April 2021

Effect of controls on the audit   This  considers the basic components of control systems and how the auditor fulfils their objectives for assessing control risk.   The auditor will ascertain the internal control system to assess whether it is likely to be reliable. If so, they will test the controls to ensure they are in place and working effectively.   Impact of tests of controls on the audit strategy and plan   The extent of substantive testing to be carried out will depend on the results of the tests of controls which will affect the auditor’s assessment of control risk.     If control risk is low   The auditor can place more reliance on internal controls and evidence generated internally within the entity.   This increases the appropriateness of interim audit testing and allows the auditor to reduce the quantity of detailed substantive procedures performed at the final audit stage.   The audit strategy and plan will be updated to reflect that fewer substantive procedures may be required or smaller sample sizes can be tested at the final audit stage.   If control risk is high   Increase the volume of procedures conducted at and after the year-end. [ISA 330, A2]   Increase the level of substantive procedures, in particular, tests of detail. [ISA 330, A2]   Increase the locations included in the audit scope. [ISA 330, A2]   Place less reliance on analytical procedures as the information produced by the client’s systems is not reliable.   Place less reliance on written representations from management if the control environment generally is considered to be weak.   Obtain more evidence from external sources e.g. external confirmations from customers and suppliers.   Update the audit strategy and plan to reflect the additional testing required at the final audit stage.   Limitations of internal controls   The auditor can never eliminate the need for substantive procedures entirely because there are inherent limitations to the reliance that can be placed on internal controls due to:   Human error. [ISA 315, A54]   Ineffective controls. [ISA 315, A54]   Collusion of staff in circumventing controls. [ISA 315, A55]   The abuse of power by those with ultimate controlling responsibility (i.e. management override). [ISA 315, A55]   Use of management judgment on the nature and extent of controls it chooses to implement. [ISA 315, A56]   As a result, the auditor must always perform substantive testing on material balances in the financial statements. [ISA 330, 18]   2      Components of an internal control system   ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment, states that auditors need to understand an entity’s internal controls. To assist this process it identifies five components of an internal control system: The control environment   The control environment includes the governance and management function of an organisation.   It focuses largely on the attitude, awareness and actions of those responsible for designing, implementing and monitoring internal controls.   [ISA 315, A77]   Elements of the control environment that are relevant when the auditor obtains an understanding include the following:   Communication and enforcement of integrity and ethical values   Commitment to competence   Participation by those charged with governance   Management’s philosophy and operating style   Organisational structure   Assignment of authority and responsibility   Human resource policies and practices.   [ISA 315, A78]   When assessing the control environment the auditor may also consider how management has responded to the findings and recommendations of the internal audit function regarding identified deficiencies in internal control relevant to the audit, including whether and how such responses have been implemented, and whether they have been subsequently evaluated by the internal audit function. [ISA 315, A80]   Evidence regarding the control environment is usually obtained through a mixture of enquiry and observation, although inspection of key internal documents (e.g. codes of conduct and organisation charts) is possible.   The risk assessment process   The risk assessment process forms the basis for how management determines the business risks to be managed, i.e. threats to the achievement of ongoing business objectives. These processes will vary depending on the nature, size and complexity of the organisation. [ISA 315, A88]   Threats to business objectives can lead to misstatement in the financial statements, e.g. non -compliance with laws and regulations may lead to fines and penalties, which require disclosure or provision in the financial statements.   If the client has robust procedures for assessing the business risks it faces, the risk of misstatement overall will be lower.   (iii)    The information system   The information system refers to all of the business processes relevant to financial reporting and communication. It includes the procedures within both information technology and manual systems.   The information system includes all of the procedures and records which are designed to:   Initiate, record, process and report transactions.   Maintain accountability for assets, liabilities and equity.   Resolve incorrect processing of transactions.   Process and account for system overrides.   Transfer information to the general/nominal ledger.   Capture information relevant to financial reporting for other events and conditions.   Ensure information required to be disclosed is appropriately reported. [ISA 315, A90]   (iv)  Control activities   The control activities include all policies and procedures designed to ensure that management directives are carried out throughout the organisation.   Examples of specific control activities include those relating to:   Authorisation   Performance review   Information processing   Physical controls   Segregation of duties. [ISA 315, A99]    Examples of control activities   Authorisation – approval of transactions prior to being processed   A manager signing off an employee’s timesheet to confirm that the hours stated have been worked and can be paid. This should ensure the employee is not claiming for hours not worked.   A manager signing a purchase order to confirm the order can be placed with the supplier. This should ensure that the goods are for a valid business use and

