Auditing Notes For South African Students-2 - Nodrm

Download as pdf or txt
Download as pdf or txt
You are on page 1of 741

Auditing Notes

for
South African Students
Twelfth Edition
Auditing Notes
for
South African Students
Twelfth Edition

G Richard (Editor)
C Roets (Editor)
A Adams
S West
Members of the LexisNexis Group worldwide
South Africa LexisNexis (Pty) Ltd
www.lexisnexis.co.za
JOHANNESBURG Building 8, Country Club Estate Office Park, 21 Woodlands Drive, Woodmead, 2191
CAPE TOWN First Floor, Great Westerford, 240 Main Road, Rondebosch, 7700
DURBAN 215 Peter Mokaba Road (North Ridge Road), Morningside, Durban, 4001
Australia LexisNexis, CHATSWOOD, New South Wales
Austria LexisNexis Verlag ARD Orac, VIENNA
Benelux LexisNexis Benelux, AMSTERDAM
Canada LexisNexis Canada, MARKHAM, Ontario
China LexisNexis, BEIJING
France LexisNexis, PARIS
Germany LexisNexis Germany, MÜNSTER
Hong Kong LexisNexis, HONG KONG
India LexisNexis, NEW DELHI
Italy Giuffrè Editore, MILAN
Japan LexisNexis, TOKYO
Korea LexisNexis, SEOUL
Malaysia LexisNexis, KUALA LUMPUR
New Zealand LexisNexis, WELLINGTON
Poland LexisNexis Poland, WARSAW
Singapore LexisNexis, SINGAPORE
United Kingdom LexisNexis, LONDON
United States LexisNexis, DAYTON, Ohio

© 2021

ISBN 978-0-6390-0954-4 (softback)


978-0-6390-0955-1 (e-book)

Copyright subsists in this work. No part of this work may be reproduced in any form or by any means without
the publisher’s written permission. Any unauthorised reproduction of this work will constitute a copyright
infringement and render the doer liable under both civil and criminal law.
Whilst every effort has been made to ensure that the information published in this work is accurate, the editors,
authors, writers, contributors, publishers and printers take no responsibility for any loss or damage suffered by
any person as a result of the reliance upon the information contained therein.

Technical Editor: Maggie Talanda


Preface

The original book was compiled specifically to assist students at tertiary institutions in South Africa with their
studies in auditing. This update is intended for the same purpose. The book is not designed to be used on its
own and stands ancillary to the Companies Act 2008 and its Regulations 2011, the International Standards on
Auditing and the (SAICA) Code of Professional Conduct as well as the King IV Report on Corporate
Governance for South Africa. Extensive reference is made to these and other pronouncements.
Notable changes to the twelfth edition are that of: Chapter 1 – Certain theories and concepts included in the
CA2025 competency framework are introduced and the new ISQM 1 and 2, as well as the revised ISA 220, are
introduced. Chapter 2 – Updates have been included relating to the Auditing Profession Amendment Act, 5 of
2021, which became effective on 26 April 2021.
Chapter 5 – This chapter has been substantially rewritten to include the updates relating to the revised ISA
315 “Identifying and Assessing the Risks of Material Misstatement”, effective for audits of financial statements for
periods beginning on or after 15 December 2021 (which also affects major parts of Chapter 7). Chapter 6 – This
chapter has been updated to include the revised ISA 220 “Quality Management for an Audit of Financial
Statements” as well as the related matters included in the new ISQM 1 which requires an engagement quality
review for certain engagements and ISQM 2 which deals with the quality reviewer’s responsibilities and the
appointment and eligibility of such a reviewer. Chapter 7 – As with Chapter 5, this chapter has also been
majorly affected by the revised ISA 315, and as such, substantial parts of the chapter has been rewritten.
Chapter 8 – The revisions to ISA 315 also affected this chapter, and updates were made accordingly. Specific
updates were also made to include relevant matters relating to IT general controls; end-user computing; and
automated application controls. Chapter 9 – More examples and/or illustrations have been included on
cryptocurrencies, cloud computing and networks.
For Chapters 10, 11, 12, 13 and 14 (the cycles), efforts have been made to make these chapters more practical
and to illustrate their link more clearly with the whole of the audit process. These chapters have also been
modernized to some extent, to align them with up-to-date business practices. Finally, substantial updates have
also been made to Chapter 18, The Audit Report.
This book intends to simplify what has proved to be a difficult subject for many generations of auditing
students. The authors hope that they have achieved this. Any comments or suggestions to improve subsequent
editions would be most welcome, especially from students who use the book.

Note from the publisher:


Credit is given to the late Rob Jackson. Both LexisNexis and the auditing student market will forever be
indebted to his invaluable contribution to the training of up-and-coming auditors over many years. Over the
years thousands of students have used his works in preparation for becoming professionals.

v
Contents

Page
Preface ..................................................................................................................................... v

Chapter 1 Introduction to auditing ................................................................................... 1/1


Chapter 2 Professional conduct ........................................................................................ 2/1
Chapter 3 Statutory matters ............................................................................................. 3/1
Chapter 4 Corporate governance ...................................................................................... 4/1
Chapter 5 General principles of auditing........................................................................... 5/1
Chapter 6 An overview of the audit process ...................................................................... 6/1
Chapter 7 Important elements of the audit process ............................................................ 7/1
Chapter 8 Computer audit: The basics .............................................................................. 8/1
Chapter 9 Computer audit: New technology ..................................................................... 9/1
Chapter 10 Revenue and receipts cycle ............................................................................... 10/1
Chapter 11 Acquisitions and payments cycle ...................................................................... 11/1
Chapter 12 Inventory and production cycle ........................................................................ 12/1
Chapter 13 Payroll and personnel cycle .............................................................................. 13/1
Chapter 14 Finance and investment cycle ........................................................................... 14/1
Chapter 15 Going concern and functional insolvency ......................................................... 15/1
Chapter 16 Reliance on other parties .................................................................................. 16/1
Chapter 17 Sundry topics................................................................................................... 17/1
Chapter 18 The audit report ............................................................................................... 18/1
Chapter 19 Review engagements and related service engagements....................................... 19/1

vii
CHAPTER

1
Introduction to auditing

CONTENTS
Page

1.1 Theory and philosophy of auditing .................................................................................... 1/2


1.1.1 What is an auditor? ................................................................................................. 1/2
1.1.2 Why there is a need for auditors .............................................................................. 1/5
1.1.3 Specific theories as they relate to businesses, auditing and the profession .................. 1/6
1.1.4 Assurance engagements and the expectation gap ...................................................... 1/6
1.1.5 Reasonable assurance, limited assurance and absolute assurance .............................. 1/8

1.2 The accounting profession ................................................................................................. 1/10


1.2.1 The nature of professional status.............................................................................. 1/10
1.2.2 Accounting bodies in South Africa .......................................................................... 1/11
1.2.3 Pronouncements which regulate the (auditing) profession......................................... 1/12

1.3 The financial statement audit engagement ..................................................................... 1/13


1.3.1 Introduction ........................................................................................................... 1/13
1.3.2 A model of the independent audit of the annual financial statements of a company
arising out of the requirements of the Companies Act 2008 ....................................... 1/14
1.3.3 The roles of the various parties ................................................................................ 1/15
1.3.4 The role of the Companies Act 2008 and Companies Regulations 2011 .................... 1/15
1.3.5 The role of the Auditing Profession Act 2005 ........................................................... 1/16
1.3.6 The role of the International Standards on Auditing (ISAs) ...................................... 1/16
1.3.7 The role of the assertions ......................................................................................... 1/17
1.3.8 The role of professional scepticism .......................................................................... 1/19
1.3.9 The role of professional judgement .......................................................................... 1/19

1.4 Summary........................................................................................................................... 1/20

1.5 Appendix: Auditing postulates........................................................................................... 1/20

1/1
1/2 Auditing Notes for South African Students

1.1 Theory and philosophy of auditing


1.1.1 What is an auditor?
1.1.1.1 Introduction
No doubt we all have some idea about what an auditor is and what an auditor does, but these ideas are
usually based on what we see in the media, and are often vague or clouded with misconceptions! We hear
or read that the “auditors are investigating the matter”, or that the Auditor General “tabled his report in
parliament”. On television game shows or talent shows we are told that “the auditors are standing by to
verify the results” and we occasionally read in the newspaper that an “environmental audit” has been
carried out for a large industrial company. Auditors seem to be involved in numerous different activities
and there seem to be numerous different kinds of “auditor”.
Auditors are also regularly described as boring, conservative or more rudely as “little grey men (or
women)” or “bean counters”, a description which has grown out of the popular image of auditors, serious
looking individuals, in their grey suits with laptops tucked under their arms! And yet, despite the slightly
mocking image, there is a general acceptance that auditing is a serious business and that auditors have a
very important role to play in society. So what do auditors do?
Simply stated, auditors of all types provide assurance pertaining to information prepared or presented by
one party to another party with the intention of inspiring confidence in the “fairness” of the information
which is being prepared or presented.

Example 1: Intaba Lodge (Pty) Ltd goes to BigMoney Bank to request a loan. BigMoney Bank tells Intaba Lodge
(Pty) Ltd that before the bank can consider giving the company a loan it must provide BigMoney Bank with
financial statements for the company which must be audited. In effect, BigMoney Bank is telling Intaba Lodge (Pty)
Ltd that the company can provide the financial information, but that the bank wants some assurance from a source
independent of Intaba Lodge (Pty) Ltd that the financial information provided by Intaba Lodge (Pty) Ltd is fair.
This is where the auditor comes in. The auditor will examine (audit) the information provided by Intaba Lodge
(Pty) Ltd and report to the bank on whether it is “fair”. (If the auditors do not think the information is “fair”, they
will say so.) This assurance about the financial information submitted by Intaba Lodge (Pty) Ltd adds to its
credibility and BigMoney Bank will be more comfortable about relying on the information when making the
decision on whether to grant the loan. If the (independent) auditor states that the information is fair the bank will be
more confident that granting the loan will not result in the bank suffering a loss because Intaba Lodge (Pty) Ltd
cannot repay the loan. If BigMoney Bank did not insist on audited financial information, Intaba Lodge (Pty) Ltd
could easily manipulate its financial information to deceive BigMoney Bank into granting it a loan.
Example 2: How does giving assurance relate to a television talent show and why do the promoters of the show
involve auditors? The answer is that the promoter wants the results of the talent show to be credible. He does not
want the sponsors, participants and very importantly the public who support the show, to think the results are fixed
(manipulated). If this impression is given, sponsors are likely to withdraw their support and audiences (and ratings)
will decline until there is no talent show. Thus, producers engage auditors, who are generally perceived by all the
parties concerned to be honest, reliable and conservative, to give an opinion on whether the information (e.g. votes
cast and counted, rules, etc.) underlying the result was “fair”.

In the context of the accounting and auditing profession we can express this more formally by referring to
the International Framework for Assurance Engagements, which defines an assurance engagement as one
“in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended
user . . . ” (see paragraph 3 below for a full discussion).

1.1.1.2 Types of auditor


If we consider the following types of auditor, we can get a clearer understanding of what they do and what
they have in common:
• Registered (external) auditors – auditors who express an independent opinion on whether the annual
financial statements of a company fairly present the financial position and results of the company’s
operations. The external auditor is not an employee of the company. The external auditor enhances the
degree of confidence which users of the financial statements will have in the information in those
financial statements. Registered auditors offer their services to the public. They are described as being
“in public practice” and must be registered with the Independent Regulatory Board for Auditors
(IRBA).
Chapter 1: Introduction to auditing 1/3

An audit of financial statements is by no means the only assurance engagement which registered auditors
conduct. As you will see later in this text, registered auditors also frequently perform review engage-
ments, which are also assurance engagements but which provide a lower level of assurance than an
audit provides.
• Internal auditors – auditors who perform independent assignments on behalf of the board of directors of
the company. These assignments are varied but usually relate to the evaluation of the efficiency,
economy and effectiveness of the company’s internal control systems and business activities and to the
evaluation of whether the company has identified and is responding to the business risks faced by the
company. In a sense, the internal audit function helps senior management to meet its responsibilities in
running the organisation by providing independent information about the company’s departments,
divisions or subsidiaries. The internal auditor enhances management’s degree of confidence that the
company’s systems are functioning as intended and that the risks are being assessed and addressed. The
internal auditor is an employee of the company, but must be independent of the department, division or
subsidiary in which the assignment is being carried out. The organisational structure and reporting lines
in the company will be designed to ensure that the internal audit function is as independent as possible.
An individual is not required to be registered with a professional body to be employed as an internal
auditor, but may choose to register with the Institute for Internal Auditors. Many internal auditors are
chartered accountants and will be registered with the South African Institute of Chartered Accountants.
• Government auditors – government auditors perform a role similar to that of the internal auditor – but
within government departments. They will evaluate and investigate the financial affairs of government
departments, reporting their findings to senior government. They assist government in meeting its
responsibilities in running the financial affairs of the country and increase the degree of confidence
which the government has in its departments, and indirectly, the confidence which the public has in the
government’s financial management. The government auditor (called the Auditor General), is an
employee of the government, but his status and organisational positioning make his office independent of
the government departments in which assignments are carried out. Registration with a professional
body is not required to be employed as a government auditor, but many government auditors are
registered with professional bodies.
• Forensic auditors – forensic auditors concentrate on investigating and gathering evidence where there has
been alleged financial mismanagement, theft or fraud. Forensic audits may be carried out in any
government or business entity, but it should be obvious that the forensic auditor needs to be independent
of the entity under investigation. Where an independent and competent forensic auditor has been
involved, the degree of confidence which the court/investigating body has in the financial evidence is
increased. Forensic auditing is a specialist field, but because of the emphasis on financial matters, most
if not all forensic auditors have a background/qualification in auditing.
• Special purpose auditors – these are auditors who specialise in a particular field, such as environmental
auditors, who audit compliance with environmental regulations, and VAT auditors who work for the
South African Revenue Services and who audit vendors’ VAT returns. The conclusion presented by the
special purpose auditors enhances the degree of confidence which, for example, SARS will have in the
“correctness” of the VAT returns audited, or a local authority will have in an environmental impact
report.
What is the characteristic common to these various audit (assurance) activities? The answer is simple but
very important – it is the characteristic of independence. The external auditor is independent of the company,
the internal auditor is independent of the department being audited and the VAT auditor is independent of
the entity whose VAT returns he may be examining. Regardless of whether it is external, internal, govern-
ment, forensic, VAT or any other kind of auditing, if the person performing the “audit” is not independent
of the entity being “audited”, the assurance given by the auditor will be worthless.

Let us relate this to Example 1 given earlier. If BigMoney Bank is not satisfied that the auditor who was engaged by
Intaba Lodge (Pty) Ltd was independent of Intaba Lodge (Pty) Ltd, then the bank will regard the auditor’s opinion
on the “fairness” of Intaba Lodge (Pty) Ltd’s financial information as little more than worthless.
Similarly, with regard to Example 2, the intention of the promoter of a television game show which makes use of
an auditor to verify results is to convey to the public and the show’s sponsors, that there is no “funny business”
going on with the results, and that results are not being manipulated. He wants his results and his show to have
credibility and the public to be confident that the result was valid. Now, if the auditor is not independent of the
game show promoter or is not perceived by the public to be independent, his opinion on the results will be
worthless!
1/4 Auditing Notes for South African Students

Finally, the word “auditor” is derived from the Latin word “audire” (to hear). In ancient times, accounting
took place orally, for example a servant would tell his master what he had done to protect and develop
crops, land or cattle. The master would listen to such accounts of stewardship and question the servants, in
other words, the master was the listener or auditor. As the skills of writing and bookkeeping evolved, so
auditing evolved with them, growing from merely listening to oral accounts of stewardship to examining
written records. In many instances, masters not wishing to attend to such matters would have appointed a
trusted person independent of the stewards to “satisfy himself of the truth” of the steward’s bookkeeping.
The foundation for the modern auditor had been laid, for example shareholders (master) engage auditors
(independent trusted person) to “satisfy themselves as to the fair presentation” of the directors’ (stewards)
bookkeeping, which is presented in the form of the annual financial statements. As business has evolved,
professional accountants are required more and more to give assurance on all kinds of different information
– not only financial statements. However, the basic premise of “enhancing credibility of information” and
“increasing confidence of users” remains.
Note: Postulates can be regarded as the philosophical foundations of a discipline. In their text, The
Philosophy of Auditing, written over 50 years ago, Mautz and Sharaf suggested a number of auditing
postulates on which modern day auditing is built. A broad understanding of these postulates will
increase one’s understanding of the discipline and why some aspects of auditing are as they are!
These postulates have been explained in the appendix to this chapter.

1.1.1.3 Which type of auditor does this text deal with?


This text deals primarily with registered auditors, the external audit of financial statements and the
assurance (opinion) given for this common engagement.
However, registered auditors frequently carry out independent reviews of financial statements, so this
type of engagement is also regularly referred to in the text and covered in some detail in chapter 19. The
major difference between an audit engagement and a review engagement is the nature and extent of the work
done and consequently the level of assurance which is given by the registered auditor. For a detailed
comparison of the two types of engagement see the chart in chapter 19.
As touched on in paragraph 1.1.1.2, registered auditors are individuals who are referred to by the assur-
ance engagement framework as “professional accountants in public practice” and who offer their services
in auditing, accounting, taxation etc., to the public. Such individuals must be, in terms of the Auditing
Profession Act, 2005 (APA), registered with the Independent Regulatory Board for Auditors (IRBA).
In the context of the auditing and accounting profession, the term audit is defined in the APA. The term
“audit” means:
The examination of, in accordance with prescribed or applicable auditing standards:
(i) financial statements with the objective of expressing an opinion as to their fairness or compliance with
an identified financial reporting framework and any applicable statutory requirements or
(ii) financial and other information prepared in accordance with suitable criteria, with the objective of
expressing an opinion on the financial and other information.
The point is that the authority to conduct an audit of financial statements or financial information, as
defined, is restricted to registered auditors. Although other individuals may include the word “auditor” in
their “job description”, for example internal auditor, forensic auditor, environmental auditor, etc., these
individuals may not conduct such audits, that is an audit as defined by the Auditing Profession Act. (Of
course if a forensic auditor was registered with the IRBA as being in public practice he could conduct
audits as defined in addition to his forensic work.)
This is similar to the laws relating to other professions. You cannot call yourself a medical doctor or an
attorney without registering with the relevant professional body, which in turn will require that you are
properly trained and qualified. So how is it then that a person can call himself an “internal auditor” or a
“government auditor” without registering with the IRBA? The answer is simple; section 41 of the APA spe-
cifically permits it. As for other types of auditors, such as environmental auditors, their role is to report on
matters such as compliance with environmental regulations and not on the fairness of financial statements
or other information presented in accordance with financial accounting frameworks. Just to make things a
little more confusing, many auditors of all different types are also chartered accountants, i.e. members of
the South African Institute of Chartered Accountants (SAICA). The reason for this is that qualifying as a
chartered accountant provides a wide range of relevant skills which enable the individual to join commerce
and industry, go into public practice or choose to be an internal auditor, government auditor, etc.
Chapter 1: Introduction to auditing 1/5

1.1.2 Why there is a need for auditors


1.1.2.1 The split between ownership and management
The need for modern-day auditors, both external and internal, arose out of the natural development of
owner-managed businesses into entities which were owned by people who did not manage them. The owners
provided the finance and appointed managers to run the business. The owners would require that the
managers’ report to them at regular intervals on their stewardship (management) of the owners’ money.
Many of the providers of finance who, as stated, were not involved in managing the business, had neither
the time nor the expertise to determine whether what they were being told by their managers was a fair
representation of the managers’ stewardship. The solution was to appoint an independent person to evaluate
the reports of the managers and to provide an opinion on their truth or fair presentation. The need for the
external auditor was established and entrenched.
As businesses grew and became more complex, so the responsibilities of management to run the business
efficiently and effectively and to satisfy shareholders’ expectations became more onerous. Out of this came
the internal audit, described above as a mechanism to assist management in meeting its responsibility of
running the business efficiently and effectively.
The other categories of auditor have also developed out of the growth in business. Government passes
laws about protecting the environment – hence the environmental audit. Businesses suffer fraud – hence the
forensic audit.

1.1.2.2 Confidence in financial information


In order to maintain the confidence of those who invest in business, whether they are members of the
general public or investment companies, assurance is required that the financial information produced by
business organisations is reliable and credible. It is the auditor of the financial information who provides
this assurance (credibility). The success of the world's capital markets hinges partially on whether investors
are confident that they can rely on financial statements and other financial information to make investment
decisions. Auditors (professional accountants) play a crucial role in inspiring this confidence by expressing
opinions as to the fair presentation of financial information. In turn, the availability of independently
audited financial information assists in:
• directing individual investors towards investments that suit their needs, for example risk, or return
• developing the economy as a whole, by ensuring that funds are directed towards those entities which
provide evidence of sound management, high productivity and strong financial positions
• enabling the government to collect taxes on an equitable basis
• inspiring confidence in how the government handles its finances.
Remember that the general public as well as specific investing entities have a direct interest in the economy
and that the economy is aided by the availability of reliable financial information. The performance of unit
trust companies, pension fund administrators, and the South African Revenue Services affects the general
public directly. In turn their performance depends on reliable financial information being available to them
to make sound investments or to levy taxes. The reliability and credibility of the information they use and
which they release is enhanced by its association with the auditing profession and the accounting profes-
sion at large.

1.1.2.3 Accountability
The “auditing” profession, and here we are not restricting our discussion to registered auditors in public
practice, has blossomed over the years with the emergence of internal auditing, government auditing,
forensic auditing and environmental auditing as major forces in their own right. The dominant reason for
this is that the world at large requires accountability. Directors must be held accountable for the way in
which they run their businesses, the government must be held accountable for the way it spends taxpayers’
money, and companies whose activities affect the environment must be held accountable for the way in
which they adhere to environmental regulations and legislation. This has created a need for the wider
“auditing” profession to provide an independent service which assesses and evaluates whether directors,
governments, etc., are meeting their responsibilities. The world demands sound corporate governance and
auditors play a key role in meeting this demand.
1/6 Auditing Notes for South African Students

1.1.3 Specific theories as they relate to businesses, auditing and the profession
During your studies of auditing, you will come across different theories and philosophies, which relate to
specific aspects of businesses, auditing and the profession. Below are a few specific theories/philosophies as
they relate to businesses, auditing and the profession:
x Agency theory as it relates to governance and reporting. This theory, developed by Jensen and Meckling
(1976) explains the relationship between business principles (the shareholders/owners) and their agents
(the directors). The shareholders delegate authority to the directors, who then act on the shareholders’
behalf. Conflict of interest arises between ownership and control, where those who control the entity
(the directors) may not necessarily have the best interest of the shareholders and other stakeholders at
heart.
x Legitimacy theory as it relates to governance. This theory of Dowling and Pfeffer (1975) holds that, for
an entity to continue to exist, it must act in consensus with society’s values, norms and interests.
Entities thus have a social responsibility towards, and should exist in harmony with, their stakeholders.
x Stakeholder theory as it relates to personal and business ethics, governance and reporting. This theory
(usually accredited to Freedman, 1984) places focus on the effect that an entity and its activities have
on all of its stakeholders (e.g. employees, society, customers, suppliers, etc.) as opposed to focusing
only on its shareholders. In accordance with this theory, an entity is expected to have moral values and
social responsibilities.
x Ubuntu as it relates to governance. Ubuntu is an African philosophy which expresses compassion and
humanity. This philosophy manifests that a corporation has a responsibility to serve not only its share-
holders, but also its wider stakeholders.
x Utilitarian ethics as it relates to business ethics. In lay terms, Utilitarian ethics hold that ethical choices
should be based on that which will produce “the greatest good for the greatest number”.
x Virtue ethics as it relates to business ethics. Virtue ethics has to do with a person/organisation’s moral
foundation. An organisation should focus on what type of entity it wants to be and should practice
acting in a morally sound way.

1.1.4 Assurance engagements and the expectation gap


Before moving on to discussing the specifics of the audit of financial statements (the main focus of this text)
we need to take a closer look at assurance in the context of auditing. For example, what are the public’s
expectations from the auditor? Are there such things as non-assurance engagements? Are there different
levels of assurance? What distinguishes a non-assurance engagement from an assurance engagement, etc.?
Before we consider these questions, it is necessary for us to understand the elements of an assurance
engagement. These are explained in the International Framework for Assurance Engagements.

1.1.4.1 The expectation gap


The auditing expectation gap is a term used to describe the difference between what society expects from
the auditing profession and what the auditor in actual fact provides. This “gap” is caused by different
factors, identified by the Association of Chartered Certified Accountants (ACCA), such as the knowledge
that the public has of what auditing involves (referred to as the knowledge gap), the auditor’s actual
performance (referred to as the performance gap) and what the public wishes the auditor would do (referred
to as the evolution gap). Expectations that the public holds may include fraud detection and other non-
audit services as well as specific technical knowledge that they may expect the auditor to possess. The
ACCA also makes specific suggestions in addressing the expectation gap such as proper communication
with the public (via audit firms, accounting bodies, regulators and standard setters, and the media) relating
to auditing requirements and changes to regulations and standards (and the reasons behind such changes);
addressing audit quality issues; and being mindful of the public’s expectations when setting new policies.

