies the performance of an audit.
o Quality is a key part of ensuring that audits are fit for purpose and retain the public trust. As such, it is key to
every audit and every stage of the audit process and candidates should expect to see aspects of quality
management examined at all stages of an audit in exam questions and in either section of the exam.

International Standards on Quality Management – part 2 (ISQM 2 and ISA 220 (Revised))
 ISQM 2, Engagement Quality Reviews
 ISA 220 (Revised), Quality Management for an Audit of Financial Statements
Note ISQM 2 is same as covered in chapter 2
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024

ISA 220 (Revised), Quality Management for an Audit of Financial Statements : Covered in Ch 2.

Planning and conducting an audit of historical financial

information (D)

Group audits
Risk and understanding the entity
Auditing in specialised industries
 Airline, banking, insurance, oil extraction
 these industries specialised because either to have specific financial reporting
standards applicable to them, or to have distinct accounting policies
Audit considerations
 Competence :
 Knowledge of relevant auditing standards.
 IESBA International Code of Ethics for Professional Accountants (the Code) requires :
auditor should have an appropriate understanding of the nature and complexity of the
client’s business, as well as knowledge of relevant industrial regulatory or reporting
requirements
 ISA 220 (Revised) Quality Management for an Audit of Financial Statements requires the
auditor to assess whether there are sufficient and appropriate resources to perform the
engagement and that there is the ‘appropriate competence and capabilities’
 Audit Planning : Identification of the risk of material misstatement in a specialised industry- by
obtaining appropriate understanding of the business and its environment.
 audit firm is likely to have additional resources available.
 briefing notes or internal technical guidance on how financial reporting standards should be
applied within the sector
 Reliance on Expert : the auditor may plan to use an auditor’s expert to obtain audit evidence.
 ISA 620, Using the Work of an Auditor’s Expert which deals with matters including the
evaluation of the objectivity, competence and capabilities of the auditor’s expert, determining
and communicating the scope and objectives of their work, and assessing their findings .

Auditing disclosures in financial statements

Disclosures in financial statements
Auditors are required to express an opinion on the financial statements as a whole. This includes the notes to the financial
statements which are an integral part of the accounts, providing additional information on balances and transactions and other
relevant information. Therefore, it is important that during all stages of the audit the auditor gives appropriate consideration to, and
plans to obtain sufficient and appropriate audit evidence in relation to the disclosures made in the notes to the financial statements.
ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on
Auditing specifies that the financial statements include related notes which ‘comprise a summary of the significant accounting
policies and other explanatory information’.
The notes to financial statements contain different types of information, some quantitative and some qualitative, as required by
IFRS. Some examples are given below:
Quantitative disclosures:
 Disaggregation and analysis of balances and transactions included in the financial statements, for example of property,
plant and equipment, intangible assets, provisions, lease obligations, financial instruments.
 Segmental analysis of revenue, profit and certain other items, and information about major customers (for listed
companies).
 Summarised financial information in relation to associates and joint ventures.

Qualitative disclosures:
 Descriptions of significant accounting policies and areas where critical accounting judgement has been exercised, and
rationale for any changes in accounting policies.
 Confirmation that the going concern assumption is appropriate, or discussion of significant doubt over going concern.
 Information on related parties, and related party transactions.
 Explanation of impairment losses recognised in the year.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
 Discussion of areas of risk, for example those relating to financial instruments.

A key driver for the IAASB’s consultation and the exposure draft, Addressing Disclosures in the Audit of Financial Statements,
issued in May 2014, is that in recent years, IFRS requirements in relation to disclosures in the notes to financial statements have
become more onerous. The exposure draft states that ‘over the past decade, financial reporting disclosure requirements and
practices have evolved. They now provide more extensive decision-useful information that is more detailed and often deals with
matters that are subjective such as assumptions, models, alternative measurement bases and sources of estimation uncertainty.
As these financial reporting disclosures continue to evolve, challenges have arisen for preparers and auditors in addressing new
types of quantitative and non-quantitative information’.
The challenges for auditors

Risk of irrelevant disclosures and determining materiality

The IAASB is concerned that in some financial statements excessive disclosure is being provided, sometimes of immaterial matters
that do not need to be disclosed. This makes it difficult for the reader of the financial statements to focus on the important matters
due to the ‘information overload’. This is a difficult area for the auditor because often judgement is needed to decide whether or not
a matter should be disclosed. Companies might prefer to provide too much information rather than too little, in the aim of full
transparency, but end up providing irrelevant or unnecessary disclosures which obscure the rest of the information included.
Linked to the point above, it can be very difficult to apply materiality to disclosures, especially those of a quantitative nature. The
IAASB has considered whether additional guidance should be given to auditors to help them to determine whether qualitative
disclosures are material or not by making a preliminary determination at the planning stage of the audit of those disclosures that
could reasonably be expected to influence the economic decisions of users. This would help the auditor to better identify
disclosures material by their nature or their monetary value, and to plan appropriate audit procedures.

Sources of information
A key concern of the IAASB is that the information included in the notes to the financial statements, whether quantitative or
qualitative in nature is derived from systems and processes that are not part of the general ledger system. Examples could include,
forward looking statements, descriptions of models used in fair value measurements, descriptions of risk exposures and other
narrative disclosures. This gives rise to several potential problems to the auditor, and respondents involved in the IAASB’s
consultations noted that this issue poses some of the most challenging aspects of preparing and auditing disclosures.
One problem is whether the system or process from which information is derived, when it is outside of normal accounting
processes, has any internal control to provide assurance on the completeness, accuracy and validity of the information. For
example, information on financial instruments may be provided by a company’s treasury management function, which could have
very different systems and procedures to the accounting function, with a different level of control risk attached. The systems and
controls may be deficient, creating higher audit risk. This may particularly be the case when dealing with one-off disclosures, for
example in relation to the situation causing an impairment loss. In some cases, due to lack of the documentation that would
normally be expected for more routine transactions or events captured by the accounting system, it may be difficult to obtain
sufficient, appropriate audit evidence on disclosures.

Timing considerations
The IAASB notes that often disclosures are prepared by management very late in the audit process. Often, when the auditor is
planning the audit, draft disclosures are not available, so it is not possible for the auditor to plan the audit of disclosures until much
later in the audit process. This could lead to higher audit risk in that there may not be much time to assess the risk relating to
disclosures and to perform the necessary audit procedures. This is especially the case where disclosures are complex, for example
in relation to financial instruments, or subjective, for example in relation to fair value measurement.
The IAASB proposals
The IAASB has proposed additional guidance to help establish an appropriate focus on disclosures in the audit and encourage
earlier auditor attention on them during the audit process. There is also a proposal to amend the definition of financial statements
contained in the ISAs, to ensure an appropriate emphasis on the importance of disclosures as part of the financial statements.
Proposed changes to the ISAs include new application material to:
 Amend the term ‘financial statements’ as used in the ISAs to include all disclosures subject to audit and to include that
such disclosures may be found in the related notes, on the face of the financial statements, or incorporated by cross-
reference as allowable by some financial reporting frameworks.
 Emphasise the importance of giving appropriate attention to, and planning adequate time for addressing disclosures in the
same way as classes of transactions, events and account balances, and early consideration of matters such as significant
new or revised disclosures.
 Focus auditors on additional matters relating to disclosures that may be discussed with those charged with governance, in
particular at the planning stage of the audit.
 Emphasise that, when agreeing the terms of engagement, the auditor should emphasise management’s responsibility,
early in the audit process, to make available information relevant to disclosures.
 Provide additional examples of misstatements in disclosures to highlight the types of misstatements that may be found in
disclosures, and to clarify that identified misstatements, including those in disclosures and irrespective of whether they
occur in quantitative or non-quantitative information, need to be accumulated and evaluated for their effect on the financial
statements.

In terms of specific planning considerations, the IAASB recommends improvements to some aspects of risk assessment and
materiality determination in order to encourage a more robust risk assessment relating to disclosures:
 Expanding the guidance on matters to consider when the auditor is obtaining an understanding of the entity and its
environment, including the entity’s internal control, and assessing the risks of material misstatement for disclosures,
including materiality considerations for non-quantitative disclosures.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
 Highlighting disclosures, including examples of relevant matters, for consideration during the discussion among the
engagement team of the susceptibility of the entity’s financial statements to material misstatement, including from fraud.
 Integrating the separate category for assertions relating to presentation and disclosure into the categories for account
balances and transactions to promote their more consistent and effective use.
 Acknowledging, and giving prominence to, disclosures where the information is not derived from the accounting system,
and related considerations pertaining to this source of audit evidence.
 In relation to materiality, clarifying that the nature of potential misstatements in disclosures, in particular non-quantitative
disclosures, is also relevant to the design of audit procedures to address the risks of material misstatement.

Using the work of internal auditors

External and internal auditors
Much of the work performed by a company’s internal audit function can overlap with the work conducted by the external auditor, specifically
in areas dealing with the assessment of control processes. It is likely that in carrying out detailed work evaluating and reviewing the company’s
internal control framework internal audit perform procedures on financial controls relevant to the external audit. As such, the external auditor,
rather than duplicating these procedures, may be able to place reliance on the work carried out by the internal auditor.
This article focuses on the provision of direct assistance by the internal auditors, which historically has been a very controversial issue. Internal
auditors are the employees of the entity, which could result in threats to independence (either in fact or perceived) if direct assistance is
provided by the internal auditors. On the other hand, the following benefits relating to provision of direct assistance by the internal auditors
cannot be ignored:
 There will be a strengthened relationship between the external and internal auditors through a more effective dialogue
 With the knowledge of the internal auditors, the external auditor can gain additional insights into the entity
 The external auditor can use internal auditors who may have relevant expertise in particular areas, and
 The external audit team can focus on the more significant audit issues.

Where such use is not prohibited by law or regulation, the ISA provides a robust framework to ensure that direct assistance is obtained only in
appropriate circumstances, that the external auditor considers the relevant limitations and safeguards, and that the auditor’s responsibilities
are clearly set out.

Guidance on determining if it is appropriate for internal auditors to provide direct assistance

When can internal auditors be used to provide direct assistance?
The external auditor, in the course of discharging their responsibilities must decide if it is appropriate in the circumstances to use internal audit
to provide direct assistance. The ISA identifies a number of steps that the external auditor should work through when determining to what
extent, if any, direct assistance can be provided.

Step 1: Prohibition by law or regulation

The external auditor may be prohibited by law or regulation from obtaining direct assistance from internal auditors; therefore, the first task is
to understand the law or regulation of the jurisdiction in which the auditor is operating. In the United Kingdom for example, the Financial
Reporting Council (FRC) prohibits external auditors from using internal auditors as ‘direct assistance’ members of the audit team in order to
enhance the principle of auditor independence. Consequently the guidelines in relation to direct assistance are irrelevant to audits conducted
in accordance with ISAs (UK).
Step 2A: Evaluation of the existence and significance of threats to objectivity of the internal auditors
This is considered as an important element in the external auditor’s judgment as to whether internal auditors can provide direct assistance.
Objectivity is regarded as the ability to perform the tasks without allowing bias, conflict of interest or undue influence of others to override
professional judgment. The following factors are relevant to the external auditor’s evaluation of objectivity:
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024

It should be noted that the main purpose here is to evaluate threats to objectivity. Take the first factor as an example – if evidence shows that
the internal audit function’s organisational status supports the objectivity of the internal auditors, the external auditor will feel more
comfortable using direct assistance from the internal auditors. The following situations are likely to support the objectivity of the internal
auditors:
 The internal audit function reports to those charged with governance (eg the audit committee) rather than solely to management (eg
the chief finance officer)
 The internal audit function does not have managerial or operational duties that are outside of the internal audit function
 The internal auditors are members of relevant professional bodies obligating their compliance with relevant professional standards
relating to objectivity.

Step 2B: Evaluation of the level of competence of the internal auditors

Competence of the internal audit function is likely to be deemed satisfactory where it can be evidenced that the function as a whole operates
at the level required to (i) enable assigned tasks to be performed diligently and (ii) in accordance with applicable professional standards. To
make such evaluation, the external auditor can take into consideration the following factors:
 Whether there are established policies for hiring, training and assigning internal auditors to internal audit engagements
 Whether the internal auditors have adequate technical training and proficiency in auditing (eg with relevant professional designation
and experience)
 Whether the internal auditors possess the required knowledge relating to the entity’s financial reporting and the applicable financial
reporting framework
 Whether the internal audit function possesses the necessary skills (for example, industry-specific knowledge) to perform work related
to the entity’s financial statements.

Points to note in the evaluation

The above evaluation regarding the internal auditors’ objectivity and competence should not be new to candidates as it forms the basis for any
assessment by the external auditor when determining if reliance can be placed on the work of internal auditors. The external auditor should
bear in mind that the assessment of competence and objectivity are of equal importance, and should be assessed individually and in
aggregate. For example if the internal auditors are deemed appropriately competent but the external auditor identifies significant threats to
objectivity it is unlikely that the external auditor will be able to use the internal auditors to provide direct assistance and vice versa.

What can be assigned to internal auditors providing direct assistance?

Following the above detailed evaluation, if the external auditor determines that internal auditors, can be used to provide direct assistance for
purposes of the audit, the next decision to be made by the external auditor is to determine the nature and extent of work that can be
assigned to internal auditors.
This is a matter that requires the auditor to exercise professional judgment, due to the fact that extensive use of direct assistance could affect
perceptions of the independence of external auditors. ISA 610 (Revised 2013) limits the circumstances in which direct assistance can be
provided. The external auditor is advised to consider the following factors in such determination:
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
The external auditor should have performed the assessment of the first two factors when determining whether the internal auditors can
provide direct assistance in the first instance. The less persuasive the evidence regarding the internal auditors’ objectivity and competency, the
more restrictive the nature and extent of work that can be assigned.
As a starting point the external auditor should consider the amount of judgment needed in (i) planning and performing relevant audit
procedures and (ii) evaluating audit evidence gathered. The greater the level of judgment required, the narrower the scope of work that can
be assigned to internal auditors. The following activities are deemed to involve significant judgment and therefore are not expected to be
assigned to internal auditors providing direct assistance:
 Assessing risks of material misstatements
 Evaluating the sufficiency of tests performed
 Evaluating significant accounting estimates, and
 Evaluating the adequacy of disclosures in the financial statements and other matters affecting the auditor’s report.

For any particular account balance, class of transaction or disclosure, the external auditor has to take into consideration the assessed risk of
material misstatement when determining the nature and extent of work that they propose to assign to internal auditors. The higher the
assessed risk, the more restricted the nature and extent of work that should be assigned to internal auditors. If the risk of material
misstatement is considered to be anything other than low, the more judgment that has to be involved and the more persuasive the audit
evidence required. Therefore, in these circumstances, in order to reduce audit risk to an acceptably low level it is expected that the external
auditor has to perform more procedures directly and place less reliance on assistance provided by internal auditors when collecting sufficient
appropriate evidence. The ISA provides some specific examples of areas where reliance should be restricted.
ISA 610 (Revised 2013) states that internal auditors cannot carry out procedures when providing direct assistance that:
 Involve making significant judgment in the audit
 Relate to higher assessed risks of material misstatements where the judgment required in performing the relevant audit procedures
or evaluating the audit evidence gathering is more than limited
 Relate to decisions the external auditor makes in accordance with ISA 610 (Revised 2013) regarding the internal audit function and
the use of its work or direct assistance
 Relate to work with which the internal auditors have been involved and which has already been or will be reported to management
(or those charged with governance) by the internal audit function. This restriction intends to minimise self-review threats.

ISA 610 (Revised 2013) also states that the following should not be assigned to or involve internal auditors providing direct assistance:
(i) discussion of fraud risks
(ii) determination of unannounced (or unpredictable) audit procedures as addressed in ISA 240, The Auditor’s Responsibilities Relating
to Fraud in an Audit of Financial Statements, and
(iii) maintaining control over external confirmation requests and evaluation of results of external confirmation procedures.

Responsibilities of the external auditor using internal auditors to provide direct assistance
The external auditor should note the following responsibilities at different stages of the audit when using internal auditors to provide direct
assistance:
(1) After determining the use of internal auditors to provide direct assistance
The external auditor has to:
 Communicate the nature and extent of the planned use of internal auditors with those charged with governance (in accordance with
ISA 260, Communication with Those Charged with Governance) so as to reach a mutual understanding that such use is not
excessive in the circumstances of the engagement. This communication not only dispels any perception that the external auditor’s
independence might be compromised by the use of direct assistance but also facilitates appropriate dialogue with those charged with
governance.
 Evaluate whether the external auditor is still sufficiently involved in the audit.

(2) Prior to the use of internal auditors to provide direct assistance

The external auditor has to obtain written agreement from two parties:
 From an authorised representative of the entity stating that: (i) the internal auditors will be allowed to follow the external auditor’s
instructions, and (ii) the entity will not intervene in the work the internal auditor performs for the external auditors.
 From internal auditors stating that they will: (i) keep confidential specific matters as instructed by the external auditor and (ii) inform
the external auditor of any threat to their objectivity.

(3) During the audit

The external auditor has to:
 Direct, supervise and review the work performed by internal auditors on the engagement, bearing in mind that the internal auditors
are not independent of the entity. It is therefore expected that such supervision and review will be of a different nature and more
extensive than if members of the audit engagement team perform the work.
 Remind the internal auditors to bring accounting and auditing issues identified during the audit to the attention of the external
auditors.
 Check back to the underlying audit evidence for some of the work performed by the internal auditors.
 Make sure the internal auditors have obtained sufficient appropriate audit evidence to support the conclusions based on that work.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
(4) Documenting the audit evidence
The documentation requirements evidencing the application of the important safeguards in ISA 610 (Revised 2013) have been expanded when
the external auditor uses the internal auditors to provide direct assistance. The external auditor should document the following in the working
papers:
 Evaluation of the existence and significance of the threats to the objectivity of the internal auditors and the level of competence of
the internal auditors used to provide direct assistance
 The basis for the decision regarding the nature and extent of the work performed by the internal auditors
 Who reviewed the work performed and the date and extent of that review in accordance with ISA 230, Audit Documentation
 The written agreements obtained from an authorised representative of the entity and the internal auditors
 The working papers prepared by the internal auditors providing direct assistance on the audit engagement.