Audit evidence   In order for the auditor’s opinion to be considered trustworthy, auditors must come to their conclusions having completed a thorough examination of the books and records of their clients and they must document the procedures performed and evidence obtained, to support the conclusions reached.   ISA 500 Audit Evidence states the objective of the auditor, in terms of gathering evidence, is:   ‘to design and perform audit procedures in such a way to enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion.’ [ISA 500, 4]   Sufficiency relates to the quantity of evidence.   Appropriateness relates to the quality or relevance and reliability of   [ISA 500, 5b, 5e]   Sufficient evidence   There needs to be ‘enough’ evidence to support the auditor’s conclusion. This is a matter of professional judgment. When determining whether there is enough evidence the auditor must consider:   The risk of material misstatement The materiality of the item The nature of accounting and internal control systems The results of controls tests The auditor’s knowledge and experience of the business The size of a population being tested The size of the sample selected to test The reliability of the evidence obtained.   Sufficient evidence   Consider, for example, the audit of a bank balance:   Auditors will confirm year-end bank balances directly with the bank. This is a good source of evidence but on its own is not sufficient to give assurance regarding the completeness and final valuation of bank and cash amounts. The key reason is timing differences. The client may have received cash amounts or cheques before the end of the year, or may have paid out cheques before the end of the year, that have not yet cleared the bank account.   For this reason the auditor should also review and reperform the client’s year-end bank reconciliation.   In combination these two pieces of evidence will be sufficient to give assurance over the bank balances.   Appropriate evidence   Appropriateness of evidence breaks down into two important concepts:   Reliability   [ISA 500, 5b]   Reliability   Auditors should always attempt to obtain evidence from the most trustworthy and dependable source possible.   Evidence obtained from an independent external source is more reliable than client generated evidence.   Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly.   Client generated evidence is the least reliable source of evidence. If the client is manipulating the financial statement figures they may produce fictitious evidence to support the figures. Client generated evidence is more reliable if effective controls are in place. This doesn’t mean the auditor should not rely on client generated evidence. It simply means that where more reliable evidence is available, the auditor should obtain it.   In addition, written evidence is more reliable than oral evidence as oral representations can be withdrawn or challenged. Originals are more reliable than copies as it may be difficult to see whether copies have been tampered with.   [ISA 500, A31]   Broadly speaking, the more reliable the evidence the less of it the auditor will need. However, if evidence is unreliable it will never be appropriate for the audit, no matter how much is gathered. [ISA 500, A4]   Relevance   Relevance means the evidence relates to the financial statement assertions being tested. [ISA 500, A27]   For example, when attending an inventory count, the auditor will:   Select a sample of items from physical inventory and trace them to inventory records to confirm the completeness of accounting records   Select a sample of items from inventory records and trace them to physical inventories to confirm the existence of inventory assets.   Whilst the procedures are similar in nature, their purpose (and relevance) is to test different assertions regarding inventory balances.   2      Financial statements assertions   The objective of audit testing is to assist the auditor in coming to a conclusion as to whether the financial statements are free from material misstatement.   Auditors perform a range of tests on the significant classes of transaction and account balances. These tests focus on what are known as financial statements assertions: Assertions about classes of transactions and events, and related disclosures, for the period under audit   Occurrence – the transactions and events recorded and disclosed actually occurred and pertain to the entity.   Completeness – all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included have been included.   Accuracy – amounts and other data have been recorded appropriately and related disclosures have been appropriately measured and described.   Cut-off – transactions and events have been recorded in the correct accounting period.   Classification – transactions and events have been recorded in the proper accounts.   Presentation – transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the applicable financial reporting framework.   [ISA 315, A129a]   Assertions about account balances and related disclosures at the period end   Existence – assets, liabilities and equity interests exist.   Rights and obligations – the entity holds or controls the rights to assets and liabilities are the obligations of the entity.   Completeness – all assets, liabilities and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included have been included.   Accuracy, valuation and allocation – assets, liabilities and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described.   Classification – assets, liabilities and equity interests have been recorded in the proper accounts.   Presentation – account balances are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the applicable