1.1.4.2 Assurance engagements


As we saw earlier, in terms of the International Framework for Assurance Engagements, an assurance
engagement is one in which the professional accountant “expresses a conclusion designed to enhance the
degree of confidence of the intended users, other than the responsible party, about the outcome of the
evaluation or measurement of a subject matter against the criteria”. Perhaps the easiest way to understand
Chapter 1: Introduction to auditing 1/7

this rather tedious definition is to break it down into its elements and relate it to the audit or review of a set
of financial statements.

Elements of an assurance engagement

Element Example – audit Example – review


• three-party relationship
– professional accountant – registered auditor – registered auditor
– responsible party – directors responsible – directors
– intended user for annual financial statements – shareholders
(AFS)
– shareholders
• a subject matter • financial position, results of • financial position, results of
operations, etc. operations, etc.
• suitable criteria • International Financial Reporting International Financial Reporting
Standards (IFRS) Standards for small and medium-
sized enterprises (SMEs)
• sufficient appropriate evidence • the evidence the practitioner needs • the evidence the reviewer
to be in a position to form an needs to express a conclusion
opinion as to whether the financial on whether anything has come
statements are free of material to his attention which causes
misstatement and are “presented him to believe the financial
fairly” in terms of IFRS statements are not prepared in
accordance with IFRS
for SMEs
• a written assurance report • the audit opinion report on fair • the review conclusion (limited
presentation (reasonable assurance) assurance)

1.1.4.3 The audit engagement


We can deduce from the chart that the audit of financial statements is an assurance engagement in which
the auditor gathers sufficient appropriate evidence to form an opinion on whether the directors, who are
responsible for the financial statements, have applied IFRS appropriately in presenting the financial
position, financial performance, changes in equity, cash flows and disclosure notes/(subject matter). The
opinion formed is then reported by the auditor to the shareholders in the audit report.
It is important to note the following:
• For the auditor to form an opinion on fair presentation he must have suitable criteria in terms of which
to judge fair presentation. The auditor cannot just say that fair presentation has been achieved, fairness
can only be judged in terms of a benchmark or standard and this is where the accounting framework
comes in. The most common frameworks are IFRS and IFRS for SMEs.
• The auditor must perform the audit in the prescribed manner. How he goes about this is laid down in
the International Standards on Auditing (ISAs) with which the auditor must comply in all aspects of the
audit, i.e. planning, risk assessment, gathering evidence and reporting.
• The audit engagement provides reasonable assurance.
This is discussed below.

1.1.4.4 The review engagement


We can also deduce from the chart that the review of financial statements is an assurance engagement and
is very similar to an audit engagement. In a review engagement the reviewer (who will very often be a
registered auditor) gathers sufficient appropriate evidence to form a conclusion on whether anything has
come to his attention which causes him to believe that the financial statements prepared by the directors are
not prepared in accordance with IFRS for SMEs (or IFRS).
1/8 Auditing Notes for South African Students

Again it is important to note the following:


• The reviewer forms his conclusion in terms of defined criteria, in this case IFRS for SMEs (could also
be IFRS).
• The reviewer must perform the review in the prescribed manner. How he goes about it is laid down in
ISRE 2400 – International Standards on Review Engagements. Although some of the concepts or
procedures in the ISAs are relevant, the ISAs are auditing standards and are not applicable to a review
engagement.
• The review engagement provides only limited assurance.

1.1.4.5 Non-assurance engagements


There are many types of engagement which accountants in public practice undertake, that are not
assurance engagements. These include taxation services and a wide range of advisory services relating to
accounting, business performance, corporate finance, etc. These services can be classified as non-assurance
engagements.
Non-assurance engagements are engagements which do not meet the definition of an assurance engage-
ment, or do not contain the elements of assurance engagements. For example, in an advisory engagement
the practitioner does not normally report to a third party, or the client may not require any assurance, or
there may be no suitable criteria (benchmarks or framework) against which the subject matter of the
engagement can be reliably measured. Perhaps the defining characteristic of these engagements is that the
professional accountant does not express an opinion or form a conclusion on the subject matter of the
engagement. Examples of non-assurance engagements illustrate this.
Example 1: the professional accountant is engaged to compile (collect, classify and summarise) certain
information for the client but is not required to comment or express an opinion thereon.
Example 2: the professional accountant is requested by a client to prepare and submit the company’s tax
return.

1.1.5 Reasonable assurance, limited assurance and absolute assurance


In terms of the assurance engagement framework, there are two types of assurance engagement a practi-
tioner is permitted to perform, namely a reasonable assurance engagement and a limited assurance engage-
ment. Obviously the distinction between the two is the level of assurance (the degree of confidence) which
is provided by the practitioner. It is equally obvious no doubt, that the level of assurance which the prac-
titioner can give depends on the amount of evidence which has been gathered.

1.1.5.1 Reasonable assurance


ISA 200 – Overall Objectives of the Independent Auditor, defines reasonable assurance as a “high but not
absolute” level of assurance. Reasonable assurance can only be given when the practitioner has gathered
sufficient appropriate evidence to satisfy himself that the risk that he expresses an inappropriate opinion on
the subject matter is acceptably low. In the context of an audit of financial statements this means that the
auditor carries out comprehensive procedures to gather evidence so that he can express an opinion, namely
that the financial statements are fairly presented (not materially misstated) in a positive form. The nature
and extent of the audit procedures he conducts must satisfy the auditor that the risk that he will express an
opinion that the financial statements are fairly presented when in fact they are not, is low.

• Reasonable assurance – audit – positive expression


A reasonable level of assurance is conveyed by the use of the phrase “in our opinion the financial state-
ments present fairly . . .”

1.1.5.2 Limited assurance


Limited assurance is a level of assurance which is lower than reasonable assurance but which is still
“meaningful” to users (ISRE 2400). It has also been described as moderate assurance. Limited assurance is
given when the practitioner has gathered enough evidence to satisfy himself that the risk that he expresses
an inappropriate conclusion on the subject matter is greater than for a reasonable assurance engagement,
but still at an acceptably low level for the particular engagement. In the context of a review of financial
statements this means that the reviewer carries out sufficient procedures to gather evidence so that he can
Chapter 1: Introduction to auditing 1/9

express a conclusion in a negative form as to whether anything has come to his attention which causes him
to believe that the financial statements are not fairly presented. Because limited assurance is required for a
review engagement, the nature and extent of procedures conducted by the reviewer will be far less
comprehensive than for an audit, but the reviewer must still be satisfied that he has gathered sufficient
appropriate evidence to support his conclusion.

• Limited assurance – review – negative expression


A limited level of assurance is conveyed by not using the phrase “In our opinion . . .” and replacing it with
“Nothing came to our attention which causes us to believe that these financial statements do not present
fairly . . .”

1.1.5.3 Absolute assurance


Having read the above discussion you may be wondering why the auditor cannot certify or confirm that the
financial statements are 100% correct. Why is the auditor restricted to providing reasonable assurance? By
carrying out more procedures could he not actually confirm that the financial statements are correct?
Essentially the reason that the auditor cannot certify (provide absolute assurance) is that an audit has
inherent limitations which prevent the auditor from certifying or confirming the 100% correctness of a set
of financial statements. ISA 200 provides the basis for the following explanation of the inherent limitations
of an audit.

1.1.5.4 Limitations of an audit


• The nature of financial reporting. In the preparation of financial statements, management must apply
judgement in applying the relevant reporting framework, and financial statements contain many
account balances which are subjective, for example, non-current and current assets are directly affected
by estimates (subjective) of depreciation, impairment, inventory obsolescence and bad debts respect-
ively. It is impossible to know exactly which debtors will not pay, or which inventory will become
obsolete.
• The nature of audit procedures. There are practical and legal limitations on the auditor’s ability to obtain
audit evidence. There is always the possibility that management may not provide complete information
that is relevant to the preparation of the financial statements, and accordingly the auditor cannot be
certain that all relevant information has been received. Audit procedures are not designed specifically to
detect fraud, and by collusion or falsification of documentation and other means of circumventing
controls carried out by management, fraudulent transactions may go undetected and the auditor may
believe that evidence is valid when it is not.
• Audit evidence is usually persuasive rather than conclusive. For example, an auditor is “persuaded” that an
event or transaction took place by the presence of documents or information provided by management,
rather than by actually witnessing the event. The documentation could be false, and the information
provided by management untrue. It is obviously impossible for the auditor to “witness” every trans-
action.
• The use of testing. On a similar note, the auditor cannot examine every single transaction which has
taken place in the business due to financial and time constraints, therefore it is necessary to “test
check”, that is, perform procedures on only a sample of transactions and balances. Once the auditor
“test checks”, he cannot state that everything is 100% correct; only a reasoned opinion based on the
sample on which procedures were undertaken, can be given.
• The inherent limitations of accounting and internal control systems. The auditor is obliged to place reliance
on the systems which the client has put in place to provide financial information. These systems have
inherent limitations which may result in the failure to detect errors or fraud (see “limitations of internal
control”, chapter 5) and hence the information on which the auditor forms an opinion, may be flawed.
• Timeliness of financial reporting and the balance between benefit and cost. To be of any value, the audit
opinion must be reported within a reasonable time after the financial year-end, and the benefit derived
from the audit must exceed the cost. To meet these practical requirements will generally lead to some
compromise in the audit, but it is compromise that users understand and accept.
• Other matters that affect the inherent limitations of an audit. There are frequently aspects of the audit or
assertions in the financial statements which are inherently difficult for the auditor to gather sufficient
1/10 Auditing Notes for South African Students

appropriate evidence about, and which compound the limitations of the audit. For example, in some
situations it is virtually impossible for the auditor to:
– determine the presence or effect of fraud conducted by senior management
– satisfy himself that all related parties and related-party transactions have been identified and correctly
treated in the financial statements
– determine the level of non-compliance with laws and regulations which may have an impact on the
financial statements
– identify and evaluate future events which may have a bearing on the going concern ability of the
company.
The point is that these “uncertainties” contribute to the limitations of the audit process and in turn make it
impossible for the auditor to provide absolute assurance.

1.2 The accounting profession


1.2.1 The nature of professional status
Professional status is not attained merely by attaching the label “professional” to a body of practitioners. It
is achieved when there is public acceptance that such a body of practitioners is worthy of recognition as a
profession. Howard F. Stettler (the author of a number of auditing works) suggests that certain attributes are
common to groups that are generally considered to have professional standing. These attributes may be
summarised as follows:
A profession offers skills and services which are highly specialised and which require:
• particular intellectual abilities
• mastery of a specialised body of knowledge through a formal education process
• mastery of the application of these intellectual abilities and specialised knowledge through a practical
training process.
The quality of services delivered by a profession cannot easily be evaluated by the public who rely on these
services. In order to protect the public and the reputation of the profession against incompetence or
unethical behaviour in the field concerned, a profession is supported by certain regulatory mechanisms
which include:
• the existence of laws restricting admission to practice to those who are properly qualified
• the existence of a strong voluntary organisation dedicated to the advancement of the profession, with
primary attention devoted to improvement of the services that the profession renders
• freedom from uninhibited competition so that practice may be carried on in an atmosphere of dignity
and self-respect, with adequate opportunity for concentration on the improvement of services
• active support of a code of ethical conduct through which the public may judge the professional stature
of those in practice.
A profession and its members will also demonstrate an intellectual and ethical commitment which
transcend the desire for monetary gain:
• members display an underlying service motive which is not due purely to the financial rewards which
may flow as a result of the services performed
• peer evaluation is based on factors considered to be more important than financial success.
SAICA expresses the same attributes in a slightly different way. It states that a profession is distinguished
by certain characteristics including:
• mastery of a particular intellectual skill, acquired by training and education
• acceptance of duties to society as a whole in additional to duties to the client or employer
• an outlook which is essentially objective
• rendering personal services to a high standard of conduct and performance.
Equally important are the ethical principles which members of the auditing profession must abide by. As is
discussed in depth in chapter 2, the SAICA and IRBA Codes of Professional Conduct lay down the
Chapter 1: Introduction to auditing 1/11

fundamental ethical principles that all chartered accountants and registered auditors are required to observe
as:
• integrity: being straightforward and honest, in all professional and business relationships
• objectivity: not allowing bias, conflict of interest or undue influence of others to override professional or
business judgements (impartial, independent)
• professional competence and due care: maintaining professional knowledge and skill at the required level
and performing work diligently in accordance with applicable technical and professional standards
• confidentiality: respecting the confidentiality of client information
• professional behaviour: complying with laws and regulations and avoiding action which discredits the
profession.
Both ISA 200 (audit) and ISRE 2400 (review) endorse these specific fundamental principles.

1.2.2 Accounting bodies in South Africa


There are a number of accounting bodies in South Africa including the South African Institute of Chartered
Accountants (SAICA), the Association of Chartered Certified Accountants (ACCA), the Chartered
Institute of Management Accountants (CIMA) and the South African Institute of Professional Accountants
(SAIPA). In addition, there is the Independent Regulatory Board for Auditors (IRBA) which was brought
into being by the Auditing Profession Act (APA), and the Institute of Internal Auditors. The dominant
bodies at this stage are SAICA and IRBA and their roles are closely interlinked.

1.2.2.1 South African Institute of Chartered Accountants


SAICA is registered with the International Federation of Accountants (IFAC) and is the body which looks
after the interests of its members whether they are in public practice, business, or other pursuits:
• Currently, to qualify as a member of SAICA, the prospective accountant must obtain a recognised
qualification from an accredited university, for example a BCom (Hons), pass the Initial test of Compe-
tence (ITC) examination as well as the Assessment of Professional Competence (APC) examination
and serve a training contract with a SAICA-accredited training office.
• An individual who satisfies the above requirements may join SAICA and use the designation CA (SA)
which stands for Chartered Accountant (South Africa).
• A member of SAICA can either be a chartered accountant in public practice or a chartered accountant in
business.
• A chartered accountant in public practice is an accountant in a firm (may be a sole practitioner) who
provides services requiring accountancy or related skills such as auditing, taxation, management con-
sulting and financial management services, for example a partner at PWC.
• A chartered accountant in business is an accountant employed or engaged in such areas as commerce,
industry, government service, the public sector, education, etc., for example, a financial director at a
listed company, or the financial controller in a municipality.
• A chartered accountant in public practice must be registered with the IRBA if he (or his firm) wishes to
offer auditing services.
Offering accounting services such as bookkeeping, taxation, management or financial advice, is not
restricted to members of SAICA. As indicated above, there are other accounting bodies such as SAIPA,
ACCA or CIMA who also offer these services but members of these bodies may not offer auditing services
(as defined).
Of course there is nothing to prevent an individual from being registered with two or more professional
bodies provided they meet the registration requirements. The vast majority of registered auditors are mem-
bers of SAICA.

1.2.2.2 The Independent Regulatory Board for Auditors


The IRBA has the responsibility of looking after the professional interests of auditors. It deals with such
matters as registration, education and training, accrediting professional bodies (such as SAICA) for
membership, and prescribing standards of competence and ethics. The IRBA is also there to protect the
public in its dealings with registered auditors, and to discipline IRBA members who “break the rules”.
1/12 Auditing Notes for South African Students

To become a member of the IRBA, an individual must in essence do the following:


• satisfy the educational requirements of SAICA, that is, obtain a recognised qualification from an
accredited university, and pass the ITC and APC examinations
• complete a training contract in public practice (in a registered training office)
• satisfy the requirements of the Audit Development Programme subsequent to meeting the requirements
for registration as a chartered accountant.
The official designation for individuals registered with the IRBA, is “registered auditor” or RA.

1.2.3 Pronouncements which regulate the (auditing) profession


Having discussed why there is a need for auditors and other professional accountants and the attributes of a
profession, the importance of maintaining and inspiring public confidence and trust should be obvious. It is
vital that the accounting profession seeks to ensure that high standards of ethics, conduct and skill are set
for, and maintained by, its members. If these standards are allowed to slip, public confidence will be
undermined.
Legal and professional requirements have therefore been developed over the years to ensure that appro-
priate standards are set and adhered to. Indeed, ISA 200 – Overall objectives of the Independent Auditor
and the conduct of an Audit in accordance with International Standards on Auditing requires, inter alia,
that the auditor:
• shall comply with relevant ethical requirements, including those pertaining to independence, relating to
financial statement audit engagements (contained in the relevant Codes of Professional Conduct)
• shall comply with all International Standards on Auditing.
The important legislation, regulations and standards are set out in the following pronouncements:
• The Auditing Profession Act 2005 (as amended)
• The Companies Act 2008 and Companies Regulations 2011
• The Constitution and By-Laws of SAICA
• The SAICA Code of Professional Conduct
• The Rules regarding Improper Conduct and the Code of Professional Conduct for Registered Auditors
• International Standards on:
(i) Auditing (ISA)
(ii) Review Engagements (ISRE)
(iii) Assurance Engagements (ISAE)
(iv) Related Services (ISRS)
(v) Quality Management (ISQM)
• International Auditing Practice Statements (IAPS)
• South African Auditing Practice Statements (SAAPS).
Note (a): The responsibility for “developing and issuing high quality standards on auditing, assurance and
related service engagements, related practice statements and quality control standards for use
around the world” rests with the International Auditing and Assurance Standards Board.
Note (b): The audit of listed companies is also influenced by the JSE listing requirements and the King IV
report on Corporate Governance for South Africa 2016.

1.2.3.1 Focus on quality management


Renewed focus has been placed on quality management of audit firms and engagements to address the ever
more complex nature of auditing as well as the increasing expectations of stakeholders. In particular, three
new/revised standards are of importance in relation to quality management. These are ISQM 1 and 2, as
well as ISA 220 (revised). ISQM 1, (Quality Management for Firms that Perform Audits or Reviews of
Financial Statements or Other Assurance or Related Service Engagements) replaces ISQC 1 and reinforces
a firm’s quality management by supposing it as a system, designed to the specifications of the specific firm
and specific engagement that it performs. The system incorporates eight components:
(1) the firm’s risk assessment process (setting objectives; identifying risks relating to the achievement of set
objectives and designing responses to those risks);
Chapter 1: Introduction to auditing 1/13

(2) governance and leadership (including culture, leadership and organisational structure);
(3) relevant ethical requirements (including requirements related to independence, objectives set for the
firm, its personnel and others);
(4) acceptance and continuance of client relationships and specific engagements (including considerations
such as the nature, circumstances, integrity, ethical values, ability to perform the engagement as well
as financial and operational priorities);
(5) engagement performance (quality objectives set to address the quality of the engagement including
responsibility, supervision, professional judgement, consultation, resolution of differences, and docu-
mentation);
(6) resources (human, technological, and intellectual, as well as service providers);
(7) information and communication (quality objectives relating to obtaining, generating, using and com-
municating information); and
(8) the monitoring and remediation process (to provide information about the design, implementation and
operation of the system and to take relevant remedial actions to any deficiencies).
Should an engagement quality review be required (as in the case of the audit of a listed entity or in terms of
the specified responses to the risks identified as part of the firm’s risk assessment process, or by law or
regulation) the appointment and eligibility of such an engagement quality reviewer, as well as his/her
responsibilities, are dealt with in ISQM 2 (Engagement Quality Reviews).
ISA 220 – Quality Management for an Audit of Financial Statements, deals specifically with the engage-
ment partner’s and engagement team’s responsibility towards quality management for financial statement
audits, as applicable to the nature and circumstances of each audit. This standard emphasises the specific
responsibilities of the engagement partner (as the person who is ultimately responsible for the audit) and
the importance of professional judgement. It also allows for the engagement team to place reliance on the
firm’s system of quality management (however, not blindly) and it integrates the concepts of ISQM 1 (as
above). ISA 220 is dealt with in detail in chapter 6.

1.3 The financial statement audit engagement


1.3.1 Introduction
As pointed out earlier, this book focuses mainly on engagements at which the external audit of an entity’s
financial statements takes place. This type of engagement is classified as an assurance engagement, and
must be conducted by a registered auditor. The entity could be a company or a close corporation.
Before going any further it is necessary to establish which entities must have their annual financial
statements audited and which companies qualify for an independent review instead of an audit.

1.3.1.1 The public interest


The need for auditing in its various forms is a response to the needs of society and is therefore of public
interest. Society and business are totally interlinked and rely on each other for their survival. If there is no
business, there is no workable society and without society, there is no business – no jobs, no products: no
products, no jobs! As we have already discussed, the public interacts with business in numerous ways:
through employment, through pension funds, through direct or indirect ownership of shares in businesses,
through trading and through making loans to purchase a house or vehicle or educate ourselves. The
business world and society run on financial information and depend on that information being accurate,
fair and credible. Therefore, it is in the public interest that there be a method of achieving the production and
use of credible information in society. This method is the wider practice of auditing which provides the
independent assurance as to the truth and fairness of financial information produced primarily by business
entities.

1.3.1.2 The public interest score


For many years, in order to achieve a climate of reliable financial information, the Companies Act of the
time required that all companies, large or small, public or private, had their financial statements externally
audited. It was the opinion of business and the legislators that this was the right thing to do in terms of the
public interest. At the same time, close corporations were not required to have their annual financial
statements externally audited, despite the fact that in many cases, close corporations were larger than
numerous small companies. The reason for this was simple: because close corporations were (and are)
1/14 Auditing Notes for South African Students

managed and owned by the same individuals (the members), there is no split between owners and
managers. Managers did not have to report their custodianship to the owners and the owners did not need
the protection of independent assurance as to the fairness of the financial statements because, in theory,
they worked in the business.
However, with the introduction of the Companies Act 2008, there was a shift in thinking as regards
which business entities should be required to have their annual financial statements audited. The Act
introduced a new method of determining which entities required an audit of their financial statements. The
decision no longer hinges on whether the entity is a company (audit) or a close corporation (no audit) but is
based rather on the level of public interest in the entity. As a result, the Companies Act 2008 and its
accompanying regulations stipulate that all companies and close corporations must calculate their public
interest score for each financial year. As you would expect, the score is based on factors which generally
determine the level of interest the public has in the entity. An entity’s public interest score will be the sum
of:
• a number of points equal to the average number of employees during the financial year
• one point for every R1 million (or portion thereof) of turnover
• one point for every R1 million (or portion thereof) of third-party liability at year-end, and
• one point for every individual who directly or indirectly has a beneficial interest in any of the com-
pany’s shares/members’ interests.
You will notice immediately that companies and close corporations with large labour forces and high
turnovers are going to have far higher public interest scores than small companies and close corporations.
The public interest score method recognises this and as a result public interest scores are broken down into
three strata, namely 350 points and above, 100 to 349 points and less than 100 points, as indicated in the
Companies Act’s regulations. The stratum into which the entity’s public interest score falls assists in
determining to which level of assurance engagement if any, an entity must subject its annual financial
statements.
In addition to the public interest score, there is another factor which must be taken into account in
determining to which assurance engagement the entity must subject its financial statements. This factor is
whether the annual financial statements are internally compiled by the entity or externally compiled by what is
termed an independent accounting professional (a suitably qualified accountant who is independent of the
entity whose annual financial statements are being compiled).
To complete the picture, remember that there are two types of assurance engagement, namely an
independent audit or an independent review. As we have discussed, an audit is far more comprehensive
than a review, and enables the auditor to give a higher level of assurance on the fair presentation of the
financial statements. As the objective is to create a climate of reliable financial information, particularly
relating to entities in which there is a high public interest, it is logical that companies and close
corporations that have a high public interest score and compile their annual financial statements themselves
should be externally audited. Similarly, companies and close corporations with lower public interest scores
that have their annual financial statements externally compiled (independently) should not have to be
audited, but could rather have their annual financial statements reviewed.
The following chart summarises this:
Public interest score in Close corporations and owner-
Company
points managed companies
Less than 100 Review No assurance engagement required
100 to 349 Audit if AFS internally compiled Audit if AFS internally compiled
Review if AFS externally compiled No assurance required if AFS externally
compiled
(Note 1)
350 and above Audit (regardless of who compiles the AFS) Audit (regardless of who compiles the
AFS)
Note 1: It may seem strange that close corporations and owner/managed companies that have their
financial statements externally compiled and have points falling in the range 100 to 349 do not
require their AFS to be audited or reviewed, while a “normal” company in the same situation
must have its AFS reviewed. This is because the Companies Act and its regulations specifically
exempt owner/managed companies and close corporations from the review requirement for their
Chapter 1: Introduction to auditing 1/15

annual financial statements on the grounds that as the owners and managers of these entities are
the same individuals, the external compilation adds the necessary level of credibility to the
financial statements and satisfies the limited interest the public has in these entities.
In addition to audit and review requirements arising out of public interest scores, the Companies Act 2008
and the regulations make it obligatory for certain other companies to have their annual financial statements
audited, regardless of their public interest score. These are:
(i) public companies and state-owned companies, and
(ii) companies which hold assets (exceeding R5m) in the ordinary course of their primary activities in a
fiduciary capacity for persons not related to the company.
The reason for these specific requirements is obvious – there is a strong element of public interest.