Audit risk
What is audit risk?
‘The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a
function of material misstatement and detection risk.’
Why is audit risk so important to auditors?
Audit risk is fundamental to the audit process because auditors cannot and do not attempt to check all transactions. Students should refer to
any published accounts of large companies and think about the vast number of transactions in a statement of comprehensive income and a
statement of financial position. It would be impossible to check all of these transactions, and no one would be prepared to pay for the auditors
to do so, hence the importance of the risk-based approach toward auditing. Traditionally, auditors have used a risk-based approach in order to
minimise the chance of giving an inappropriate audit opinion, and audits conducted in accordance with ISAs must follow the risk-based
approach, which should also help to ensure that audit work is carried out efficiently, using the most effective tests based on the audit risk
assessment. Auditors should direct audit work to the key risks (sometimes also described as significant risks), where it is more likely that errors
in transactions and balances will lead to a material misstatement in the financial statements. It would be inefficient to address insignificant risks
in a high level of detail, and whether a risk is classified as a key risk or not is a matter of judgment for the auditor.
Relevant ISAs
There are many references throughout the ISAs to audit risk, but perhaps the two most important audit risk-related ISAs are as follows:
ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with ISAs
ISA 200 sets out the overall objectives of the auditor, and the standard explains the nature and scope of an audit designed to enable an auditor
to meet those objectives. References to audit risk are frequently made by ISA 200, and the standard also requires that the auditor shall plan
and perform an audit with professional scepticism, recognising that circumstances might exist that may cause the financial statements to be
materially misstated. Professional scepticism is defined as an attitude that includes a questioning mind and a critical assessment of evidence.
ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment
ISA 315 deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through an
understanding of the entity and its environment, including the entity’s internal controls and risk assessment process. The first version of ISA
315 was originally published in 2003 after a joint audit risk project had been carried out between the IAASB, and the United States Auditing
Standards Board. Changes in the audit risk standards have arguably been the single biggest change in auditing standards in recent years, so the
significance of ISA 315, and the topic of audit risk, should not be underestimated by auditing students.
The requirements of ISA 315 are summarised in the following table.

(1). The auditor shall perform risk assessment procedures in order to provide a basis for the identification and assessment of the risks
of material misstatement.
(2). The auditor is required to obtain an understanding of the entity and its environment, including the entity’s internal control
systems.
(3). The auditor shall identify and assess the risks of material misstatement, and determine whether any of the risks identified are, in
the auditor’s judgement, significant risks. This is in order to provide a basis for designing and performing further audit procedures.
(4). ISA 330 then deals with the required responses to assessed risks.

Let us consider each of these four stages in more detail.

1. Risk assessment procedures

ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risks,
and these risks must then be considered when designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and
assertion levels. ISA 315 goes on to identify the following three risk assessment procedures:
Making inquiries of management and others within the entity
Auditors must have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals.
Analytical procedures
Analytical procedures performed as risk assessment procedures should help the auditor in identifying unusual transactions or positions. They
may identify aspects of the entity of which the auditor was unaware, and may assist in assessing the risks of material misstatement in order to
provide a basis for designing and implementing responses to the assessed risks.
Observation and inspection
Observation and inspection may also provide information about the entity and its environment. Examples of such audit procedures can
potentially cover a very broad area, including observation or inspection of the entity’s operations, documents, and reports prepared by
management, and also of the entity’s premises and plant facilities.
ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the
standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s
financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the
engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the
discussion.
2. Understanding an entity
ISA 315 gives detailed guidance about the understanding required of the entity and its environment by auditors, including the entity’s internal
control systems. Understanding of the entity and its environment is important for the auditor in order to help identify the risks of material
misstatement, to provide a basis for designing and implementing responses to assessed risk (see reference below to ISA 330, The Auditor’s
Responses to Assessed Risks), and to ensure that sufficient appropriate audit evidence is collected. Given that the focus of this article is audit
risk, however, students should ensure that they also make themselves familiar with the concept of internal control, and the components of
internal control systems.
3. Identification and assessment of significant risks and the risks of material misstatement
In exercising judgement as to which risks are significant risks, the auditor is required to consider the following:
Whether the risk is a risk of fraud.
Whether the risk is related to recent significant economic, accounting or other developments, and therefore requires specific attention.
The complexity of transactions.
Whether the risk involves significant transactions with related parties.
The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide
range of measurement uncertainty.
Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be
unusual.

4. ISA 330 and responses to assessed risks

The requirements of ISA 330, The Auditor’s Responses to Assessed Risks, will be covered in a future article, but essentially ISA 330 gives
guidance about the nature and extent of the testing required, based on the risk assessment findings.
Audit risk and business risk
For the purposes of the F8 exam, it is important to make a distinction between audit risk and business risk (which is not examinable in F8), even
though ISA 315 itself does not make such a distinction clear. ISA 315(2) defines business risk as follows:
‘A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve
its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.’
Hence, business risk is a much broader concept than audit risk. Students are reminded that business risk is excluded from the FAU and F8
syllabus, although it is examinable in P7.
The audit risk model
Finally, it is important to make reference to the so called traditional audit risk model, which pre-dates ISA 315, but continues to remain
important to the audit process. The audit risk model breaks audit risk down into the following three components:
Inherent risk
This is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material,
either individually or when aggregated with other misstatements, before consideration of any related controls.
Control risk
This is the risk that a misstatement could occur in an assertion about a class of transaction, account balance or disclosure, and that the
misstatement could be material, either individually or when aggregated with other misstatements, and will not be prevented or detected and
corrected, on a timely basis, by the entity’s internal control.
Detection risk
This is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that
exists and that could be material, either individually or when aggregated with other misstatements.

The interrelationship of the three components of audit risk is outside the scope of this current article. F8 students, however, will typically be
expected to have a good understanding of the concept of audit risk, and to be able to apply this understanding to questions in order to identify
and describe appropriate risk assessment procedures
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Audit working papers
The auditing standards
ISA 230, Audit Documentation states that the objective (1) of the auditor is to prepare documentation that provides:
1. A sufficient and appropriate record of the basis for the auditor’s report, and
2. Evidence that the audit was planned and performed in accordance with ISAs and applicable legal and regulatory requirements.

The auditor should prepare the audit documentation on a timely basis and in such a way so as to enable an experienced auditor, having no
previous connection with the audit, to understand:
1. The nature, timing, and extent of the audit procedures performed to comply with ISAs and applicable legal and regulatory
requirements
2. The results of the audit procedures and the audit evidence obtained, and
3. Significant matters arising during the audit, the conclusions reached and significant judgments made in reaching those conclusions.

In documenting the nature, timing, and extent of audit procedures performed, the auditor should record the identifying characteristics of the
specific items or matters being tested.

The auditor should document discussions of significant matters with management and others on a timely basis.

If the auditor has identified information that contradicts or is inconsistent with the auditor’s final conclusion regarding a significant matter, the
auditor should document how the auditor addressed the contradictions or inconsistency in forming the final conclusion.

Where, in exceptional circumstances, the auditor judges it necessary to depart from a basic principle or an essential procedure that is relevant
in the circumstances of the audit, the auditor should document how the alternative audit procedures performed achieve the objective of the
audit, and, unless otherwise clear, the reasons for the departure.

In documenting the nature, timing, and extent of audit procedures performed, the auditor must record:
1. The identifying characteristics of the specific items or matters tested
2. Who performed the audit work and the date such work was completed, and
3. Who reviewed the audit work and the date and extent of such review (2).

The auditor should complete the assembly of the final audit file on a timely basis after the date of the auditor’s report.

After the assembly of the final audit file has been completed, the auditor should not delete or discard audit documentation before the end of
its retention period.

When the auditor finds it necessary to modify existing audit documentation or add new audit documentation after the assembly of the final
file has been completed, the auditor should, regardless of the nature of the modifications or additions, document:
1. The specific reasons for making them, and
2. When and by whom they were made and reviewed.

When exceptional circumstances arise after the date of the auditor’s report that require the auditor to perform new or additional audit
procedures, or that lead the auditor to reach new conclusions, the auditor should document:
1. The circumstances encountered
2. The new or additional audit procedures performed, audit evidence obtained, and conclusions reached, and their effect on the
auditor’s report
3. When and by whom the resulting changes to audit documentation were made, and (where applicable) reviewed.

The requirements of the ISA guide the auditor to produce audit documentation that is of an acceptable standard. Understanding and applying
the requirements will protect the auditor from unwelcome and unnecessary litigation.
Importance of working papers
Working papers are important because they:
 are necessary for audit quality control purposes
 provide assurance that the work delegated by the audit partner has been properly completed
 provide evidence that an effective audit has been carried out
 increase the economy, efficiency, and effectiveness of the audit
 contain sufficiently detailed and
 up-to-date facts which justify the reasonableness of the auditor’s conclusions
 retain a record of matters of continuing significance to future audits.

Avoiding unnecessary papers

Before deciding to prepare a particular audit working paper, the auditor should be satisfied that it is:
 necessary either because it will serve an essential or useful purpose in support of the auditor’s report, or because it will provide
information needed for tax or other client-related statutory/regulatory purposes
 not practicable for the client staff to prepare the working paper, or for the auditor to make copies of papers that the client staff
(including internal auditors) have prepared as part of their normal regular duties.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Content
Typically each audit working paper must be headed with the following information:
 The name of the client
 The period covered by the audit
 The subject matter
 The file reference (3)
 The initials (signature) of the member of staff who prepared the working paper, and the date on which it was prepared
 In the case of audit papers prepared by client staff, the date the working papers were received, and the initials of the audit team
member who carried out the audit work
 The initials of the member of staff who reviewed the working papers and the date on which the review was carried out
 Each audit paper should meet the characteristics of a good working paper, as detailed later in this article.

Papers prepared by client

Certain working papers required by the auditor may have already been prepared by client staff. The auditor should make arrangements,
whenever possible, for copies of these to be made available to the audit team. If client staff prepare working papers which are to be retained
by the auditor, the auditor should agree the form of the working papers with client staff at an early stage in the audit, and include this
information in the audit timetable.
When arranging for working papers to be prepared, the auditor should take care to ensure that the working papers will give all the information
required. All such working papers should normally be clearly identified as having been prepared by the client. The member of audit staff
directly responsible for an audit area in which working papers prepared by client staff are included should sign those papers – this will show
that they have been checked and that they can be reviewed by the manager and the partner, and by subsequent reviewers. The signature of
the audit team member indicates that the working paper (prepared by client staff) has been ‘audited’.
Some characteristics of a good working paper
On the basis of the discussion above, a good working paper should meet the requirements of ISA 230 by displaying the following
characteristics:
 It should state a clear audit objective, usually in terms of an audit assertion (for example, ‘to ensure the completeness of trade
payables’).
 It should fully state the year/period end (eg 31 October 20X9), so that the working paper is not confused with documentation
belonging to a different year/period.
 It should state the full extent of the test (ie how many items were tested and how this number was determined). This will enable the
preparer, and any subsequent reviewers, to determine the sufficiency of the audit evidence provided by the working paper.
 Where there is necessary reference to another working paper, the full reference of that other working paper must be given. A
statement that details of testing can be found on ‘another working paper’ is insufficient.
 The working paper should clearly and objectively state the results of the test, without bias, and based on the facts documented.
 The conclusions reached should be consistent with the results of the test and should be able to withstand independent scrutiny.
 The working paper should be clearly referenced so that it can be filed appropriately and found easily when required at a later date.
 It should be signed by the person who prepares it so that queries can be directed to the appropriate person.
 It should be signed and dated by any person who reviews it, in order to meet the quality control requirements of the review.

The reviewer of audit working papers should ensure that every paper has these characteristics. If any relevant characteristic is judged absent,
then this should result in an audit review point (ie a comment by the reviewer directing the original preparer to rectify the fault on the working
paper).

Auditing in a computer-based environment

The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit
papers reflect this situation.

Students need to ensure they have a complete understanding of the controls in a computer-based environment, how these
impact on the auditor’s assessment of risk, and the subsequent audit procedures. These procedures will often involve the use of
computer-assisted audit techniques (CAATs).

The aim of this article is to help students improve their understanding of this topic by giving practical illustrations of computer-
based controls and computer-assisted techniques and the way they may feature in exam questions.

Relevant auditing standards

References will be made throughout this article to the most recent guidance in standards:
ISA 300 (Redrafted) Planning an Audit of Financial Statements
ISA 315 (Redrafted) Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its
Environment
ISA 330 (Redrafted) The Auditor’s Responses to Assessed Risks.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Internal controls in a computer environment
The two main categories are application controls and general controls.

Application controls
These are manual or automated procedures that typically operate at a business process level and apply to the processing of
transactions by individual applications. Application controls can be preventative or detective in nature and are designed to
ensure the integrity of the accounting records.

Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial
data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and
processed (ISA 315 (Redrafted)).

Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into
the following categories:

(i) Input controls

Examples include batch control totals and document counts, as well as manual scrutiny of documents to ensure they have been
authorised. An example of the operation of batch controls using accounting software would be the checking of a manually
produced figure for the total gross value of purchase invoices against that produced on screen when the batch-processing option
is used to input the invoices. This total could also be printed out to confirm the totals agree.

The most common example of programmed controls over the accuracy and completeness of input are edit (data validation)
checks when the software checks that data fields included on transactions by performing:
reasonableness check, eg net wage to gross wage
existence check, eg that a supplier account exists
character check, eg that there are no alphabetical characters in a sales invoice number field
range check, eg no employee’s weekly wage is more than $2,000
check digit, eg an extra character added to the account reference field on a purchase invoice to detect mistakes such as
transposition errors during input.

When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly,
eg ‘Supplier account number does not exist’.

(ii) Processing controls

An example of a programmed control over processing is a run-to-run control. The totals from one processing run, plus the input
totals from the second processing, should equal the result from the second processing run. For instance, the beginning balances
on the receivables ledger plus the sales invoices (processing run 1) less the cheques received (processing run 2) should equal the
closing balances on the receivable ledger.

(iii) Output controls

Batch processing matches input to output, and is therefore also a control over processing and output. Other examples of output
controls include the controlled resubmission of rejected transactions, or the review of exception reports (eg the wages exception
report showing employees being paid more than $1,000).

(iv) Master files and standing data controls

Examples include one-for-one checking of changes to master files, eg customer price changes are checked to an authorised list. A
regular printout of master files such as the wages master file could be forwarded monthly to the personnel department to
ensure employees listed have personnel records.

General controls
These are policies and procedures that relate to many applications and support the effective functioning of application controls.
They apply to mainframe, mini-frame and end-user environments. General IT controls that maintain the integrity of information
and security of data commonly include controls over the following:
data centre and network operations
system software acquisition, change and maintenance
program change
access security
application system acquisition, development, and maintenance (ISA 315 (Redrafted))

‘End-user environment’ refers to the situation in which the users of the computer systems are involved in all stages of the
development of the system.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
(i) Administrative controls
Controls over ‘data centre and network operations’ and ‘access security’ include those that:
prevent or detect errors during program execution, eg procedure manuals, job scheduling, training and supervision; all these
prevent errors such as using wrong data files or wrong versions of production programs
prevent unauthorised amendments to data files, eg authorisation of jobs prior to processing, back up and physical protection of
files and access controls such as passwords
ensure the continuity of operations, eg testing of back - up procedures, protection against fire and floods.

(ii) System development controls

The other general controls referred to in ISA 315 cover the areas of system software acquisition development and maintenance;
program change; and application system acquisition, development and maintenance.

‘System software’ refers to the operating system, database management systems and other software that increases the efficiency
of processing. Application software refers to particular applications such as sales or wages. The controls over the development
and maintenance of both types of software are similar and include:
Controls over application development, such as good standards over the system design and program writing, good
documentation, testing procedures (eg use of test data to identify program code errors, pilot running and parallel running of old
and new systems), as well as segregation of duties so that operators are not involved in program development
Controls over program changes – to ensure no unauthorised amendments and that changes are adequately tested, eg password
protection of programs, comparison of production programs to controlled copies and approval of changes by users
Controls over installation and maintenance of system software – many of the controls mentioned above are relevant, eg
authorisation of changes, good documentation, access controls and segregation of duties.

Exam focus
Students often confuse application controls and general controls. In the June 2008 CAT Paper 8 exam, Question 2 asked
candidates to provide examples of application controls over the input and processing of data. Many answers referred to
passwords and physical access controls – which are examples of general controls – and thus failed to gain marks.

Computer-assisted audit techniques

Computer-assisted audit techniques (CAATs) are those featuring the ‘application of auditing procedures using the computer as an
audit tool’ ( Glossary of Terms ). CAATs are normally placed in three main categories:
(i) Audit software
Computer programs used by the auditor to interrogate a client’s computer files; used mainly for substantive testing. They can be
further categorised into:
Package programs (generalised audit software) – pre-prepared programs for which the auditor will specify detailed
requirements; written to be used on different types of computer systems
Purpose-written programs – perform specific functions of the auditor’s choosing; the auditor may have no option but to have this
software developed, since package programs cannot be adapted to the client’s system (however, this can be costly)
Enquiry programs – those that are part of the client’s system, often used to sort and print data, and which can be adapted for
audit purposes, eg accounting software may have search facilities on some modules, that could be used for audit purposes to
search for all customers with credit balances (on the customers’ module) or all inventory items exceeding a specified value (on
the inventory module).