Purpose of planning   ‘The objective of the auditor is to plan the audit so that it will be performed in an effective manner.’   [ISA 300 Planning an Audit of Financial Statements, 4]   Audits are potentially complex, risky and expensive processes. Although firms have internal manuals and standardised procedures, it is vital that engagements are planned to ensure that the auditor:   Devotes appropriate attention to important areas of the audit.   Identifies and resolves potential problems on a timely basis.   Organises and manages the audit so that it is performed in an effective and efficient manner.   Selects team members with appropriate capabilities and competencies.   Directs and supervises the team and reviews their work.   Effectively coordinates the work of others, such as experts and internal audit.   [ISA 300, 2]   Planning ensures that the risk of performing a poor quality audit (and ultimately giving an inappropriate audit opinion) is reduced to an acceptable level.   In order to achieve the overall objectives of the auditor, the audit must be conducted in accordance with ISAs.   Conducting the audit in accordance with ISAs:   Ensures that the auditor is fulfilling all of their responsibilities.   Allows a user to have as much confidence in one auditor’s opinion as another’s and therefore to rely on one audited set of financial statements to the same extent that they rely on another.   Ensures that the quality of audits internationally, is maintained to a high standard (thereby upholding the reputation of the profession).   Provides a measure to assess the standard of an auditor’s work (necessary when determining their suitability as an authorised practitioner).   Professional scepticism and professional judgment   Auditors are also required to perform audits with an attitude of professional scepticism. Professional scepticism was explained in the previous . Having an enquiring mind in itself is not sufficient to comply with a risk based method of auditing, the auditor must also use professional judgment.   Professional judgment – the application of relevant training, knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.   [ISA 200, 13k]   Therefore the use of a risk based approach requires skill, knowledge, experience and an inquisitive, open mind.   Although risk assessment is a fundamental element of the planning process, risks can be uncovered at any stage of the audit and procedures must be adapted in light of revelations that indicate further risks of material misstatement. It is, ultimately, the responsibility of the most senior reviewer (usually the engagement partner) to confirm that the risk of material misstatement has been reduced to an acceptable level.   The planning process   Planning consists of a number of elements. They can be summarised as:   Preliminary engagement activities:   – Perform procedures regarding the continuance of the client engagement.   –  Evaluating compliance with ethical requirements.   – Ensuring there are no misunderstandings with the client as to the terms of the engagement.   [ISA 300, 6]   The preliminary engagement activities were covered in the previous .   Planning activities:   –  Developing the audit strategy   –  Developing an audit plan.   [ISA 300, 7]   The audit strategy and the audit plan must be documented in the audit working papers. Any updates to them must also be documented.   2      The audit strategy The audit strategy sets the scope, timing and direction of the audit. It allows the auditor to determine:   The resources to deploy for specific audit areas (e.g. experience level, external experts)   The amount of resources to allocate (i.e. number of team members) when the resources are to be deployed   How the resources are managed, directed and supervised, including the timings of meetings, debriefs and reviews.   [ISA 300, A8]   3         The audit plan   Once the audit strategy has been established, the next stage is to develop a specific, detailed plan to address how the various matters identified in the overall strategy will be applied.   The strategy sets the overall approach to the audit, the plan fills in the operational details of how the strategy is to be achieved.   The audit plan should include specific descriptions of:   The nature, timing and extent of risk assessment procedures.   The nature, timing and extent of further audit procedures, including:   –  What audit procedures are to be carried out   –  Who should do them   –  How much work should be done (sample sizes, etc.)   –  When the work should be done (interim vs. final)   Any other procedures necessary to conform to ISAs.   [ISA 300, 9]   The relationship between the audit strategy and the audit plan Interim and final audit   The auditor must consider the timing of audit procedures such as whether to carry out an interim audit and a final audit, or just a final audit.   For an interim audit to be justified the client normally needs to be of a sufficient size because this may increase costs. However, an interim audit should improve risk assessment and make final procedures more efficient.   It is important to note that the interim audit and final audit are two stages of the same audit. One set of financial statements are audited. One auditor’s report will be issued. The audit work however is being performed in two stages – some work before the year-end and some work after the year-end.   Interim audit Final audit Timing Completed part way Takes place after the year-end through a client’s at a time agreed with the client accounting year which enables them to file (i.e. before the year- their financial statements with end). the relevant authorities by the Early enough not to required deadline. Generally a client would not interfere with year-end procedures at the client want the auditor to be and to give adequate performing the audit at the warning of specific