1.3.2 A model of the independent audit of the annual financial statements of a company
arising out of the requirements of the Companies Act 2008
As discussed earlier in this chapter, the establishment of the modern auditing profession arose out of the
split between ownership of a business enterprise and the management of that enterprise. As businesses grew
from entities owned and managed by the same person into large private or public companies where the
owners (shareholders) and managers (directors) were not the same person or persons, the need arose for an
independent party (the auditor) to express an opinion on whether the reports made by those managing the
business to those owning the business were fair. Note that this is the “three-party relationship” element of
an assurance engagement. As business formalised, it became a matter of public interest to lay down rules
and regulations to protect the large and small investor and the economic system as a whole. In virtually all
capitalist economies, this resulted in the promulgation of “Companies Acts” by the various governments.
South Africa was no exception, and for many years our Companies Act has played an integral part in the
practice of auditing. The diagram and explanation presented below illustrate the roles of the various parties
and the Companies Act in the audit.

Note (a): According to ISA 200, the overall objectives of the auditor are to:
• obtain reasonable assurance about whether the financial statements as a whole are free from
material misstatement, whether due to fraud or error, thereby enabling the auditor to express
an opinion on whether the financial statements are prepared, in all material respects, in
accordance with an applicable financial reporting framework (e.g. IFRS), and
• to report on the financial statements and communicate as required by the ISAs, in accord-
ance with the auditor’s findings.
Note (b): The auditor’s opinion is not an assurance of the future viability of the entity, nor the efficiency
with which management has conducted the affairs of the entity.
1/16 Auditing Notes for South African Students

Note (c): It is not an objective of the audit to discover or prevent fraud or to ensure compliance with the law.
These areas are the responsibility of management. The auditor’s responsibility is to carry out his
audit in such a way that there is a reasonable expectation of detecting such instances if they
affect fair presentation (i.e. the financial statements contain material misstatement arising from
fraud or error).
Note (d): Although this model and diagram would be very similar for a review engagement there would be
some important differences. The independent review engagement is covered in depth in chap-
ter 19.

1.3.3 The roles of the various parties


1.3.3.1 Shareholders
• provide finance for the business;
• appoint directors to manage the business;
• appoint auditors to express an opinion on whether the assertions (representations) relating to account
balances, classes of transactions and events, as well as presentation and disclosure, which are made by
the directors to the shareholders in the form of the annual financial statements, are fairly presented; and
• receive the annual financial statements from the directors and a report from the auditors on the fair
presentation of the financial statements.

1.3.3.2 Directors
• are responsible for running the company and reporting the results of their stewardship (management) to
the shareholders, by way of assertions in the annual financial statements; and
• for preparing the financial statements in terms of an appropriate financial reporting framework (e.g.
IFRS).

1.3.3.3 Auditors
• are responsible for gathering sufficient appropriate evidence to be in a position to give an independent
opinion on whether the annual financial statements issued by the directors to the shareholders present
fairly the financial position and results of operations of the company, in terms of the applicable financial
reporting framework; and
• for reporting the audit opinion to the shareholders.

1.3.4 The role of the Companies Act 2008 and Companies Regulations 2011
Section 30 of the Companies Act:
• makes it compulsory for all public companies to be audited and
• provides the Minister (the member of the Cabinet responsible for companies) with the power to make
regulations which require private companies to be audited, taking into account whether it would be
desirable in the public interest, having regard to the economic or social significance of the company as
indicated by:
– its annual turnover,
– the size of its workforce, or
– the nature and extent of its activities.
The Minister has exercised this power by promulgating in the Regulations, the requirement for all com-
panies and close corporations to calculate their public interest score. This in turn will play a role in determin-
ing whether the company (or close corporation) must have its annual financial statements audited.
The Companies Act 2008 also:
• regulates the appointment of auditors and directors, including disqualifying certain individuals from
filling these roles;
• places an obligation on the directors to prepare annual financial statements, stipulates some of the
content, and provides legal backing for the financial reporting standards;
Chapter 1: Introduction to auditing 1/17

• provides the auditor with the right of access to the company’s records, without which the auditor cannot
fulfil his independent audit function; and
• requires that public companies appoint an audit committee and lays down the functions of the audit
committee.
All of these Companies Act sections make it possible for an effective external audit to take place, making
the Companies Act an integral part of the model.

1.3.5 The role of the Auditing Profession Act 2005


• Section 41 of the APA prohibits anyone who is not a registered auditor from performing the audit of an
entity’s financial statements.
• The APA also stipulates that the individual who is responsible for the audit is identified and named the
“designated auditor” (s 44(1)).
• The APA lays down the broad conditions for conducting an audit. Section 44 states that the auditor
may not express an unqualified audit opinion on the financial statements unless:
– the audit has been carried out free of restriction;
– in compliance with applicable auditing pronouncements;
– the auditor has satisfied himself of the existence of all assets and liabilities shown in the financial
statements;
– proper accounting records have been kept in one of the official languages;
– all information, vouchers and other documents, which in the auditor’s opinion, were necessary for
the proper performance of the auditors duty, have been obtained;
– the auditor has not had occasion to report a reportable irregularity to the IRBA;
– the auditor has complied with all laws relating to the audit of the entity; and
– the auditor is satisfied as to the fairness of the financial statements.
• Section 45 places a duty on the auditor to report any reportable irregularity (as defined) uncovered at an
audit client to the IRBA. (This is dealt with in chapter 3.)

1.3.6 The role of the International Standards on Auditing (ISAs)


• The ISAs provide the standards which the auditor must attain, and provide guidance on how this
should be done. The ISAs do not provide detailed lists of audit procedures; this is left up to the
individual auditor or audit firm. For example, Deloitte has its particular methods of doing things, while
PriceWaterhouseCooper (PWC) will have its methods. Auditing is not an exact science, but provided
the ISAs are complied with, an audit of the appropriate quality will be achieved.
• The ISAs cover the entire audit process. They provide guidance ranging from preliminary engagement
activities, through planning the audit, gathering sufficient appropriate evidence, and deciding on the
appropriate audit opinion and reporting the opinion.

1.3.7 The role of the assertions


It is important to understand at this stage what the directors are actually representing to the shareholders in
the financial statements. Once that is understood, the role of the auditor becomes clear. The report from the
directors to the shareholders takes the form of the annual financial statements, and the content of the annual
financial statements is controlled partly by the Companies Act and more extensively by the financial
reporting standards adopted by the entity. What are termed the assertions of the directors, which are in effect
their representations about the company’s assets, equity, liabilities, transactions and events, and
disclosures, are embodied in the financial statements.

1.3.7.1 Assertions and ISA 315 (revised)


The assertions are laid down in ISA 315 (revised) – Identifying and Assessing the Risks of Material Mis-
statements through understanding the Entity, as follows:
Assertions about classes of transactions and events, and related disclosures for the period under audit:
• Occurrence: transactions and events which have been recorded or disclosed, have occurred and pertain
to the entity.
1/18 Auditing Notes for South African Students

• Completeness: all transactions and events which should have been recorded, have been recorded, and all
related disclosures that should have been included in the financial statements have been included.
• Cut off: transactions and events have been recorded in the correct accounting period.
• Accuracy: amounts and other data relating to recorded transactions and events have been recorded
appropriately, and related disclosures have been appropriately measured and described.
• Classification: transactions and events have been recorded in the proper accounts.
• Presentation: transactions and events are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of the applicable finan-
cial reporting framework.
Aggregation means to combine or add together, and disaggregation means to break down. For example, in
the case of sales, the company may choose to disclose its sales broken down into categories that are
relevant to the company, for example, revenue from sales of different products, or by region or customer
type (government, private sector).
Assertions about account balances and related disclosures at the period end
• Existence: assets, liabilities and equity interests exist.
• Rights and obligations: the entity holds or controls the rights to assets, and liabilities are the obligations
of the entity.
• Completeness: all assets, liabilities and equity interests that should have been recorded have been
recorded, and all related disclosures that should have been included in the financial statements have
been included.
• Accuracy, valuation and allocation: assets, liabilities and equity interests have been included in the
financial statements at appropriate amounts and any resulting valuation or allocation adjustments (e.g.
depreciation, obsolescence) are appropriately recorded, and related disclosures have been appropriately
measured and described.
• Classification: assets, liabilities and equity interests have been recorded in the proper accounts.
• Presentation: assets, liabilities and equity interests are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable in the context of the require-
ments of the applicable financial reporting framework.

1.3.7.2 Assertions, the audit model and the auditor’s role


The assertions are dealt with more extensively in chapter 5 but in order to understand how the assertions fit
into the audit model and how they relate to the auditor’s role, consider the following example:

The line item below appears in the statement of financial position (balance sheet) of Tradition Ltd:
Trade accounts receivable R2 782 924
What are the directors actually saying (asserting) about accounts receivable? In terms of the assertions they are
representing that at period end:
• the debtors included in the balance existed at year-end, that is, no fictitious debtors have been included (existence)
• Tradition Ltd holds or controls the rights to the amounts owed by debtors, for example, the debtors have not
been factored (rights)
• all debtors have been included in the amount of R2 782 924, and all related disclosures have been included
(completeness)
• the amount of R2 782 924 is appropriate and represents the amount that can reasonably be expected to be
collected from debtors after making a suitable allowance for debtors who will not pay (accuracy, valuation and
allocation)
• accounts receivable have been recorded in the proper accounts (classification), and
• accounts receivable have been appropriately aggregated/disaggregated and clearly described, and related
disclosures are relevant and understandable (presentation).

Note. If you are wondering why occurrence and cut-off are not dealt with in this example, remember that we
are dealing with a balance and related disclosures at period end. Occurrence and cut-off relate to the
transactions underlying the balance, in this case, credit sales.
Chapter 1: Introduction to auditing 1/19

1.3.7.3 The auditor’s role regarding assertions


So what is the auditor’s role with regard to the assertions? A major part of the audit is the auditor’s assess-
ment of the risk that an account balance, etc., will be materially misstated in the AFS. The auditor
conducts this assessment by considering the likelihood (risk) of material misstatement applicable to each
assertion. Once this has been done, the auditor responds by conducting procedures to gather sufficient
appropriate evidence to form an opinion as to whether the account balance (and collectively the AFS) is
presented fairly. To put this into the context of the example given above:

While assessing risk relating to the accuracy, valuation and allocation assertion, the auditor discovers that to attract
more customers the client has relaxed its credit terms. As a result, the auditor considers that the accounts receivable
may be materially overstated (misstated) because in setting the allowance for bad debts, Tradition Ltd’s
management has not taken into account the fact that the company potentially has new and less creditworthy (credit
terms have been relaxed) customers. The auditor’s response will be to increase the procedures which he conducts on
the allowance for bad debts to determine whether it is fair or materially misstated.
Similarly, the auditor may assess the risk of the inclusion of fictitious debtors in the account balance as low, due
to Tradition Ltd’s excellent internal controls (control environment), the integrity of management and the absence of
any reason/incentive for management to manipulate the accounts receivable balance. The auditor will still conduct
procedures relevant to the existence assertion, but to a lesser extent.

1.3.8 The role of professional scepticism


• Professional scepticism is an attitude, and in the context of the financial statement audit engagement is
the attitude which should be adopted by all members of the engagement team. It requires that members
of the team approach their work with a questioning mind, and that they be alert to conditions which
may indicate possible misstatement due to error or fraud, and that audit evidence is critically assessed.
It also means that members of the team should not allow themselves to be “led around by the nose” by
client employees, and should not simply accept at face value what they are being told or shown by the
client. An auditor should remain unconvinced of the truth of a particular fact until suitable evidence to
support the fact is provided.
• Members of the audit team should, for example, be alert to:
– audit evidence that contradicts other audit evidence obtained;
– information that brings into question the reliability of documents and responses to inquiries to be
used as audit evidence; and
– conditions that may indicate possible fraud.
Adopting professional scepticism is not an option, it is a requirement. For example, even if the auditor
regards management as being honest and trustworthy, the audit will still be conducted with an attitude of
professional scepticism.
• Adopting an attitude of professional scepticism does not allow the members of the audit team to be rude
to, or dismissive of, the client’s personnel; the audit team’s approach should remain polite, dignified
and professional.

1.3.9 The role of professional judgement


• The audit of a set of financial statements is not a specific set of clearly defined procedures carried out on
clear-cut facts and figures. Different circumstances arise on different audits and there is no “one size fits
all” with regard to an audit. Audits give rise to uncertainties and options which must be considered and
responded to by the auditor. This is where professional judgement comes into play.
• Professional judgement is the application of relevant training, knowledge and experience within the
context provided by auditing, accounting and ethical standards in making informed decisions about the
courses of action and options that are appropriate in the circumstances of the audit (or review) engage-
ment.
• In terms of ISA 200, the auditor is required to exercise professional judgement in planning and perform-
ing an audit of financial statements. Virtually all decisions that must be made on an audit contain an
element of professional judgement, for example, professional judgement will be required in such diverse
decisions as:
– evaluating the integrity of the client’s management,
– deciding on materiality levels,
1/20 Auditing Notes for South African Students

– identifying and assessing risk,


– evaluating whether sufficient appropriate evidence has been gathered, and
– drawing conclusions on the evidence obtained and deciding on the appropriate audit opinion to be
given.

1.4 Summary
The auditor is a professional person who plays an important role in strengthening the credibility of finan-
cial information and hence the general and investing public’s confidence in the financial and economic
system of the country. This role is carried out through the expression of opinions as to whether or not
financial statements are, or financial information is, presented fairly.
Confidence in the reliability of the auditor’s opinion can only be maintained as long as there is public
acceptance that:
• auditors are a body of practitioners who demonstrate the attributes which set them apart from the
general public and make them worthy of recognition as professionals; and
• the auditing profession adheres to a strict code of ethical principles.
The profession is dynamic and is constantly changing to meet the needs of the economic community and
the public at large. Auditing firms have diversified into many different services, both to remain competitive
and to make use of the vast pool of talent which exists within its membership. However, at the core of the
profession is the irrefutable need for a professional body which provides an independent opinion on the
fairness of financial information. Financial information is the lifeblood of the economy and it is vital in the
interests of society (the public at large) that such information be fair and credible.

1.5 Appendix
Auditing postulates
The word “postulate” is best explained by considering the following definitions from the Oxford Dictionary:
“thing(s) claimed as a basis for reasoning” and
“postulates provide a basis for thinking about problems and arriving at solutions . . . a starting point . . . a
fundamental condition”
Perhaps to express it simply we can say that the auditing postulates are the very foundation on which the
discipline is built. Without a foundation, nothing of permanence can be built.

1. No necessary conflict of interest exists between the auditor and management/employees of the
enterprise under audit (both the client and the auditor have the same objective with regard to fair
presentation)
Explanation
This postulate proposes that the auditor and the client’s management share a common desire to ensure that
the financial statements prepared by management, do achieve fair presentation.
This postulate assumes that management will not want to manipulate the financial statements to present a
misleading account of the affairs of the enterprise, for example, to hide fraud or to present a more favour-
able financial picture of the company to potential investors.

Discussion
This postulate implies that if management does not want to achieve fair presentation (and thus is willing to
manipulate/falsify information), it becomes impossible to perform a conventional (normal) audit.
The postulate is critical if audits are to be economically and operationally feasible, and yet its relevance
and applicability is becoming increasingly questionable. In view of the ever rising evidence of financial mis-
management, theft and fraud in business and government worldwide, is it realistic to presume that manage-
ment does have the desire to report business information honestly and fairly?
The auditor has traditionally been able to rely on management's integrity in the absence of contrary
evidence. In the light of the alarming increase in fraud in recent years, it has become increasingly important
for the auditor to evaluate management integrity with professional scepticism. Indeed, the adoption of
Chapter 1: Introduction to auditing 1/21

professional scepticism by the auditor is one of the requirements placed on the auditor in terms of ISA 200
– Overall Objectives of the Independent Auditor and the Conduct of an audit in accordance with Inter-
national Standards on Auditing. It means that the auditor can no longer take what he or she is told by
management as necessarily being the truth. It means not being “led around by the nose” or blindly accept-
ing what management or other employees tell him, and it means that the auditor cannot accept, as a basis
for the audit, that this postulate holds true.
ISA 200 defines professional scepticism as “an attitude that includes a questioning mind, being alert to
conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of
audit evidence”.

2. An auditor must act exclusively as auditor in order to be able to offer an independent and objective
opinion on the fair presentation of financial information
Explanation
The auditor's opinion can only be relied upon if he is free of any bias whatsoever, in other words,
independent. Furthermore, for the auditor to satisfy his duty as a professional, he should devote all of his
energy to performing the audit.

Discussion
The auditor has to be, and be seen to be, independent, if he is to retain credibility as an auditor. This requires
that all other interests that the auditor has which relate to an audit client, must be carefully assessed and if
they affect independence, either these interests or the audit must be relinquished. Unfortunately, the
relevance and applicability of this postulate is also becoming questionable as audit firms place increasing
emphasis on their ability to provide clients with other services, for example tax, management advice and
more. It is interesting to note that in the United States of America there is a strong move on the part of the
regulators of the auditing profession to commit to the principle of this postulate. Major financial scandals
such as the collapse of Enron, one of the largest companies in the world, provided strong evidence of a total
lack of independence on the part of the auditors who are alleged to have been party to, or to have had
knowledge of, serious financial manipulation and fraud by the company, but did nothing about it. Was this
a serious matter? It led to the worldwide demise of one of the “Big 5” auditing firms, once highly regarded
for its ethics and integrity. It was a serious matter!
South Africa has also reacted to the demands of this postulate. In terms of the new Companies Act 2008,
public companies (which must be audited) must also appoint an audit committee. The audit committee in
turn must approve any non-audit work that the auditor of the company is engaged to perform. This can be
seen to be an attempt to focus the auditor’s attention on performing the audit, not on providing other
services. The audit committee must be satisfied that the auditor is independent, and must state whether it is
satisfied with the audit of the annual financial statements. The committee is likely therefore to be very
careful about what other non-audit work is given to the auditor.

3. The professional status of the independent auditor imposes commensurate professional obligations
Explanation
Professional status implies that the auditor has qualities, knowledge and capabilities which set him apart
from the general public, but that this status brings responsibility with it.

Discussion
To enjoy this status, a professional has to live up to certain expectations and accept certain responsibilities.
The concepts of due care, service before personal interest, efficiency and competence flow from these expectations
and have to be accepted as responsibilities by professional accountants.

4. Financial data is verifiable


Explanation
This postulate proposes that it is possible to verify the client’s financial data. If this were not the case, it
would be impossible to perform an audit. “Verify” means to determine something’s truth or falsity, which
is essentially what an audit is all about, and it implies that there will be sufficient appropriate evidence to
support the transactions which have taken place.
1/22 Auditing Notes for South African Students

Discussion
An auditor cannot meet the audit objective of forming an opinion on fair presentation of the financial
information unless he has gained the necessary level of assurance through verification of the financial
information. With the advent of paperless transactions, trading on the Internet and E-Commerce, this
postulate is increasingly under threat, as transactions may not necessarily be supported by documents
which the auditor can see and touch, or even access. To respond to this, the profession will need to develop
new ways of gathering sufficient appropriate evidence to verify client data. Obviously, if financial data is
not verifiable, an opinion on its fair presentation cannot be given.

5. Internal controls reduce the probability of errors and irregularities


Explanation
Simplistically expressed, internal controls are those policies and procedures which a business puts in place
to ensure that its recorded transactions are valid, accurate and complete, that its assets are secured and that
it complies with the law.
The postulate suggests that errors and irregularities become possible rather than probable where internal
controls are good. For example, where there is a sound control environment, good division of duties and
effective authorisation procedures (all internal controls) the probability of unauthorised transactions is
significantly reduced.
Internal controls provide the auditor with a starting point when conducting an audit. In terms of this
postulate, the better the internal controls, the more chance there is that the financial information produced
will be “truthful”, that is, valid, accurate and complete. The postulate also suggests to auditors that they
should realise, and make use of, the benefits of good internal control. Indeed, auditing standards require
that the auditor assess the effectiveness of the client’s internal controls in planning the audit.

Discussion
This postulate is of critical importance to the economic and operational feasibility of audits. The alternative
(i.e. no effective internal control), is a situation where auditors are forced either to refrain from offering an
opinion, or to conduct extremely detailed audit examinations. Such alternatives are not constructive,
economical or feasible. Expressed simply, without internal control the audit function is not possible. In
effect, if a company has very poor internal control, the financial data produced by the accounting system is
most unlikely to be verifiable. (See postulate 5).

6. Application of generally accepted accounting practice results in fair presentation


Explanation
This postulate proposes that the application of generally accepted accounting practice does result in fair
presentation. It suggests that there are frameworks available (e.g. IFRS) which, if adhered to, will result in
fair financial presentation.

Discussion
This postulate emphasises the importance of objectivity and of having to measure “fair presentation”
against a predetermined accepted standard. The auditor’s opinion should be based on something which has
gained general acceptance rather than mere personal preferences. An accounting framework provides the
auditor with a “ready-made standard” against which to judge the fairness of the financial information
under audit. The implication is that if the auditor obtains evidence of the proper application of appropriate
generally accepted accounting practice, fair presentation will have been achieved.

7. That which held true in the past will hold true in the future (in the absence of any contrary
evidence)
Explanation
As a basic premise, the auditor may assume that in the context of an ongoing audit engagement at the same
client “things generally stay the same”. Thus historical evidence is crucial. Judgements about the future are
continually being made and accounted for on the basis of historical information. For example, when an
auditor evaluates the allowance which a client has made for bad debts to determine whether it is fair, he
will take into account such matters as:
• the payment records of debtors in prior years,
Chapter 1: Introduction to auditing 1/23

• the allowances which were made in prior years, and


• the kinds of debtors which had to be written off in prior years.
A more general application of this postulate might be that the auditor may assume, in the light of no
contrary evidence, that the integrity of the client’s directors does not alter from year to year.

Discussion
The auditor has to draw on past experience when assessing judgements about the future. Factual historical
evidence is far more powerful than speculation. However, this should not be taken to mean that things do
not change; for example, the integrity of the directors may decline, forcing the auditor to rethink the extent
to which he can rely on the representations of management in the gathering of audit evidence. Trading
conditions can change in a host of different ways and new business risks may arise; the auditor must
recognise this in planning and performing the audit.

8. The financial statements submitted to the auditor for verification are free of collusive and other
unusual irregularities
Explanation
This postulate suggests that the auditor can start from the basic premise that the financial statements do not
contain misstatement which has arisen out of collusion or similar deceptions by management. Collusion
implies that there has been a deliberate attempt to misstate the financial statements. However, in terms of
this postulate the auditor may, in the absence of evidence to the contrary, assume that management has
taken adequate steps to ensure that the financial statements are free of “collusive or unusual irregularities”
engineered by employees and that members of the management team itself have not colluded in the presen-
tation of the financial statements.

Discussion
A cynical view may be that when these postulates were proposed (circa 1961), directors and employees
were more honest than they are today! Whether this postulate holds true today could no doubt be debated
at length, but the intense focus on corporate governance and the introduction of professional scepticism as
an important prerequisite for auditors suggest that this postulate is also under threat. However, for the
auditor to assume the opposite, namely that the financial statements are not free of “collusive and other
irregularities” would change the objective and focus of the auditor from forming an opinion on fair presen-
tation to an all-out search for fraud and other irregularities.
CHAPTER

2
Professional conduct

CONTENTS
Page

2.1 The SAICA and IRBA codes of professional conduct (effective 15 June 2019) ...................... 2/2

2.2 General guidance: Ethics and professional conduct............................................................ 2/2


2.3 The public interest ............................................................................................................ 2/3
2.4 Code of professional conduct (SAICA) (effective 15 June 2019) .......................................... 2/4
2.4.1 Structure of the code ............................................................................................... 2/4
2.4.2 Part 1 – General application of the code................................................................... 2/4
2.4.3 Part 2 – Professional accountants in business ........................................................... 2/10
2.4.4 Part 3 – Professional accountants in public practice .................................................. 2/22
2.4.5 Part 4 – Independence ............................................................................................. 2/37
2.5 Rules regarding improper conduct (IRBA) .......................................................................... 2/57

2/1
2/2 Auditing Notes for South African Students

2.1 The SAICA and IRBA codes of professional conduct (effective 15 June 2019)
There are two codes of professional conduct which provide ethical guidance to professional accountants
and auditors in South Africa. They are:
1. The SAICA code of professional conduct for professional accountants
2. The IRBA code of professional conduct for registered auditors.
Both of these codes are based on and consistent in all material aspects with the code of ethics for account-
ants released by the International Ethics Standards Board for Accountants (IESBA) published by the Inter-
national Federation of Accountants (IFAC) in April 2018. As you would expect, the two “South African”
codes are consistent with each other.
Why is it necessary to have two codes? The simple answer is that most professional accountants (i.e.
members of SAICA) are not members of the IRBA (i.e. registered auditors) because they do not conduct
audits. Typically, these professional accountants are in government, commerce or industry, engaged as
internal auditors, financial directors or company accountants. They become members of SAICA to benefit
from being part of a professional body and thus must comply with the SAICA code.
While the majority of the members of the IRBA (i.e. registered auditors) are also members of SAICA
(i.e. professional accountants), it is not a requirement that to be a member of the IRBA, the individual must
join SAICA. Therefore, the IRBA must have its own code and must define its own rules regarding
improper conduct.
As mentioned above, the two codes are very similar and are based on the same international code. One
important difference is that the SAICA code, in addition to having a section related to professional
accountants in public practice, has a separate section that deals with professional accountants in business,
that is, professional accountants in commerce and industry etc. Professional accountant is a generic term
used in the code to refer to a chartered accountant (CA (SA)), an associate general accountant (AGA
(SA)), associate accounting technician (FMAAT (SA), MAAT (SA), or PSMAAT (SA)). The IRBA obvi-
ously does not have such a section because, by definition, registered auditors are not in commerce and
industry, they are all registered auditors in public practice.
If an individual who is a member of both the IRBA and SAICA acts improperly or unethically, he can be
charged in terms of both codes. Again, this is perfectly logical; the IRBA disciplinary committee has the
power to “punish” one of its own members but has no power to “punish” the individual in terms of the
SAICA code. That would be up to the SAICA disciplinary process.
In summary:
• the SAICA code applies to a person who is registered with SAICA regardless of whether he is a
professional accountant in public practice or a professional accountant in business
• the IRBA Code applies to a much narrower field, namely those persons registered with the IRBA as
registered auditors, and
• provided an individual complies with the registration requirements of both SAICA and the IRBA, he
can be a member of both bodies.