Using audit software, the auditor can scrutinise large volumes of data and present results that can then be investigated further.
The software consists of program logic needed to perform most of the functions required by the auditor, such as:
select a sample
report exceptional items
compare files
analyse, summarise and stratify data.

The auditor needs to determine which of these functions they wish to use, and the selection criteria.

Exam focus
Sometimes, questions will present students with a scenario and ask how CAATs might be employed by the auditor. Question 4 in
the December 2007 Paper F8 exam required students to explain how audit software could be used to audit receivables balances.
To answer this type of question, you need to link the functions listed above to the normal audit work on receivables. Students
should refer to the model answer to this question.

The following is an example of how this could be applied to the audit of wages:
Select a random sample of employees from the payroll master file; the auditor could then trace the sample back to contracts of
employment in the HR department to confirm existence
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Report all employees earning more than $1,000 per week
Compare the wages master file at the start and end of the year to identify starters and leavers during the year; the auditor would
then trace the items identified back to evidence, such as starters’ and leavers’ forms (in the HR department) to ensure they were
valid employees and had been added or deleted from the payroll at the appropriate time (the auditor would need to request
that the client retain a copy of the master file at the start of the year to perform this test)
Check that the total of gross wages minus deductions equates to net pay.

(ii) Test data

Test data consists of data submitted by the auditor for processing by the client’s computer system. The principle objective is to
test the operation of application controls. For this reason, the auditor will arrange for dummy data to be processed that includes
many error conditions, to ensure that the client’s application controls can identify particular problems.

Examples of errors that might be included:

supplier account codes that do not exist
employees earning in excess of a certain limit
sales invoices that contain addition errors
submitting data with incorrect batch control totals.

Data without errors will also be included to ensure ‘correct’ transactions are processed properly.

Test data can be used ‘live’, ie during the client’s normal production run. The obvious disadvantage with this choice is the danger
of corrupting the client’s master files. To avoid this, an integrated test facility will be used (see other techniques below). The
alternative (dead test data) is to perform a special run outside normal processing, using copies of the client’s master files. In this
case, the danger of corrupting the client’s files is avoided – but there is less assurance that the normal production programs have
been used.

(iii) Other techniques

There are increasing numbers of other techniques that can be used; the main two are:
Integrated test facility – used when test data is run live; involves the establishment of dummy records, such as departments or
customer accounts to which the dummy data can be processed. They can then be ignored when client records are printed out,
and reversed out later.
Embedded audit facilities (embedded audit monitor) – also known as resident audit software; requires the auditor’s own
program code to be embedded into the client’s application software. The embedded code is designed to perform audit functions
and can be switched on at selected times or activated each time the application program is used. Embedded facilities can be
used to:
– Gather and store information relating to transactions at the time of processing for subsequent audit review; the selected
transactions are written to audit files for subsequent examination, often called system control and review file (SCARF)
– Spot and record (for subsequent audit attention) any items that are unusual; the transactions are marked by the audit code
when selection conditions (specified by the auditor) are satisfied. This technique is also referred to as tagging.

The attraction of embedded audit facilities is obvious, as it equates to having a perpetual audit of transactions. However, the set-
up is costly and may require the auditor to have an input at the system development stage. Embedded audit facilities are often
used in real time and database environments.

Impact of computer-based systems on the audit approach

The fact that systems are computer-based does not alter the key stages of the audit process; this explains why references to the
audit of computer-based systems have been subsumed into ISAs 300, 315 and 330.

(i) Planning
The Appendix to ISA 300 (Redrafted) states ‘the effect of information technology on the audit procedures, including the
availability of data and the expected use of computer - assisted audit techniques’ as one of the characteristics of the audit that
needs to be considered in developing the overall audit strategy.

(ii) Risk assessment

'The auditor shall obtain an understanding of the internal control relevant to the audit.’ (ISA 315 (Redrafted))

The application notes to ISA 315 identify the information system as one of the five components of internal control. It requires the
auditor to obtain an understanding of the information system, including the procedures within both IT and manual systems. In
other words, if the auditor relies on internal control in assessing risk at an assertion level, s/he needs to understand and test the
controls, whether they are manual or automated. Auditors often use internal control evaluation (ICE) questions to identify
strengths and weaknesses in internal control. These questions remain the same – but in answering them, the auditor considers
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
both manual and automated controls.

For instance, when answering the ICE question, ‘Can liabilities be incurred but not recorded?’, the auditor needs to consider
manual controls, such as matching goods received notes to purchase invoices – but will also consider application controls, such
as programmed sequence checks on purchase invoices. The operation of batch control totals, whether programmed or
performed manually, would also be relevant to this question.

(iii) Testing
‘The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive
to the assessed risks of material misstatement at the assertion level.’ (ISA 330 (Redrafted))

This statement holds true irrespective of the accounting system, and the auditor will design compliance and substantive tests
that reflect the strengths and weaknesses of the system. When testing a computer information system, the auditor is likely to use
a mix of manual and computer-assisted audit tests.

‘Round the machine (computer)’ v ‘through the machine (computer)’ approaches to testing
Many students will have no experience of the use of CAATs, as auditors of clients using small computer systems will often audit
‘round the machine’. This means that the auditor reconciles input to output and hopes that the processing of transactions was
error-free. The reason for the popularity of this approach used to be the lack of audit software that was suitable for use on
smaller computers. However, this is no longer true, and audit software is available that enables the auditor to interrogate copies
of client files that have been downloaded on to a PC or laptop. However, cost considerations still appear to be a stumbling block.

In the ‘through the machine’ approach, the auditor uses CAATs to ensure that computer - based application controls are
operating satisfactorily.

Specific aspects of auditing in a computer-based environment

Information technology (IT) is integral to modern accounting and management information systems. It is, therefore, imperative that auditors
should be fully aware of the impact of IT on the audit of a client’s financial statements, both in the context of how it is used by a client to
gather, process and report financial information in its financial statements, and how the auditor can use IT in the process of auditing the
financial statements.
The purpose of this article is to provide guidance on following aspects of auditing in a computer-based accounting environment:
 Application controls, comprising input, processing, output and master file controls established by an audit client, over its computer-
based accounting system and
 Computer-assisted audit techniques (CAATs) that may be employed by auditors to test and conclude on the integrity of a client’s
computer-based accounting system.

Exam questions on each of the aspects identified above are often answered to an inadequate standard by a significant number of students –
hence the reason for this article.
Dealing with application controls and CAATs in turn:
Application controls
Application controls are those controls (manual and computerised) that relate to the transaction and standing data pertaining to a computer-
based accounting system. They are specific to a given application and their objectives are to ensure the completeness and accuracy of the
accounting records and the validity of entries made in those records. An effective computer-based system will ensure that there are adequate
controls existing at the point of input, processing and output stages of the computer processing cycle and over standing data contained in
master files. Application controls need to be ascertained, recorded and evaluated by the auditor as part of the process of determining the risk
of material misstatement in the audit client’s financial statements.
Input controls
Control activities designed to ensure that input is authorised, complete, accurate and timely are referred to as input controls. Dependent on
the complexity of the application program in question, such controls will vary in terms of quantity and sophistication. Factors to be considered
in determining these variables include cost considerations, and confidentiality requirements with regard to the data input. Input controls
common to most effective application programs include on-screen prompt facilities (for example, a request for an authorised user to ‘log-in’)
and a facility to produce an audit trail allowing a user to trace a transaction from its origin to disposition in the system.
Specific input validation checks may include:
Format checks
These ensure that information is input in the correct form. For example, the requirement that the date of a sales in voice be input in numeric
format only – not numeric and alphanumeric.
Range checks
These ensure that information input is reasonable in line with expectations. For example, where an entity rarely, if ever, makes bulk-buy
purchases with a value in excess of $50,000, a purchase invoice with an input value in excess of $50,000 is rejected for review and follow-up.
Compatibility checks
These ensure that data input from two or more fields is compatible. For example, a sales invoice value should be compatible with the amount
of sales tax charged on the invoice.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Validity checks
These ensure that the data input is valid. For example, where an entity operates a job costing system – costs input to a previously completed
job should be rejected as invalid.
Exception checks
These ensure that an exception report is produced highlighting unusual situations that have arisen following the input of a specific item. For
example, the carry forward of a negative value for inventory held.
Sequence checks
These facilitate completeness of processing by ensuring that documents processed out of sequence are reject ed. For example, where pre-
numbered goods received notes are issued to ac knowledge the receipt of goods into physical inventory, any input of notes out of sequence
should be rejected.
Control totals
These also facilitate completeness of processing by ensure that pre-input, manually prepared control totals are compared to control totals
input. For example, non-matching totals of a ‘batch’ of purchase invoices should result in an on-screen user prompt, or the production of an
exception report for follow-up. The use of control totals in this way are also commonly referred to as output controls (see below).
Check digit verification
This process uses algorithms to ensure that data input is accurate. For example, internally generated valid supplier numerical reference codes,
should be formatted in such a way that any purchase invoices input with an incorrect code will be automatically rejected.
Processing controls
Processing controls exist to ensure that all data input is processed correctly and that data files are appropriately updated accurately in a timely
manner. The processing controls for a specified application program should be designed and then tested prior to ‘live’ running with real data.
These may typically include the use of run-to-run controls, which ensure the integrity of cumulative totals contained in the accounting records
is maintained from one data processing run to the next. For example, the balance carried forward on the bank account in a company’s general
(nominal) ledger. Other processing controls should include the subsequent processing of data rejected at the point of input, for example:
 A computer produced print-out of rejected items.
 Formal written instructions notifying data processing personnel of the procedures to follow with regard to rejected items.
 Appropriate investigation/follow up with regard to rejected items.
 Evidence that rejected errors have been corrected and re-input.

Output controls
Output controls exist to en sure that all data is processed and that output is distributed only to prescribed authorised users. While the degree
of output controls will vary from one organisation to another (dependent on the confidentiality of the information and size of the
organisation), common controls comprise:
 Use of batch control totals, as described above (see ‘input controls’).
 Appropriate review and follow up of exception report information to ensure that there are no permanently outstanding exception
items.
 Careful scheduling of the processing of data to help facilitate the distribution of information to end users on a timely basis.
 Formal written instructions notifying data processing personnel of prescribed distribution procedures.
 Ongoing monitoring by a responsible official, of the distribution of output, to ensure it is distributed in accordance with authorised
policy.

Master file controls

The purpose of master file controls is to ensure the ongoing integrity of the standing data contained in the master files. It is vitally important
that stringent ‘security’ controls should be exercised over all master files.
These include:
 appropriate use of passwords, to restrict access to master file data
 the establishment of adequate procedures over the amendment of data, comprising appropriate segregation of duties, and authority
to amend being restricted to appropriate responsible individuals
 regular checking of master file data to authorised data, by an independent responsible official
 processing controls over the updating of master files, including the use of record counts and control totals.

Computer Assisted Audit Techniques (CAATs)

The nature of computer-based accounting systems is such that auditors may use the audit client company’s computer, or their own, as an
audit tool, to assist them in their audit procedures. The extent to which an auditor may choose between using CAATs and manual techniques
on a specific audit engagement depends on the following factors:
 the practicality of carrying out manual testing
 the cost effectiveness of using CAATs
 the availability of audit time
 the availability of the audit client’s computer facility
 the level of audit experience and expertise in using a specified CAAT
 the level of CAATs carried out by the audit client’s internal audit function and the extent to which the extern al auditor can rely on this
work.

There are three classifications of CAATs – namely:

 Audit software
 Test data
 Other techniques
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Dealing with each of the above in turn:
Audit software
Audit software is a generic term used to describe computer programs designed to carry out tests of control and/or substantive procedures.
Such programs may be classified as:
Packaged programs
These consist of pre-prepared generalised programs used by auditors and are not ‘client specific’. They may be used to carry out numerous
audit tasks, for example, to select a sample, either statistically or judgementally, during arithmetic calculations and checking for gaps in the
processing of sequences.
Purpose written programs
These programs are usually ‘client specific ’ and may be used to carry out tests of control or substantive procedures. Audit software may be
bought or developed, but in any event the audit firm’s audit plan should ensure that provision is made to ensure that specified programs are
appropriate for a client’s system and the needs of the audit. Typically, they may be used to re-perform computerised control procedures (for
example, cost of sales calculations) or perhaps to carry out an aged analysis of trade receivable (debtor) balances.
Enquiry programs
These programs are integral to the client’s accounting system; however they may be adapted for audit purposes. For example, where a system
provides for the routine reporting on a ‘monthly’ basis of employee starters and leavers, this facility may be utilised by the auditor when
auditing salaries and wages in the client’s financial statements. Similarly, a facility to report trade payable (creditor) long outstanding balances
could be used by an auditor when verifying the reported value of creditors.
Test data
Audit test data
Audit test data is used to test the existence and effectiveness of controls built into an application program used by an audit client. As such,
dummy transactions are processed through the client’s computerised system. The results of processing are then compared to the auditor’s
expected results to determine whether controls are operating efficiently and systems’ objectiveness are being achieved. For example, two
dummy bank payment transactions (one inside and one outside authorised parameters) may be processed with the expectation that only the
transaction processed within the parameters is ‘accepted’ by the system. Clearly, if dummy transactions processed do not produce the
expected results in output, the auditor will need to consider the need for increased substantive procedures in the area being reviewed.
Integrated test facilities
To avoid the risk of corrupting a client’s account system, by processing test data with the client’s other ‘live’ data, auditors may instigate
special ‘test data only’ processing runs for audit test data. The major disadvantage of this is that the auditor does not have total assurance that
the test data is being processed in a similar fashion to the client’s live data. To address this issue, the auditor may therefore seek permission
from the client to establish an integrated test facility within the accounting system. This entails the establishment of a dummy unit, for
example, a dummy supplier account against which the auditor’s test data is processed during normal processing runs.
Other techniques
This section contains useful background information to enhance your overall understanding.
Other CAATs include:
Embedded audit facilities (EAFs)
This technique requires the auditor’s own program code to be embedded (incorporated) into the client’s application software, such that
verification procedures can be carried out as required on data being processed. For example, tests of control may include the reperformance
of specific input validation checks (see input controls above) – selected transactions may be ‘tagged’ and followed through the system to
ascertain whether stated controls and processes have been applied to those transactions by the computer system. The EAFs should ensure
that the results of testing are recorded in a special secure file for subsequent review by the auditor, who should be able to conclude on the
integrity of the processing controls generally, from the results of testing. A further EAF, of ten overlooked by students, is that of an analytical
review program enabling concurrent performance of analytical review procedures on client data as it is being processed through the
automated system.
Application program examination
When determining the extent to which they may rely on application controls, auditors need to consider the extent to which specified controls
have been implemented correctly. For example, where system amendments have occurred during an accounting period, the auditor would
need assurance as to the existence of necessary controls both before and after the amendment. The auditor may seek to obtain such
assurance by using a software program to compare the controls in place prior to, and subsequent to, the amendment date.

Completion, review and reporting (E)

Evaluation of misstatements
ISA 450 – Objectives and definitions
According to ISA 450, the objectives of the auditor are to evaluate:
 The effect of identified misstatements on the audit, and
 The effect of uncorrected misstatements, if any, on the financial statements

A misstatement occurs when something has not been treated correctly in the financial statements, meaning that the applicable financial
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
reporting framework, namely IFRS, has not been properly applied. Examples of misstatement, which can arise due to error or fraud, could
include:
 An incorrect amount has been recognised – for example, an asset is not valued in accordance with the relevant IFRS requirement.
 An item is classified incorrectly – for example, finance cost is included within cost of sales in the statement of profit or loss.
 Presentation is not appropriate – for example, the results of discontinued operations are not separately presented.
 Disclosure is not correct or misleading disclosure has been included as a result of management bias – for example, a contingent
liability disclosure is missing or inadequately described in the notes to the financial statements.

Specific requirements and application of ISA 450

ISA 450 requires that ‘the auditor shall accumulate misstatements identified during the audit, other than those that are clearly trivial’.
The auditor should set a monetary benchmark below which misstatements are considered to be clearly trivial and would not need to be
accumulated because the auditor expects that the accumulation of such amounts clearly would not have a material effect on the financial
statements. The application notes to ISA 450 make it clear that ‘clearly trivial’ is not another expression for ‘not material.’ The auditor will
need to use judgement to decide whether matters are clearly trivial, and this may be affected by a range of issues including but not limited to
the monetary size of the matter, for example, the level of audit risk being applied in the situation.
ISA 450 also requires that ‘The auditor shall communicate on a timely basis all misstatements accumulated during the audit with the
appropriate level of management, unless prohibited by law or regulation. The auditor shall request management to correct those
misstatements.’
Simply put, this means that the auditor keeps a note of all misstatements (other than those which are clearly trivial), raises them with
management and asks for the misstatements to be corrected in the financial statements.
It is useful, when evaluating misstatements and in making requests to management for misstatements to be corrected, to consider and apply
the framework as laid out in ISA 450, which categorises misstatements as follows:
 Factual misstatements are misstatements about which there is no doubt. An example would be a clear breach of an IFRS
requirement meaning that the financial statements are incorrect, for instance if a necessary disclosure is missing – for example, non-
disclosure of EPS for a listed company.
 Judgmental misstatements are differences arising from the judgments of management concerning accounting estimates that the
auditor considers unreasonable, or the selection or application of accounting policies that the auditor considers inappropriate. There
are of course many examples of using judgement in financial reporting, for instance, when determining the fair value of non-current
assets, the level of disclosure necessary in relation to a contingent liability, or the recoverability of receivables.
 Projected misstatements are the auditor’s best estimate of misstatements in populations, involving the projection of misstatements
identified in audit samples to the entire populations from which the samples were drawn.