Audit risk   One of the main requirements of the audit is for the auditor to:   ‘…obtain sufficient appropriate evidence to reduce audit risk to an acceptably low level…’   [ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with ISAs, 17]   Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated.   [ISA 200, 13]   This means that they give an unmodified audit opinion when the financial statements are materially misstated. Audit risk comprises the risk of material misstatement and detection risk.   Risk of material misstatement is the risk that the financial statements are materially misstated prior to the audit. [ISA 200, 13ni]   This will be due to fraud or errors occurring during the year when transactions have been processed or when the financial statements have been prepared.   ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment states:   ‘The objective of the auditor is to identify and assess the risk of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.’ [ISA 315, 3]   What is a misstatement?   ‘A difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise from error or fraud.’   [ISA 450 Evaluation of Misstatements Identified During The Audit, 4a]   In conducting a thorough assessment of risk, auditors will be able to:   Identify areas of the financial statements where misstatements are likely to occur early in the audit.   Plan procedures that address the significant risk areas identified.   Carry out an efficient, focused and effective audit.   Reduce the risk of issuing an inappropriate audit opinion to an acceptable level.   Minimise the risk of reputational and punitive damage.   Categories of misstatement   There are three categories of misstatements:   Factual misstatements: a misstatement about which there is no doubt.   Judgmental misstatements: a difference in an accounting estimate that the auditor considers unreasonable, or the selection or application of accounting policies that the auditor considers inappropriate.   Projected misstatements: a projected misstatement is the auditor’s best estimate of the total misstatement in a population through the projection of misstatements identified in a sample.   [ISA 450, A6]   The risk of material misstatement comprises inherent risk and control risk.   Inherent risk   Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to misstatement that could be material, before consideration of any related controls.   [ISA 200, 13ni]   Complex accounting treatment is an example of an inherent risk. For example, where an accounting standard provides guidance on a specific accounting treatment this might not be understood by the client and material misstatement could result.   Inherent risk may arise due to the nature of the industry, entity or the nature of the balance itself. For example, inventory is inherently risky if it quickly becomes obsolete as it may not be valued appropriately at the lower of cost and NRV as required by IAS 2 Inventories.   Control risk   Control risk is the risk that a misstatement that could occur and that could   be material will not be prevented, or detected and corrected on a timely basis by the entity’s internal controls. [ISA 200, 13nii]   Control risk may be high either because the design of the internal control system is insufficient in the circumstances of the business or because the controls have not been applied effectively during the period. This is covered in more detail in the  ‘Systems and controls’.   Detection risk   Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material. [ISA 200, 13e]   Detection risk comprises sampling risk and non-sampling risk:   Sampling risk is the risk that the auditor’s conclusion based on a sample is different from the conclusion that would be reached if the whole population was tested, i.e. the sample was not representative of the population from which it was chosen. [ISA 530 Audit Sampling, 5c]   Non-sampling risk is the risk that the auditor’s conclusion is inappropriate for any other reason, e.g. the application of inappropriate procedures or the failure to recognise a misstatement.   The auditor must amend the audit approach in response to risk assessment to ensure they detect the material misstatements in the financial statements.   They can achieve this by:   Emphasising the need for professional scepticism.   Assigning more experienced staff to complex or risky areas of the engagement.   Providing more supervision.   Incorporating additional elements of unpredictability in the selection of further audit procedures.   Making changes to the nature, timing or extent of audit procedures, e.g.   –  Placing less reliance on the results of systems and controls testing.   –  Performing more substantive procedures.   – Consulting external experts on technically complex or contentious matters.   –  Changing the timing and frequency of review procedures.   [ISA 330 The Auditor’s Response to Assessed Risks, A1]   Professional scepticism   Professional scepticism is: ‘An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence.’ [ISA 200, 13l]   Clearly this requires the audit team to have a good knowledge of how the client’s activities are likely to affect its financial statements. The audit team should discuss these matters in a planning meeting before deciding