2.2 General guidance: Ethics and professional conduct


Perhaps the most crucial prerequisite for the accounting and auditing profession is attaining the highest
level of professional ethics by its members, both singularly and collectively. Of course members of the
profession must have the necessary intellectual and practical competency, but these will be worth little if
respect for and trust in the profession is eroded by members displaying a lack of professional ethics. Indeed
SAICA has identified skills and integrity as the pre-eminent attributes of chartered accountants (SA).
The Concise Oxford Dictionary defines ethics as: “. . . a set of principles or morals . . . rules of con-
duct . . . ” and “moral” is defined as: “concerned with the distinction between right and wrong . . . virtuous
in general conduct”. Professional conduct could be described as the set of principles that govern accountants’
and auditors’ professional and wider behaviour.
Ethics apply when a person finds it necessary to make a decision that involves moral principles, namely a
choice between “good” and “bad” or “right” and “wrong”. There are various sources for ethical guidance:
• in our private lives these may include our parents, religion and role models, and in our working lives,
these may include codes of conduct developed by corporations, institutions and professions, in addition
to senior work colleagues or individuals trained to advise in what can be challenging ethical situations.
Chapter 2: Professional conduct 2/3

Different religions, races, cultures, and backgrounds may see ethical issues from totally different perspect-
ives, so it is impossible to establish one set of hard and fast rules which can be applied to all situations
which raise ethical issues. So, in the absence of hard and fast rules, how do people decide whether the
ethical decision they have made is right? There is no simple solution, but if the answer to the following
questions is yes, then the decision is probably the right one:
• Is the decision honest and truthful?
• In making the decision, will I be acting in a way that I would like others to act towards me?
• Will this decision build goodwill and result in the greatest good for the most significant number?
• Would I be comfortable explaining my decision to people whom I respect for their moral values?
In effect, asking the above four questions acknowledges that a conceptual framework approach to ethics is
desirable. There cannot be a rule for every situation, so other processes must be available for the
professional accountant to deal with ethical issues.
While individual members of the profession will no doubt be concerned with ethical issues which affect
society as a whole (the death penalty, abortion or providing jobs at the expense of environmental
destruction), it will be their daily occupations that will give rise to specific ethical situations of a profes-
sional nature.
For example:
• Have I acted in a truly independent manner?
• Should I make use of confidential information obtained from a client for my advantage?
• Should I report a client who may be evading tax to the authorities?
Specific guidance and a way of thinking about ethical issues are provided in the various pronouncements
indicated below.

2.3 The public interest


As we discussed in chapter 1, the public at large relies, directly or indirectly, on members of the accounting
and auditing profession in several ways, one such example being the reliance that third parties, such as
banks and shareholders, place on audited financial statements in deciding whether to advance finance to
companies. This reliance requires that the profession accept a responsibility to the public, as reliance will
only continue to be placed on the profession for as long as it retains public confidence in its abilities.
Professional accountants and registered auditors must therefore ensure that their services are delivered
following the highest ethical and professional standards. Public reliance is not only placed on members
who are in public practice. Many professional accountants fill very influential roles in the financial world
and are relied upon by the public at large to perform with integrity and competence. Even though it may be
indirect reliance, the public at large relies, on:
• financial executives to contribute to the efficient and effective use of their organisations resources and to
strive for the highest levels of corporate governance
• internal auditors in both the private and government sectors to be part of sound internal control systems
that address the risks faced by business and enhance the reliability of financial information
• tax experts to help establish confidence and efficiency in the tax system
• management consultants to promote sound management decision-making
• internal auditors to promote sound corporate governance and assist in fulfilling its broader mandate.
Does the SAICA code bind trainee accountants? The answer to this question is that if you enter into a
formal training contract that is registered with SAICA, such as a training contract with a firm of
accountants and auditors or the auditor general, you will be bound by the code. The training contract you
sign will contain a clause that requires that you adhere to the code of professional conduct, and should you
breach the code, you can be disciplined. For example, if you have contravened the code by making use of
confidential information obtained while carrying out an audit at a client, your training contract could be
cancelled.
This text concentrates on the code of professional conduct of the South African Institute of Chartered
Accountants (SAICA). The reasons are that your current studies are probably being conducted under the
2/4 Auditing Notes for South African Students

auspices of SAICA through a SAICA-accredited university, and that the SAICA code is cast a little wider
as it deals with professional accountants in business and public practice. No doubt, many of you will end
up in business and not as auditors.

2.4 Code of professional conduct (SAICA) (effective 15 June 2019)


2.4.1 Structure of the code
1. The code is broken down into three parts, and each part into sections
Part 1 (ss 100 to 120) – Complying with the Code, Fundamental Principles and Con-
ceptual Framework – deals with the general application of the
Code and is applicable to all professional accountants
Part 2 (ss 200 to 299) – Professional Accountants in Business – applicable to profes-
sional accountants in business when performing professional
activities. Part 2 is also applicable to professional accountants in
public practice when performing professional activities related to
their relationship with the firm, whether as a contractor,
employee or owner
Part 3 (ss 300 to 399) – Professional Accountants in Public Practice – applicable to
professional accountants in public practice when providing
professional services
International Independence Standards – Set out additional material regarding independence that applies
to professional accountants when providing assurance services.
The section is divided into Part 4A and Part 4B as follows:
Part 4A (ss 400 to 899) – Independence for Audit and Review Engagements
Part 4B (ss 900 to 999) – Independence for Assurance Engagements other than Audit or
Review Engagement
2. A list of definitions is also provided. Where required, definitions will be included in the narrative
covering the various sections.

2.4.2 Part 1 – General application of the code


2.4.2.1 Introduction and fundamental principles – section 100
1. Introduction
It is a distinguishing mark of the auditing and accounting profession that registered auditors and profes-
sional accountants have a responsibility to act in the public interest (discussed on page 2/3). The profes-
sional accountant’s responsibility is not exclusively to satisfy the needs of an individual client (professional
accountant in public practice) or his employer (professional accountant in business). The code establishes
the fundamental principles of ethical behaviour and provides a conceptual framework which the profes-
sional accountant can apply in ethical situations.

2. Fundamental principles
The code establishes five fundamental principles with which professional accountants must comply:
2.1 integrity
2.2 objectivity
2.3 professional competence and due care
2.4 confidentiality, and
2.5 professional behaviour.

3. Basis of the code – The conceptual framework approach (s 120)


3.1 The code provides an approach that professional accountants should adopt to ensure that they comply
with the fundamental principles. Remember that this conceptual framework approach is based on
the premise that, due to the diversity of ethical issues, it is not possible or desirable to have a
Chapter 2: Professional conduct 2/5

comprehensive set of rules to identify and resolve ethical issues. It is not possible to say “yes, you can
do that” or “no, you can’t do this” in all situations.
3.2 Therefore, professional accountants using their professional judgement are required to:
• identify threats to compliance with the fundamental principles
• evaluate the threats identified, and
• address the threats by eliminating them or reducing them to an acceptable level.
3.3 When applying the conceptual framework, the professional accountant shall:
• exercise professional judgement
• remain alert to new information and changes in facts and circumstances, and
• consider whether the same conclusion would likely be reached by another party (the third-party
test).
3.4 To be able to apply the conceptual approach, the professional accountant must understand the:
• fundamental principles
• types of threats which may arise, and
• safeguards that may be applied.

2.4.2.2 The fundamental principles


A professional accountant must comply with the fundamental principles of integrity, objectivity, profes-
sional competence and due care, confidentiality and professional behaviour. Subsections 111 to 115 of the
code discuss the five fundamental principles of professional ethics.

1. Integrity – section 111


1.1 A professional accountant shall comply with the principle of integrity which requires straightforwardness, honesty,
fair dealing and truthfulness in professional and business relationships.
1.2 Professional accountants should not be associated with information they believe:
• contains a materially false or misleading statement
• contains statements or information provided recklessly, or
• omits or obscures information where such omission or obscurity would be misleading.
1.3 If a professional accountant becomes aware that he has been associated with such information, he
must take steps to disassociate himself therefrom. Note: This may present a threat to the fundamental
principle of confidentiality.

2. Objectivity – section 112


2.1 Professional accountants should not allow bias, conflict of interest, or undue influence of others to
override or compromise professional or business judgements.

3. Professional competence and due care – section 113


3.1 Professional accountants are required to:
• attain and maintain professional knowledge and skill at a level that ensures that clients or
employers (in the case of professional accountants in business) receive competent professional
service. This emphasises the importance of continuing professional development, and
• act diligently following applicable technical and professional standards when providing profes-
sional services.
3.2 Rendering “competent professional service” assumes the exercising of sound judgement in applying
professional knowledge and skill. To maintain professional competence, a professional accountant
must remain abreast of relevant technical, professional and business developments.
3.3 Acting diligently (with due care) requires that the professional accountant acts timeously, carefully,
thoroughly and follows the requirements of the assignment.
3.4 A professional accountant must ensure that those working under his authority in a professional cap-
acity have appropriate training and supervision.
2/6 Auditing Notes for South African Students

3.5 Clients, employers and other users shall be made aware of the inherent limitations of services provided.
3.6 A professional accountant shall not undertake or continue with any engagement he/she is not com-
petent to perform unless advice and assistance are obtained to carry out the engagement satisfactory.

4. Confidentiality – section 114


4.1 Professional accountants shall comply with the principle of confidentiality which requires a professional
accountant to respect the confidentiality of information acquired due to professional and business relation-
ships. A professional accountant shall:
• be alert to the possibility of inadvertent disclosure, including in a social environment, and particu-
larly to a close business associate or an immediate or close family member
• maintain confidentiality of information within the firm or employing organisation
• maintain confidentiality of the information disclosed by a prospective client or employing
organisation
• not disclose confidential information acquired as a result of professional and business relationships
outside the firm or employing organisation without proper and specific authority, unless there is a
legal or professional duty or right to disclose
• not use confidential information acquired as a result of professional and business relationships for
the personal advantage of the professional accountant or the advantage of a third party
• not use or disclose any confidential information, either acquired or received as a result of a profes-
sional or business relationship, after that relationship has ended
• take reasonable steps to ensure that personnel under the professional accountant’s control and
individuals from whom advice and assistance are obtained respect the professional accountant’s
duty of confidentiality.
4.2 Disclosure of confidential information is permitted when:
• disclosure is permitted by law and is authorised by the client or employer
• disclosure is required by law, for example:
– providing documents and other provision of evidence in the course of legal proceedings
– disclosure to appropriate public authorities, including disclosures of reportable irregularities
reported to the regulatory board as required by section 45 of the Auditing Profession Act 2005
(APA).
• there is a professional duty or right to disclose confidential information about a client, for
example:
– to comply with the quality review of the regulatory board or the professional body (where the
professional accountant’s practice is being reviewed)
– to respond to an enquiry or investigation by the regulatory board or a regulatory body
– to protect the professional interests of a professional accountant in legal proceedings, or
– to comply with technical standards and the requirements of this code.
4.3 In deciding whether to disclose confidential information, a professional accountant should consider:
• whether the interests of all parties, including third parties, could be unnecessarily or unjustly
harmed by the disclosures if the client consents to the disclosure of information
• whether all relevant information is known and substantiated (disclosing unsubstantiated facts or
incomplete information could be unfairly damaging to other parties and is unprofessional), and
• whether the method or type of communication is appropriate, and the recipient of the information
is appropriate, for example, going on a popular TV talk show and disclosing confidential informa-
tion about, say, alleged fraud at a client company, would not be appropriate.

5. Professional behaviour – section 115


Section 115 deals with a number of matters under the heading of professional behaviour. SAICA added
much of what has been included in the section to tailor the section to satisfy the needs of the South African
profession. This section deals with:
• a general explanation of the principle (5.1)
Chapter 2: Professional conduct 2/7

• publicity, advertising and solicitation (5.2)


• being a member of more than one firm (5.3), and
• signing reports (5.4).
5.1 General explanation
This fundamental principle requires that professional accountants:
• comply with relevant laws and regulations, and
• avoid any action which the professional accountant knows or should know that may bring discredit to
the profession (act in a way which negatively affects the good reputation of the profession as judged by
a reasonable and informed third party, taking into account the specific facts and circumstances available
to the professional accountant at the time of his actions).
5.2 Publicity, advertising and solicitation
Professional accountants are entitled to market and promote themselves and their firms, but in doing so
must:
• not bring the profession into disrepute
• be honest and truthful
• not make exaggerated claims for the services they offer, the qualifications they possess, or experience
they have gained, and
• not make disparaging references or unsubstantiated comparisons to the work of others.
Publicity – the communication to the public of information about a professional accountant or his
firm or bringing his name or the firm’s name to the notice of the public.
Advertising – the communication to the public of information as to the services or skills provided by a
professional accountant to procure professional business.
Perhaps the key phrase is good taste. However, it is impossible to define “good taste” as it is very subjective.
The code does not give guidance as to what would be regarded as contrary to good taste, and ultimately the
responsibility for applying the requirements of this section lies with the professional accountant.
However, previous versions of the code have suggested that advertising, publicity or solicitation charac-
terised by any of the following will not be in good taste:
• racism
• a tendency to shock or sensationalise
• offensive towards religious beliefs
• trivialising important issues
• relying excessively on a particular personality
• deriding (making fun of) a public figure, for example the minister of finance
• disparaging (mocking) educational attainment
• odious (hateful, obnoxious) language
• strident (loud) or extravagant speech or behaviour, or
• belittling of others or claiming superiority.
5.3 Membership of multiple firms and assisted holding out
A professional accountant is permitted to be a member of more than one firm of registered auditors and/or
a member of any other firm which offers professional accounting services. Such association shall not be
misleading or cause confusion, and the professional accountant shall ensure that there is clear distinction
between the different firms. A professional accountant who is a member of an auditing firm and a profes-
sional services firm that is not registered with the IRBA must ensure that the professional services firm does
not perform any audit work, pretend to be registered with the IRBA or use any designation or description
likely to create the impression of being a registered audit firm in public practice. For example, the
professional services firm cannot describe itself as “a firm of public accountants” or “accountants and
auditors in public practice”. (Refer to section 41 of the APA.)
2/8 Auditing Notes for South African Students

5.4 Signing conventions for reports or certificates


A professional accountant must not delegate to any person who is not a partner or fellow director the
power to sign audits, reviews, or other assurance reports or certificates which are required in terms of the
law or regulation to be signed by the professional accountant responsible for the engagement:
• this restriction may be waived in emergencies (partner may be incapacitated). If this is the case, the need
for delegation must be reported to the client and the IRBA
• written consent for such delegation is obtained from the regulatory board or the institute.
In terms of the SAICA code, when signing off a report or certificate, such as an audit or review report, the
professional accountant responsible for the engagement (the designated auditor in the case of an audit)
should include in his signing off:
(i) the individual professional accountant’s full name
(ii) the capacity in which he is signing, for example, partner or director
(iii) the person’s designation underneath his/her name, and
(iv) the name of the professional accountant’s firm (if not set out on the letterhead).

2.4.2.3 Threats
Now that the fundamental principles have been described, it is necessary to consider the circumstances that
threaten compliance with them. The code categorises threats as follows:

1. Self-interest threats
These are threats that a financial or other interest will inappropriately influence the professional account-
ant’s judgement or behaviour and lead him to act in his self-interest.
For example:
• A professional accountant has shares in an audit client (objectivity).
• A firm is dependent for its survival on the fees from one client (objectivity).
• A member of the audit team will join the client as an employee shortly after completing the audit
(objectivity).
• The client is putting pressure on the audit firm to reduce fees (objectivity, professional competence, and
due care; for example, the audit team “cuts corners” to save costs).
• The engagement partner obtains confidential information about the client from a meeting with the
directors, which he could use to his financial advantage (objectivity, integrity, confidentiality and
professional behaviour).

2. Self-review threats
These are threats that a professional accountant will not appropriately evaluate the results of a previous
service performed by the professional accountant or by another individual in his firm, on which the profes-
sional accountant will rely as part of a current service.
For example:
• The former financial accountant of an audit client, a professional accountant, recently resigned and
joined the firm that conducts the audit of his former employer. He was placed on the audit team for the
current audit (objectivity and professional competence, and due care).
• In terms of ISA 315 (revised 2019), the audit team must obtain an understanding of the client’s system
of internal control. Thus, a firm issuing an audit opinion on the financial statements of a company for
which the same firm has designed or implemented the internal control system is subject to the threat
that the audit team will assume that the internal control system is sound, without evaluating it, because
their firm designed it (objectivity, professional competence and due care.)

3. Advocacy threats
These threats may arise when a professional accountant promotes a client’s or employing organisation’s
position to the point that his subsequent objectivity may be compromised.
Chapter 2: Professional conduct 2/9

For example:
• A professional accountant values a client’s shares and then leads the negotiations on the sale of the
client’s company.

4. Familiarity threats
These are threats that may arise when, because of a close relationship, a professional accountant becomes
too sympathetic to the interests of others.
For example:
• The professional accountant accepts gifts or preferential treatment from a client (objectivity). This type
of occurrence can threaten the basis of a professional relationship.
• The father of a member of the engagement team is responsible for the financial data, which is the
subject of the audit engagement.
• The audit engagement partner and audit manager have a long association with the audit client (object-
ivity and (potentially) professional competence and due care, in other words, the audit becomes too
casual and friendly).

5. Intimidation threats
These are threats that occur when a professional accountant may be deterred from acting objectively by
actual or perceived pressures, including attempts to exercise undue influence.
For example:
• A professional accountant in business fails to report a fraud perpetrated by his section head because he
fears he will be dismissed by the section head (objectivity, integrity, professional behaviour).
• An audit firm is being threatened with dismissal from the engagement (objectivity).
• Pressure to accept an inappropriate decision on an accounting matter is exerted by the client’s financial
director on a young, inexperienced audit manager (objectivity and integrity).
Not all threats fall neatly into the above categories! This does not mean they are not threats. They are, and
must still be addressed.

2.4.2.4 Evaluating threats


When the professional accountant identifies a threat to compliance with the fundamental principles, the
accountant shall evaluate whether the threat is at an acceptable level.

1. Acceptable level
An acceptable level would be when the accountant complies with the fundamental principles.

2. Factors relevant in evaluating the level of threats


The consideration of qualitative and quantitative factors is relevant in the professional accountant’s evaluation
of threats, as is the combined effect of multiple threats, if applicable.
The existence of conditions, policies and procedures might also be relevant in evaluating the level of
threats to compliance with fundamental principles. Examples of such conditions, policies and procedures
include:
• corporate governance requirements
• educational, training and experience requirements for the profession
• effective complaint systems which enable the professional accountant and the general public to draw
attention to unethical behaviour
• an explicitly stated duty to report breaches of ethics requirements
• professional or regulatory monitoring and disciplinary procedure.
2/10 Auditing Notes for South African Students

3. Addressing threats
If the professional accountant determines that the threat is not at an acceptable level, he/she shall reduce
the threat to an acceptable level by:
• eliminating the circumstances, including interests or relationships, that are causing the threats
• applying safeguards to reduce the threat to an acceptable level, or
• declining or ending the specific professional activity.

Considerations for audits, reviews and other assurance engagements


4. Independence
Professional accountants in public practice are required by international independence standards to be
independent when performing audits, reviews, or other assurance engagements. Independence is linked to
the fundamental principles of objectivity and integrity and includes independence in mind and appearance.

5. Professional scepticism
Under auditing, review and other assurance standards, including those issued by the IAASB, professional
accountants in public practice are required to exercise professional scepticism when planning and
performing audits, reviews and other assurance engagements. Professional scepticism is inter-related with
the following fundamental principles:

Integrity
• being straightforward and honest when raising concerns about a position taken by a client, and
• pursuing inquiries about inconsistent information and seeking further audit evidence about false or
misleading statements.

Objectivity
• recognising relationships, such as familiarity with the client, that might compromise the professional
accountant’s professional or business judgement, and
• considering the impact of such circumstances and relationships on the professional accountant’s
judgement when evaluating the sufficiency and appropriateness of audit evidence related to a matter
material to the client’s financial statements.

Professional competence and due care


• applying knowledge to the client’s industry
• designing and performing appropriate audit procedures, and
• applying relevant knowledge when critically assessing whether audit evidence is sufficient and appro-
priate.

2.4.3 Part 2 – Professional accountants in business


2.4.3.1 Introduction – section 200
1. General
1.1 The majority of professional accountants work in business. They may be, among other things,
salaried employees, company directors, or owner-managers. Numerous groupings of individuals, such
as investors, creditors, employers, and the government (e.g. SARS) and the public at large (e.g.
ordinary investors in unit trusts), rely on professional accountants directly or indirectly. This is
particularly so where the professional accountant is involved in preparing and reporting financial and
other information but is not restricted to this – professional accountants are frequently involved in
providing financial management and other advice on business matters.
1.2 Professional accountants in business are expected to encourage an ethics-based culture within their
organisations. At the same time, they should comply with the fundamental principles of integrity,
objectivity, confidentiality, professional competence and due care and professional behaviour. A
simple example to illustrate: a professional accountant working for a listed company who gets
involved in a financial fraud betrays the trust of his employers, investors and fellow employees and
discredits the accounting profession.
Chapter 2: Professional conduct 2/11

2. The conceptual framework


The conceptual framework to be applied by professional accountants in business is the same as has been
discussed for professional accountants in public practice, that is:
• identify threats to compliance with the fundamental principles
• evaluate whether these threats are insignificant, and
• address the threats.

3. Threats
The categorisation of threats for professional accountants in business remains the same as for professional
accountants in public practice, namely, self-interest, self-review, advocacy, familiarity and intimidation:
• Self-interest threats are created when a financial or other interest will inappropriately affect the profes-
sional accountant’s judgement or behaviour:
– financial interests, loans or guarantees
– incentive compensation arrangements
– inappropriate personal use of corporate assets
– concern over employment security, and
– a gift or special treatment from a supplier.
Example 1: Lucas Borak, the financial director of Company A, has shares in Company A. The finan-
cial decisions he makes may be influenced by the effect the decisions will have on his
share value and not the facts relating to the decision.
Example 2: Carl Marks, the financial controller at Company B, participates in a performance bonus
scheme for managers. Financial decisions which he makes can materially affect the bonus
he receives.
• Self-review threats are created when a professional accountant in business evaluates a previous judge-
ment or service which he has performed. The threat is that the evaluation may be inappropriate, for
example, not diligently carried out.
Example 3: Jackie Jones, the financial director of Company X, determines the appropriate accounting
treatment for a complex financing transaction that he constructed and approved.
• An advocacy threat is created when a professional accountant in business promotes his employer’s
position to the extent that his objectivity is compromised.
Example 4: In attempting to sell a financial product marketed by the company for which he works,
Dickie Dell, a professional accountant, uses questionable tactics and debatable statistics in
“proving” the superiority of his company’s products (this is an advocacy threat to his
integrity, objectivity and professional behaviour).
• A familiarity threat is created when a professional accountant in business will be or becomes too
sympathetic to the interests of some other party, because he has a long or close relationship with that
party:
– a professional accountant in business is in a position to influence reporting or business decisions that
may benefit an immediate or close family member, and
– a professional accountant in business has a long association with business contracts influencing
business decisions.
Example 5: Billy Alviro, the managing director of Company Z, regularly accepts expensive gifts and
travel opportunities from two of his company’s major suppliers. The threat is that pref-
erential treatment will be given to these two suppliers because they are friends and not
because they are the best suppliers for the company. This is a threat to Billy’s objectivity,
and possibly, his professional competence and due care.
• Intimidation threats are created when a professional accountant will be deterred from acting objectively
because of actual or perceived pressures:
– threat of dismissal or replacement of the professional accountant in business or a close or immediate
family member over a disagreement about the application of an accounting principle or how financial
information is to be reported, or
– a dominant personality attempting to influence the decision-making process.
2/12 Auditing Notes for South African Students

As a professional accountant in business very often depends upon his employing organisation for his
livelihood, he can often be placed in a challenging position where ethical situations arise. He may be
put under pressure to behave in ways that could threaten his compliance with the fundamental
principles. A professional accountant in business may be put under pressure (intimidated by fear of
losing his job) to:
Example 6: Act contrary to law or regulation, for example, claim VAT deductions to which the com-
pany is not entitled (integrity, professional behaviour, objectivity).
Example 7: Facilitate unethical or illegal earnings strategies, for example, provide false documentation
to conceal the purchase and sale of illegal products (integrity, professional behaviour,
objectivity).
Example 8: Lie to, or intentionally mislead (including by remaining silent) others, in particular:
– the auditors, for example, by producing false evidence to support fictitious sales, or
– regulators, for example, by lying to customs officials about the nature of imported
goods to reduce import charges (integrity, professional behaviour, objectivity).