For the auditor it is important to distinguish between these types of misstatements in order to properly discuss them with management, and
ask for the necessary corrections, where relevant, to be made. For example, with a factual misstatement, there is little room for negotiation
with management, as the item has simply been treated incorrectly in the financial statements. With judgemental misstatement there is likely
to be more discussion with management. The auditor will need to present their conclusion based on robust audit evidence, in order to explain
the misstatement which has been uncovered, and justify a recommended correction of the misstatement.
With projected misstatements, because these are based on extrapolations of audit evidence, it is normally not appropriate for management to
be asked to correct the misstatement. Instead, a projected misstatement should be evaluated to consider whether further audit testing is
appropriate.

Correction of Misstatements
Management is expected to correct the misstatements which are brought to their attention by the auditor. If management refuses to correct
some or all of the misstatements, ISA 450 requires the auditor to obtain an understanding of management’s reasons for not making the
corrections, and to take that understanding into account when evaluating whether the financial statements as a whole are free from material
misstatement.
Evaluating the Effect of Uncorrected Misstatements
The auditor is required to determine whether uncorrected misstatements are material, individually or in aggregate. At this point the auditor
should also reassess materiality to confirm whether it remains appropriate in the context of the entity’s actual financial results. This is to
ensure that the materiality is based on up to date financial information, bearing in mind that when materiality is initially determined at the
planning stage of the audit, it is based on projected or draft financial statements. By the time the auditor is evaluating uncorrected
misstatements at the completion stage of the audit, there may have been many changes made to the financial statements, so ensuring the
materiality level remains appropriate is very important.
Some misstatements may be evaluated as material, individually or when considered together with other misstatements accumulated during
the audit, even if they are lower than materiality for the financial statements as a whole. Examples include, but are not restricted to the
following:
 Misstatements which affect compliance with regulatory requirements
 Misstatements which impact on debt covenants or other financing or contractual arrangements
 Misstatements which obscure a change in earnings or other trends
 Misstatements which affect ratios used to evaluate the entity’s financial position, results of operations or cash flows
 Misstatements which increase management compensation
 Misstatements which relate to misapplication of an accounting policy where the impact is immaterial in the context of the current
period financial statements, but may become material in future periods

Communication with those charged with governance

AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
ISA 450 requires the auditor to communicate uncorrected misstatements to those charged with governance and the effect that they,
individually or in aggregate, will have on the opinion in the auditor’s report. The auditor’s communication shall identify material uncorrected
misstatements individually and the communication should request that uncorrected misstatements be corrected. The auditor may discuss with
those charged with governance the reasons for, and the implications of, a failure to correct misstatements, and possible implications in
relation to future financial statements. Perhaps the key issue here is that that auditor should discuss the potential implications for the
auditor’s report, which is likely to contain a modified opinion, if material misstatements are not corrected as requested by the auditor.
In addition the auditor is required to request a written representation from management and, where appropriate, those charged with
governance with regard to whether they believe the effects of uncorrected misstatements are immaterial, individually and in aggregate, to the
financial statements as a whole.
Documentation
Finally, ISA 450 requires certain documentation in relation to misstatements:
 The amount below which misstatements would be regarded as clearly trivial
 All misstatements accumulated during the audit and whether they have been corrected, and
 The auditor’s conclusion as to whether uncorrected misstatements are material, individually or in aggregate, and the basis for that
conclusion.
This is an important part of the audit working papers, as it shows the rationale for the auditor’s opinion in relation to material
misstatements.

Completing the audit

Review of audit files and evaluation of misstatements
All audit work should be subject to review. This is a basic quality control requirement of ISA 220, Quality Control for an Audit of Financial
Statements, and serves to ensure that sufficient appropriate audit evidence has been obtained in respect of transactions and balances included
in the financial statements.

From an exam point of view, candidates who have reviewed past Paper P7 exams will be familiar with exam requirements that ask candidates
‘the matters to consider and the evidence they expect to find’ when conducting an audit file review in relation to various matters, and such a
requirement is clearly set in the completion stage of an audit.

In performing a file review, the reviewer should consider the sufficiency of evidence obtained and may need to propose further audit
procedures if evidence is found to be insufficient or contradictory. ISA 230, Audit Documentation requires that documentation of the review
process includes who reviewed the audit work completed and the date and extent of such review.

ISA 450, Evaluation of Misstatements Identified during the Audit is relevant during an audit file review. The objective of the auditor when
following the requirements of this ISA are to evaluate both the effect of identified misstatements on the audit, and the effect of uncorrected
misstatements, if any, on the financial statements.

ISA 450 requires that all misstatements identified (other than those that are clearly trivial) shall be accumulated during the audit. The auditor
may need to perform further audit procedures in response to an identified misstatement – for example, to determine whether further
misstatements exist – and it is required that all misstatements are communicated to management on a timely basis, along with a request to
amend the misstatement identified.

Typically, the auditor will present the client with a list of misstatements (often referred to as the ‘audit error schedule’), quantifying the
amount of each misstatement, and proposing the necessary adjustment to the financial statements. The proposed adjustment may be in the
form of a journal entry, an amendment to the presentation of the financial statements, or a correction to a disclosure note. When
management makes the necessary adjustments to the financial statements, the auditor should confirm that the adjustments have been made
correctly.

When misstatements remain uncorrected by management, the auditor is required to reassess the level of materiality to confirm that it
remains appropriate, and should then determine if the uncorrected misstatements are material individually or in aggregate. The uncorrected
misstatements must be communicated to those charged with governance, and the potential implications for the auditor’s report must also be
communicated. The auditor must also obtain an understanding of management’s reasons for not making the necessary corrections to the
financial statements.

ISA 450 also requires that the auditor must request that management provides a written representation as to whether management believes
the effects of uncorrected misstatements are immaterial, both individually and in aggregate, to the financial statements taken as a whole. A
summary of uncorrected misstatements should also be included within, or attached to, the written representation.

Final analytical procedures

During the completion stage of the audit, the client should prepare the final version of the financial statements, which, as discussed above,
should incorporate any adjustments of misstatements proposed by the auditor. The financial statements should be reviewed according to the
requirements of ISA 520, Analytical Procedures. One of the objectives of the auditor in complying with ISA 520 is to design and perform
analytical procedures near the end of the audit that assist in forming an overall conclusion as to whether the financial statements are
consistent with the auditor’s understanding of the entity.

The analytical procedures performed at this stage of the audit are not different to those performed at the planning stage – the auditor will
perform ratio analysis, comparisons with prior period financial statements and other techniques to confirm that trends are as expected, and to
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
highlight unusual transactions and balances that may indicate a risk of misstatement. The key issue is that, near the end of the audit, the
auditor should have sufficient audit evidence to explain the issues highlighted by analytical procedures, and should therefore be able to
conclude as to the overall reasonableness of the financial statements.

When the analytical procedures performed near the end of the audit reveal further previously unrecognised risk of material misstatement, the
auditor is required to revise the previously assessed risk of material misstatement and modify the planned audit procedures accordingly. This
means potentially performing further audit procedures in relation to matters that are identified as high risk.

As well as reviewing the main elements of the financial statements, the auditor must at this stage carefully review the notes to the financial
statements for completeness and compliance with the applicable financial reporting framework. In many situations, this will be the first
opportunity for the auditor to review this information, as clients often prepare the notes to the financial statements towards the end of the
audit process.

At this stage, the auditor should also read the other information to be issued with the financial statements for consistency with the financial
statements. This is important as inconsistencies may have implications for the auditor’s report. Specific items of other information are subject
to specific regulation in some jurisdictions – for example, in the UK and Ireland the auditor’s report must state whether the Directors’ Report is
consistent with the financial statements.

Subsequent events and going concern procedures

There are two ISAs that are particularly relevant near the end of the audit. The first is ISA 560, Subsequent Events, which requires the auditor
to perform audit procedures to obtain sufficient appropriate audit evidence that all events occurring between the date of the financial
statements and the auditor’s report that require adjustment of, or disclosure in, the financial statements have been identified.

Typically, the auditor will follow a specific work programme dealing with subsequent events, including procedures such as reviewing internal
accounting records and minutes of management meetings since the year-end and discussing subsequent events with management –
particularly the extent to which management has established procedures adequate to identify relevant subsequent events. It is important that
procedures dealing with subsequent events are performed up to the date of the auditor’s report. If they are performed too early and not
updated close to the date of the auditor’s report, then a significant event may not be identified by the auditor.

Secondly, ISA 570, Going Concern states that the auditor shall remain alert throughout the audit for audit evidence of events or conditions that
may cast doubt on the entity’s ability to continue as a going concern. Therefore, the auditor will conclude on going concern matters near the
end of the audit having reviewed all evidence obtained and after reviewing the final version of the financial statements.

Written representations and communication with those charged with governance

Towards the end of the audit, the auditor must consider the matters to be included in management’s written representation, according to ISA
580, Written Representations . This is a matter to be de alt with towards the conclusion of the audit because it is a requirement of ISA 580 that
the date of the written representation shall be as near as possible to, but not after, the date of the auditor’s report. Written representations
are necessary audit evidence, and therefore the auditor’s opinion cannot be expressed and the auditor’s report cannot be dated before the
date of the written representations. Significant subsequent events may come to light very late in the audit, and therefore the written
representations should cover all of the subsequent events period, right up to the date at which the audit report is dated.

Important outputs of the audit are the matters to be communicated in accordance with ISA 260, Communication with Those Charged with
Governance. The matters to be communicated include significant findings from the audit and matters relating to auditor’s independence. In
addition, the auditor must also consider whether the two-way communication between the auditor and those charged with governance has
been adequate for an effective audit, and have taken appropriate action if not.

Audit clearance meeting

At the conclusion of the audit, a meeting will usually be held between the auditor and management and/or those charged with governance of
the client. At this clearance meeting the audit or will explain the various matters that have been discussed in this article, and any other matters
to be discussed in respect of the financial statements and the audit. Typically, at the clearance meeting the following matters may be
discussed:
 The adequacy of the entity’s internal controls and process of preparing the financial statements,
 any proposed adjustments to the financial statements
 any difficulties encountered during the audit process
 the details of ethical matters that may need to be clarified with the client
 confirmation of the matters to be included in management’s written representations
 an update on changes in financial reporting or other regulations that may impact the client’s financial statements, and
 confirmation that the client’s accounting policies are appropriate.

The audit clearance meeting is not a requirement of ISAs, but is often used as a means to ensure that there are no misunderstandings
regarding the financial statements, the auditor’s report and any of the other matters discussed.

Going concern
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
The auditor's objectives in relation to going concern
ISA 570 (Revised) Going Concern, contains well-established guidance on going concern, including the following objectives for the auditor:
 to obtain sufficient appropriate audit evidence regarding, and conclude on, the appropriateness of management's use of the going
concern basis of accounting in the preparation of the financial statements
 to conclude, based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may
cast significant doubt on the entity's ability to continue as a going concern, and
 to determine the implications for the auditor's report in accordance with ISA 570.

All audits should involve an assessment of the appropriateness of management’s use of the going concern basis of accounting, and it is obvious
to say that the auditor may well have to perform additional procedures when there are heightened risks relating to going concern, caused by
difficult economic and market conditions or specific industry considerations affecting the company. But going concern should be considered at
all stages of the audit, not just in terms of specific procedures, and the auditor is required to remain alert to events or conditions which may
cast significant doubt on the company’s ability to continue as a going concern. This requires the auditor to exercise high levels of professional
judgement.
In the exam it is important to remember that going concern is therefore not just something considered at a particular stage in the audit cycle,
but should be an issue that permeates the whole performance and review of an audit.
Auditors should consider going concern indicators and their impact on a particular audit when:
 assessing risk at the planning stage of the audit, and when re-assessing risk as the audit progresses
 designing and performing audit procedures to respond to the assessed risks
 evaluating and concluding on the results of audit procedure, and
 forming an audit opinion.

Paragraph A3 of ISA 570 provides good examples of financial, operational and other indicators which may individually or collectively cast
significant doubt on the entity’s ability to carry on as a going concern. This is where the auditor’s judgement is critical as it is not conclusive
that one or more of these items always signifies that a material uncertainty exists.
Assessing risk at the planning stage of the audit
Auditors are required by ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its
Environment, to gain an understanding of the audit client's business and the economic environment in which it operates. This understanding
should then lead to the identification of business risks, which are then evaluated in terms of any risks of material misstatement in the financial
statements.
Business risks include risks that could reduce the company's profit and/or cash inflows, and could ultimately mean that either a company is not
a going concern, or that there are significant doubts over its ability to continue as a going concern. Identification of this heightened risk at this
initial stage in the audit cycle means that additional audit procedures can be planned as a response to the specific risks identified.
All of this means that the auditor must gain a detailed understanding of the environment in which a company is operating, and more
specifically, an understanding of the particular market conditions affecting its operations. Risks can arise from many factors, including reduced
demand for goods and services, customers' inability to pay for goods and services already provided, an inability to raise necessary finance and
the need and renewal of specific operating licences. Such factors must be assessed for their specific impact on a company's operations. It is
important to remember that difficult economic or market conditions do not automatically mean that a material uncertainty exists about a
company's ability to continue as a going concern but these must be considered by the auditor in order to gain a full understanding.
The evaluation of business risks should lead to the assessment of specific financial statement risks. For a company facing going concern
difficulties, the fundamental financial statement risk is whether the financial statements have been prepared on the correct basis of
accounting, or whether any significant uncertainties have been disclosed in the financial statements. However, there are more specific
financial statement risks including:
 potential overstatement of non-current assets if impairments caused by reduced market value or value in use have not been
recognised
 potential overstatement of inventory if net realisable value has fallen due to reduced demand
 potential overstatement of receivables if irrecoverable debts are not provided for
 incorrect measurement and recognition of gains or losses on financial instruments due to inactive markets
 incorrect measurement and disclosure of assets held for sale or discontinued operations
 incorrect measurement or disclosure of provisions or contingent liabilities caused by restructuring of operations.

Designing, performing and evaluating audit procedures

Where risks, such as the ones mentioned above, have been identified, the auditor must respond to the risks by designing and performing
appropriate audit procedures. Clearly the procedures should address the specific risks identified, and so extra procedures may be needed on
many balances and transactions such as the ones outlined above.
More generally, audit procedures are necessary in order to evaluate how the key management personnel have satisfied themselves that it is
appropriate to adopt the going concern basis in preparing the financial statements. Procedures should include:
 analysing and discussing cash flow, profit and other relevant forecasts with management
 reviewing the terms of loan agreements and determining whether they have been breached
 reading minutes of board meetings and relevant committees for any discussion of financing difficulties
 reviewing events after the year end to identify factors relevant to the going concern assumption as a basis for the preparation of the
financial statements.

Paragraph A16 of ISA 570 contains examples of additional procedures that may be used.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Analysis of cash flow is usually a key feature of any going concern evaluation. In this evaluation the auditor should pay particular attention to
the reliability of the company's systems for generating the cash flow information, and whether the assumptions underlying the cash flow
appear reasonable, applying professional scepticism and challenging those assumptions where needed.
In evaluating going concern, the auditor will consider whether necessary borrowing facilities are in place and in doing so will attempt to obtain
confirmations from the company's bankers. However, the bankers may be reluctant to confirm whether the borrowing facilities will be
available, in which case the auditor should consider the significance of this to the entity's ability to continue as a going concern, and also
consider, through discussion with management, whether there are other strategies or sources of finance available.
Forming an audit opinion
In forming the audit opinion, the auditor should consider two issues: have the financial statements been prepared using the appropriate basis
of accounting and is there adequate disclosure of any material uncertainty regarding going concern.
First, the auditor may conclude that management's use of the going concern basis is inappropriate. This means that the financial statements
are effectively rendered meaningless, and ISA 570 requires the auditor to express an adverse opinion on the financial statements.
In rare circumstances, where the financial statements have not been prepared under the going concern basis of accounting (for example, using
a liquidation basis), and the auditor agrees with the use of this alternative basis for the preparation of the financial statements, the audit
opinion may be unmodified. This is so long as the auditor has also concluded that there is adequate disclosure in the financial statements
regarding the basis of accounting. However, the auditor may consider it necessary to include an Emphasis of Matter paragraph in accordance
with ISA 706 (Revised) Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report, to draw the user’s
attention to the alternative basis of accounting and the reasons for its use.
It is much more likely that the auditor concludes that the level of disclosure in relation to material uncertainties is inadequate rather than
concluding that the going concern basis of accounting is wholly inappropriate. ISA 570 contains detailed guidance in this area, which is briefly
summarised below:
 Where the disclosure of material uncertainty is considered adequate, the auditor will express an unmodified opinion and will also
include a separate section in the auditor’s report entitled ‘Material Uncertainty Related to Going Concern’. This section will draw
attention to the note in the financial statements which discloses the uncertainties. This section will also state that these events or
conditions as disclosed constitute a material uncertainty but the auditor’s opinion is not modified in respect of the matter.

 Where the disclosure of material uncertainty is not considered adequate, the auditor should express either a qualified or adverse
opinion in accordance with ISA 705 (Revised) Modifications to the Opinion in the Independent Auditor’s Report. In the Basis for
Qualified/Adverse Opinion section of the auditor’s report, the auditor should state that a material uncertainty exists which may cast
significant doubt on the entity’s ability to continue as a going concern and that the financial statements do not adequately disclose
this matter.

Ethical matters
In situations where entity’s are facing significant economic or operational pressure, auditors may find themselves being asked by audit clients
to perform non-audit services which may create self-review or advocacy threats to objectivity or which would involve assuming management
responsibilities For example for a client who is suffering financial pressure and is seeking to raise additional or alternative finance or
restructure, the audit firm may be asked to perform:
 a review of the business including advising on restructuring options
 a review of prospective financial information, possibly for presentation to potential providers of finance
 advising on corporate finance options or negotiating such options.