The need for professional ethics   Professional accountants have a responsibility to act in the public interest. The purpose of assurance engagements is to increase the confidence of the intended users, therefore the users need to trust the professional who is providing the assurance.   In order to be trusted the assurance provider needs to be independent of their client.   Independence can be defined as having ‘freedom from situations and relationships where objectivity would be perceived to be impaired by a reasonable and informed third party.’   Practitioners need to behave and be seen to behave in an ethical, professional manner. This means taking active steps to comply with the Code of Ethics in every professional situation.   2      The IFAC and ACCA codes and the conceptual framework   IFAC, through the IESBA, has issued a code of ethics, as has the ACCA. The ACCA Code of Ethics is covered in this . However, both of these Codes have the same roots and are, to all intents and purposes identical.   Both follow a conceptual framework which identifies:   Fundamental principles of ethical behaviour   Potential threats to compliance with these fundamental principles   Possible safeguards which can be implemented to eliminate the threats identified, or reduce them to an acceptable level.   Ethical guidance can either use a principles-based approach or rules-based approach.   A conceptual framework relies on a principles-based approach.   Both IFAC and the ACCA adopt a principles-based approach.   Principles-based approach Rules-based approach • Flexible, so can be applied to • May be easier to follow because new, unusual or rapidly changing it is clearly defined. situations. • Needs frequent updating to • Principles may be applied across ensure the guidance applies to national boundaries where laws new situations. may not. • May encourage accountants to • Requires the accountant to use interpret requirements narrowly in professional judgment. order to get round the spirit of the • Requires compliance with the requirements. • spirit of the guidance. Virtually impossible to be able to • Can still incorporate specific rules deal with every situation that may arise, particularly across various for ethical situations likely to national boundaries and in a affect many firms. dynamic industry.   Consequences   Practitioners should apply the spirit of the code to everyday practice. Professional bodies such as the ACCA have the right to discipline members who fail to comply with the code of ethics through a process of disciplinary hearings which can result in:   Fines   Suspension of membership   Withdrawal of membership.   3      The fundamental principles The formal definitions of the fundamental principles are as follows:   Objectivity: Members should not allow bias, conflicts of interest or undue influence of others to override professional or business judgments.   Professional behaviour: Members should comply with relevant laws and regulations and should avoid any action that discredits the profession.   Professional competence and due care: Members should maintain professional knowledge and skill at a level required to ensure that a client or employer receives competent professional services based on current developments in practice, legislation and techniques.   Members should act diligently and in accordance with applicable technical and professional standards.   Integrity: Members should be straightforward and honest in all professional and business relationships.   Confidentiality: Members should respect the confidentiality of information acquired as a result of professional and business relationships and should not disclose any such information to third parties without proper and specific authority or unless there is a legal or professional right or duty to disclose. Confidential information acquired as a result of professional and business relationships should not be used for the personal advantage of members or third parties.   Illustration 1 – Fundamentals principles   The following are real précis hearings held and decisions made and published by the ACCA Disciplinary Committee:   A member was found guilty of misconduct because they signed the auditor’s report without conducting any audit work, contrary to the fundamental principle of integrity.   A member was found guilty of misconduct because they failed to advise a client to have an audit when an audit was required by law, contrary to the fundamental principle of professional competence and due care.   A member was found guilty of misconduct because they ‘failed to reply to correspondence sent by a third party and ACCA’ contrary to the fundamental principle of professional behaviour.   A member was found guilty of misconduct because they ‘lost possession of a client’s books and records to a third party’ contrary to the fundamental principle of confidentiality.   A member was found guilty of misconduct because they ‘carried out an audit of a company’ in which they owned shares ‘without implementing appropriate safeguards’ contrary to the fundamental principle of objectivity.   As a result, a combination of the following sanctions were ordered by the ACCA Disciplinary Committee in each case:   Suspension of membership   Exclusion from ACCA   A fine   Ordered to pay costs   Publication of the results of the decision and the member’s name on the ACCA website   Publication of the results of the decision and the member’s name in the local press.   Threats and safeguards   Firms must establish procedures to: A safeguard is an action or measure that eliminates a threat, or reduces it to an acceptable level.   The ACCA Code of Ethics divides safeguards into two broad categories:   Safeguards created by the profession, legislation or regulation, these include: requirements for entry into the profession, continuing professional development, corporate governance, professional standards, monitoring and disciplinary procedures, etc.   Safeguards created by the work environment, these include: rotation/removal of relevant staff from the engagement team, independent quality control reviews, using separate teams, etc.   Identifying threats Self-interest threats   Where the auditor has a financial or other interest that will inappropriately influence their judgment or behaviour.   Threat Safeguards Fee dependency Non-listed clients Over-dependence on an audit client If fees from an audit client represent