4. Evaluating threats
Although the professional accountant in business will have safeguards created by the profession, legislation
or regulation available to him, safeguards in the professional accountant’s workplace will likely be more
accessible and relevant to him.
For example,
A professional accountant, whose compliance with the fundamental principle of professional behaviour is
being threatened by intimidation from a superior, should have a means of exposing the intimidation (and
preventing his non-compliance) without fear of retribution. This may be an individual at the employer
appointed to deal with such matters and to whom the professional accountant can notify of the
intimidation.
The following will impact the professional accountant’s evaluation of whether a threat to compliance with
a fundamental principle is at an acceptable level:
• the employer’s system of corporate oversight, which, among other things, monitors the ethical
behaviour at all levels of management, including executive directors
• strong internal controls, for example, clear division of duties and reporting lines which hold employees
accountable for their actions
• recruitment procedures in the employing organisation emphasising the importance of employing high-
calibre, competent staff
• policies and procedures to implement and monitor the quality of employee performance
• policies and procedures to empower employees to communicate any ethical issues to senior levels
without fear of retribution
• leadership that stresses the importance of ethical behaviour and the expectation that employees will act
in an ethical manner
• policies and procedures, including any changes, to be communicated to all employees on a timely basis,
and appropriate training and education on such policies and procedures to be provided, and
• ethics and code of conduct policies.

5. Addressing threats
5.1 Sections 210 to 270 describe specific threats that may arise and include actions that might address
such threats.
5.2 A professional accountant in business should consider seeking legal advice if it is believed that
unethical behaviour has occurred and will continue within the organisation. He should also consider
resigning from the employing organisation if the circumstances that created the threat cannot be
eliminated, or should safeguards not be available or be incapable of reducing the threat to an accept-
able level.
Chapter 2: Professional conduct 2/13

2.4.3.2 Conflicts of interest – section 210


1. Responsibility
1.1 A professional accountant in business shall not allow a conflict of interest to compromise his profes-
sional or business judgement. A conflict of interest may arise when:
• the professional accountant undertakes a professional activity (an activity requiring accountancy
or related skills) related to a particular matter for two or more parties whose interests concerning
that matter conflict, or
• the interests of the professional accountant concerning a particular matter and the interests of a
party (e.g. an employing organisation, a vendor, a customer, a lender, a shareholder, or another
party) for whom the professional accountant undertakes a professional activity related to that
matter, are in conflict.
1.2 When identifying and evaluating the interests and relationships that might create a conflict of interest,
and implementing safeguards, a professional accountant in business shall exercise professional judge-
ment and be alert to all interests and relationships that a reasonable and informed third party,
weighing all the specific facts and circumstances available to the professional accountant at the time,
would be likely to conclude might compromise compliance with the fundamental principles.

2. Threats
2.1 Primarily, a conflict of interest creates a threat to objectivity but may also create a threat to other fun-
damental principles.
2.2 Situations in which conflicts may arise:
Example 1: Shoab Aktar is a professional accountant in business. He sits on the board of two
unrelated companies (A and B) who operate in the same business sector. At a board
meeting of company A, Shoab obtains confidential information that he could use to the
advantage of company B, but which would be to the disadvantage of company A. This
situation (conflict) creates a threat to his objectivity, confidentiality and professional
behaviour and integrity.
Example 2: Tom Collins, a professional accountant in business, has been engaged to provide finan-
cial advice to each of two parties to assist them in dissolving their medical partnership.
There are several contentious issues in the dissolution. This situation could create
threats to Tom’s objectivity (he may favour one partner over the other), professional
behaviour (he may act in a manner that discredits the profession by favouring one
partner because there is some reward for doing so) as well as his integrity.
Example 3: Paul Premium is a professional accountant employed by company Z. He is responsible
for contracting a company to supply a full range of IT support for company Z. Awarding
the contract to one of the strong contenders for the contract could result in a financial
benefit for an immediate family member (his wife or a dependent). This creates a
significant threat to his objectivity and possibly, confidentiality and professional behav-
iour (if for example he gave the immediate family member confidential information
about how she should charge for her services to win the contract).
Example 4: Fred Bennett, a professional accountant in business, sits on the investment committee of
company Q. The investment committee approves all significant investments the
company makes. If the investment committee approves a specific investment, it will
increase Fred’s personal investment portfolio value. This creates a threat to his object-
ivity, in other words, Fred votes to approve the investment, not because it is a good
investment for the company, but because it is a good investment for himself.

3. Addressing the threats


The following safeguards may be implemented by the professional accountant to counter the threats arising
from a conflict of interest situation:
• withdrawing from the decision-making or authorising processes relating to the matter giving rise to the
conflict (example 1, 3 and 4)
• restructuring and segregating specific responsibilities and duties
• disclosing the potential conflict of interest to all parties involved, including the possible consequences of
the professional accountant being conflicted (example 1, 2, 3 and 4)
2/14 Auditing Notes for South African Students

• obtaining appropriate oversight for the service he has provided, for example, acting under the super-
vision of an independent director (example 2 and 3), and
• consulting with third parties such as SAICA, legal counsel or other professional accountants on how to
resolve the conflict.
It may also be necessary to disclose the nature of conflicts of interest to interested parties and obtain
consent regarding the safeguards implemented. If such disclosure or consent is not in writing, the profes-
sional accountant is encouraged to document:
• the nature of the circumstances giving rise to the conflict of interest
• the safeguards applied to address the threats when applicable, and
• the consent obtained.

2.4.3.3 Preparation and reporting of information – section 220


1. Responsibility
1.1 Preparing and presenting information
Professional accountants at all levels in an employing organisation are involved in preparing or presenting
information both within and outside the organisation. Preparing or presenting information includes record-
ing, maintaining and approving information. Information can include financial and non-financial informa-
tion that might be made public or be used for internal purposes, including operating and performance
reports, decision support analyses, budgets and forecasts, the information provided to internal and external
auditors, risk analysis, general- and specific-purpose financial statements, tax returns and reports filed with
regulatory bodies for legal and compliance purposes.
When preparing and presenting information, the professional accountant shall prepare or present
information:
• following a relevant reporting framework (e.g. IFRS)
• in a manner that is intended neither to mislead nor to influence contractual or regulatory outcomes
inappropriately
• exercise professional judgement to:
– ensure that all facts are represented accurately and completely in all material respects
– describe clearly the true nature of business transactions or activities, and
– classify and record information in a timely and proper manner, and
• the professional accountant shall also not omit anything to render information misleading or influence
contractual or regulatory outcomes.
1.2 Use of discretion in preparing or presenting information
Preparing or presenting information might require the exercise of discretion in making professional
judgements. The professional accountant shall not exercise such discretion to mislead others or influence
contractual or regulatory outcomes inappropriately. Examples of ways in which discretion might be
misused to achieve inappropriate outcomes include:
Example 1: Determining estimates, for example, determining fair value estimates to misrepresent profit or
loss.
Example 2: Selecting or changing an accounting policy or method among two or more alternatives
permitted under the applicable financial reporting framework, such as selecting a policy for
accounting for long-term contracts to misrepresent profit or loss.
Example 3: Determining the timing of transactions, such as timing the sale of an asset near the end of the
fiscal year to mislead.
1.3 Relying on the work of others
A professional accountant who intends to rely on the work of others, either internal or external to the
employing organisation, shall exercise professional judgement to determine what steps to take, if any, to
fulfil the responsibilities when preparing and presenting information set out in 1.1 above.
Factors to consider in determining whether reliance on others is reasonable to include:
• the reputation, expertise and resources available to the other individual or organisation, and
• whether the other individual is subject to applicable professional and ethical standards.
Chapter 2: Professional conduct 2/15

2. Threats
Intimidation or self-interest threats to objectivity, integrity or professional competence are created when a
professional accountant is pressured by internal or external parties, or by the prospect of personal gain, to
prepare or report information in a misleading way or to become associated with misleading information
through the actions of others, for example, manipulating reported profits or knowingly benefiting from
reported profits manipulated by others to earn additional bonuses.

3. Addressing the threats


3.1 Self-interest threats can only be addressed by professional accountants in business putting preventative
measures in place to ensure that they cannot be accused of looking after their own interests. Of
course, addressing a self-interest threat requires a willingness on the part of the professional account-
ant to comply with the fundamental principles. The professional accountant shall be particularly alert
to threats to the principle of integrity, which requires the professional accountant to be straight-
forward and honest.
3.2 When the professional accountant knows or has reason to believe that the information with which the
accountant is associated is misleading, the professional accountant shall take appropriate actions to
seek to resolve the matter:
• Appropriate action might include consulting with superiors within the organisation, for example
the audit committee or a professional body, in order to reduce or eliminate the threat by:
– having the information corrected
– informing users and correcting information if already disclosed to them, and
– consulting the policies and procedures of the employing organisation (e.g. ethics or whistle-
blowing policy) regarding how to address such matters internally.
3.3 Where it is not possible to reduce the threat to an acceptable level, a professional accountant in
business shall refuse to be or remain associated with the information he deems to be misleading and
shall take steps to dissociate himself from such information, but without non-compliance with the fun-
damental principle of confidentiality (s 114 of the APA). The professional accountant might consider
consulting with:
• a relevant professional body
• the internal or external auditor of the employing organisation
• legal counsel
• determining whether any requirements exist to communicate to:
– third parties, including users of the information
– regulatory and oversight authorities, and
• if after exhausting all feasible options, the professional accountant shall refuse to be or to remain
associated with the information, in which case it might be appropriate to resign.

2.4.3.4 Acting with sufficient expertise – section 230


1. Responsibility
The professional accountant is responsible for undertaking only those tasks for which he has the necessary
training or expertise. If the professional accountant does not have the necessary expertise, he has a respon-
sibility to obtain it.

2. Threats
2.1 The primary threat in this situation is that the professional accountant may fail to comply with the
fundamental principle of professional competence and due care.
2.2 A self-interest threat to compliance with the principles of professional competence and due care might
be created if a professional accountant has:
• insufficient experience, education or training
• inadequate resources
• inadequate time available for performing the duties, and
• incomplete, restricted or inadequate information.
2/16 Auditing Notes for South African Students

2.3 Factors that are relevant in evaluating the level of the threat include:
• the extent to which the professional accountant is working with others
• the seniority of the individual in the business, and
• the level of supervision and review applied to the work.

3. Safeguards
The relevant safeguards may be the following:
• to obtain assistance or training from someone with the necessary expertise
• to ensure that there is sufficient time and the necessary resources to perform the task to the required
professional standard
• the professional accountant shall refuse to perform an assignment, should he/she not possess the
experience or expertise and should the above safeguards fail to reduce or eliminate the resultant threat
to the fundamental principle of professional competence and due care.

2.4.3.5 Financial interests, compensation and incentives linked to financial reporting and
decision-making – section 240
1. Responsibility
Where a professional accountant in business (or his immediate or close family member) has a financial
interest in the employing organisation, including those arising from compensation or incentive arrange-
ments, he must ensure that he complies with the fundamental principles. A professional accountant in busi-
ness shall neither manipulate information nor use confidential information for personal gain, as this will
amount to self-interest threats to his compliance with the fundamental principles of objectivity or confiden-
tiality.

2. Threats
Self-interest threats to objectivity or confidentiality and, at times, professional behaviour may be created.
Such threats may arise where the professional accountant or an immediate or close family member:
2.1 holds a direct or indirect financial interest in the employing organisation, and decisions made by the
professional accountant can directly influence the value of the interest
2.2 is eligible for a profit-related bonus, and the value of the bonus could be directly affected by decisions
made by the professional accountant
2.3 holds, directly or indirectly, deferred bonus share rights or share options in the employing organisa-
tion, the value of which might be affected by decisions made by the professional accountant
2.4 has a motive and opportunity to manipulate price-sensitive information in order to gain financially
2.5 the professional accountant participates in compensation arrangements that provide incentives to
achieve performance targets, the amount of which can be influenced by the decisions made by the
professional accountant.
Note that self-interest threats arising from compensation or incentive arrangements may be further
compounded by pressure from superiors or peers whose “bonuses” may be influenced by decisions
made by the professional accountant in business.
For example:
All management above a certain level at company P participate in a bonus scheme based on the net
profit before tax. Peter Pinarello, the chief financial officer and a professional accountant, makes
several decisions that can affect the reported net profit before tax. As Peter is on a management level
that will benefit from the “bonus” scheme, a self-interest threat is created. Pressure from other
management on Peter to make financial reporting decisions that will maximise net profit before tax
(and hence their bonuses) will intensify the self-interest threat and may amount to an intimidation
threat.

3. Evaluating the level of the threat


Whether safeguards need to be applied will depend upon the significance of the threat and may include
factors that are relevant in evaluating the level of such a threat, which include:
• The significance of the financial interest. What constitutes a significant financial interest will depend on
personal circumstances and the materiality of the financial interest to the individual.
Chapter 2: Professional conduct 2/17

• Implementing policies and procedures for a committee independent of management to determine the
level or form of senior management remuneration.
• Following any internal policies, disclosure to those charged with governance of:
– all relevant interests
– any plans to exercise entitlements or trade-in relevant shares, and
• Specific internal and external audit procedures to address issues that give rise to the financial interest.

2.4.3.6 Inducements including gifts and hospitality – section 250


Receiving and making offers
1. Responsibility
The professional accountant in business (or an immediate or close family member) may be offered a gift,
hospitality, preferential treatment, etc., in an attempt to unduly influence his actions or decisions, or
encourage him to act illegally or dishonestly, or to reveal confidential information. The professional
accountant has a responsibility to be alert to threats to his compliance with the fundamental principles and
not be influenced by the inducement.
A professional accountant in business should not induce or improperly influence the judgement or
behaviour of a third party. Pressure to do so may be placed on the professional accountant by internal
sources, for example, a superior, or from external sources, for example, a business associate who promises
a business deal in return for the professional accountant’s company paying for an overseas holiday for the
business associate.
The professional accountant must understand relevant laws and regulations and comply with them when
he encounters such circumstances.
A professional accountant shall not accept, or encourage others to accept, any inducement that he
concludes is made, or considers a reasonable and informed third party would be likely to conclude is made,
with the intent to improperly influence the behaviour of the recipient or another individual.

Inducement
• An object, situation or action
• used as means to influence another individual’s behaviour
• includes minor acts of hospitality
• acts that result in non-compliance with laws and regulations (NOCLAR)
• gifts
• hospitality
• entertainment
• political or charitable donations
• appeals to friendship and loyalty
• employment or other commercial opportunities, and
• preferential treatment, rights or privileges.

2. Threats
Accepting or making inducements may create self-interest, familiarity or intimidation threats to objectivity
integrity and professional behaviour.

3. Factors to consider when determining whether there is an actual or perceived intent to influence
behaviour
The determination of whether there is actual or perceived intent to influence behaviour requires the
exercise of professional judgement. Relevant factors to consider might include:
• the nature, frequency, value and cumulative effect of the inducement
• timing of when the inducement is offered relative to any action or decision that it might influence
• whether the inducement is a customary or cultural practice in the circumstances, for example, offering a
gift on the occasion of a religious holiday or wedding
2/18 Auditing Notes for South African Students

• whether the inducement is an ancillary part of professional service, for example, offering or accepting
lunch in connection with a business meeting
• whether the inducement offer is limited to an individual recipient or available to a broader group. The
broader group might be internal or external to the employing organisation, such as other customers or
vendors
• the roles and positions of the individuals offering or being offered the inducement
• whether the professional accountant knows, or has reason to believe, that accepting the inducement
would breach the policies and procedures of the counterparty’s employing organisation
• the degree of transparency with which the inducement is offered
• whether the inducement was required or requested by the recipient, and
• the known previous behaviour or reputation of the offeror.

4. Safeguards
To protect against these threats, the professional accountant in business should:
• immediately inform higher levels of management or those charged with governance if such an offer is
made
• amend or terminate the business relationship with the offeror
• decline or not offer the inducement
• transfer responsibility for any business-related decision involving the counterparty to a counterparty
who would not be improperly influenced in making the decision
• be transparent with senior management or those charged with governance of the employing organisa-
tion
• register the inducement in a log maintained by the employing organisation
• have an appropriate reviewer, who is not otherwise involved in undertaking the professional activity,
review any work performed or decisions made by the professional accountant
• donate the inducement to charity after receipt and appropriately disclose the donation, for example, to
those charged with governance or the individual who offered the inducement
• reimburse the cost of the inducement, such as hospitality received, and
• as soon as possible, return the inducement, such as a gift, after it was initially accepted.

Inducements with no intent to improperly influence behaviour


Inducements with no intent to improperly influence behaviour can still create threats to the fundamental
principles. Self-interest threats may be created where a vendor offers a professional accountant part-time
employment. Familiarity threats may be created if a professional accountant regularly takes a customer or
supplier to sporting events. Intimidation threats may be created if the professional accountant accepts
hospitality, the nature of which could be perceived to be inappropriate were it to be publicly disclosed.
If such an inducement is trivial and inconsequential, any threats created will be at an acceptable level.

2.4.3.7 Responding to non-compliance with laws and regulations (NOCLAR) – section 260
1. General
A professional accountant might encounter or be made aware of non-compliance or suspected non-com-
pliance in the course of carrying out professional activities. This section guides the professional accountant
in assessing the implications of the matter and the possible courses of action when responding to non-
compliance or suspected non-compliance with:
• laws and regulations generally recognised to have a direct effect on the determination of material
amounts and disclosures in the employing organisation’s financial statements and
• other laws and regulations that may be fundamental to the operational aspects of the employer’s
business or its ability to continue in business or avoid material penalties.
NOCLAR is –
• any act or omission
• intentional or unintentional
Chapter 2: Professional conduct 2/19

• committed by a client or an employer or those charged with governance, by management or other


individuals working for, or under the direction of a client or employer
• that is contrary to the prevailing laws or regulations, being:
– all laws and regulations which affect material amounts and disclosure in financial statements, and
– other laws and regulations that are fundamental to an entity’s business.
Examples of laws and regulations that could be transgressed for NOCLAR:
• fraud, corruption and bribery
• money-laundering, terrorist financing and proceeds of crime
• securities markets and trading
• banking and other financial products and services
• data protection
• tax and pension liabilities and payments
• environmental protection, and
• public health and safety.
Non-compliance might result in fines, litigation or other consequences for the employing organisation,
potentially affecting its financial statements. Notably, such non-compliance might have broader public
interest implications in terms of potentially substantial harm to investors, creditors, employees or the
general public (e.g. perpetration of a fraud resulting in significant financial losses to investors, and breaches
of environmental laws and regulations endangering the health or safety of employees or the public).

2. Requirements
Professional accountants must understand legal or regulatory provisions and how non-compliance with
laws and regulations should be addressed, should it exist in a jurisdiction. The requirements may include
reporting the matter to an appropriate authority or a prohibition on alerting the relevant party.
Professional accountants must always act in the public interest, and the objectives when responding to
non-compliance with laws and regulations are therefore to:
• comply with the fundamental principles of integrity and professional behaviour
• by alerting management or those charged with governance, to seek to:
– enable them to rectify, remediate or mitigate the consequences of the non-compliance, or
– prevent the non-compliance where it has not yet occurred, and
• to take further action as appropriate in the public interest.
Many employing organisations have policies and procedures that deal with the reporting of, amongst
others, non-compliance with laws and regulations. The professional accountant shall consider this in
deciding how to respond to non-compliance (e.g. an ethics policy or internal whistle-blowing mechanism).
Professional accountants in business shall comply with this section on a timely basis, having regard to
the nature of the matter and the potential harm to the interests of the employing organisation, investors,
creditors, employees or the general public.

3. Threats
A self-interest or intimidation threat to compliance with the principles of integrity and professional behav-
iour is created when a professional accountant becomes aware of non-compliance or suspected non-com-
pliance with laws and regulations.

4. Actions required by NOCLAR


The code distinguishes between the responsibilities of senior professional accountants and other
professional accountants.
Senior professional accountants in business – follow steps 1–5 below.
Other accountants in business, follow step 1 below and then inform an immediate superior or higher
level of authority if the immediate superior is involved. In exceptional circumstances, the professional
accountant may determine that disclosure of the matter to an appropriate authority is an appropriate course
of action. If the professional accountant does so according to step 4 below (paragraphs 260.20 A2 and A3),
2/20 Auditing Notes for South African Students

that disclosure is permitted according to the fundamental principle of confidentiality. The other profes-
sional accountant should also document the process as set out in step 5 below.
Senior professional accountants in business – namely directors, officers or senior employees able to
exert significant influence over and make decisions regarding the acquisition, deployment and control of
the employing organisation’s human, financial, technological, physical and intangible resources.

Step 1: Obtaining an understanding of the matter


1.1 The understanding shall include:
• the nature of the NOCLAR or suspected NOCLAR and the circumstances in which it occurred or
might occur
• laws and regulations relevant to the situation, and
• potential consequences of the non-compliance or suspected non-compliance.
1.2 The senior professional accountant is required to apply knowledge, professional judgement and expertise,
but is not expected to have a level of knowledge beyond what is required for the professional
accountant’s role in the employing organisation.
1.3 Consultation on a confidential basis with others in the employing organisation or professional body is
permitted, depending on the nature and significance of the matter.

Step 2: Addressing the matter


2.1 The senior professional accountant shall discuss the matter with his immediate superior, except if the
immediate superior appears to be involved, in which case the matter shall be discussed with the next
higher level of authority within the employing organisation.
2.2 The senior professional accountant should also take appropriate steps to:
• have the matter communicated to those charged with governance
• comply with applicable laws and regulations governing the reporting of NOCLAR
• rectify, remediate or mitigate the consequences of NOCLAR
• reduce the risk of re-occurrence, and
• seek to prevent the NOCLAR if it has not yet occurred.
2.3 The senior professional accountant shall also determine whether a disclosure to the employing organ-
isation’s auditor is necessary to enable the auditor to perform the audit.

Step 3: Determining whether further action is needed


3.1 The senior professional accountant shall, in determining whether further action is needed, assess the
appropriateness of the response of his superiors or, where appropriate, those charged with
governance.
3.2 Relevant factors to consider in assessing the appropriateness:
• the response is timely
• appropriate action has been taken or authorised to seek to rectify, remediate or mitigate the
consequences of the non-compliance, or to avert the non-compliance if it has not yet occurred; and
• the matter has been disclosed to an appropriate authority where appropriate and, if so, whether the
disclosure appears adequate.
3.3 In light of the response of the senior professional accountant’s superiors, if any, and those charged
with governance, the professional accountant shall determine if further action is needed in the public
interest. Consider:
• the legal and regulatory framework
• the urgency of the situation
• the pervasiveness of the matter throughout the employing organisation
• whether the senior professional accountant continues to have confidence in the integrity of the
professional accountant’s superiors and those charged with governance
• likelihood of recurrence, and
• evidence of substantial harm.
Chapter 2: Professional conduct 2/21

3.4 The senior professional accountant shall exercise professional judgement in determining the need for,
and nature and extent of, further action. In making this determination, the professional accountant shall
take into account whether a reasonable and informed third party would be likely to conclude that the
professional accountant has acted appropriately in the public interest by:
• informing the management of the parent company of the matter if the employing organisation is a
member of a group
• disclosing the matter to an appropriate legal body, and
• resigning from the employing organisation.

Step 4: Determining whether to disclose the matter to an appropriate authority


4.1 Disclosure to an appropriate authority would be precluded if doing so would be contrary to law or
regulation.
4.2 In deciding whether or not to make a disclosure, the senior professional accountant shall consider the
actual or potential harm that is or may be caused by the matter to investors, creditors, employees or
the general public. The decision will also be influenced by:
• the entity being engaged in bribery (e.g. of local or foreign government officials for purposes of
securing large contracts)
• the entity being regulated, and the matter being of such significance as to threaten its licence to
operate
• the entity being listed on a securities exchange, and the matter might result in adverse
consequences to the fair and orderly market in the employing organisation’s securities or pose a
systemic risk to the financial markets
• the entity selling harmful products, and
• the entity promoting a scheme to its clients to assist them in evading taxes.
Furthermore, the decision will also be influenced by external factors such as:
• whether there is an appropriate authority able to receive and deal with the information
• whether robust and credible protection exists from civil, criminal or professional liability or retalia-
tion, and
• whether there are threats to the physical safety of any person.
4.3 If the senior professional accountant determines that disclosure of the matter to an appropriate
authority is an appropriate course of action in the circumstances, that disclosure is permitted accord-
ing to paragraph R114.1(d) (confidentiality) of the code.