The problem created is that the audit firm may not be able to objectively assess going concern factors when in addition becoming involved
with non-audit services pertaining to the going concern status of the company. The audit firm should carefully consider the appropriateness of
providing such non-audit services in these circumstances.
Safeguards may be able to reduce the threats to objectivity and independence to an acceptable level. Safeguards may include:
 a review of the going concern assessment and conclusion reached by a partner who is not a member of the audit team
 additional procedures as part of an Engagement Quality Control Review
 confirmation from the audit client that they remain responsible for any decisions or actions taken as a result of the non-audit service
provided.

Auditors' reports to those charged with governance

Relevant persons
The first step is to consider to whom the communication should be directed. ISA 260 does not specify this exactly, but
states that ‘governance is the term used to describe the role of persons entrusted with the supervision, control and
direction of an entity’. This implies that the communication should be with the highest level of management, including
the executive and non-executive directors, and the audit committee, where relevant. The identity of the relevant
person(s) to whom the communication will be addressed may be clarified in the engagement letter.

Matters to be communicated
In the second step, the auditor should consider the type of issues that should be communicated. ISA 260 provides
some guidance as to the matters which ordinarily could be incorporated in the communication, including:
 the overall approach and scope of the audit, including any limitations on the scope of the audit
 the accounting policies, and any changes to them, that could materially affect the financial statements
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
 adjustments arising as a result of audit procedures which could materially impact the financial statements
 material events or uncertainties which could jeopardise the going concern status, and which require disclosure
within the financial statements
 disagreements with management over accounting treatments or disclosures
 any expected modifications to the audit report
 material weaknesses discovered in the internal systems and controls.

All of the above are referred to as ‘findings from the audit’ (also often called ‘management letter points’).
The reason for communicating such matters is to ensure that the auditors have brought them to the attention of the
people responsible for the accounting and financial reporting function of the entity. Those responsible can then
discuss the matters and decide any actions that need to be taken in respect of them. For example, if the management
of the entity was totally unaware of the matters regarding control weaknesses, it then has the opportunity to implement
corrective action. It could also be the case that the management lacks technical knowledge; for example, it may not be
appreciated that a specific accounting policy is in breach of acceptable accounting practice. Again, armed with
information from the auditor, management can then resolve the problem by deciding on a new accounting policy.
It is important that material errors found in the financial statements are highlighted to management; if they are left
uncorrected, the audit opinion will be modified. Management must be made aware of this and given the opportunity to
correct the financial statements if necessary, in order to avoid a modified audit report.

Other relevant matters to be communicated

The communication to those charged with governance should not just contain findings from the audit, but should cover
the range of issues related to the audit, which the auditor may want to raise with management. Such matters may
include:
 details of any threats to independence and objectivity, and of any safeguards adopted
 explanations of the audit approach used (for example, the concept of materiality and its application to the
audit process)
 a summary of business risks identified, including an assessment of the likelihood of the risks materialising
 a review of the contents of the management’s representation letter
 recommendations, where relevant, to help improve the entity’s internal systems and controls.

The timing and form of communication

The auditor should communicate matters to those charged with governance on a timely basis, in order for
management to react to the matters raised as soon as possible. Findings from the audit relevant to the accounting and
financial reporting function should be communicated before the approval of the financial statements by management.
This means that material errors can be corrected by management prior to the audit report being issued, thus avoiding
a modification of the report.
ISA 260 discusses the various forms that the communication should take. In most cases, the communication will be in
writing, and in the UK and Ireland this is a requirement of the standard. A communication should be issued even if
there are no matters that the auditor wishes to bring to the attention of those charged with governance, stating that
there are no significant findings from the audit to be communicated.
Outside the UK and Ireland, the communication could be made orally. In this situation, it is important that the auditor
has a written record within the audit working papers of the discussion of significant matters with management.
Whichever method is used to formally communicate the matters, oral or written, the process should be seen as a two-
way dialogue. Management should have the opportunity to respond to the auditor regarding the matters raised.

Examining evidence
Audit procedures versus audit evidence
Audit procedures are actions that auditors carry out during the audit. Paper 2.6 questions typically ask candidates to describe
audit procedures, also known as ‘audit tests’ or ‘audit work’.
Audit evidence is obtained by the auditor as a result of the audit procedure. For example, ‘performing a circularisation of
receivables/debtors’ is an audit procedure, whereas ‘replies from customers’ is audit evidence. It is very important to be aware
of the difference. If a question asks for audit evidence and candidates state audit procedures, then the question hasn’t been
answered, and gains no marks.
Which of the following are procedures and which are evidence?
1. Inspecting non-current/fixed assets for signs of obsolescence
2. An item of inventory/stock that is present at the inventory/stock count
3. A bank statement
4. Counting petty cash
5. A working paper showing a re-calculation of depreciation
6. A sales invoice
7. Attending a wages pay out.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Answer
Items 1, 4 and 7 are procedures (because procedures are actions, notice the use of verbs such as ‘inspecting’, ‘counting’, and
‘attending’). The other items are evidence, as they are the result of audit procedures.
However, note that the phrasing is ‘state the audit evidence that you should expect to find in undertaking your review of the
audit working papers and financial statements’. Item 5 meets this criterion because it is a working paper, but items 3 and 6 are
not necessarily included in audit working papers, so one would need to phrase the answer in such a way as to make this clear.
For example, one could say ‘a copy sales invoice’ and ‘a copy bank statement with the balance cross-referenced to the bank
reconciliation’.
Item 2 is definitely not evidence normally seen in working papers, since it is an item of physical inventory/stock. This could be
rephrased as ‘a schedule showing items test-counted at the inventory/stock count’ to make it into a correct answer.
Identifying appropriate audit evidence
Substantive testing questions can be quite tricky, as they can cover a range of accounting standards, and therefore are more
varied than questions on topics such as inventory/stock, receivables/debtors, payables/creditors, or non-current/fixed assets.
Candidates need to be able to think on their feet and develop a ‘sensible answer’ approach to a wide variety of questions, even
if they have never considered the subject previously. One way to do this is to use the financial statement assertions as a starting
point.
The financial statement assertions are those assertions that are implicit or implied when the directors make an explicit
statement that the financial statements give a true and fair view. In other words, they are attributes of the financial statements
that must be true if the financial statements are to give a true and fair view.
Assertions include completeness (all assets, liabilities, transactions, and events are included) and valuation (assets and liabilities
are included at an appropriate carrying value). Auditors design their audit programmes to ensure – as far as possible – that each
of these assertions are true, in order to gain evidence that proves that the financial statements give a true and fair view.
Using the assertions as a starting point to answer a question can be useful if the question is general – for example ‘describe how
you would audit leases’. Candidates could consider what assertions are relevant to leases and then describe audit tests and/or
evidence (depending on the question) to prove each of these assertions.
Example
You are the manager in charge of the audit of Yummy Mummy Co., a listed company with a European-wide chain of fashion
stores for babies and expectant mothers. The audit for the year ended 30 September 2006 is nearing completion. The draft
financial statements show a profit before tax of $50.6m (2005: $95.3m).
The audit senior has produced a schedule of ‘Points for the attention of the audit manager’ as follows:
(a) Due to the falling birth rate, the performance of the stores in Italy has been worse than expected. An impairment review was
performed on 15 October 2006, treating the Italian stores as a single cash-generating unit, which indicated that the recoverable
amount of the assets (based on value in use) was $23m lower than the carrying value. (6 marks)
(b) The company self-manufactures many of its clothing lines, and has a factory in Manchester, UK. Research has shown that the
company could achieve substantial cost savings by outsourcing to south east Asia, and the factory in Manchester is to be closed.
A provision of $3.2m to cover redundancy costs has been included in the 2006 draft financial statements. (7 marks)
(c) The company is planning to open 20 new stores in south east Asia in the next year. To assist in financing the expansion, the
company sold a number of its properties on 28 September 2006 for $200m and leased them back under operating leases. (7
marks)
Required:
For each of the above points:
(i) Comment on the matters that you should consider; and
(ii) State the audit evidence that you should expect to find, in undertaking your review of the audit working papers and financial
statements of Yummy Mummy Co. (20 marks)
The mark allocation is shown against each of the three points.
Formulating an answer
Note the format of the question. There are three mini-case studies, and for each the candidate has to (i) comment on the
matters that should be considered and (ii) state audit evidence. As this article is about audit evidence, we will only consider Part
(ii) of the question. However, the examiner has given guidance on how she wants candidates to answer Part (i), and has said that
matters to consider will normally include risk, materiality, and accounting treatment. In many answers, there is also a
requirement to comment on the type of audit report that would be needed if the company refuses to amend an erroneous
treatment.
Deciding on audit evidence
For each scenario:
1. Think about how the accountant would have calculated the numbers in the financial statements, the source documents
used and the systems followed, and then write about the documents etc, that one would expect to see.
2. Think about how to verify the other relevant facts in each case.
3. Consider the accounting/disclosure requirements of each scenario, and say how one can check if they are being met.

Remember, as the question is about evidence, not procedures, I would advise candidates to begin their answers to each part
with the words ‘I would expect to see’, and then list out the evidence as bullet points. This should stop candidates talking about
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
procedures.

Here is an example answer – the bracketed text in italics is not part of the answer, but simply explanation where required.

(a) (Accounting issues in this scenario are subsequent events (adjusting) and impairment.)
I would expect to see:
 extracts from the management accounts showing the performance of the Italian stores compared to budget, and the
most recent budget for 2007
 a copy of the board minutes detailing management’s plans to improve performance or to sell the stores (if performance
continues to be poor it could affect going concern, if stores are to be sold they may need to be re-categorised as assets
held for sale)
 a schedule comparing the carrying value of the assets with the recoverable amount, annotated to show that carrying
value has been agreed to the non-current/fixed assets register, and that any allocation of central assets and goodwill
was reasonable
 a completed audit programme for non-current/fixed assets (as the appropriateness of the value of the assets has
already been checked during the audit of non-current/fixed assets, there is no need to check it again)
 a calculation of value in use, annotated to show that the cash flows have been compared with budgets for 2007 and
beyond, and with actual cash flows (to see if they are reasonable).

(b) (The obvious accounting issue is provisions, but issues which are not mentioned – but which are potentially relevant – include
assets held for sale and discontinued operations.)
I would expect to see:
 a copy of the announcement of the restructuring (has to be before the year end in order for a provision to be made)
 a working paper detailing whether redundancy payments are being made in accordance with contractual, statutory, or
constructive obligations, and how the constructive obligations, if any, have been derived (in some countries, companies
are required under statute to pay certain levels of compensation to redundant employees)
 a schedule detailing the amount to be paid to each redundant employee. This schedule should be annotated to show
that all relevant employees have been included and that the calculations have been checked for a sample of employees,
including agreement of their pay/service to their contracts where relevant
 a point in the management representation letter as to any other costs to be provided for in closing the factory (eg
penalties for cancellation of leases)
a point in the management representation letter detailing whether the factory is to be sold or abandoned (if a decision
is made to sell, then assets are valued as assets held for sale, but not if it is to be abandoned)
 a copy of the invitation to tender for the outsourcing contract, and notes of discussions with management as to how the
manufacturer was selected and how quality is to be assured.

(c) (Candidates need to focus on checking whether the leaseback is really an operating lease rather than a finance lease.)
I would expect to see:
 a copy of the leasing contract
 a schedule comparing the present value of the minimum lease payments with the fair value of the leased assets
 a note comparing the length of the lease with the estimated useful life of the assets, and stating whether Yummy
Mummy Co. is responsible for maintenance and insurance
 a schedule calculating the amounts that should appear in the financial statements, if the audit team believes this to be a
finance lease
 an estimate of the carrying value of the assets at the date of sale, if the lease is an operating lease (if selling price is not
fair value, it affects how profit on sale is recognised)
 a point in the management representation letter on the purchaser of these properties, and whether they are related to
Yummy Mummy Co. and, if necessary, a draft of the related party disclosures that will appear in the financial
statements.

This is just one possible answer – there are many other valid points that could be made. Notice that this sample answer reflects
the three points mentioned above:
1. Evidence to show that the accountant has worked out the figures correctly (eg the calculation of the redundancy
payment, the calculation of value in use).
2. Evidence to prove other relevant facts (eg performance in Italy, outsourcing contract, lease agreement).
3. Evidence to prove that accounting standards have been complied with (eg date of closure announcement, comparison
of payments, fair value of leased assets).
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Other assignments (F)

Proposed International Standard on Sustainability Assurance 5000

General requirements for sustainability assurance engagements
Increasingly shareholders, especially institutional investors, are demanding more information so they can evaluate the impact of
an organisation’s activities on the environment and society. In addition, organisations may see a competitive advantage in
publishing their ‘green credentials’ as key performance indicators, driving a wider range of sustainability disclosures in published
corporate information.
For the profession, there is an increased demand for independent assurance to be provided on this information. For example, in
the European Union, the Corporate Sustainability Reporting Directive requires organisations that fall within its scope to report
sustainability information and over the next few years they will also be required to obtain assurance on their reported
sustainability information.
For assurance providers, increased demand for assurance provides a commercial opportunity. There are challenges in
undertaking such engagements, but there are there are steps that the assurance provider can take to mitigate these. One
specific area of potential difficulty relates to ethics, and this article will also consider how assurance providers should identify
and respond to ethical threats.
The proposed standard – key principles
Proposed ISSA 5000 (ED) General Requirements for Sustainability Assurance Engagements was issued by the International
Auditing and Assurance Standards Board (IAASB) in August 2023. On issuing the Exposure Draft, the IAASB commented that ‘this
proposed standard will serve as a comprehensive, stand-alone standard suitable for any sustainability assurance engagements. It
will apply to sustainability information reported across any sustainability topic and prepared under multiple frameworks. The
proposed standard is also profession agnostic, supporting its use by both professional accountant and non-accountant assurance
practitioners’.
There are two key principles to highlight:
Multiple frameworks
 ISSA 5000 (ED) is intended to apply under ‘multiple frameworks’. There are many different reporting frameworks which
organisations may be required, or choose to, comply with. Reporting frameworks such as the Global Reporting Initiative,
Integrated Reporting, and the Task Force on Climate-Related Financial Disclosures (TCFD) have developed over time. The
International Sustainability Standards Board (ISSB) has issued two Sustainability Reporting Standards – IFRS S1 and IFRS
S2. There are local regulations too, for example the EU has endorsed European Sustainability Reporting Standards
(ESRS). Many organisations report under the scope of several frameworks, which is why it is important that ISSA 5000
(ED) can be applied whichever framework(s) are being applied.

Use by non-accountancy professionals

The second point to note is that ISSA 5000 (ED) is ‘profession agnostic’. This means that it can be used by any assurance
practitioner as long as:
1. They adhere to relevant ethical requirements, and
2. Apply a system of quality management system which is at least as rigorous as those used by accounting practitioners.

This means that non-accountancy professionals can use ISSA 5000, for example, experts in environmental matters or scientists.
What is ‘sustainability’ in the context of sustainability reporting?
ISSA 5000 (ED) defines ‘sustainability matters’ as ‘environmental, social, economic and cultural matters, including the impacts of
an entity’s activities, products and services on the environment, society, economy or culture, or the impacts on the entity; and
the entity’s policies, performance, plans, goals and governance relating to such matters’.
ISSA 5000 (ED) goes further and provides examples of topics which may be included in sustainability information:
 Climate, including emissions.
 Energy, such as type of energy and consumption.
 Water and effluents, such as water consumption and water discharge
 Biodiversity, such as impacts on biodiversity or habitats protected and restored.
 Labour practices, such as diversity and equal opportunity, training and education, and occupational health and safety.
 Human rights and community relations, such as local community engagement, impact assessments and development
programs.
 Customer health and safety.
 Economic impacts, such as government assistance, tax strategy, anti-competitive behaviour, anti-corruption and market
presence.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
There is a wide range of information that may be provided, and it could be provided in various ways, for example, in narrative
disclosures, in tables of figures including performance indicators, in diagrams or graphics.
Applying ISSA 5000 (ED)
ISSA 5000 (ED) can be applied whether the engagement is designed to provide limited or reasonable assurance and it can be
applied to all of an organisation’s sustainability disclosures, or just to part of them. The proposed standard is long, and
complicated in parts, and this section of the article aims to provide an overview of the key requirements and concepts.
Objectives
The objectives of ISSA 5000 (ED) are:
‘(a) To obtain reasonable assurance or limited assurance, as applicable, about whether the sustainability information is free from
material misstatement;
(b) To express a conclusion on the sustainability information through a written report that conveys a reasonable assurance or a
limited assurance conclusion, as applicable, and describes the basis for the conclusion; and
(c) To communicate further as required by this ISSA and any other relevant ISSA’.
ISSA 5000 (ED) contains an appendix which illustrates different forms of assurance reports which can be provided, distinguishing
between those reports which include limited and reasonable assurance conclusions. In line with other types of assurance
engagement, the higher the level of assurance that is to be provided, more robust evidence is required to support the
conclusion given by the assurance practitioner.
Acceptance of the engagement
Acceptance of a sustainability assurance engagement adopts principles consistent with those in ISQM 1 Quality Management for
Firms that Perform Audits or Reviews of Financial Statements, or other Assurance or Related Services Engagements. Therefore,
ISSA 5000 (ED) requires assurance practitioners to evaluate whether pre-conditions are present as part of their engagement
acceptance procedures. These preconditions include:
1. Understanding the scope of the work
2. The sustainability information to be reported
3. The reporting boundary (information, including activities and resources, to be included in the entity’s sustainability
information)
4. The existence of suitable criteria, and
5. Determining the level of assurance to be provided.