Objectives and importance of corporate governance   Corporate governance is the means by which a company is operated and controlled.   The aim of corporate governance is to ensure that companies are run well in the interests of their shareholders, employees, and other key stakeholders such as the wider community.   The aim is to try and prevent company directors from abusing their power which may adversely affect these stakeholder groups. For example, the directors may pay themselves large salaries and bonuses whilst claiming they have no money to pay a dividend to shareholders. Similarly, they may be making large numbers of staff redundant but awarding themselves a payrise.   In response to major scandals (e.g. Enron), regulators sought to change the rules surrounding the governance of companies, particularly publicly owned ones.   In the US the Sarbanes Oxley Act (2002) introduced a set of rigorous corporate governance laws. The UK Corporate Governance Code introduced a set of best practice corporate governance initiatives into the UK.   Advantages of a company following good corporate governance principles:   Greater transparency   Greater accountability   Efficiency of operations   Better able to respond to risks   Less likely to be mismanaged.   Relevance of corporate governance to external auditors   If a company complies with corporate governance best practice, the control environment of the company is likely to be stronger. There will be a greater focus on financial reporting and internal controls which should reduce control risk and inherent risk which together reduce the risk of material misstatements in the financial statements.   External auditors may be required to report on whether companies are compliant with the Code. For example, in the UK, external auditors of listed entities are required to report on whether the company is compliant with the UK Corporate Governance Code.   There is significantly more communication between audit committees and external auditors in the current environment. If the company, including the audit committee, demonstrates good corporate governance, the external auditors have someone with which to share responsibility. This should result in the company taking more responsibility for its actions, the independence of the auditor being greater, and the overall quality of the audit being higher. Enron   In the year 2000 Enron, a US based energy company, employed 22,000 people and reported revenues of $101 billion. In late 2001 they filed for bankruptcy protection. After a lengthy investigation it was revealed that Enron’s financial statements were sustained substantially by systematic, and creatively planned, accounting fraud.   In the wake of the fraud case the shares of Enron fell from over $90 each to just a few cents each, a number of directors were prosecuted and jailed and their auditors, Arthur Andersen, were accused of obstruction of justice and forced to stop auditing public companies. This ruling against Arthur Andersen was overturned at a later date but the damage was done and the firm ceased trading soon after.   This was just one of a number of high profile frauds to occur at that time.   The Enron scandal is an example of the abuse of the trust placed in the management of publicly traded companies by investors. This abuse of trust usually takes one of two forms:   Direct extraction from the company of excessive benefits by management, e.g. large salaries, pension entitlements, share options, use of company assets (jets, apartments etc.)   Manipulation of the share price by misrepresenting the company’s profitability, usually so that shares in the company can be sold or options ‘cashed in’.   In response, regulators sought to change the rules surrounding the governance of companies, particularly publicly owned ones. In the US the Sarbanes Oxley Act (2002) introduced a set of rigorous corporate governance laws and at the same time the Combined Code (now called the UK Corporate Governance Code) introduced a set of best practice corporate governance initiatives into the UK. The Corporate Governance Code   The Organisation for Economic Co-operation and Development (OECD) has produced a set of six principles of corporate governance to guide policy makers when setting regulations for their own country.   The six OECD Principles are:   Ensuring the basis of an effective corporate governance framework   The rights of shareholders and key ownership functions   The equitable treatment of shareholders   The role of stakeholders in corporate governance   Disclosure and transparency   The responsibilities of the board.   The UK Corporate Governance Code reflects the OECD principles. The main requirements of the Code are given below.   Leadership   Each company should have an effective board who take collective responsibility for the long term success of the company.   There should be clear division of responsibilities between running the board and the running of the company. No one should have unfettered powers of decision.   The chairman should lead the board and ensure it is effective.   Non-executive directors should constructively challenge and help develop strategy.   Effectiveness   The board should have the appropriate balance of skills, experience, independence and knowledge of the company.   Appointment of directors should be made through a formal, transparent and rigorous process.   Directors should allocate sufficient time to discharge their responsibilities.   All directors should receive induction on joining the board and should regularly update and refresh their skills and knowledge.   The board should be supplied with timely information in an appropriate form and quality.   The board should undertake formal and rigorous evaluation of its performance and that of its committees and individual directors.   All directors should be submitted for re-election at regular intervals subject to satisfactory performance. Accountability   The board should present a balanced and understandable assessment of the company’s position and prospects.   The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.   The board should maintain sound risk management and internal control systems.   The board should establish formal and transparent arrangements for