Step 5: Documentation
The senior professional accountant is encouraged to have the following documented:
• the matter
• the results of discussions with superiors, those charged with governance and other parties
• how the above parties have responded to the matter
• the courses of action considered, the judgements and the decisions made, and
• how the senior professional accountant is satisfied that all his responsibilities have been fulfilled.

2.4.3.8 Pressure to breach the fundamental principles – section 270


1. Responsibility
A professional accountant shall not allow pressure from others which cause him to breach the fundamental
principles, or place pressure on others that would result in the other individual breaching the fundamental
principles. Examples of pressure that might result in threats to compliance with the fundamental principles
include:
• pressure related to conflicts of interest (s 210) – pressure from a family member who is bidding to be a
vendor to select the family member over another prospective vendor
• pressure to influence the preparation or presentation of financial statements (s 220) – pressure to
suppress internal audit reports containing adverse findings
2/22 Auditing Notes for South African Students

• pressure to act without sufficient expertise or due care (s 230) – pressure from superiors to inappro-
priately reduce the extent of work performed
• pressure related to financial interests (s 240) – pressure from those who might benefit from participation
in an incentive scheme to manipulate performance indicators
• pressure related to inducements (s 250) – pressure to accept a bribe
• pressure related to non-compliance with laws and regulations (s 260) – pressure to structure a trans-
action to evade tax.

2. Threats
A professional accountant might face pressure that creates threats (such as intimidation) to compliance
with the fundamental principles when undertaking a professional activity. Pressure might be explicit or
implicit and might come from:
• within the employing organisation, for example, from a colleague or superior
• an external individual or organisation such as a vendor, customer or lender, and
• internal or external targets and expectations.

3. Evaluating the level of the threat


Whether safeguards need to be applied will depend upon the significance of the threat. Factors that are
relevant in evaluating the level of such a threat include:
• the intent of the individual who is exerting the pressure and the nature and extent of the pressure
• the application of laws, regulations, and professional standards to the circumstances
• the culture and leadership of the employing organisation, including the extent to which they reflect or
emphasise the importance of ethical behaviour, for example, a corporate culture that tolerates unethical
behaviour might increase the likelihood that the pressure would result in a threat to compliance with the
fundamental principles, and
• policies and procedures that the employing organisation has established, such as ethics or human
resources policies that address pressure.

4. Safeguards
Discussions with the following parties may enable the professional accountant to evaluate the level of the
threat:
• the individual who is exerting the pressure – an attempt to resolve it
• the accountant’s superior (not the individual exerting the pressure)
• higher levels of management
• internal or external auditors
• those charged with governance
• disclosing the matter in line with policies, and
• consulting with:
– a colleague, human resources personnel, or another professional accountant
– relevant professional body (e.g. SAICA), and
– legal counsel.
• The professional accountant is encouraged to document the facts, the communications and parties with
whom the matter was discussed, the courses of action considered and how the matter was addressed.

2.4.4 Part 3 – Professional accountants in public practice


2.4.4.1 Introduction – section 300
1. This part of the code applies to all professional accountants in public practice, whether they provide
assurance services or not. The term “professional accountant” also refers to the individual accountant in
public practice and his firm. Professional accountants in public practice are obliged, as explained earlier,
to identify and react to any circumstances or situations which may threaten their compliance with the
fundamental principles on which the profession is built.
Chapter 2: Professional conduct 2/23

It is important to note that threats may vary depending on the service the professional accountant is
providing. The services the professional accountant in public practice offers can be categorised as:
• assurance engagements – an engagement where the professional accountant expresses an opinion or a
conclusion which is intended to enhance the degree of confidence of a user of the information on
which the opinion or conclusion has been expressed, for example, an audit or review of financial
statements, or
• non-assurance engagements – an engagement where the professional accountant does not express an
opinion or draw a conclusion on information, for example, agreed-upon procedure engagements or
compilation engagements.
Threats to the fundamental principles may be more significant for assurance engagements than for non-
assurance engagements, particularly in the case of threats to objectivity.
Suppose an opinion on the fair presentation of Atco (Pty) Ltd’s financial statements is given by a
professional accountant who is not truly independent of Atco (Pty) Ltd.
For example:
If he owns shares in Atco (Pty) Ltd, the credibility of the opinion will be questionable. Holding shares
in an audit client is an unacceptable threat to the professional accountant’s objectivity. If, however, Atco
(Pty) Ltd was not an audit client and the professional accountant was asked to compile some financial
information for the company, his shareholding would not present a significant risk to his objectivity.
This does not mean that threats arising on non-assurance engagements can be ignored. Objectivity is
only one of the five fundamental principles and while there may be no specific threat to objectivity in a
non-assurance engagement, other principles such as a threat to the principle of confidentiality, may be
considerable in a non-assurance engagement, for example, when the professional accountant is advising
a client on a highly sensitive merger transaction.
2. The charts on the following three pages are designed to assist you in understanding the conceptual
framework approach. The examples given are nowhere near exhaustive.

3. Evaluating threats
Professional accountants need to evaluate whether the above threats are at an acceptable level. Conditions,
policies and procedures might impact this evaluation and might relate to:
• The client and its operating environment
Nature of client engagement:
– an audit client and whether the audit client is a public interest entity
– an assurance client that is not an audit client, or
– a non-assurance client.
As an example, providing a non-assurance service to an audit client that is a public interest entity may
result in a higher level of threat to compliance with the fundamental principle of objectivity.
Corporate governance structure promoting compliance with fundamental principles.
For example:
– the client requires appropriate individuals other than management to ratify or approve the appoint-
ment of a firm to perform an engagement
– the client has competent employees with experience and seniority to make managerial decisions
– the client has implemented internal procedures that facilitate objective choices in tendering non-
assurance engagements, or
– the client has a corporate governance structure that provides appropriate oversight and communica-
tions regarding the firm’s services.
• The firm and its operating environment indicate
– firm leadership that stresses the importance of compliance with the fundamental principles (e.g. to
act with integrity and professionally)
– the expectation that members of an assurance team will act in the public interest
– policies and procedures to implement and monitor quality control of engagements, including policies
and the monitoring thereof concerning independence and compliance with the fundamental prin-
ciples
– compensation, performance appraisal and disciplinary policies and procedures that promote com-
pliance with the fundamental principles
2/24 Auditing Notes for South African Students

– management of the reliance on revenue received from a single client


– engagement partner having authority within the firm for decisions concerning compliance with the
fundamental principles
– educational, training and experience requirements, and
– processes to facilitate and address internal and external concerns or complaints.
• New information or changes in facts and circumstances may change the level of the threat or conclu-
sions about whether safeguards continue to address the threats.
• Examples of changes include:
– the expansion of the scope of a professional service
– the merger or listing of the client
– when the professional accountant is jointly engaged by two clients and a dispute emerges between the
two clients, and
– when there is a change in the professional accountant’s personal or immediate family relationships.
4. Addressing threats
The following are examples of engagement-specific safeguards that might be actions to address the threats:
• allocating additional time and qualified personnel to required tasks when an engagement has been
accepted might address a self-interest threat
• having an appropriate reviewer who was not a member of the team review the work performed or
advise as necessary might address a self-review threat
• using different partners and engagement teams with separate reporting lines for the provision of non-
assurance services to an assurance client might address self-review, advocacy or familiarity threats
• involving another firm to perform or re-perform part of the engagement might address self-interest, self-
review, advocacy, familiarity or intimidation threats
• disclosing to clients any referral fees or commission arrangements received for recommending services
or products might address a self-interest threat
• separating teams when dealing with matters of a confidential nature might address a self-interest threat.

Examples of circumstances that may create threats to professional accountants and some possible safe-
guards
Neither the threats nor the safeguards are exhaustive. The intention is to illustrate the application of the
conceptual framework.
Fundamental principle
Threat Example Safeguard
threatened
Self-interest 1. Walter Wiseman, an 1. Objectivity, Integrity, 1. • A policy within the audit
audit partner, owns 15% Professional Behaviour firm which prohibits partners
of Buttco (Pty) Ltd, an (Walter may overlook issues and employees from holding
audit client. that arise shares in an assurance client.
on audit, to protect his (Walter should dispose of his
investment.) investment.)
• A procedure for monitoring
this prohibition and a
disciplinary follow up for
transgressors.
2. Joe Zulu, an audit 2. Integrity, Objectivity, 2. • Removal of Joe from the
manager, has been Professional Behaviour audit engagement team.
offered a highly paid job (Joe may overlook issues • Having the key audit work
at his audit clients. that arise on audit so as not performed by Joe reviewed
to jeopardise the job offer.) by a professional accountant
independent of the
engagement.
• Notifying the company’s
audit committee of the
situation and the safeguards
put in place.
continued
Chapter 2: Professional conduct 2/25

Fundamental principle
Threat Example Safeguard
threatened
3. Fred Fasset could make 3. Integrity, Confidentiality, 3. • Ongoing education for
a great deal of money by Objectivity and Professional employees regarding ethical
getting his wife to Behaviour. (Fred would be issues, compliance with
purchase shares in a contravening the Insider legislation, etc., specifically
listed company where he Trading Act, acting relating to listed companies.
is in charge of the audit dishonestly and making use • Instant dismissal of a firm
before the annual of confidential information. employee (in this case Fred
financial statements are If his wife purchases shares, Fasset) for this kind of
released. Fred’s objectivity would breach of the fundamental
also be compromised.) principles and a policy that
requires that transgressors of
the Insider Trading Act be
reported to the relevant
authorities.
Self-review 1. Harris Ford, a partner in 1. Objectivity (Harris may be 1. • Notifying the third party of
an auditing firm has tempted to omit valid the extent of Harris and his
been asked by a third criticisms of the system as engagement team’s involve-
party to provide a report he designed it ment in the system design
on a (non-audit) client’s – he is reporting on his and implementation before
computerised sales own work.) accepting the engagement.
system, which he and
his team had recently
designed and
implemented.
2. Hopgood & Co write up 2. Objectivity (The audit firm 2. In effect, the Companies Act
the accounting records is not independent as it 2008 provides the safeguard.
of Tuis (Pty) Ltd and will be giving an opinion on • In terms of s 90, an individ-
have been approached to financial statements it ual (or firm) may not be
perform the annual prepared from accounting appointed as auditor if he (or
audit. records it compiled.) his partner or employees)
regularly performs the duties
of accountant or bookkeeper
of that company.
3. Clarence Kleynhans, 3. Objectivity, Integrity and 3. • A firm policy that prohibits
who was for some years Professional Competence newly appointed employees
the financial manager of (As Clarence would be in such as Clarence (coming
Kambo (Pty) Ltd, charge of the audit of from a client) from being
recently resigned to go financial information, some part of the audit team until,
back into the profession. of which he would have say, two years have lapsed.
He was employed by the been directly responsible for, • Appointing him to the
audit firm that holds the he cannot be regarded as engagement team (to make
appointment of auditor independent. His integrity use of his knowledge), but
of Kambo (Pty) Ltd and may also be threatened, as not as the manager.
because of his know- there could be issues in • Comprehensive reviews of
ledge of the company, it which he was involved as the work he carries out if he
has been suggested that the financial manager, but does work on the audit.
he be placed in charge of which he does not want to
• Notifying those charged with
the audit. be subject to audit. It is also
governance of the situation
possible that he lacks the
before placing him on the
professional competence
team.
to manage an engagement
of this nature.) Note: As the auditor should be
independent and seen to be inde-
pendent, the best safeguard would
be to keep Clarence off the team.
continued
2/26 Auditing Notes for South African Students

Fundamental principle
Threat Example Safeguard
threatened
Advocacy 1. Dandy Ncobo, a partner 1. Objectivity (Dandy may 1. • A firm policy which requires
(this category in an audit firm, has over-promote or over-state that a partner independent
of threat is far been requested to the worth of his client to get of the client (Hi-Shine (Pty)
less common negotiate the sale of a better price, Ltd), handle the sale
than the Hi-Shine (Pty) Ltd, to the extent that he is negotiation.
others) an audit client. perceived as not being • A firm policy that limits the
objective in his approach non-assurance services
to the negotiations.) offered to assurance clients
to only those with a minimal
threat of non-compliance
with the fundamental
principles.
Familiarity 1. The financial director 1. Objectivity and professional 1. • A firm policy that forbids the
of Travel Bug Ltd has competence and due care. acceptance of gifts and
offered to take the whole (This type of situation hospitality which are any-
audit team on an changes the professional thing other than clearly
all-expenses paid relationship between the insignificant.
weekend to an exclusive audit team from “profes- • A strict disciplinary action
game lodge. He has sional” to “familiar”. In for any transgressions by
stated that this will return, the financial director staff members who do not
become a yearly event may expect “favours” from adhere to this policy.
if the audit deadline the audit team. The promise
is met. of future trips if the deadline
is met may threaten the
objectivity, adherence to
standards and due care of
future audit teams who may
be tempted to “overlook”
audit problems to ensure the
deadline is met.)
2. Marie Lopes, the audit 2. Objectivity (Marie will 2. • Removal of Marie from the
manager on the audit of shortly have an immediate audit.
Topaz Ltd will shortly family member (spouse) • Policies and procedures
marry Bill Brown the who can exert direct and within the firm which
financial director of significant influence over monitor specifically the
Topaz Ltd. the information she will be independence of the firm’s
auditing. Her independence employees so that situations
is compromised.) such as this are identified
and can be addressed.
Intimidation 1. The financial director of 1. Objectivity, professional 1. • A review of the work carried
Rubdub Ltd has competence and due care out on the audit by a partner
informed Rex Randolf, and integrity. (To retain the independent of the client.
the engagement partner audit, Rex may compromise • Quality control procedures
on the audit of Rubdub on standards, for example, within the firm that review
Ltd, that unless the audit do insufficient audit work, the desirability of continuing
fee is reduced by 30%, and fail to follow up professional relationships
his firm will be removed problems which he is fully with the firm’s clients.
from the appointment of aware should be followed up • Raising the matter with the
an auditor. so as not to audit committee and/or
go “over budget” on the other governance structures.
reduced fee.)
continued
Chapter 2: Professional conduct 2/27

Fundamental principle
Threat Example Safeguard
threatened
2. The financial director 2. Objectivity, professional 2. • Appointing an engagement
of ProTech (Pty) Ltd is competence and due care. team that consists of
very aggressive, (The financial director’s experienced, strong-willed
domineering and attitude may compromise individuals who will behave
dismissive of the audit the audit team’s professionally under
function and audit team. professional judgement. pressure.
They may be “bullied” • Quality procedures within
into ignoring problems on the firm which review the
the audit out of fear of the desirability of continuing
financial director.) professional relationships
with the firm’s clients.
• Discussion of the situation
with the client’s governance
structure.
• Discussion of the situation
with the audit committee.

2.4.4.2 Conflicts of interest – section 310


1. Responsibility
A professional accountant in public practice may face a conflict of interest when performing virtually any
professional service, including audits, reviews, taxation services, or advisory services including corporate
finance, forensic and information technology. A professional accountant cannot allow a conflict of interest
to compromise his professional or business judgement.

2. Threats
2.1 Conflicts of interest create a threat to the professional accountant’s objectivity and may also give rise
to threats to the other fundamental principles, particularly confidentiality. Such threats may arise
when:
Type 1: the professional accountant provides a professional service related to a particular matter for
two or more clients whose interest in respect to that matter are in conflict, or
Type 2: the interests of the professional accountant concerning a particular matter and the client’s
interests for whom the professional accountant provides a professional service related to
that matter are in conflict.
Examples:
• Advising client A and client B at the same time where client A and client B are competing to
acquire Company C (Type 1).
• Client X wants to acquire Company Z, and engages professional accountant Y to advise on the
acquisition. Company Z is an audit client of professional accountant Y. A conflict of interest arises
if professional accountant Y has obtained confidential information from the audit of Company Z,
which may be relevant to the acquisition (Type 1).
• P and Q are partners but wish to dissolve the partnership due to an ethical disagreement. Both
partners have engaged professional accountant R to advise them on the financial aspects of the
dissolution (Type 1).
• Company S pays royalties to Company T. Professional accountant V provides Company T with
an assurance report on the “fair presentation” of the amount of royalties due while at the same
time performing the royalties payable calculation on behalf of Company S (Type 1).
• Professional accountant O advises Company Q to invest in Company R, a company in which
professional accountant O’s wife has a financial interest (Type 2).
• Professional accountant F advises a client to purchase and install an expensive suite of financial
reporting software. The local agent for the installation and maintenance of the software is a com-
pany in which professional accountant F’s son is the majority shareholder and managing director
(Type 2).
2/28 Auditing Notes for South African Students

2.2 Generally when there is a potential conflict of interest, there will be a confidentiality threat as well.
The professional accountant will need to be mindful of precisely what information can be divulged to
each of the parties involved.

3. Conflict identification
A professional accountant in public practice must identify potential conflicts of interest, including potential
conflicts because of a network firm, before accepting a new client. Such steps shall include identifying:
• the nature of the relevant interests and relationships between the parties involved
• the service and its implication for relevant parties.
An effective process to identify actual or potential conflicts of interest will take into account factors such as:
• the nature of the professional services provided
• the size of the firm
• the size and nature of the client base, and
• the structure of the firm, for example, the number and geographic location of offices.
The professional accountant should also remain alert for changes in circumstances that may create conflicts
of interest. Refer to section 320, professional appointments, for more information on client acceptance.

4. Evaluating threats
The professional accountant in public practice should evaluate the level of the threat caused by conflicts of
interest. Factors that are relevant in evaluating the level of the threat include:
• the existence of separate practice areas for speciality functions within the firm, which might act as a
barrier to the passing of confidential client information between practice areas
• policies and procedures to limit access to client files
• confidentiality agreements signed by personnel and partners of the firm
• separation of confidential information physically and electronically
• specific and dedicated training and communication.

5. Safeguards
5.1 Having separate engagement teams who are provided with clear policies and procedures on main-
taining confidentiality.
5.2 Having an appropriate reviewer, who is not involved in providing the service or otherwise affected by
the conflict, review the work performed to assess whether the key judgements and conclusions are
appropriate.
5.3 Disclosing to all parties involved in the “conflict” situation that there is a conflict of interest and
explaining the threats which arise therefrom. If any safeguards have been or will be put in place, for
example see 5.2 above, these should also be disclosed and explained. The parties should acknowledge
their understanding and acceptance of the situation. (If the parties do not accept, the professional
accountant will have to decline or resign from the service leading to the conflict of interest.) All of the
above should be documented (it should not be verbal, and acceptance should not simply be implied).
5.4 The professional accountant should discontinue an engagement or not accept the engagement should
explicit consent be sought and not be granted by a client.
5.5 Specific disclosures in order to obtain explicit consent may result in a breach of confidentiality. The
firm shall generally not accept or continue with an engagement under these circumstances unless:
• the firm does not act in an advocacy role for one client against another client in the same matter
• specific measures are in place to prevent disclosure of confidential information between engage-
ment teams, and
• the firm applies the reasonable and informed third-party test and concludes that it is appropriate to
accept or continue the engagement.
Chapter 2: Professional conduct 2/29

2.4.4.3 Professional appointment – section 320


Client and engagement acceptance
1. Responsibility
Before accepting a client, accepting a specific engagement, or replacing another professional accountant in
public practice, a professional accountant in public practice should consider any circumstances that may
create threats to compliance with the fundamental principles. The level of the threats should be evaluated
and actions taken to address the threats.

2. Threats
2.1 The two fundamental principles most at threat are integrity and professional behaviour. These would
be threatened if, for example, the client’s management condoned unethical (dishonest) business
practices, such as being involved in a business sector that may have a reputation for questionable
business practices like second-hand car parts, or being socially or morally questionable. This may
include companies that have no regard for environmental damage or that exploit their workforce.
2.2 Having accepted the client, a self-interest threat to professional competence and due care is created if
the engagement team does not possess, or cannot acquire, the competencies necessary to perform the
engagement.

3. Evaluating threats
3.1 The professional accountant in public practice should evaluate the threat level caused by the client’s
acceptance. Factors that are relevant in evaluating the level of the threat include:
• pre-engagement activities, including obtaining knowledge and understanding of the client, its
owners, management and those charged with governance and business activities
• the client’s commitment to addressing the questionable issues, such as improving corporate
governance practices or internal controls.
3.2 Factors that are relevant in evaluating the level of the threat caused by engagement acceptance (there-
fore after accepting the client) include:
• obtaining an appropriate understanding of the:
– nature of the client’s business
– complexity of its operations
– requirements of the engagement, and
– purpose, nature and scope of the work to be performed.
• knowledge of relevant industries or subject matter
• experience with relevant regulatory or reporting requirements, and
• the existence of quality control policies and procedures when accepting the engagement.

4. Safeguards
Safeguards that may be implemented include:
• assigning sufficient staff with the necessary competencies
• using experts where necessary (it should first be determined whether reliance is warranted)
• agreeing on a realistic timeframe for the performance of the engagement.

Changes in professional appointment


1. Responsibility
A professional accountant who is asked to replace another professional accountant in public practice (the
existing accountant), or who is considering tendering for an engagement currently held by another profes-
sional accountant, or considers providing complementary work, must determine whether there are any
reasons, professional or otherwise, for not accepting the engagement. This will include any threats to com-
pliance with the fundamental principles.
2/30 Auditing Notes for South African Students

2. Threats
2.1 The threat to the proposed accountant is in essence the same as the threats posed by taking on a new
client/accepting a new engagement. There may be threats to the proposed accountant’s compliance
with the fundamental principles of professional competence and due care, professional behaviour and
integrity. For example, there may be a threat to professional competence if the professional account-
ant does not know all the relevant facts about the proposed client.
2.2 The threat to the existing accountant is that he fails to comply with the fundamental principle of
confidentiality (e.g. by divulging confidential information to the proposed accountant without client
permission) and professional behaviour (by bringing discredit to the profession by, for example,
criticising either the client he is losing or the proposed accountant). There is also a potential threat to
integrity. The existing accountant must be honest and truthful in his dealings with the proposed
accountant. The threat is genuine if the existing accountant is angry/upset about being replaced.

3. Safeguards
3.1 In addition, the proposed accountant should effect the following safeguards:
• discussions with the current professional accountant to evaluate the significance of any threats and
also identify suitable safeguards, and
• obtaining information from other sources such as through inquiries of third parties or background
investigations regarding senior management or those charged with governance of the client.
As mentioned above, the fundamental principle of confidentiality should still be honoured. The
incoming (proposed) accountant will usually need the client’s permission, preferably in writing, to
initiate discussions with the existing or predecessor accountant.
If unable to communicate with the existing or predecessor accountant, the proposed accountant shall
take other reasonable steps to obtain information about any possible threats. This means including
enquiries from third parties and performing background checks on the proposed client.
Suppose the proposed client refuses or fails to give permission for the proposed accountant to
communicate with the existing or predecessor accountant. In that case, the proposed accountant shall
decline the appointment unless there are exceptional circumstances of which the proposed accountant
has complete knowledge, and has verified all relevant facts by some other means.
3.2 The existing accountant should address the threats facing the firm by implementing the following
safeguards:
• obtaining the client’s permission to discuss the client’s affairs with the proposed accountant and
defining the boundaries of what may be discussed (in writing)
• complying with relevant laws and regulations governing the request, and
• providing the proposed accountant with information honestly and unambiguously.

2.4.4.4 Second opinions – section 321


1. Responsibility
A professional accountant may be faced with a situation where he is asked to provide a second opinion on
some aspect of work carried out for an entity that is not an existing client. In this instance, the professional
accountant has ethical responsibilities to himself and the other party (existing accountant).

2. Threats
2.1 This situation could give rise to a self-interest threat that the professional accountant will fail to
comply with the fundamental principle of professional competence and due care if he is not provided
with the same set of facts or evidence provided to the existing accountant.
For example:
The matter on which a second opinion is sought is how a complex transaction that is subject to
various conditions should be treated in the financial statements. The professional accountant from
whom the second opinion has been sought gives his opinion without being aware of the full extent of
the various conditions. His opinion is then discredited, and he appears incompetent.
2.2 Another threat that arises is that the second opinion may appear to be a criticism of the provider of
the first opinion if it differs from the first opinion. This is a threat to compliance with the principle of
professional behaviour.
Chapter 2: Professional conduct 2/31

3. Safeguards
3.1 Describing the limitations surrounding any opinion in communications with the client.
3.2 Obtaining the client’s permission to contact the provider of the first opinion to discuss the matter. (If
this permission is not given, the professional accountant should consider very carefully whether it is
appropriate to provide a second opinion.)
3.3 Providing the existing or predecessor accountant with a copy of the opinion.

2.4.4.5 Fees and other types of remuneration – section 330


Level of fees
1. Responsibility
The professional accountant is entitled to be remunerated fairly but must charge appropriate fees, for
example, not over-charge or under-charge.