ISSA 5000 (ED) highlights the importance of both firm-level and engagement-level quality management, stating that the
engagement leader shall take overall responsibility for managing and achieving quality on the engagement and also requiring
that the engagement leader must have competence and capabilities in assurance skills and techniques developed through
extensive training and practical application. The engagement leader is also responsible for ethical considerations and ensuring
that sufficient and appropriate resources are allocated to the engagement.
There is detailed guidance relating to the assurance team, with particularly emphasis on the relationship between the
engagement team and ‘other practitioners’ and whether it is appropriate to use the work of others. There is also recognition
that information on which assurance is provided is often derived from sources up and down the value chain of the reporting
entity, so careful planning is required to ensure that the assurance team can obtain sufficient appropriate evidence in a timely
manner.
Planning the engagement
It is crucial to obtain understanding over the organisation’s processes to identify the sustainability information to be reported.
The assurance practitioner will need to spend time at the start of the engagement to ensure they have a good level of
understanding of what is being reported, how it is being reported, and this includes understanding relevant internal controls.
The assurance practitioner must use risk assessment procedures, including procedures relating to fraud. The requirements vary
depending on whether the engagement is to provide limited or reasonable assurance. For example, in reasonable assurance
engagements, more work is needed on understanding the system of internal control.
Materiality
Materiality is a significant issue, and it needs to be applied using a ‘bifurcated’ approach. This means considering materiality for
qualitative disclosures and determining materiality for quantitative disclosures. Materiality for a reasonable assurance
engagement is the same as for a limited assurance engagement because materiality is based on the information needs of
intended users.
However, it is important to understand that the organisation will have its own materiality process, including ‘double materiality’.
This means consideration of the significance of the impact of a sustainability matter on the organisation, as well as the
significance of the impacts of the business activity on the outside world (‘impact materiality’) . The assurance provider needs to
understand the organisation’s materiality process, but this is separate from their own materiality considerations.
Where the concept of double materiality is relevant, the assurance practitioner should consider both financial and impact
materiality when determining their materiality level for the purposes of planning and performing the engagement. It should be
noted that the IAASB’s view is that it will not be relevant to every engagement.
It is important to note that when considering the materiality of potential misstatements, as with performance materiality, these
may be both quantitative and qualitative in nature.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Obtaining evidence
When responding to risks of material misstatement, in designing and performing further audit procedures, the requirements
vary depending on whether it is a limited assurance or a reasonable assurance engagement. For a reasonable assurance
engagement:
ISA 5000 (ED) acknowledges that qualitative sustainability information and estimates or forward-looking information are both
potentially difficult areas over which to obtain evidence. Therefore, the assurance practitioner must exercise significant
professional judgement in evaluating what constitutes sufficient appropriate evidence in these circumstances.
Often, sustainability information is forward-looking and based on estimates and future plans. Organisations produce scenarios
based on best-estimate or hypothetical assumptions which might be subject to management bias or great uncertainty. Evidence
can therefore be difficult to obtain, and the assurance practitioner may need to exercise a significant level of judgement in
determining whether they have obtained sufficient and appropriate evidence.
Also, as already stated, this is in addition to the evidence which may be required from external experts and parties within the
entity’s value chain. It is essential that sufficient time and resources are assigned to the engagement.
Reporting
It is important that users of assurance reports understand the level of assurance being provided. The report must state that ‘the
procedures in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable
assurance engagement and, consequently, the level of assurance obtained in a limited assurance engagement is substantially
lower than the assurance that would have been obtained had a reasonable assurance engagement been performed’.
Greenwashing and other risks in sustainability reporting
Greenwashing is a significant potential problem, this being when an organisation makes false or misleading statements about
sustainability information. This concept is very similar to that of ‘creative accounting’ – where financial information is
manipulated to serve the needs of the preparer of the information, rather than for the needs of the users of that information.
Greenwashing can be considered to be fraudulent reporting. Added to this, the systems and processes that are generating
sustainability information are often subject to change as the sustainability reporting requirements develop. Therefore, there is a
higher risk of error, as well as deliberate misstatement, in the sustainability information that is published.
These risks, when coupled with the potential difficulties of obtaining evidence over qualitative disclosures and future-oriented
information means that there can be danger of issuing an inappropriate assurance opinion. There is a reputation risk for the
assurance provider if they report positively on sustainability information which turns out to the incorrect, inaccurate or
exaggerated.
Given the risks of greenwashing mentioned previously, there is a need to apply professional scepticism and to document how
this has been applied as part of obtaining the evidence which backs up the assurance conclusion.
The ethical angle for assurance providers
Assurance providers need to adhere to relevant ethical codes of practice, just as when they are performing other professional
engagements. The IESBA Code of Ethics includes the principles of integrity, objectivity, professional competence and due care,
confidentiality and professional behaviour.
Perhaps the most obvious threat to ethics relates to the assurance provider’s professional competence. While many
organisations have been reporting on sustainability matters for years, for assurance providers the new reporting standards are
largely unfamiliar territory, so there is a real issue that professional accountants lack the necessary knowledge to provide
assurance on sustainability information. Knowledge can be developed but a deeper level of understanding cannot be developed
overnight. An assurance provider could have a self-interest threat in securing an engagement to report on sustainability
information, giving the firm a foothold in a potentially lucrative new line of work. So, for purely commercial reasons, the audit
firm might take on the job even if they are not competent to do it.
There could also be a self-review threat if an assurance provider is performing the external audit of financial statements as well
as working on the sustainability information of the organisation. In this case, the assurance provider should make sure that
separate teams are used for the different aspects of work.
Ultimately the audit firm would need to apply appropriate professional behaviour, ensuring that commercial objectives are not
prioritised over principles of integrity.

Exam focus
Candidates may be required to consider scenario specific risks in the exam, such as pressures to meet reporting deadlines,
requirements or meeting finance covenants. There may be estimations or other areas where management judgement has
been applied. As in a financial assurance engagement, candidates should be aware of potential bias by management and
the need to obtain sufficient and appropriate audit evidence.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
The assurance of social, environmental and sustainability information (part 1)
Part 1: The need to measure and report, with considerations for the assurance professional
Auditors may be asked to complete assurance engagements on non-financial information, and this is increasingly likely to
include the review of management reports on social, environmental and sustainability information. When management provides
this type of information it is known as Extended External Reporting (EER), which is a requirement for listed and larger private
companies in some jurisdictions. In addition, many companies wish to provide additional information on the environmental
impact of their operations on the environment.
There are challenges in undertaking such engagements, and although this can be a highly specialist area, there are still steps that
the assurance provider can take to mitigate these issues.
This article considers the main reasons why companies produce these reports and the various methods of measurement used.
Auditors may be asked to review the information as part of their review of the annual report, or as a separate assurance
engagement.
This is the first of two articles which considers why sustainability information is published and a brief coverage of the
measurement issues. An assurance professional is most likely to review sustainability information as part of the strategic report,
which is covered briefly here. Increasingly though, assurance professionals are being tasked in reviewing specific sustainability
reports, this is covered in the second article on the topic.
Why is there a need for companies to produce these reports?
 National reporting requirements: Some regions require specific sized companies (larger, listed entities usually) or those
in specific industries to report on their environmental, social and governance information. Examples include:

o Corporate Sustainability Reporting Directive (CSRD) is legislation in the European Union (EU) requiring all large
companies to publish reports on their social and environmental impact activities 1

o UK premium listed companies must report their compliance with the Task Force on Climate-Related Financial
Disclosures (TCFD) recommendations for periods commencing 1 January 2021. This is already effective in New
Zealand and Japan 2

 Stakeholder needs: Increasingly shareholders, especially larger investors like pension funds, are demanding more
information of the impact of a company on the environment and society.

 Voluntary disclosure: Companies may seek to gain a competitive advantage by declaring their ‘green credentials’. Such
voluntary disclosure may be subject to management bias as the reporting requirements are not specified under
legislation.

Companies can choose to include this type of information within their annual report or to produce stand-alone reports on social,
environmental and sustainability matters. In the last decade, Integrated Reporting <IR> has become common, which aims to
provide a holistic view of the company’s financial and non-financial performance and its potential for long term value creation.
Measuring and reporting on environmental, social and sustainability information
The measurement of specialised information can be problematic, because sustainability or environmental indicators may be
reported in different ways even within the same industry and several differing reporting standards may be used, rather than a
single, global reporting basis.
In 2022, the International Sustainability Standards Board (ISSB) commenced a consultation on two proposed sustainability
standards, one regarding general sustainability related disclosures and one regarding climate related disclosures. There are a
variety of different Key Performance Indicators (KPIs) and metrics in use, and comparison between companies and industries is
challenging for the following reasons:
 Rapid change in EER requirements and disclosure principles
 Diversity of subject matter
 Lack of single reporting basis for non financial information
 Additional risk of management bias due to the subjective nature of measurement in many cases and selection of the
criteria being presented

Examples of performance measures

The United Nations (UN) adopted a series of sustainable development goals (SDG) in 2015 and there are over 200 KPIs as
published by the OECD in 2021. Therefore, there is a wide range of KPIs (‘sustainability indicators’) and targets which may be
adopted by businesses, and these can vary by region, by industry and by individual company.
Assurance providers are faced with understanding what is being reported upon and why (legislative or commercial reasons), as
well how the information is being obtained, collated and presented.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
The reporting of these benchmarks may be presented in different ways, for example, one company may produce a table of
financial information to report on subject matter, whereas another may choose to report using non-financial or narrative
disclosures. Comparison between companies, even within the same industry, is problematic due to the lack of consistency in
selecting which measures to disclose, how the information is presented and how metrics are quantified.
Examples of reporting benchmarks include:
 Greenhouse gas emissions (GHG)
 Waste minimisation and management
 Finite resource consumption (oil, gas, coal, minerals, forestry)
 Supply chain sustainability
 Water and pollution
 Employee welfare and equality

Example of a water consumption disclosure within the sustainability reporting section of the Annual Report 2020 for MMC
Corporation: 3

Considerations when planning an assurance engagement

As with any assurance engagement, the auditor should consider the impact of risks on the planning and performance of the
engagement. When faced with planning an assurance engagement of non-financial criteria, such as those relating to the
environment or sustainability, the fundamentals of existing auditing and assurance standards may be used as a basis for the
engagement team.
Sustainability information may be supplied in the annual report alongside the financial statements. It is worth bearing in mind
that there is an expectation gap risk occurring, as some users expect that all information in an annual report is subject to a
detailed assurance process by the auditor (beyond what is expected of ISA 720 (Revised) The Auditor’s Responsibilities Relating
to Other Information). Where such information is to be presented, it is vital for the assurance provider to clearly state in their
letter of engagement, as well as in their auditor’s report on the financial statements, the limitations of their assurance work.
Types of engagement
1. Review of the contents of the annual report as part of the statutory financial statements audit engagement; or

2. Independent assurance engagement over non-financial information which is outside of the statutory financial
statements audit (this is covered in the second part of our article on Assurance on Sustainability Information: Part 2)

Review of non-financial information which is part of the annual report (such as the strategic report)
Guidance on the review of non-financial information as part of the annual report is covered by ISA 720 (Revised). Auditors need
to consider whether there is a material inconsistency between the other information and the financial statements.
Auditors should consider all auditing standards, but a few key ones which may be relevant to the review of other information
are:
ISA 540 (Revised) Auditing Accounting Estimates and Related Disclosures
 Management bias – this may arise in both the calculation and the disclosure of information, especially if the information
is provided voluntarily by the company in order to gain a competitive advantage.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
 Appropriateness of methods of calculation and whether the basis for estimations are reasonable and appropriate – this
may be an issue where there are no industry standard measurements established and management is responsible for
deciding on the parameters of the estimation.

ISA 250 (Revised) Consideration of Laws and Regulations in an Audit of Financial Statements
 If the requirement to report is required by legislation, there may be financial penalties or reputational issues for failure
to report correctly for both the company and the auditor.

 If there has been a breach of regulations, for example if any required environmental disclosures are not given, there
may be implications for the financial statements, such as provisions for fines. This increases audit risk. Breaches of laws
or regulations may even impact the ability of the company to continue to trade, for example licences to trade may be
subject to adhering to laws and regulations, or fines or penalties may be substantial enough to significantly impact the
cash flow of an entity.

ISA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement
 Assurance providers need knowledge and experience of the industry and subject matter, this may be a highly
specialized area. Independent experts may be required to assist in the assessment of specialist criteria, for example,
greenhouse gas emissions, chemical levels in waste etc. or using an EER expert to manage the assurance process.

 There may be industry standard measurements which are used (example) or the criteria may be more widely
recognised, such as greenhouse gas emissions.

 Internal controls of the client – consideration of the reliance which can be placed on the information and whether this
information is internally or externally generated.

 Information from third parties, these could include environmental bodies (governmental or private) and the reliance
which can be placed on this information.

ISA 450 Evaluation of Misstatements Identified During the Audit

 Omissions of information, both financial and operational for example, the impact of business interruption due to
pollution, environmental damage or industrial action by employees, suppliers or third parties, such as environmental
protesters.

 Consideration of whether the omission of such information may affect the users of the financial statements.

This list is not exhaustive and other auditing standards may need to be considered in order to obtain the relevant sufficient
evidence in an engagement.
The second article in this series considers the challenges of auditing sustainability information in more detail, as well as some
tips on exam technique for your Advanced Audit and Assurance exam.

The assurance of social, environmental and sustainability information (part 2)

AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
Independent assurance engagement
The assurance provider will need to consider the scope of their assurance to be provided, whether it is a limited or reasonable
scope engagement.
In accordance with ISAE 3000, the engagement should be planned to assess the scope, timing and direction of the engagement
and to ensure that the procedures will enable the team to gain sufficient appropriate audit evidence. The assurance
engagement team must ensure that they have adequate time and resources, including whether they may need to seek the
assistance of an independent expert.
It would also be applicable to apply other auditing standards to assurance engagements of other information, such as those
stated above to ensure a quality assurance engagement.
Providing assurance on performance measures
The assurance provider faces some challenges in reviewing and providing assurance on non-financial performance measures.
information internally generated
There may be deficiencies in the controls and internal tools used by the company to collect and measure the information, and the
controls may not be as established or robust as those within the financial reporting system which is more familiar to the
assurance practitioner. This means that there is a higher risk of the assurance provider not identifying control deficiencies.
Information from third party sources
This may include information from sources such as:

 entities within the supply chain (suppliers, contractors)

 external agencies e.g. carbon offset registries, industry benchmark specialists, external carbon dioxide calculation tools.

The reliance which can be placed upon the evidence from third party sources will need to be assessed by the assurance provider
using their professional judgement. There will need to be an understanding of how the information is collected and what, if any,
recognized standards it adheres to. This is an area where the use of an independent expert may be required in order to identify
whether any specialist information is consistent and relevant to the industry.
Substantive procedures to detect potential misstatements re socio-environmental and sustainability matters
ISA 500 Audit Evidence
The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of
obtaining sufficient appropriate audit evidence (para.6). Substantive procedures are designed to detect material
misstatements at the assertion level. They comprise tests of details and substantive analytical procedures.
The assurance provider will need to ensure that they obtain sufficient appropriate evidence, and as there are a wide
range of KPIs which may be used by management in sustainability reports, this may be challenging. However, there
may be financial evidence to support some of the information in the report, as well as discussions with management
or review of the board minutes.
Example
A manufacturer reports on the wastage and pollution in its sustainability report.
Tests which may be performed:
 Review of any fines in the financial statements to see whether the company has incurred financial penalties as a result
of environmental breaches.
 Enquire and review the legal documentation, including legal expenses, to assess whether legal advice was sought in
response to a breach of regulations.
 Enquire whether there are financial impacts of increased waste, such as costs of disposal, or incentives by governmental
bodies to increase recycling or waste reduction. These may be reflected in the financial statements within expenses or
other income.
 Significant issues may be reflected in the press or by third party ‘whistleblowers’.
 If wastage increases, there may an increase in the cost per unit, this may be assessed by a review of the cost per unit
and whether more material is required to manufacture the units. Performing analytical reviews of the costs may
highlight potential issues in this area.

The audit evidence obtained, depending on the level of assurance required by the scope of the engagement (limited or
reasonable), should be reviewed using the professional judgement of the assurance provider. Responses from management
should be viewed with an element of professional scepticism and considered in the light of the substantive work undertaken.
Professional scepticism may need to be applied to mitigate the risk of management bias in the reported figures, especially
where there are significant impacts on the business if the report is to be relied upon by third parties, such as financial
institutions, government bodies or those issuing licences to trade, which is common in regulated industries like energy
production and supply.
Example from the Annual Report 2021 from Kier Plc 2021:
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024

The auditor would have to assess the contents of the sustainability report of Kier Plc to ensure that it is materially consistent
with the information in the financial statements. Possible audit evidence may include:
 Analysis of the costs attributable to waste and recycling with a comparison of year on year to assess whether the trend
is consistent with the environmental information.
 Discussion with management and review of any independent reports which detail the information regarding carbon
emissions. Verify that the independent expert is suitably qualified or registered.
Form and content of independent verification statement of integrated or sustainability information
As in all assurance engagements, issues found during the assurance engagement should be reported to Those
Charged with Governance.
The content and scope of the assurance provider’s report must be considered: If the report is to be included within
the financial statements, which stakeholders will be relying upon it and what level of assurance is required. There
should be an explicit reference to national or international standards for quality management and any reporting
requirements which have been adhered to. ISAE 3000 also requires that the practitioner should be aware of whether
any errors in the final assurance report may lead to reputational damage to the assurance provider.
EER and sustainability reporting is a rapidly changing specialism, and the assurance provider will need to ensure that they have
sufficient expertise and experience when accepting engagements of this type.
Exam technique
The AAA exam does not require knowledge of specific sustainability or climate reporting standards, however
students may be asked in the exam to assess a scenario whereby the assurance provider is asked to consider the risks
of a non-financial engagement. Students should apply their knowledge of auditing and assurance standards and
evaluate the risks in an exam question:
1. Read the requirement carefully – consider whether the engagement is part of the statutory review of the annual report
(and the application of ISA 720 is required) or a separate assurance engagement.
2. Evaluate the risks in the engagement and consider how may the assurance practitioner mitigate these. Think about
some of the problems faced by assurance providers such as challenges in measuring and comparing information across
companies and industries (see 'Measuring and reporting' in Part 1 of this article).
3. Application of knowledge of auditing and assurance standards (such as those stated above, although some scenarios
may also benefit from reference to other standards) when asked to review or provide assurance on a report.
4. Justify the responses, if procedures are requested in the exam, then consider what reasonable evidence may be
obtained and why it is that this is being reviewed.