The need for regulation   The role of the auditor has come under increased scrutiny over the last thirty years due to an increase in high profile audit failures. The most high profile case, and the catalyst for regulatory change, was the collapse of Enron and its auditor Arthur Andersen.   In order to try and regain trust in the auditing profession, national and international standard setters and regulators have tried to introduce three initiatives:   Harmonisation of auditing procedures, so that users of audit services are confident in the nature of audits being conducted around the world.   Focus on audit quality, so that the expectations of users are met.   Adherence to a strict ethical code of conduct, to try and improve the perception of auditors as independent, unbiased service providers.   In order to achieve this, practitioners have to follow regulatory guidance:   National corporate law (e.g. The Companies Act 2006 in the UK and The Sarbanes Oxley Act in the US).   Auditing Standards (the basis of this text is International Standards on Auditing).   Code of Ethics. Covered in the chapter ‘Ethics and acceptance’.   2      Legal requirements for audits and auditors   In this section, the law referred to in most cases is UK law and the Companies Act 2006. Different countries may have different requirements but generally the same principles will apply across the world.   National law includes:   Which companies are required to have an audit   Who can and cannot carry out an audit   Auditor appointment, resignation and removal   The rights and duties of an auditor.   Who needs an audit and why?   In most countries, companies are required by law to have an audit.   Small or owner-managed companies are often exempt. This is because there is less value in an audit for these companies.   Note that these exemptions often do not apply to companies in certain regulated sectors, e.g. financial services companies or companies listed on a stock exchange.   Reasons for exempting small companies from audit   The owners and managers of the company are often the same people.   The advice and value which accountants can add to a small company is more likely to concern other services, such as accounting and tax.   The impact of misstatements in the financial statements of small companies is unlikely to be material to the wider economy.   The audit fee and disruption of an audit are seen as too great a cost for any benefits the audit might bring.   Who may act as auditor?   To be eligible to act as auditor, a person must be:   A member of a Recognised Supervisory Body (RSB), e.g. ACCA, and allowed by the rules of that body to be an auditor or   Someone directly authorised by the state.     Conducting audit work   Individuals who are authorised to To be eligible to offer audit conduct audit work may be: services, a firm must be: • Sole practitioners • Controlled by members of a • Partners in a partnership suitably authorised supervisory body or • Members of a limited liability • A firm directly authorised by partnership the state. • Directors of an audit company.   Note: In some countries only individuals can be authorised to act as auditor and need to be directly authorised by the state.   Who may not act as auditor?   Excluded by law: The law in most countries excludes those who manage or work for the company, and those who have business or personal connections with them from auditing that company.   Excluded by the Code of Ethics: Auditors must also comply with a Code of Ethics. The Code of Ethics requires the auditor to consider any factors that would prevent them acting as auditor, such as independence, competence or issues regarding confidentiality. This is considered in more detail in the next chapter.   Who appoints the auditor?   Members (shareholders) – of the company appoint the auditor by voting them in.   Directors – can appoint the first auditor or to fill a ‘casual vacancy’. This requires the members’ approval at a members’ meeting. In some countries the auditors may be appointed by the directors as a matter of course.   Secretary of State – if no auditors are appointed by the members or directors.   Auditors of public companies are appointed from one AGM to the next one.   Auditors of private companies are appointed until they are removed.   Removing the auditor   Arrangements for removing the auditor have to be structured in such a way that:   the auditor has sufficiently secure tenure of office, to maintain independence of management.   auditors can be removed if there are doubts about their continuing abilities to carry out their duties effectively.   Removal of the auditor can usually be achieved by a simple majority at a general meeting of the company. There are some safeguards, such as a specified notice period, to prevent the resolution to remove the auditors being ‘sprung’ on the meeting.   The auditor can circulate representations stating why they should not be removed if applicable.   A statement of circumstances must be sent to the company and the regulatory authority to set out issues surrounding the cessation of office.   Resigning as auditor   In practice, if the auditor and management find it difficult to work together, the auditor will usually resign.   The auditor issues written notice of the resignation and a statement of circumstances to the members and regulatory authority.   Notifying ACCA   If an auditor resigns or is removed from office before the end of their term of office, they must notify the ACCA.   The auditors responsibilities on removal/resignation   The following is taken from UK law, but provides an example of the typical responsibilities of the auditor.   Deposit at the company’s registered office:   – A statement of the circumstances connected with the removal/resignation