2. Threats
In an attempt to secure the engagement, a professional accountant may quote a fee that is so low that it will
be challenging to perform the engagement according to applicable standards. This is potentially a self-
interest threat to compliance with the fundamental principle of professional competence and due care, and
to a lesser extent, integrity (this is not an honest practice) and objectivity (the low fee may adversely
influence the nature and extent of tests performed).

3. Evaluating threats
Factors that are relevant in evaluating the level of the threat include:
• whether the client is aware of the terms of the engagement and, in particular, the basis on which fees are
charged and the services to which fees relate, and
• whether the fee level is set by an independent third party such as a regulatory body.

4. Safeguards
Examples of actions that might be safeguards to evaluate the threat include:
• adjusting the level of the fee or the scope of the engagement, and
• having an appropriate reviewer review the work performed.

Contingent fees
1. Responsibility
Contingent fees (fees calculated on a predetermined basis relating to the outcome of the work performed or
as a result of a transaction that arises from the service) are acceptable for a wide range of non-assurance
engagements. The professional accountant may charge such fees per business norms. (Contingent fees for
assurance engagements are not permitted.)
A professional accountant shall not charge contingent fees to prepare an original or amended tax return,
as these services are regarded as creating self-interest threats to objectivity that cannot be eliminated.
Safeguards are not capable of reducing the threat to an acceptable level.

2. Threats
The charging of contingent fees may give rise to a self-interest threat to objectivity. The professional
accountant becomes more interested in the fee that could be earned than the quality of the service offered.

3. Evaluating threats
Factors that are relevant in evaluating the level of the threat may depend on:
• the nature of the engagement
• the range of possible fee amounts
• the basis for determining the fee
• disclosure to intended users of the work performed by the professional accountant and the basis of
remuneration
2/32 Auditing Notes for South African Students

• quality control policies and procedures


• whether the outcome of the transaction is to be reviewed by an independent third party, and
• whether the fee level is set by an independent third party, such as a regulatory body.
4. Safeguards
4.1 Obtaining a written agreement with the client as to the basis and detail of fees to be charged in
advance.
4.2 A review by an independent third party (committee) of the work performed by the professional
accountant to counter any claims that the professional accountant was only interested in maximising
the fee.

Referral fees/commissions
1. Responsibility
A professional accountant may receive or pay a fair referral fee or commission, but must ensure that the
payment of such fees or commission does not compromise the fundamental principles.

2. Threats
The threats that may arise are compliance with the principles of objectivity, professional competence and
due care and integrity.
Example 1: The firm of Jones and Jones does not offer information technology (IT) services. Any requests
they receive for IT services are referred to other firms and Jones and Jones receives a referral
fee. These fees vary from firm to firm. The threat is that Jones and Jones will refer the client
to the firm that pays the highest referral fee but which may not necessarily be the most
suitable for the particular assignment.
Example 2: Jones and Jones receive a 15% commission for any office equipment which OfficeMan (Pty)
Ltd sells to clients of Jones and Jones, who have been referred to the company by Jones and
Jones. Again, Jones and Jones are interested in the transaction and may be referring clients to
OfficeMan (Pty) Ltd because of the commission and not because of the suitability of
OfficeMan (Pty) Ltd’s products.

3. Safeguards
3.1 Disclosure to the client of any arrangements to pay or receive a referral fee or commission and the
details thereof. These disclosures should be made in advance of the transaction taking place and should be
in writing.
3.2 Obtaining prior agreement, in writing, from the client for commission arrangements in connection
with the sale by a third party of goods or services to the client.

2.4.4.6 Inducements, gifts and hospitality – section 340


1. Responsibility
A professional accountant shall not offer or accept, or encourage others to offer, any inducement that is
made, or which the professional accountant considers a reasonable and informed third party would be
likely to conclude is made, with the intent to improperly influence the behaviour of the recipient or another
individual.
Refer to section 250 for the definition of an inducement. The factors in section 250 have to be considered
to determine the actual or perceived intent behind the inducement.

2. Threats
Offering or accepting inducements might create a self-interest, familiarity or intimidation threat to com-
pliance with the fundamental principles, particularly the principles of integrity, objectivity and professional
behaviour.
Examples of circumstances where offering or accepting such an inducement might create threats even if
the professional accountant has concluded there is no actual or perceived intent to improperly influence
behaviour include:
• Self-interest threats
– A professional accountant is offered hospitality from the prospective acquirer of a client while providing
corporate finance services to the client.
Chapter 2: Professional conduct 2/33

• Familiarity threats
– A professional accountant regularly takes an existing or prospective client to sporting events.
• Intimidation threats
– A professional accountant accepts hospitality from a client, the nature of which could be perceived to
be inappropriate were it to be publicly disclosed.

3. Safeguards
Refer to section 250 for examples of actions that might be safeguards to address such threats created by
offering or accepting such an inducement.

2.4.4.7 Custody of client assets – section 350


1. Responsibility
1.1 A professional accountant may not take custody of a client’s assets (money or other) unless permitted
to do so by law (e.g. Financial Intelligence Centre Act 38 of 2001 (FICA)). If the asset source is
unknown, appropriate enquiries should be made about the source of such assets. Inquiries about the
source of client assets might reveal, for example, that the assets were derived from illegal activities,
such as money-laundering. The professional accountant shall not accept or hold the assets in such
circumstances, and section 360 would apply.
1.2 Before taking custody
As part of client and engagement acceptance procedures related to assuming custody of client money
or assets, a professional accountant shall:
• make inquiries about the source of the assets
• consider related legal and regulatory obligations.
1.3 After taking custody
A professional accountant entrusted with money or other assets shall:
• keep client assets separate from personal or firm assets
• use such assets only for the purpose for which they were intended
• at all times, be prepared to account to any person who is entitled to such accounting for those
assets, and any income, dividends or gains generated, and
• comply with all relevant laws and regulations relevant to the holding or accounting of those assets.
1.4 A professional accountant shall not accept custody of an audit or assurance client’s assets unless the
threat to independence can be eliminated or reduced to an acceptable level.

2. Threats
2.1 The custody of a client’s assets may threaten compliance with the fundamental principles of profes-
sional behaviour and objectivity.
Example: Ronnie Rings, a professional accountant, has been given sole authority to operate the
bank accounts of Marjory Manoj, a wealthy client who is on an extended visit overseas.
She has requested that Ronnie pay her taxes, rates, electricity accounts, etc., as they fall
due. The threat is that Ronnie may use his client’s funds to enrich himself (self-interest),
for example, make speculative deals from which he benefits using Marjory’s money.
2.2 A further threat is that a client may be trying to launder illegal money through the firm. This presents
a threat to compliance with the law (professional behaviour) and allegations of the professional
accountant being involved in dishonest practice (integrity).
2.3 The professional accountant may be accused of misuse of client assets.

3. Safeguards
3.1 Safeguards for all client monies which the professional accountant controls or is liable to account for
are the following:
• do not refer to such client monies as being “in trust” or in a “trust account” as this could be mis-
leading
2/34 Auditing Notes for South African Students


maintain one or more bank accounts with an institution or institutions registered in terms of the
Banks Act, 1990 (Act 94 of 1990), that are separate from the professional accountant’s bank
account
• the accounts have to be appropriately named to distinguish them from the firm’s normal business
accounts or a specific account named and operated per a relevant client (such as ABC’s client
account)
• deposit client monies without delay to the credit of such client account
• maintain such records as may reasonably be expected to ensure that the client monies can be
readily identified as being the property of the client, for example, detailed bookkeeping and being
able to supply the client with an analysis of the account/s
• perform a reconciliation between the designated bank account and the client monies ledger
account/s, and
• do not hold client monies indefinitely unless explicitly allowed by laws and regulations. Profes-
sional accountants are encouraged to hold client monies for a limited period, depending on the
professional service provided.
3.2 The professional accountant is entrusted with client assets other than client monies:
• do not refer to such client assets as being held “in trust” or in a “trust account” as this could be
misleading
• maintain such records as may be reasonably expected to ensure that the client assets can readily be
identified as being the property of the client, and
• for documents of title, the professional accountant should arrange to safeguard the documents
against unauthorised use.
3.3 A professional accountant shall apply appropriate measures to protect the client assets:
• use an umbrella account with sub-accounts for each client
• open a separate bank account and provide the professional accountant with appropriate power of
attorney or signatory rights over the account
• consider whether the firm’s indemnity and fidelity insurance is sufficient to cover incidents of
fraud or theft, and
• where a formal engagement letter is entered into covering the professional service involving
custody of client assets, the engagement letter shall address the risks and responsibilities relating to
such client assets.

2.4.4.8 Responding to non-compliance with laws and regulations (NOCLAR) – section 360
1. General
A professional accountant might encounter or be made aware of non-compliance or suspected non-com-
pliance in the course of carrying out professional activities. This section guides the professional accountant
in assessing the implications of the matter and the possible courses of action when responding to non-
compliance or suspected non-compliance with:
• laws and regulations generally recognised to have a direct effect on the determination of material
amounts and disclosures in the employing organisation’s financial statements, and
• other laws and regulations that may be fundamental to the operational aspects of the employer’s
business or its ability to continue in business or to avoid material penalties.
NOCLAR is –
• any act or omission
• intentional or unintentional
• committed by a client or an employer or those charged with governance, by management or other
individuals working for, or under the direction of a client or employer
• that is contrary to the prevailing laws or regulations, being:
– all laws and regulations which affect material amounts and disclosure in financial statements, and
– other laws and regulations that are fundamental to an entity’s business.
Chapter 2: Professional conduct 2/35

Examples of laws and regulations that could be transgressed for NOCLAR:


• fraud, corruption and bribery
• money-laundering, terrorist financing and proceeds of crime
• securities markets and trading
• banking and other financial products and services
• data protection
• tax and pension liabilities and payments
• environmental protection, and
• public health and safety.
Non-compliance might result in fines, litigation or other consequences for the employing organisation,
potentially materially affecting its financial statements. Notably, such non-compliance might have wider
public interest implications in terms of potentially substantial harm to investors, creditors, employees or the
general public (e.g. perpetration of a fraud resulting in significant financial losses to investors and breaches
of environmental laws and regulations endangering the health or safety of employees or the public).

2. Requirements
Professional accountants must understand legal or regulatory provisions and how non-compliance with
laws and regulations should be addressed, should it exist in a jurisdiction. The requirements may include a
requirement to report the matter to an appropriate authority or a prohibition on alerting the relevant party.
Professional accountants must always act in the public interest, and the objectives when responding to
non-compliance with laws and regulations are therefore to:
• comply with the fundamental principles of integrity and professional behaviour
• by alerting management or those charged with governance, to seek to:
– enable them to rectify, remediate or mitigate the consequences of the non-compliance, or
– prevent the non-compliance where it has not yet occurred, and
• to take further action as appropriate in the public interest.
Many employing organisations have policies and procedures that deal with the reporting of, among other
things, non-compliance with laws and regulations. The professional accountant shall consider this in
deciding on how to respond to non-compliance (e.g. an ethics policy or internal whistle-blowing mech-
anism).
Professional accountants in business shall comply with this section on a timely basis, having regard to
the nature of the matter and the potential harm to the interests of the employing organisation, investors,
creditors, employees or the general public

3. Threats
A self-interest or intimidation threat to compliance with the principles of integrity and professional behav-
iour is created when a professional accountant becomes aware of non-compliance or suspected non-
compliance with laws and regulations.

4. Actions required by NOCLAR


Step 1: Obtaining an understanding of the matter
1.1 The understanding shall include:
• the nature of the NOCLAR or suspected NOCLAR and the circumstances in which it occurred or
might occur
• laws and regulations relevant to the situation, and
• potential consequences of the non-compliance or suspected non-compliance.
1.2 The professional accountant is required to apply knowledge, professional judgement and expertise, but is
not expected to have a level of knowledge beyond what is required for the professional accountant’s
role in the employing organisation.
1.3 Consultation on a confidential basis with others in the employing organisation or professional body is
permitted, depending on the nature and significance of the matter.
2/36 Auditing Notes for South African Students

Step 2: Addressing the matter


2.1 The professional accountant shall discuss the matter with his immediate superior, except if the imme-
diate superior appears to be involved, in which case the matter shall be discussed with the next higher
level of authority within the employing organisation.
2.2 The professional accountant should also take appropriate steps to:
• have the matter communicated to those charged with governance
• comply with applicable laws and regulations governing the reporting of NOCLAR
• rectify, remediate or mitigate the consequences of NOCLAR
• reduce the risk of re-occurrence, and
• seek to prevent the NOCALR if it has not yet occurred.
2.3 Disclose the matter to an appropriate authority where required to do so by law or where considered to
be in the public interest.
2.4 A professional accountant involved in the audit of a group as the component auditor shall consider
communicating an actual or suspected non-compliance to the group engagement partner unless pro-
hibited to do so by law or regulation. The same applies to communication as the group engagement
partner to the component auditor.

Step 3: Determining whether further action is needed


3.1 The professional accountant shall, in determining whether further action is needed, assess the appro-
priateness of the response of his superiors or, where appropriate, those charged with governance.
3.2 Relevant factors to consider in assessing the appropriateness:
• the response is timely
• the non-compliance or suspected non-compliance has been adequately investigated
• appropriate action has been taken or authorised to seek to rectify, remediate or mitigate the
consequences of the non-compliance, or to avert the non-compliance if it has not yet occurred, and
• the matter has been disclosed to an appropriate authority where appropriate and, if so, whether the
disclosure appears adequate.
3.3 In light of the response of the professional accountant’s superiors, if any, and those charged with
governance, the professional accountant shall determine if further action is needed in the public interest.
Consider:
• the legal and regulatory framework
• the urgency of the situation
• the pervasiveness of the matter throughout the employing organisation
• whether the professional accountant continues to have confidence in the integrity of the profes-
sional accountant’s superiors and those charged with governance
• likelihood of recurrence, and
• evidence of substantial harm.
3.4 The professional accountant shall exercise professional judgement in determining the need for, and
nature and extent of, further action. In making this determination, the professional accountant shall take
into account whether a reasonable and informed third party would be likely to conclude that the
professional accountant has acted appropriately in the public interest by:
• disclosing the matter to an appropriate authority even when there is no legal or regulatory require-
ment to do so, and
• withdrawing from the engagement and the professional relationship where permitted by law or
regulation.
On the request of the successor accountant, the professional accountant shall provide all information
regarding the actual or suspected non-compliance (s 320).
If the proposed accountant is unable to communicate with the predecessor accountant, the proposed
accountant shall take reasonable steps to obtain information about the circumstances of the change of
appointment by other means.
Chapter 2: Professional conduct 2/37

Step 4: Determining whether to disclose the matter to an appropriate authority


4.1 Disclosure to an appropriate authority would be precluded if doing so would be contrary to law or
regulation.
4.2 In deciding whether or not to make a disclosure, the professional accountant shall consider the actual
or potential harm that is or may be caused by the matter to investors, creditors, employees or the
general public. The decision will also be influenced by the following:
• the entity is engaged in bribery (e.g. of local or foreign government officials for purposes of
securing large contracts)
• the entity is regulated, and the matter is of such significance as to threaten its licence to operate
• the entity is listed on a securities exchange, and the matter might result in adverse consequences to
the fair and orderly market in the employing organisation’s securities or pose a systemic risk to the
financial markets
• the entity is selling harmful products, and
• the entity is promoting a scheme to its clients to assist them in evading taxes.
Furthermore, the decision will also be influenced by external factors such as:
• whether there is an appropriate authority able to receive and deal with the information
• whether robust and credible protection exists from civil, criminal or professional liability or
retaliation, and
• whether there are threats to the physical safety of any person.
4.3 If the professional accountant determines that disclosure of the matter to an appropriate authority is
an appropriate course of action in the circumstances, that disclosure is permitted according to para-
graph R114.1(d) (confidentiality) of the code.

Step 5: Documentation
The professional accountant is encouraged to have the following matters documented:
• how management or those charged with governance have responded to the matter
• the courses of action considered, the judgements and the decisions made, and
• how the professional accountant is satisfied that all his responsibilities have been fulfilled.

Professional services other than audits of financial statements


The above will also be applicable to the delivery of services other than audits of financial statements by
professional accountants.

2.4.5 Part 4 – Independence


2.4.5.1 Introduction
1. As pointed out, the SAICA code places a great deal of importance on independence, particularly in
respect of assurance engagements. This is not surprising as, by definition, an assurance engagement is
one where a professional accountant in public practice expresses an opinion/conclusion on client
information to enhance the degree of confidence of third parties in that information. It is easy to
understand that if the professional accountant is not independent of the client or the information, the
intended increase in credibility/confidence will not be achieved.
2. Studying independence in terms of the SAICA Code with its unfamiliar terminology and long-
windedness can be daunting. However, the key to coping with it is firstly, to recognise the importance
of independence and secondly, that the code presents a conceptual framework for dealing with
independence issues, which, if clearly understood, makes the task a great deal easier.
3. The SAICA Code contains two very long sections which deal with independence:
• Part 4A: Independence – Audit and Review Engagements
• Part 4B: Independence – Other Assurance Engagements.
This text deals only with Part 4A. The reasons for this are that the conceptual approach to independ-
ence applies in precisely the same way to both sections, the content of both sections is very repetitive
and that your studies concentrate on audit engagements, reviews to a lesser extent and do not cover
other assurance engagements.
2/38 Auditing Notes for South African Students

4. Part 4A of the Code essentially provides narrative passages about such matters as financial interests,
family and personal relationships, temporary staff assignments and a host of other situations which may
threaten independence. In this text, we have chosen to illustrate the application of the conceptual
approach to these potential independence problems by way of example. We have described a situation,
circumstance or relationship, identified the threat posed and then suggested suitable safeguards.

2.4.5.2 The conceptual approach applied to independence


1. Before considering the conceptual framework approach to independence, we should consider what
independence comprises. It comprises:
1.1 Independence of mind – the state of mind that permits the expression of a conclusion without being
affected by influences that compromise professional judgement, allowing an individual to act with
integrity, objectivity and professional scepticism.
1.2 Independence in appearance – the avoidance of facts and circumstances that are so significant that a
reasonable and informed third party, having knowledge of all relevant information, including
safeguards applied, would reasonably conclude that a firm’s, or member of the assurance team’s,
integrity, objectivity or professional scepticism had been compromised.
As can be seen from the definitions above, independence is about an independent state of mind and
the appearance of independence. Both are very important. Why? Bear in mind that a member who has,
for example, a financial interest in a client may actually perform his duties to that client with the
highest level of independence (state of mind) but will still not be perceived to be independent by
any party who is aware that he has a financial interest in the client (appearance). The member
should not only “be independent, but he should also be seen to be independent.”
2. Breach of an independence provision for audit and review engagements
2.1 Breaches relate to breaches of the code that have already occurred instead of implementation
safeguards to prevent the breach from occurring. If a firm concludes that a breach of independence
has occurred, the firm shall:
• end, suspend or eliminate the interest or relationship that created the breach and address the
consequences of the breach
• requirements:
– consider and comply with legal or regulatory requirements, and
– consider reporting the breach to a professional or regulatory body or oversight authority.
• communicate the breach in accordance with its policies and procedures:
– the engagement partner
– those with responsibility for the policies and procedures relating to independence
– other relevant personnel, and
– those who need to take appropriate action.
• evaluate the significance of the breach and its impact on the firm’s objectivity and ability to
issue an audit report:
– the nature and duration of the breach
– the number and nature of any previous breaches concerning the current audit engagement
– whether an audit team member knew of the interest or relationship that created the breach
– whether the individual who created the breach is an audit team member or another individ-
ual for whom there are independence requirements
– if the breach relates to an audit team member, the role of that individual
– if the breach was created by providing a professional service, the impact of that service, if
any, on the accounting records or the amounts recorded in the financial statements on which
the firm will express an opinion, and
– the extent of the self-interest, advocacy, intimidation or other threats created by the breach.
• depending on the significance of the breach, determine:
– whether to end the audit engagement, or
– remove the relevant individual from the audit team
Chapter 2: Professional conduct 2/39

– use different individuals to conduct an additional review of the affected audit work or re-
perform that work to the extent necessary
– recommend that the audit client engage another firm to review or re-perform the affected
audit work to the extent necessary and
– if the breach relates to a non-assurance service that affects the accounting records or an
amount recorded in the financial statements, engage another firm to evaluate the results of
the non-assurance service or have another firm re-perform the non-assurance service to the
extent necessary to enable the other firm to take responsibility for the service.
2.2 If action can be taken to address the consequences, the firm shall discuss with those charged with
governance:
• the significance of the breach, including its nature and duration
• how the breach occurred and how it was identified
• the action proposed or taken and why the action will satisfactorily address the consequences of
the breach and enable the firm to issue an audit report
• objectivity has not been compromised and
• any steps proposed or taken by the firm to reduce or avoid the risk of further breaches occur-
ring.
2.3 If the firm determines that action cannot be taken to address the consequences of the breach
satisfactorily, the firm shall inform those charged with governance as soon as possible and take the
steps necessary to end the audit engagement in compliance with any applicable legal or regulatory
requirements.
2.4 If the breach occurred, the firm should document:
• the breach
• the actions taken
• the key decisions made
• all the matters discussed with those charged with governance, and
• any discussions with the professional or regulatory body.

2.4.5.3 Illustrative examples


The examples laid out in the charts which follow describe specific situations, circumstances or relationships
which may create threats to independence. The charts classify the threat and indicate which safeguards
might be appropriate. Remember, the fundamental principle which is primarily under threat is objectivity.
The following definitions are important for this section:
• financial interest: an interest in an equity or other security, debenture, loan or other debt
instruments of an entity, including rights and obligations to acquire such an
interest.
• direct financial interest: – a financial interest owned directly by, and under the control of, an
individual or entity, or
– a financial interest beneficially owned through an investment vehicle (e.g.
unit trust, mutual fund), trust, estate, etc., controlled by the individual or
entity.
• indirect financial interest: a financial interest beneficially owned through a collective investment
vehicle, (e.g. unit trust, mutual fund) estate or trust over which the individual
or entity has no control.
• immediate family: spouse (or equivalent) or dependent.
• close family: parent, child or sibling who is not an immediate family member.
• For the purposes of section 4A – Independence – Audit and Review Engagements, “audit” includes:
“audit team”, “audit engagement”, “audit client”, and “audit report” and applies equally to “review
team”, “review engagement”, “review client” and “review report”.
2/40 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


1. Financial interests in an audit client (s 510)
1.1 A member of the audit team or his Self-interest • Disposal of the financial interest if held by
immediate family member (spouse or the firm, or withdrawal from the
dependent) or the firm has a direct or engagement.
material indirect financial interest in an • Disposal of the financial interest before
audit client. the individual becomes a member of the
audit team if held by the member of the
team or his immediate family member.
• Disposal of the indirect financial interest
in total or to the extent that it is no longer
material before the individual becomes a
member of the audit team.
• Removal of the member of the audit team
from the audit engagement.
Note 1: If the financial interest arises out of
an inheritance, a gift or as a result of a
merger, the same threat will exist, and the
same safeguards can be applied, namely,.
disposal at the earliest practical date, or
removal of the member from the audit team.
Note 2: None of the following shall have a
direct financial interest or a material indirect
financial interest in an audit client:
• member of the audit team
• immediate family member of this
individual, and
• the firm.
1.2 A close family member (parent, child, or Self-interest • Disposal of the interest (or portion
sibling) of the audit team member has a thereof) at the earliest date. The close
direct or material indirect financial interest family member will have to make this
in an audit client. decision.
Note: The significance of the threat will depend • Notifying the audit client’s governance
upon: structures (e.g. the audit committee) of the
• the nature of the relationship between the interest.
member of the audit team and the close family • Providing an additional independent
member review of the work done by the audit team
• the materiality of the financial interest to the member with the close family relationship.
close family member, and • Removal of the affected member from the
• the significance and influence of the member audit team.
of the audit team concerning the audit.
1.3 The firm or a member of the audit team (or Self-interest • The firm or member of the audit team
a member of his immediate family) holds a should resign the position of trustee.
direct financial interest or a material However, resignation will not be necessary
indirect financial interest in an audit client if:
in the capacity of a trustee. – the firm, or the member, or the
Example: Joe Soap and Co., an audit firm, is a member’s immediate family are not
trustee of Laduma Trust. Laduma Trust holds beneficiaries of the trust
shares in Plexcor (Pty) Ltd. Joe Soap and Co. are – the interest held by the trust in the
the auditors of Plexcor (Pty) Ltd. audit client is not material
– the trust is not able to exercise significant
influence over the audit client, and
– the firm or the audit team member does
not have significant influence over the
investment decisions of the trust.