Performance information in the public sector

Background
While the specifics will vary from country to country, in general public sector organisations are funded wholly or partly by the
government, and in turn by the tax payers in a particular jurisdiction. Public sector organisations may include hospitals and other
health care facilities such as ambulance services, schools and universities, the police force and organisations responsible for
public transport and the road network. In some cases, such as the UK university sector, organisations do charge for services
provided but still rely on government funding to support their activities.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
The government as well as other stakeholders will pay close attention to the performance of these organisations to evaluate
whether public funds are being used appropriately. The organisations should aim to demonstrate that public monies allocated to
them are being used effectively, that specific targets are being met, and that appropriate decisions are being made in respect of
long term planning. Essentially the management and those charged with governance of a public sector organisation need to
show that the organisation is meeting its objectives and performing its role in society, and performance information is likely to
be required in order for this to be demonstrated. If a public sector organisation is not performing well then its funding may be
cut and its management may be replaced; in extreme situations the organisation may even be shut down.
This is supported by guidance issued by the public sector board of IFAC which notes that the primary function of governments
and most public sector entities is to provide services to constituents. Consequently, their financial results need to be assessed in
the context of the achievement of service delivery objectives. Reporting non-financial as well as financial information about
service delivery activities, achievements and/or outcomes during the reporting period is necessary for a government or other
public sector entity to discharge its obligation to be accountable.
An example of how this is implemented is given below, taken from the UK’s National Health Service (NHS) website:

In the NHS, performance monitoring should:

• help to define performance targets/goals across the key aspects of service delivery, including management of resources
(personnel, infrastructure), customer service and financial viability

• provide a comprehensive picture of the organisation's progress towards achieving its performance targets/goals

• provide an early indication of emerging issues/cost pressures that may require remedial action

• indicate where there is potential to improve the cost effectiveness of services through comparison with other
organisations

Measuring performance information

Candidates will be familiar with the concept of Key Performance Indicators (KPIs) which are widely used by private sector
organisations in relation to non-financial information such as social and environmental reporting; there have been several
examination requirements in past P7 exams focussing on this syllabus area. In the public sector the same principles apply in that
target KPIs will be established as a performance objective and the organisation’s performance against the target KPIs will be
measured.
Performance measures should be measurable and relevant if they are to be effective. Measurability means trying to ensure that
there is consistency in how performance information is captured and reported. The measures should be clearly defined and
unambiguous, but measurability is sometimes difficult where the subject matter of the performance information is subjective in
nature. For example for an ambulance service it would be quite easy to measure the average time taken for an ambulance to
respond to an emergency as this is quantifiable, but more difficult to measure the patient’s satisfaction with the service provided
as this is based on the patient’s opinion.
An issue linked to measurability is the existence of data to generate the performance information. Much of the work involved in
setting up a good system for reporting on performance information is focussed on ensuring the completeness and accuracy of
supporting information and that the information is sufficiently robust to withstand scrutiny.
Relevance means that the performance information addresses a valid concern and public sector organisations should consider
the specific needs of their stakeholders in developing relevant performance measures. Continuing to using the UK’s NHS as an
example, identified stakeholders who regularly review the NHS performance information include:
 The government department responsible for health services
 Medical staff
 NHS management team and non-executive committee members
 Patients
 Private companies who supply to the NHS
 Academics and students researching the NHS

The NHS therefore has to produce a range of performance measures relevant to the needs of this wide range of stakeholders.
Different stakeholders have different needs, for example patients may focus on the effectiveness of a certain medical procedure,
whereas management may focus on the cost of providing that procedure. Therefore a very wide range of performance
information may be required yet it would be pointless to set targets and produce performance information on an issue which is
not relevant to any stakeholder.
The audit of performance information
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
It is worth reiterating the difference between the audit of performance information and performance auditing as both are likely
to occur in the public sector. Candidates are reminded that the audit of performance information is concerned with the audit of
reported performance information against predetermined objectives. The auditor’s role here is usually to report on the
credibility, usefulness and accuracy of the reported performance. Performance auditing is related to the evaluation of how the
public sector body is utilising resources and often focuses on determining how the public sector body is achieving economy,
efficiency and effectiveness, sometimes referred to as value for money auditing. It is the former that is the focus of this area of
the P7 syllabus.
In some jurisdictions it is part of the audit requirement for public sector organisations that the auditor should report on
performance information. In jurisdictions where this is not a requirement, the auditor may be asked to perform a separate
engagement to the financial statement audit, the objective of which is to report specifically on the performance information. In
either case, the auditor will need to plan procedures in much the same way as in a conventional audit scenario. Candidates are
therefore encouraged to apply their existing knowledge of audit planning (risk assessment) and evidence gathering techniques
to this type of information. The auditor is still looking to ultimately report on the validity of the information included in this
respect. The auditor may find the principles of ISAE 3000 Assurance Engagements other than Audits or Reviews of Historical
Financial Information provide a useful framework for planning and performing the work on performance information.
As with any engagement to provide assurance, this would likely start with an understanding of the entity to ensure knowledge of
the predetermined performance measures, an evaluation of the systems and controls used to derive and capture the
performance information and also performing substantive procedures on the reported measures. The auditor will also need to
understand the rationale behind the measures that are being reported on, considering the relevance and suitability of them in
terms of the objectives of the public sector organisation in order to help assess the usefulness of the information being
provided.
Audit procedures may include:
 Tests of controls on the systems used to generate performance information
 Performing analytical review to evaluate trends and gauge the consistency of the information
 Discussion with management and other relevant individuals, for example those responsible for the reporting process
 Review of minutes of meetings where performance information has been discussed
 Confirmation of performance information to source documentation; this may be performed on a sample basis
 Recalculation of quantitative performance information measures

Of course, the procedures must be specifically tailored to the performance information subject to the audit. Further as in any
audit, the working papers must contain a summary of findings and clear conclusions on the procedures that have been
performed.
Reporting on performance information
There is no specific format or wording that is prescribed by international regulations for reporting on public sector performance
information, though in some jurisdictions the national regulators may issue country-specific requirements.
Generally, the auditor will provide a conclusion on whether the public sector entity has achieved its objectives as shown by the
reported performance information and concludes on the information itself. This conclusion may be in the form of a reasonable
assurance conclusion – ie an opinion is expressed, or may be in the form of a negative assurance conclusion – ie no opinion is
expressed. Essentially, in the absence of any jurisdiction specific requirements, the auditor will agree the type of conclusion with
the public sector organisation and usually its regulating body.
Often the performance information will be provided as part of the public sector organisation’s integrated report, in which case
the auditor’s conclusion will be included within the integrated report.

Forensic auditing
This article explores some of the issues relevant to forensic investigations.

‘Forensic auditing’ covers a broad spectrum of activities, with terminology not strictly defined in regulatory guidance. Generally,
the term ‘forensic accounting’ is used to describe the wide range of investigative work which accountants in practice could be
asked to perform. The work would normally involve an investigation into the financial affairs of an entity and is often associated
with investigations into alleged fraudulent activity. Forensic accounting refers to the whole process of investigating a financial
matter, including potentially acting as an expert witness if the fraud comes to trial. Although this article focuses on investigations
into alleged frauds, it is important to be aware that forensic accountants could be asked to look into non-fraud situations, such
as the settling of monetary disputes in relation to a business closure or matrimonial disputes under insurance claims.

The process of forensic accounting as described above includes the ‘forensic investigation’ itself, which refers to the practical
steps that the forensic accountant takes in order to gather evidence relevant to the alleged fraudulent activity. The investigation
is likely to be similar in many ways to an audit of financial information, in that it will include a planning stage, a period when
evidence is gathered, a review process, and a report to the client. The purpose of the investigation, in the case of an alleged
fraud, would be to discover if a fraud had actually taken place, to identify those involved, to quantify the monetary amount of
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
the fraud (ie the financial loss suffered by the client), and to ultimately present findings to the client and potentially to court.

Finally, ‘forensic auditing’ refers to the specific procedures carried out in order to produce evidence. Audit techniques are used
to identify and to gather evidence to prove, for example, how long the fraud has been carried out, and how it was conducted
and concealed by the perpetrators. Evidence may also be gathered to support other issues which would be relevant in the event
of a court case. Such issues could include:
 the suspect’s motive and opportunity to commit fraud
 whether the fraud involved collusion between several suspects
any physical evidence at the scene of the crime or contained in documents
 comments made by the suspect during interviews and/or at the time of arrest
 attempts to destroy evidence.

TYPES OF INVESTIGATION
The forensic accountant could be asked to investigate many different types of fraud. It is useful to categorise these types into
three groups to provide an overview of the wide range of investigations that could be carried out. The three categories of frauds
are corruption, asset misappropriation and financial statement fraud.

Corruption
There are three types of corruption fraud: conflicts of interest, bribery, and extortion. Research shows that corruption is
involved in around one third of all frauds.
 In a conflict of interest fraud, the fraudster exerts their influence to achieve a personal gain which detrimentally affects
the company. The fraudster may not benefit financially, but rather receives an undisclosed personal benefit as a result
of the situation. For example, a manager may approve the expenses of an employee who is also a personal friend in
order to maintain that friendship, even if the expenses are inaccurate.
 Bribery is when money (or something else of value) is offered in order to influence a situation.
 Extortion is the opposite of bribery, and happens when money is demanded (rather than offered) in order to secure a
particular outcome.

Asset misappropriation
By far the most common frauds are those involving asset misappropriation, and there are many different types of fraud which
fall into this category. The common feature is the theft of cash or other assets from the company, for example:
 Cash theft – the stealing of physical cash, for example petty cash, from the premises of a company.
 Fraudulent disbursements – company funds being used to make fraudulent payments. Common examples include
billing schemes, where payments are made to a fictitious supplier, and payroll schemes, where payments are made to
fictitious employees (often known as ‘ghost employees’).
 Inventory frauds – the theft of inventory from the company.
 Misuse of assets – employees using company assets for their own personal interest.

Financial statement fraud

This is also known as fraudulent financial reporting, and is a type of fraud that causes a material misstatement in the financial
statements. It can include deliberate falsification of accounting records; omission of transactions, balances or disclosures from
the financial statements; or the misapplication of financial reporting standards. This is often carried out with the intention of
presenting the financial statements with a particular bias, for example concealing liabilities in order to improve any analysis of
liquidity and gearing.

CONDUCTING AN INVESTIGATION
The process of conducting a forensic investigation is, in many ways, similar to the process of conducting an audit, but with some
additional considerations. The various stages are briefly described below.

Accepting the investigation

The forensic accountant must initially consider whether their firm has the necessary skills and experience to accept the work.
Forensic investigations are specialist in nature, and the work requires detailed knowledge of fraud investigation techniques and
the legal framework. Investigators must also have received training in interview and interrogation techniques, and in how to
maintain the safe custody of evidence gathered.

Additional considerations include whether or not the investigation is being requested by an audit client. If it is, this poses extra
ethical questions, as the investigating firm would be potentially exposed to self-review, advocacy and management threats to
objectivity. Unless robust safeguards are put in place, the firm should not provide audit and forensic investigation services to the
same client. Commercial considerations are also important, and a high fee level should be negotiated to compensate for the
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
specialist nature of the work, and the likely involvement of senior and experienced members of the firm in the investigation.

Planning the investigation

The investigating team must carefully consider what they have been asked to achieve and plan their work accordingly. The
objectives of the investigation will include:
 identifying the type of fraud that has been operating, how long it has been operating for, and how the fraud has been
concealed
 identifying the fraudster(s) involved
 quantifying the financial loss suffered by the client
 gathering evidence to be used in court proceedings
 providing advice to prevent the reoccurrence of the fraud.

The investigators should also consider the best way to gather evidence – the use of computer assisted audit techniques, for
example, is very common in fraud investigations.

Gathering evidence
In order to gather detailed evidence, the investigator must understand the specific type of fraud that has been carried out, and
how the fraud has been committed. The evidence should be sufficient to ultimately prove the identity of the fraudster(s), the
mechanics of the fraud scheme, and the amount of financial loss suffered. It is important that the investigating team is skilled in
collecting evidence that can be used in a court case, and in keeping a clear chain of custody until the evidence is presented in
court. If any evidence is inconclusive or there are gaps in the chain of custody, then the evidence may be challenged in court, or
even become inadmissible. Investigators must be alert to documents being falsified, damaged or destroyed by the suspect(s).

Evidence can be gathered using various techniques, such as:

 testing controls to gather evidence which identifies the weaknesses, which allowed the fraud to be perpetrated
 using analytical procedures to compare trends over time or to provide comparatives between different segments of the
business
 applying computer assisted audit techniques, for example to identify the timing and location of relevant details being
altered in the computer system
 discussions and interviews with employees
 substantive techniques such as reconciliations, cash counts and reviews of documentation.

The ultimate goal of the forensic investigation team is to obtain a confession by the fraudster, if a fraud did actually occur. For
this reason, the investigators are likely to avoid deliberately confronting the alleged fraudster(s) until they have gathered
sufficient evidence to extract a confession. The interview with the suspect is a crucial part of evidence gathered during the
investigation.

Reporting
The client will expect a report containing the findings of the investigation, including a summary of evidence and a conclusion as
to the amount of loss suffered as a result of the fraud. The report will also discuss how the fraudster set up the fraud scheme,
and which controls, if any, were circumvented. It is also likely that the investigative team will recommend improvements to
controls within the organisation to prevent any similar frauds occurring in the future.

Court proceedings
The investigation is likely to lead to legal proceedings against the suspect, and members of the investigative team will probably
be involved in any resultant court case. The evidence gathered during the investigation will be presented at court, and team
members may be called to court to describe the evidence they have gathered and to explain how the suspect was identified. It is
imperative that the members of the investigative team called to court can present their evidence clearly and professionally, as
they may have to simplify complex accounting issues so that non-accountants involved in the court case can understand the
evidence and its implications.

Current Issues and Developments (G)

The role and mindset expected of professional accountants
The need for professional scepticism
ISA 200 Overall Objective of the Independent Auditor, and the Conduct of an Audit in Accordance with International Standards on
Auditing defines professional scepticism as ‘an attitude that includes a questioning mind, being alert to conditions which may
indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.’ In recent years there have
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
been a number of calls for the professional accountancy Standard-setting Boards to review the way in which their existing
guidance addresses ‘professional scepticism’ with a view to strengthening the concept and requiring all professional accountants
to exercise it, rather than solely audit and assurance practitioners.
Professional scepticism is an important mindset for the professional auditor to adopt when planning and reviewing assurance
engagements. IESBA revised key areas of the International Code of Ethics for Professional Accountants (the Code) which promote
the role and mindset expected of professional accountants. These include the following:
 Highlighting the wide-ranging role in society of professional accountants and the relationship which exists between
compliance with the Code and a professional accountant’s responsibility to act in the public interest.

 Changes to the definitions of the fundamental principles of objectivity and professional behaviour.

 The addition of new application material in respect of the fundamental principle of integrity to include a
determination to act appropriately.

 Strengthening the Code through requiring professional accountants to have an inquiring mind when applying the
conceptual framework and exercising professional judgement.

 Emphasising the importance of being aware of the dangers of bias when carrying out professional work and of
professional firms having a positive, internal organisational culture.

Role and responsibility

Compliance with the Code enables professional accountants to meet their responsibilities to act in the public interest. In its
explanatory memorandum, however, the IESBA concedes that compliance with the Code, in itself, does not necessarily mean
that professional accountants discharge this responsibility in full. Professional accountants are involved in a wide range of roles
and acknowledge that organisations involve professional accountants in these activities because they recognise the skills and
values that they bring to these activities.
Objectivity and professional behaviour
The Code states that the definition of "objectivity" requires the exercise of professional judgement, without being compromised
by factors such as bias, conflicts of interest or any form of undue influence by, or undue reliance on other parties.
The Code considers the potential impact of technological developments such as artificial intelligence and big data on the ethical
behaviour of professional accountants. As a result of these concerns, the definition of ‘objectivity’ highlights the risks of
technology impairing a professional accountant’s objectivity. In this respect it is also significant that the IESBA has included
‘automation bias’ in the list of examples of bias under Section 120 of the Code .
These references to technology in the Fundamental Principles and Conceptual Framework are aimed at recognising the changes
in assurance technologies and their potential impact on compliance with the principle of objectivity within the Code.
The Code defines the fundamental principle of "professional behaviour" by requiring that professional accountants must behave
in a manner that is consistent with the profession’s responsibility to act in the public interest. This reinforces the relationship
between compliance with the five fundamental principles and a professional accountant’s responsibility to act in the public
interest.
Integrity
The Code states that demonstrating integrity includes having the determination to act appropriately when confronted with
dilemmas or difficult situations, providing the following examples of what this might involve:
 standing one’s ground when facing pressure to do otherwise during the course of performing professional activities, or
 challenging others when appropriate, even when doing so creates potential adverse personal or organisational
consequences.