What is assurance?   An assurance engagement is: ‘An engagement in which a practitioner obtains sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria.’   [International Framework for Assurance Engagements, 10]   Giving assurance means offering an opinion about specific information so the users of that information are able to make confident decisions knowing that the risk of the information being ‘incorrect’ is reduced. There are five elements of an assurance engagement:   Element Explanation In relation to an audit (i) Three party Practitioner (the reviewer Auditor involvement of the subject matter who provides the assurance) Intended users (of the Shareholders information) Responsible party (those Directors responsible for preparing the subject matter) (ii) Appropriate The information subject to Financial statements subject examination by the matter practitioner (iii) Suitable The subject matter is Financial reporting criteria evaluated against the framework suitable criteria (iv) Sufficient Sufficient appropriate Sufficient appropriate appropriate evidence is needed to evidence is obtained by evidence provide a basis for the performing audit opinion/conclusion procedures (v) Written The output of the Independent auditor’s assurance assurance engagement report providing an opinion report in an expressing a as to whether the financial appropriate conclusion/opinion about statements give a true and form the subject matter fair view   [International Framework for Assurance Engagements, 26]     Illustration 1 – Buying a house   Consider someone who is buying a house. There is a risk that someone pays a large sum of money to purchase a structurally unsafe property which needs further expenditure to make it habitable. To reduce this risk, it is normal for house buyers (the users) to pay a property surveyor (the practitioner) to perform a structural assessment of the house (the subject matter). The surveyor would then report back (written report) to the house buyer identifying any structural deficiencies (measured against building regulations/best practice and other criteria). With this information the potential buyer can then make their decision whether or not to buy the house with the confidence that they know its structural condition. In this example, the responsible party is the current house owner, and the evidence would largely be obtained through visual inspection of the property.   Assurance engagements   Examples of assurance engagements include:   Audit of financial statements   Review of financial statements   Systems reliability reports   Verification of social and environmental information   Review of internal controls   Value for money audit in public sector organisations.   General principles the assurance provider must follow when performing such engagements include:   Comply with ethical requirements.   Apply professional scepticism and judgment.   Perform acceptance and continuance procedures to ensure only work of acceptable risk is accepted.   Agree the terms of engagement.   Comply with quality control requirements (ISQC 1).   Plan and perform the engagement effectively.   Obtain sufficient appropriate evidence.   Consider the effect of subsequent events on the subject matter.   Form a conclusion expressing either reasonable or limited assurance as appropriate.   The evidence should be documented to provide a record of the basis for the assurance report.   Types of assurance engagement   Two types of assurance engagement are permitted:   Reasonable   Reasonable assurance   engagements   The practitioner:   Gathers sufficient appropriate evidence to be able to draw reasonable conclusions   Concludes that the subject matter   conforms in all material respects with identified suitable criteria   Gives a positively worded   assurance opinion   Gives a high level of assurance (confidence)   Performs very thorough procedures to obtain sufficient appropriate evidence – tests of controls and substantive procedures       Limited assurance   engagement   The practitioner:   Gathers sufficient appropriate evidence to be able to draw limited conclusions   Concludes that the subject matter, with respect to identified suitable criteria, is plausible in the   circumstances   Gives a negatively worded assurance conclusion   Gives a moderate or lower level of assurance than that of an audit   Performs significantly fewer procedures – mainly enquiries and analytical procedures     In our opinion, the financial statements give a true and fair view of (or present fairly, in all material respects) the financial position of Murray Company as at December 31, 20X4, and of its financial performance and its cash flows for the year then ended in accordance with International Financial Reporting Standards.   Nothing has come to our attention that causes us to believe that the financial statements of Murray Company as of 31 December, 20X4 are not prepared, in all material respects, in accordance with an applicable financial reporting framework.     The confidence inspired by a reasonable assurance report is designed to be greater than that inspired by a limited assurance report.   Therefore:   There are more regulations/standards governing a reasonable assurance assignment.   The procedures carried out in a reasonable assurance assignment will be more thorough.   The evidence gathered will need to be of a higher quality.   2      External audit engagements   An external audit is an example of a reasonable assurance engagement.   Purpose of an external audit engagement   ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing states the purpose of an external audit engagement is to ‘enhance the degree of confidence of intended users in financial statements.’   This is achieved by the auditor expressing an opinion on whether the financial statements:   Give a true and fair view (or present fairly in all material respects).   Are prepared, in all material respects, in accordance with an applicable financial reporting framework.   [ISA 200, 3]   The financial reporting framework to be applied will vary from country to country. In Audit & Assurance, it is assumed that International Financial Reporting Standards are the basis for preparing the financial statements.