The inclusion of the concept of ‘determination to act appropriately in difficult situations’ and its position within the principle of
integrity emphasises the need to do the right thing regardless of the challenges faced by a professional accountant. At a time
when the accountancy profession is under enormous pressure and scrutiny, it seems the focus of the change is to ensure that
the Code convey that it is one thing for an accountant to know something is wrong, but actually having the courage to speak up
will be vital to compliance.
Application of the conceptual framework: having an enquiring mind
Professional accountants should have a mindset that encapsulates the following characteristics:
 The ability to obtain and understand information relevant for making reliable judgements based in facts and
circumstances which are known to the professional accountant.
 The capability to make informed challenges of the views developed by others.
 Sensitivity to the integrity of information, including the source of the information and the appropriateness of its
presentation, and
 Be able to withhold judgement until careful consideration can be given to all known and relevant available information.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
The Code is aimed at promoting the need for professional accountants to be inquisitive and curious about the information
available. They should also conduct the necessary assessment or investigation of the integrity, relevance and sufficiency of that
information to reach an informed decision. The application material within the Code defines ‘having an inquiring mind’ as:
i. being open and alert for situations and information (or the lack thereof) that might require further investigation; and
ii. considering whether there is a need to critically evaluate the information obtained where the need for, extent and nature of,
any investigation, including critical evaluation, will depend on the nature, scope and outputs of the professional activity being
undertaken.
This requires all professional accountants to consider or remain alert to whether facts and circumstances have changed and,
therefore, obliges them to exercise an inquiring mind in the judgements they reach. The exercise of scepticism is a vital quality
for all professional accountants.
Application of the conceptual framework: bias
It is important to heighten awareness of the risks arising from bias. This includes making professional accountants’ aware of
individual bias which may affect their application of professional judgement. In addition to this, the Code includes an illustrative
list of other common forms of bias. These include:
 Anchoring bias: a tendency to use an initial piece of information as an anchor against which subsequent information is
adequately assessed.

 Automation bias: a tendency to favour output generated from automated systems, even when human reasoning or
contradictory information raises questions as to whether such output is reliable or fit for purpose.

 Availability bias: a tendency to place more weight on events or experiences that immediately come to mind or are
readily available than on those that are not.

 Confirmation bias: a tendency to place more weight on information that corroborates an existing belief than
information that contradicts or casts doubt on that belief.

 Groupthink: a tendency to think or make decisions as a group that discourages creativity or individual responsibility.

 Overconfidence bias: a tendency to overestimate one’s own ability to make accurate assessments of risk and other
judgements or decisions.

 Representation bias: a tendency to base an understanding on a pattern of experiences, events or beliefs that is
considered to be representative.

 Selective perception: a tendency for a person’s expectations to influence how the person views a particular matter or
person.

By raising awareness in relation to potential forms of bias, the professional accountant can reduce the risk and impact of its
effect, particularly on the ability to exercise professional judgement. They will be able to identify and mitigate for the
subsequent threats created, such as through consulting others or seeking advice from experts, additional input or appropriate
challenge therefore enhancing the evaluation process.
Application of the conceptual framework: importance of organisational culture
The Code emphasise the importance of a positive internal organisational culture to the effective application of the conceptual
framework by providing application material. In particular, it explains that ethical culture is most effective when:
(a) Leaders and those in managerial roles hold themselves and others accountable for demonstrating the ethical values of the
organisation
(b) Appropriate education and training programs, management processes, and performance evaluation criteria that promote
that ethical culture are in place: and
(c) Ethical values are adhered to in dealings with third parties.
It is also worth highlighting that the Code works closely alongside the International Standard on Quality Management 1, Quality
Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services
Engagements, which sets out requirements and application material in the relation to the firm’s responsibility to design and
implement an effective system of quality management.

Covers multiple areas

Data analytics and the auditor

AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
What is data analytics?
Data analytics has been around in various forms for a long time, but businesses are finding increasingly sophisticated
and timely methods to utilise data analytics to enhance their operations. Data analytics enable businesses to identify
new opportunities, to harness costs savings and to enable faster more effective decision making. Whether it is the
ability to identify potential for new products and services or to detect the potential loss of clients in order to direct
efforts to encourage them to stay, data analytics is everywhere in business today.
At a basic level data analytics is examining the data available to draw conclusions. This isn’t a new concept but there
are growing trends towards more integrated and more timely use of data from multiple sources to help inform
business decisions or to draw conclusions. The data used by companies is likely to be both internal and external and
include quantitative and qualitative data. This is often aided by specialised software which may have to be developed
to enable the information from many different sources and formats to be first combined and then analysed. In some
cases the formats covered include audio and visual analysis in addition to the usual text and number formats.
What are the uses of data analytics?
The possible uses for data analytics are as diverse as the businesses that use them. They can be as simple as
production of Key Performance Indicators from underlying data to the statistical interrogation of scientific results to
test hypotheses. Firms may use data analytics to predict market trends or to influence consumer behaviour. Data
mining of customer feedback for repeated common phrases might give insights into where improvements in
customer service are needed or to which competitor customers may be most likely to move to. Voice pattern
recognition can be used to identify areas of customer dissatisfaction. Police forces can collate crime reports to
identify repeat frauds across regions or even countries, enabling consolidated overview to be taken. The possibilities
with data analytics can appear limitless as emerging artificial intelligence can allow for faster analysis and adaptation
than humans can undertake.
How can data analytics be used by audit firms?
The IAASB defines data analytics for audit as the science and art of discovering and analysing patterns, deviations and
inconsistencies, and extracting other useful information in the data underlying or related to the subject matter of an
audit through analysis, modelling and visualisation for the purpose of planning and performing the audit
The larger audit firms and increasingly smaller firms utilise data analytics as part of their audit offering to reduce risk
and to add value to the client. Bigger firms often have the resources to create their own data analytics platforms
whereas smaller firms may opt to acquire an off the shelf package. There is no one universal audit data analytics tool
but there are many forms developed inhouse by firms. These tools are generally developed by specialist staff and use
visual methods such as graphs to present data to help identify trends and correlations.
For auditors, the main driver of using data analytics is to improve audit quality. It allows auditors to more effectively
audit the large amounts of data held and processed in IT systems in larger clients. Auditors can extract and
manipulate client data and analyse it. By doing so they can better understand the client’s information and better
identify the risks. Data analytics tools have the power to turn all the data into pre-structured forms/presentations
that are understandable to both auditors and clients and even to generate audit programmes tailored to client-
specific risks or to provide data directly into computerised audit procedures thus allowing the auditor to more
efficiently arrive at the result.

Examples of the use of data analytics to perform audit procedures include:

* NRV testing – comparing the last time an inventory item was purchased with the last time it was sold and at
what price

* Analysis of revenue trends by product and region

* Matching purchase orders to invoices and payments

* Segregation of duties testing by identifying combinations of users involved in processing transactions from the
metadata attached to transactions

Benefits of data analytics

The increased access and manipulation of data and the consistency of application of data analytics tools should
increase audit quality and efficiency through:
 increased business understanding through a more thorough analysis of a client’s data and the use of visual output such
as dashboard displays rather than text or numerical information allows auditors to better understand the trends and
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
patterns of the business and makes it easier to identify anomalies or outliers

 better focus on risk. This increase in understanding, aids the identification of risks associated with a client, enabling
testing to be better directed at those areas. This is further enhanced by freeing up auditor time from analysing routine
data so that more time can be spent on areas of risk

 increased consistency across group audits where all auditors are using the same technology and process, enabling the
group auditor to direct specific tools for use in component audits and to execute testing across the group. This would
require appropriate consent from all component companies but if granted enables a more holistic view of a group to be
undertaken

 increased efficiency through the use of computer programmes to perform very fast processing of large volumes of data
and provide analysis to auditors on which to base their conclusion, saving time within the audit and allowing better
focus on judgemental and risk areas. For example much larger samples can be tested, often 100% testing is possible
using data analytics, improving the coverage of audit procedures and reducing or eliminating sampling risk

 data can be more easily manipulated by the auditor as part of audit testing, for example performing sensitivity analysis
on management assumptions

 increased fraud detection through the ability to interrogate all data and to test segregation of duties, and

 information obtained through data analytics can be shared with the client, adding value to the audit and providing a
real benefit to management in that they are provided with useful information perhaps from a different perspective.
Challenges of data analytics
The introduction of data analytics for audit firms isn’t without challenges to overcome. At present there is a lack of
consistency or a widely accepted standard across firms and even within a firm*. At present there is no specific
regulation or guidance which covers all the uses of data analytics within an audit. This results in difficulty establishing
quality guidelines. It also means that firms with the resources to develop their own data analytics tools may have a
competitive advantage in the market place effectively increasing the gap between the largest firms and smaller firms,
reducing effective competition in the audit industry. Other issues which can arise with the introduction of data
analytics as an audit tool include:
 data privacy and confidentiality. The copying and storage of client data risks breach of confidentiality and
data protection laws as the audit firm now stores a copy of large amounts of detailed client data. This data
could be misused by the firms or illegal access obtained if the firm’s data security is weak or hacked which
may result in serious legal and reputational consequences

 for a variety of reasons, including the above, and also due to a perception that it may be disruptive to business, the
audit client may be reluctant to allow the audit firm sufficient access to their systems to perform audit data analytics

 completeness and integrity of the extracted client data may not be guaranteed. Specialists are often required to
perform the extraction and there may be limitations to the data extraction where either the firm does not have the
appropriate tools or understanding of the client data to ensure that all data is collected. This may especially be the case
where multiple data systems are used by a client. In addition, it may be possible for clients to only make selected data
accessible or to manipulate the data available for extraction

 compatibility issues with client systems may render standard tests ineffective if data is not available in the expected
formats

 audit staff may not be competent to understand the exact nature of the data and output to draw appropriate
conclusions, training will need to be provided which can be expensive

 insufficient or inappropriate evidence retained on file due to failure to understand or document the procedures and
inputs fully. For example, a screen shot on file of the results of an audit procedure performed by the data analytic tool
may not record the input conditions and detail of the testing*, and

 practice management issues arise relating to data storage and accessibility for the duration of the required retention
period for audit evidence. The data obtained must be held for several years in a form which can be retested. As large
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
volumes will be required firms may need to invest in hardware to support such storage or outsource data storage which
compounds the risk of lost data or privacy issues

 an expectation gap among stakeholders who think that because the auditor is testing 100% of transactions in a specific
area, the client’s data must be 100% correct.

Professional scepticism
What is professional scepticism?
The glossary of terms contained in the IAASB’s Handbook of International Quality Control, Auditing, Review, Other Assurance,
and Related Services Pronouncements contains the following definition of the term ‘professional scepticism’:
An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or
fraud, and a critical assessment of evidence.
ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards
on Auditing, contains more guidance on how and why the auditor should act with an attitude of professional scepticism. ISA 200
contains a specific requirement in relation to professional scepticism:
The auditor shall plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the
financial statements to be materially misstated.
This overall objective is the fundamental driver for the relevant learning outcomes within the Paper P7 syllabus, namely:
 To discuss the importance of professional scepticism in planning and performing an audit (B1e), and
 To assess whether an engagement has been planned and performed with an attitude of professional scepticism, and
evaluate the implications (B1f).

The application paragraphs of ISA 200 contain more guidance on what is meant by applying professional scepticism when
conducting an audit:

Professional scepticism includes being alert to, for example:

 Audit evidence that contradicts other audit evidence obtained.
 Information that brings into question the reliability of documents and responses to inquiries to be used as audit
evidence.
 Conditions that may indicate possible fraud.
 Circumstances that suggest the need for audit procedures in addition to those required by the ISAs. (ISA 200 A.18).

Essentially, ISA 200 requires the use of professional scepticism as a means of enhancing the auditor’s ability to identify risks of
material misstatement and to respond to the risks identified. Professional scepticism is closely related to fundamental ethical
considerations of auditor objectivity and independence. Professional scepticism is also linked to the application of professional
judgment by the auditor. An audit performed without an attitude of professional scepticism is not likely to be a high quality
audit. At its core the application of professional scepticism should help to ensure that the auditor does not neglect unusual
circumstances, oversimplify the results from audit procedures or adopt inappropriate assumptions when determining the audit
response required to address identified risks, all of which should improve audit quality.
How does the auditor apply professional scepticism?
The auditor is likely to apply professional scepticism at various stages from client acceptance and at various points during the
audit process, and some typical examples are given below:
 When assessing engagement acceptance – at this stage the auditor should consider whether the management of the
intended audit client acts with integrity and whether there are any matters that may impact on the auditor being able to
act with professional scepticism if they accept the engagement, such as ethical threats to objectivity.

 When performing risk assessment procedures – an auditor should be sceptical when performing risk assessment
procedures at the planning stage of the audit. For example, when discussing the results of analytical procedures with
management, the auditor should not accept management’s explanations at face value, and should obtain corroboratory
evidence for the explanations offered.

 When obtaining audit evidence – the auditor should be ready to challenge management, especially on complex and
subjective matters and matters that have required a degree of judgement to be exercised by management. The
reliability and sufficiency of evidence should be considered, especially where there are risks of fraud. There may also be
specific issues arising during an audit which impacts on professional scepticism – for example, if management refuses
the auditor’s request to obtain evidence from a third party. The auditor will have to consider how much trust can be
placed on evidence obtained from management – for example, evidence in the form of enquiry with management or
written representations obtained from management. ISA 200 states that ‘a belief that management and those charged
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
with governance are honest and have integrity does not relieve the auditor of the need to maintain professional
scepticism or allow the auditor to be satisfied with less than persuasive audit evidence when obtaining reasonable
assurance’.

 When evaluating evidence – the auditor should critically assess audit evidence and be alert for contradictory evidence
that may undermine the sufficiency and appropriateness of evidence obtained.

The auditor should also apply professional scepticism when forming the auditor’s opinion, by considering the overall sufficiency
of evidence to support the audit opinion, and by evaluating whether the financial statements overall are a fair presentation of
underlying transactions and events.
Ultimately, the application of professional scepticism should reduce detection risk because it enhances the effectiveness of
applied audit procedures and reduces the possibility that the auditor will reach an inappropriate conclusion when evaluating the
results of audit procedures.
Specific applications of professional scepticism
Fraud
ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, specifically refers to professional
scepticism stating that ‘when obtaining reasonable assurance, the auditor is responsible for maintaining professional scepticism
throughout the audit, considering the potential for management override of controls and recognising the fact that audit
procedures that are effective for detecting error may not be effective in detecting fraud’ (ISA 240.8).
ISA 240 goes on to state a specific requirement for the auditor: ‘The auditor shall maintain professional scepticism throughout
the audit, recognising the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor’s past
experience of the honesty and integrity of the entity’s management and those charged with governance’ (ISA240.12).
The application paragraphs of ISA 240 emphasise the importance of assessing the reliability of the information to be used as
audit evidence and the controls over its preparation and maintenance. In addition, ISA 240 states that ‘management is often in
the best position to perpetrate fraud. Accordingly, when evaluating management’s responses to inquiries with an attitude of
professional scepticism, the auditor may judge it necessary to corroborate responses to inquiries with other information’ (ISA
240.A17). This is significant in that ISA 240 reminds the auditor that when management provides the auditor with audit evidence
– be that in the form of answers to enquiries, written representations or other forms of documentary evidence – the auditor
should carefully consider the integrity of that evidence and whether additional corroboratory evidence should be obtained from
a more reliable source.
Other aspects of an audit where professional scepticism may be important
The IAASB has issued a Staff Questions and Answers document entitled Professional Scepticism in an Audit of Financial
Statements, which outlines some of the areas of the audit where the use of professional scepticism may be important. These are
outlined below and largely relate to areas of the audit that are complex, subjective or highly judgmental.
 Accounting estimates – this can include fair value accounting estimates, the use of significant assumptions by
management in developing accounting estimates, and reviewing the judgements and decisions used by management for
management bias in developing accounting estimates.

 Going concern – the auditor should review management’s assessment of going concern and whether management’s
plans are feasible, this being particularly important where there is a significant doubt over the entity’s ability to
continue as a going concern.

 Related party relationships and disclosures – it can be difficult to obtain information on related parties, as knowledge
may be confined to management meaning that the auditor may have to rely on management to identify all related
parties The auditor should also be sceptical when assessing the business rationale behind related party transactions.

 Consideration of laws and regulations – the auditor should be alert throughout the audit for indications that there may
have been a suspected non-compliance with laws and regulations.

The increasing importance of professional scepticism

The IAASB Staff Questions and Answers document contains a foreword by Arnold Schilder, IAASB chairman, which emphasises
the increasing need for auditors to apply professional scepticism. One reason for this is the increased use of judgment and
subjectivity in management’s financial reporting decisions. This is due to the application of International Financial Reporting
Standards (IFRS), which are largely principle-based, and often require the preparers of financial statements to exercise
significant judgment when making decisions on accounting treatments.
The global financial crisis of 2008–2009 also focused attention on professional scepticism. Auditors in many jurisdictions were
criticised for not applying sufficient professional scepticism at that time, particularly in relation to the audit of fair values, related
party transactions and going concern assessments. One of the reasons for the IAASB issuing the Staff Questions and Answers
document was to re-emphasise the importance of professional scepticism especially in the audit of financial statements where
there is a high risk of material misstatement due to financial distress.
AAA TECHNICAL ARTICLE SUMMARY MARCH 2024
The UK’s Financial Reporting Council (FRC) has issued a Briefing Paper on professional scepticism which suggests that
professional scepticism is the cornerstone of audit quality. It proposes that the auditor should actively look for risks of material
misstatement, and that this is only possible when a high degree of knowledge of the audited entity’s business and the
environment in which it operates is obtained. The document contains proposals for how audit firms can encourage audit teams
to approach audits with a sceptical mindset, and it considers that some audit firms may need to change their culture to allow
this to happen.
The IAASB’s Work Plan for 2015–16, Enhancing Audit Quality and Preparing for the Future – issued in December 2014 –
prioritises the issues that impact on audit quality, including group audits, quality control, and professional scepticism. It is clear
the professional scepticism is to stay on the agenda of the regulatory authorities for some time to come, as it is so intrinsically
linked to other key audit issues such as audit quality, ethics and independence and, ultimately, the confidence that the public
has in the auditing profession.