continued
Chapter 2: Professional conduct 2/41

The situation, circumstance, relationship Threat Safeguards


1. Financial interests in an audit client (s 510) (continued)
1.4 A partner in the office of the engagement Self-interest • The financial interest holder must dispose
partner, or his immediate family holds a of it as no safeguards can reduce the self-
direct or material indirect financial interest interest threat to an acceptable level.
in an audit client. • The audit appointment may have to be
given up. (Note that the immediate family
member cannot be forced to dispose of the
financial interest.)
1.5 Other partners and managerial employees Self-interest • If the involvement of partners and
or their immediate family members hold a managerial employees is anything other
direct or material indirect financial interest than minimal, the holder of the interest
in an audit client to which they provide non- must dispose of it.
assurance services (e.g. IT services).
1.6 An individual who has a close personal Self-interest, • Notifying the audit client’s governance
relationship with a member of the audit familiarity structures (e.g. the audit committee) of the
team, for example, best friend, has a direct interest (in effect obtaining their
or material indirect financial interest in the approval).
audit client. • Providing an additional independent
review of the work done by the audit team
member who has a close personal
relationship with the person who has the
financial interest.
• Removal of the member from the audit
team.
• Excluding the member from significant
decision-making on the audit.
1.7 A member of the audit team or his Self-interest • The holder of the financial interest must
immediate family member or the firm has a dispose of it, or
direct financial interest (or a material • the audit appointment must be given up.
indirect financial interest) in an entity that (Note: Denise cannot be forced to dispose
has a controlling interest in the audit client of her investment, so Das may have to
and the client is material to the entity. resign from the audit appointment.)
Example: Ridabike (Pty) Ltd is 60% owned by
Denise Chetty. Ridabike (Pty) Ltd owns 75% of
the shares in Roadie (Pty) Ltd. Roadie (Pty) Ltd
is audited by Denise’s husband, Das Chetty.
Roadie (Pty) Ltd is one of Ridabike (Pty) Ltd’s
major investments.
2. Loans and guarantees (s 511)
2.1 A loan or guarantee made by an audit client No threat (the Comment: Some threats (self-interest) could
that is a bank or similar institution to the threat arises if the arise if the loan is material to the audit firm.
firm under normal lending procedures, loan was not made This would be especially significant if the
terms and requirements. under normal firm is financially dependent on the audit
lending con- client to the extent that audit decisions could
ditions) be affected. The only suitable safeguard may
be for the audit firm to seek financing from a
non-client financial institution.
2.2 A loan by an audit client that is a bank or No threat (as Comment. If the loan was not made according
similar institution made to a member of the above) to normal lending procedures, terms and
audit team (or his immediate family) under requirements, it should be thoroughly
normal lending procedures, terms and investigated by the bank, and the audit firm,
requirements. and the member of the audit team should be
Examples: Mortgages, overdrafts, vehicle finance. removed from the audit engagement and be
required to pay back the loan
continued
2/42 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


2. Loans and guarantees (s 511) (continued)
2.3 The firm or a member of the audit team (or Self-interest • The loan should be cancelled and repaid
immediate family) makes or accepts a loan unless it is immaterial to both parties.
to or from an audit client other than a bank There is no other suitable safeguard.
or similar institution or a director or officer
of the client. Note: This amounts to direct
financial involvement.
3. Business relationships (s 520)
3.1 The firm or a member of the audit team (or Self-interest and • Termination of the business relationship.
immediate family) has a close business intimidation, for • Reducing the magnitude of the
relationship with an audit client or its example, client relationship so that the financial interest is
management, for example: threatens to immaterial and the relationship is
• a joint venture, or terminate the insignificant.
• an agreement whereby the firm acts as a business • Resigning the audit engagement.
distributor or marketer of the audit relationship if
• Removing the member from the audit
client’s products/services or vice versa certain audit
team (i.e. where the close business
(e.g. accounting package software). problems are not
relationship is between the member of the
overlooked.
team and the audit client).
• Independent review of a member of the
audit team’s work.
3.2 A firm or a member of the audit team No threat Comment: Some threat (self-interest, intimi-
purchases goods from an audit client in the dation) may arise if the transactions are:
normal course of business on an arm’s- • not in the normal course of business
length basis. • not arm’s-length (potential intimidation),
or
• of significant nature or magnitude.
If this is the case, safeguards should be:
• cancelling or reducing the transactions
(including any future transactions)
• notifying the clients’ governance
structures (e.g. audit committee)
• removing the member from the audit
team, and
• firm policy that prohibits audit team
members from transacting with an audit
client.
4. Family and personal relationships (s 521)
4.1 An immediate family member (spouse or Self-interest, • The member must be removed from the
dependent) of a member of the audit team familiarity and audit engagement team.
is: intimidation • Possibly restructuring the responsibilities
• a director, an officer or an employee (e.g. of the audit team so that the member of
financial controller) who is in a position the audit team does not deal with the
to exert direct and significant influence immediate/close family member.
over the subject matter of the audit Note: In terms of section 90 of the Com-
engagement at the client. panies Act 2008, an individual related to any
director or employee or consultant involved
in the maintenance of the company’s
financial records or preparation of its
financial statements may not be appointed
auditor (designated auditor).

continued
Chapter 2: Professional conduct 2/43

The situation, circumstance, relationship Threat Safeguards


4. Family and personal relationships (s 521) (continued)
4.2 A close family member (parent, child or Self-interest, • The member of the audit team must be
sibling) of a member of the audit team is a familiarity and removed from the audit engagement.
director, an officer or an employee who is in intimidation
a position to exert direct and significant
influence over the subject matter of the
audit engagement, at the client.
Comment: The likelihood of the threat will have
to be assessed in terms of the close family
member’s position with the client and the role of
the member of the audit team on the audit.
Example 1: Zeb Ngidi is a junior trainee on the Insignificant threat No safeguard is required.
audit team. His father is the factory manager of Self-interest, Safeguards against the threat posed by
the audit client. familiarity and example 2 would be:
Example 2: Raj Naidu is the senior-in-charge of intimidation • removing Raj from the audit team
the audit of Megamen (Pty) Ltd. His brother is • structuring Raj’s responsibilities in such a
the financial controller of Megamen (Pty) Ltd, a way that he does not have to deal with
senior financial position. matters which are the responsibility of his
Note 1: The same principles as discussed under brother, for example, he is no longer the
4.2 will apply to a person other than a close senior-in-charge of the audit, or
family member who has a close relationship with • having any work carried out by Raj
a member of the audit team, for example, a independently reviewed.
lifelong friend who is also a director, officer or
employee in a position to exert direct or
significant influence over the subject matter of
the audit engagement at the client.
Note 2: Consideration must be given to whether
a self-interest, familiarity or intimidation threat
arises where a personal or family relationship
between a partner or employee of the firm who is
not a member of the audit team and a director,
officer or employee of the audit client who is in a
position to exert direct influence on the subject
matter of the audit engagement, exists. Example:
Jacqui Chan, a tax partner of Corbett and Co, an
audit firm, has a close personal relationship with
Chuck Morris, an employee at Kwando (Pty)
Ltd, an audit client. Jacqui is not part of the audit
team. Whether or not the threats arise will
depend on:
• the nature and “closeness” of Jacqui and
Chuck’s relationship
• the extent of influence (if any) Chuck Morris
has in the subject matter of Kwando (Pty)
Ltd’s financial statements, and
• his seniority in the company.
continued
2/44 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


5. Employment with an audit client (s 524)
5.1 A member of the audit team, or partner of Self-interest,
the audit firm, leaves the firm to take up a familiarity and
position as a director, an officer or an intimidation
employee of the audit client.
Comment: The significance of the threat to
independence will have to be assessed in terms of
the following:
• the position the former member has taken at
the audit client
• the amount of involvement the former
member of the audit team will have with the
audit team
• the position the former member held within
the audit team, and
• the length of time which has elapsed since the
former member was part of the audit team.
Example 1: Art Simon, the former manager in If a threat to independence does exist, the
charge of the audit of Crossbow (Pty) Ltd, took following safeguards should be considered
up a position as financial controller at Crossbow and applied as necessary:
(Pty) Ltd during the year currently under audit – • introducing changes to the audit strategy
potentially a high threat to independence. and audit plan
Example 2: Three years ago, Geoff Martin joined • assigning a strong and experienced audit
Crossbow (Pty) Ltd as a credit controller. He had team to the engagement (to counter any
previously worked as a second-year trainee on intimidation threat), and
the audit of Crossbow (Pty) Ltd – no threat to • introducing an additional review (of the
independence. audit work) by a partner/manager who
was not a member of the audit team.
5.2 A member of the audit team participates in Self-interest (and • Policies and procedures at the firm require
the audit engagement while knowing he will familiarity) employees to notify the firm when
be joining the audit client at some stage in entering serious employment negotiations
the future. (Note: The audit team member with an audit client.
may deliberately overlook certain audit • Removal of the member from the audit
“problems” so as not to jeopardise his team.
future employment with the audit client.) • Performing an independent review of any
Note: If the designated (key) audit partner of a significant judgements made by the audit
public interest entity audit (e.g. listed company) team member while on the engagement.
joins the company as:
• a director or prescribed officer, or
• an employee in a position to exert significant
influence over the preparation of the client’s
accounting records or the financial statements
on which (his former) firm will express an
opinion, a familiarity or intimidation threat
will be created, and independence would be
deemed to be compromised, unless
• after the partner ceasing to be the key audit
partner, the public interest entity has issued
audited financial statements covering at least
12 months, and
• the former partner did not work on the audit.
continued
Chapter 2: Professional conduct 2/45

The situation, circumstance, relationship Threat Safeguards


6. Temporary personnel assignments (s 525)
A firm lends a trainee (or other staff members) to Self-review The following safeguards must be applied:
an audit client to assist in the accounting • The trainee/employee may not:
department. – make any management decisions
Note: A firm employee who has been loaned to – exercise discretionary authority to
an audit client may not take on any management commit the client, for example sign a
responsibilities at the client. There are no purchase order, or write off a bad debt.
safeguards that could make such a situation
• The trainee on “loan” should not be given
acceptable.
audit responsibility for any function he
performed while on loan.
• The audit client must acknowledge its
responsibility for directing and supervising
the “on-loan” trainee.
• The loan of the staff member should be for
a short period only.
• The trainee on “loan” does not form part
of the audit team.
7. Recent service with an audit client (s 522)
7.1 An individual who, during the period covered Self-interest, • This individual should not be assigned to
by the audit report, has been a director, familiarity and the audit team for that client’s audit, as no
officer, or employee in a position to exert self-review (may safeguards can reduce the threat to an
direct and significant influence over the be auditing his acceptable level.
subject matter of the audit engagement, own work) Note: In terms of section 90 of the
joins the audit firm which conducts the Companies Act 2008, a person who was a
audit of his former company. director at any time during the five financial
Example: Max Mosely CA(SA), resigned from years preceding the current year may not be
Crafters Ltd where he had been employed as the appointed as auditor. This does not legally
financial controller for five years, halfway prevent the person from working as part of
through the current financial year. He was the audit team, but he should not in terms of
offered and accepted the position of audit the Code.
manager at Uyse and Co, the auditors of Crafters Note: If the individual as described in 7.1,
Ltd. joined the audit firm before the period
covered by the audit report, the significance
of the threat which this situation poses will
take into account:
• the position the individual held with the
audit client
• the length of time that has passed since the
individual left the audit client, and
• the role the individual fills on the audit
team.
If the threat is perceived to be significant, the
following safeguards may be applied:
• not assigning the individual to the audit
team for that client
• introducing an additional review of the
individual’s work on the audit
• notifying the client’s governance
structures of the situation.
continued
2/46 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


8. Serving as an officer or a director of an audit client (s 523)
8.1 A partner or employee of the firm accepts Self-review and • The firm must withdraw (resign) from the
an appointment to serve as an officer or self-interest, audit engagement or the partner/employee
director of the audit client (without advocacy must resign from the firm. There are no
resigning from the audit firm). (promoting the other safeguards that will reduce the
position of the threats to an acceptable level.
client) Note: In terms of section 90, a director,
officer, or employee may not be the
company’s auditor.
Note: In terms of section 90, an individual
appointed as company secretary may not be
appointed auditor.
9. Long association of senior personnel with an audit client (s 540)
Senior personnel, for example, partner/manager, Familiarity and • Changing the senior personnel on the
have been involved with the client over a long self-interest audit team on a planned basis.
period. • Introducing additional independent
Example: John Jonas, the audit manager of reviews by a professional accountant of
Contion Ltd, has been associated with the client the work done by the partner/manager.
for 10 years, starting as a first-year trainee and • Regular internal or external quality
working his way up to the manager on the audit. control reviews.
He spends many hours at Contion Ltd, he has his Note: Section 92 of the Companies Act 2008
own office and is listed in the internal telephone states that the same individual may not serve
directory. as the designated auditor for more than five
consecutive years. As John is not the
designated auditor, Code safeguards would
be applied as indicated above.
10. Provision of non-assurance services to an audit client (s 600)
Management responsibility. As a basic principle, Self-interest and • The firm should not permit the rendering
management is responsible for managing the self-review and of such non-assurance services to audit
entity, and the auditor should not in any way advocacy clients. This policy must be conveyed to
take over this responsibility whether the all audit teams and those involved in
company is public or private, as it presents a formulating the terms of engagement with
significant threat to independence. audit clients.
10.1 An audit client requests a firm to provide Note 1: All of the services listed under 10.1
the following non-assurance services: are management client responsibilities.
• authorisation, execution and Note 2: In terms of section 94 of the Com-
consummation of certain transactions panies Act 2008, the audit committee of a
• making certain business decisions for the public company must determine the nature
client and extent of non-audit work carried out by
• management reporting the auditor and must be satisfied that the
auditor is and remains independent.
• setting policy and strategic direction
• supervision of the client’s staff in the
performance of their normal activities
• taking responsibility for designing,
implementing and maintaining internal
control.
10.2 A firm advises an audit client on accounting No threat These activities are considered to be “part of
principles and disclosure or the the dialogue of the audit process” and an
appropriateness of financial and accounting appropriate means to promote the fair
controls or the methods used in presentation of the financial statements. The
determining stated amounts of assets and auditor advises and assists but does not make
liabilities or proposed adjusting journal decisions.
entries.
continued
Chapter 2: Professional conduct 2/47

The situation, circumstance, relationship Threat Safeguards


11. Accounting and bookkeeping services
The Code draws a distinction between “public/
listed companies” and “private companies”. It
states that a firm should not provide accounting
and bookkeeping services (as listed below) to a
public/listed company which is its audit client.
However, it suggests that the firm may provide
the services listed below to a private company
which is its audit client, provided the appropriate
safeguards are put in place to reduce any self-
review threat to an acceptable level.
11.1 A firm provides the following accounting Self-review In the case of public companies, the best
and bookkeeping services to an audit client: safeguard would be compliance with the
• recording transactions that the client has audit committee’s interpretation of
approved and classified accounting and bookkeeping services. The
• posting such transactions to the client’s audit committee:
general ledger • must approve all non-audit work, and
• posting client-approved entries to the • must be satisfied that the auditor is
trial balance independent.
• preparing the client’s payroll and related In the case of a private company, if the audit
services, for example, submitting PAYE firm perceives that a significant threat may
returns arise, safeguards might include:
• drawing up the annual financial • arranging for such services to be per-
statements from the trial balance. formed by someone not on the audit team
Comment: There appear to be two issues here. • notifying the audit team that they may not
Firstly, are the services described above part of make any management decisions
the preparation of the financial statements (which • clarifying for management:
is a management responsibility) and secondly, – that management is responsible for
are the services considered to be part of source data, transaction approval,
“habitually or regularly performing the duties of journal entry origination and approval,
accountant or bookkeeper . . .” because, in terms etc.
of section 90 of the Companies Act 2008, a – what the audit team is permitted to do.
person who performs the duties of accountant or
Note: In the situation where a company
bookkeeper may not be appointed as an auditor
avoids an audit and qualifies to have its AFS
(because of the apparent lack of independence).
independently reviewed because the AFS are
Traditionally the services listed above have not externally compiled, the reviewer (who will
been regarded as “habitually or regularly frequently be a professional accountant) may
performing the duties of accountant or not also be the compiler of the AFS (lack of
bookkeeper” so section 90 of the Companies Act independence).
would not apply. However, a self-review threat
still arises, and safeguards should be put in place.
continued
2/48 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


12. Valuation services
A firm performs a valuation (of an asset, liability, Self-review Where the valuation has a material effect on
investment) for an audit client, which must be the financial statements and involves a
incorporated into, or used in conjunction with, significant degree of subjectivity, the
the client’s financial statements. valuation service should not be undertaken.
Example: Company A holds 20% of the shares in Where a valuation service is undertaken, the
(private) company B. The directors of A request self-review threat could be reduced to an
the auditors to value the investment at the acceptable level by the introduction of the
reporting date so that the fair value can be following safeguards:
incorporated into the year-end financial • Ensuring that the personnel who perform
statements. the valuation are not part of the audit
Note again that in the case of a public company team.
the audit committee must determine the nature • Involving an individual who was not a
and extent of any non-audit work to be member of the audit team to review the
conducted by the auditor. This is an effective valuation.
safeguard. • Confirming with the client its
understanding of the underlying
assumptions and methodologies used in
the valuation and obtaining its approval
thereof.

13. Provision of taxation services to an audit client


Taxation services can be broken down into four
broad categories, each of which may present
different kinds of threat or no threat at all. The
four categories are:
• preparation of tax returns
• carrying out tax calculations to prepare
accounting entries
• tax planning and advisory services
• tax services involving valuations, and
• assistance with the resolution of tax disputes.
13.1 The audit firm assists with preparing tax No threat Taxation services are generally not perceived
returns and advises the audit client on any to impair independence but the audit firm
queries arising from the SARS relating to must be careful not to make management
the tax return. decisions or assume responsibility for the tax
affairs of the audit client. The role should be
advisory.
13.2 The firm prepares calculations of current Self-review Safeguards could include:
and deferred tax liabilities to prepare • using individuals who are not members of
journal entries for a private company that the audit team to perform the service
will be subsequently audited. • using a partner who is not a member of
the audit team to review the calculations
• not performing the service if the
calculations have a very material effect on
the financial statements
• obtaining advice from an external tax
professional
• complying with the audit committees
ruling on non-audit work.
continued
Chapter 2: Professional conduct 2/49

The situation, circumstance, relationship Threat Safeguards


13. Provision of taxation services to an audit client (continued)
13.3 As in 13.2 above but for public/listed • The Code states that the auditor should
companies. not prepare tax calculations for a public
company that are material to the financial
statements other than in an “emergency”.
13.4 The firm provides tax planning and Self-review Safeguards as above.
advisory services that will affect matters Note: If the advice given is clearly supported
reflected in the financial statements. by the tax authority, precedent or established
practice, then, generally speaking, no threat
to independence arises.
13.5 The firm represents an audit client in Self-review or • Safeguards as above. However, if the
resolving a tax dispute which has arisen advocacy. amounts involved are material to the
from SARS rejecting the client’s arguments Objectivity, financial statements on which the auditor
on a particular issue, and the matter has integrity and will express an opinion, there are no
been referred to a hearing/court by either professional safeguards that would reduce the threat
the SARS or the audit client. behaviour posed (by acting for the client) to an
Comment: Professional accountants who render acceptable level.
professional tax services in any form may often The following safeguards should protect the
find themselves faced with difficult situations. professional accountant:
Generally, clients do not like paying tax and may • A professional accountant should put
go to great lengths to evade tax. Clients may forward the best position in favour of a
request a professional accountant to submit false client, provided he does so:
returns on their behalf or may deliberately – with professional competence, integrity
withhold information from the professional and objectivity
accountant who is acting on their behalf to evade
tax. Some clients may even become abusive with – within the bounds of the law.
a professional accountant or make claims that • A professional accountant should ensure
“Everyone evades tax, so why shouldn’t I?” that the client understands that:
Paying tax can be an emotive issue, but the – tax services and advice offered may be
overriding requirement is that a professional challenged by the South African
accountant should not be associated with any Revenue Services where they are based
taxation return or communication in which there on opinion rather than fact, as is often
is reason to believe that it: the case
• contains a false or misleading statement – responsibility for the content of a tax
• contains statements or information furnished return rests with the client even where
recklessly or without any actual knowledge of the return has been prepared by the
whether they are true or false professional accountant.
• omits or obscures information required to be • Material matters relating to tax
submitted, and such omission or obscurity advice/opinions given to a client should
would mislead the revenue authorities. be recorded in writing. This is essential to
prevent a client accused of tax evasion
To assist a client to evade tax will amount to a from falsely claiming that he was
failure to comply with the fundamental “following the advice given to him by the
principles. professional accountant”.
• In preparing a tax return, a professional
accountant may rely on information
furnished by the client, provided :
– the information appears reasonable
– the professional accountant makes use
of the client’s returns for prior years
where feasible
– the professional accountant makes
reasonable enquiries when information
appears incorrect or incomplete
continued
2/50 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


13. Provision of taxation services to an audit client (continued)
However, the professional accountant is
encouraged to:
– request supporting data as required
– make reference to relevant documents
and records of the client’s business
operations.
• Where a professional accountant discovers
that there have been material errors or
omissions relating to tax returns submitted
in respect of prior years, he should:
– notify the client of the error or
omission
– advise the client to make full disclosure
of the error or omission to the revenue
authorities
– advise the client of the powers of the
revenue authorities to obtain
information they may require, for
example, seizing the client’s books and
records and imposing penalties, for
example, double the amount of tax
payable.
Comment: It is quite possible that the client
was well aware of the omission and is not
prepared to make any disclosures. This
creates a difficult situation for the profes-
sional accountant if he is associated with the
incorrect return which was submitted. In
terms of the fundamental principle of con-
fidentiality, the professional accountant may
not inform the revenue authorities at this
stage, without permission, as this may be a
breach of confidentiality. On the other hand,
section 110 of the Code states that a member
should not be associated with any false
return. Advice given by the technical depart-
ment of SAICA on this anomaly in the Code
is that a professional accountant who is asso-
ciated with a false return which has been
submitted, and which the client will not
rectify, should notify the revenue authorities
that his association with the return can no
longer be relied upon but without giving any
details. Legal advice should be taken before
doing this! Of course, this action will alert the
authorities to the problem, and they will
follow it up.
• As a general rule, a professional account-
ant should not continue an association
with a dishonest client and should be
aware that in terms of section 105 of the
Income Tax Act, the Commissioner is
empowered to report a professional
accountant to SAICA for unprofessional
conduct.

continued
Chapter 2: Professional conduct 2/51

The situation, circumstance, relationship Threat Safeguards


14. Provision of internal audit services to an audit client
Internal audit functions vary and can include:
• monitoring of internal controls
• reviewing the economy, efficiency and
effectiveness of operating activities, both
financial and non-financial
• assessing risks faced by the company and the
company’s responses to it
• reviewing compliance with laws and
regulations, management policies, etc.
All of the above are management responsibilities,
so if the external auditor gets too involved with
these activities, there is a significant threat that
the auditor will be assuming management
responsibilities, which is not acceptable as it will
compromise the auditor’s independence.
Furthermore, if the firm uses the internal audit
work in the course of the external audit, there is a
potential self-review threat to independence.
14.1 Providing internal audit services such as Self-review • Although not specifically prohibited by
the following would equate to assuming the Companies Act 2008, the provision of
management responsibilities: both internal and external audit services
• setting internal policy and strategic by the same firm is unlikely to be accept-
direction for internal audit able to the audit committee for independ-
• directing and taking responsibility for ence reasons. It would also be contrary to
internal audit’s employees the King IV Report on Corporate Govern-
ance, particularly for public (listed) com-
• deciding which recommendations from
panies.
the internal audit should be implemented
• The best safeguard would be not to offer
• performing procedures such as business
internal and external audit services to the
risk assessment on behalf of internal
same client. However, the Code does state
audit.
that a firm can offer (some) internal audit
Note: In some situations, there may be internal services and at the same time avoid
audit work the audit firm can do which presents assuming management responsibility if
no threat, for example, the audit firm provides management:
internal audit services of an operational (not
– designates an appropriate and com-
financial) nature, such as an evaluation of an
petent resource to be responsible at all
audit client’s product distribution system.
times for internal audit activities and to
acknowledge responsibility for design-
ing, implementing and maintaining
internal control
– reviews, assesses and approves internal
audit work (scope, risk and frequency)
– evaluates the adequacy of the internal
audit services and findings and
determines which recommendations to
implement
– reports to those charged with govern-
ance on the significant findings and
recommendations arising from the
internal audit service.
• In the case of a public company, the audit
committee would have to approve the
appointment to do this work.
continued
2/52 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


15. Provision of information technology services to an audit client
15.1 The audit firm provides design and Self-review If the audit client is a public/listed company,
implementation services for financial the audit firm should not provide IT services
systems that form a significant part of the as described under 15.1 as no safeguards can
internal control over financial reporting or reduce the threat to independence to an
are used to generate information that forms acceptable level (because of the level of
part of a client’s financial statements, for “public interest” in the audit client).
example, revenue and receipts cycle If the audit client is a private company, the
software. safeguards to address the threat should
Note: The following IT systems services are include the following:
deemed not to create a threat to independence (as • the audit client acknowledges its
long as the firm’s personnel do not assume a responsibility for establishing and
management responsibility) for either a private or monitoring a system of internal controls
public/listed company: • the audit client designates a competent,
• design and implementation of IT systems senior employee with the responsibility of
unrelated to internal control over financial making all management decisions
reporting or which do not generate concerning the design and implementation
information forming a significant part of the of the hardware or software required
accounting records, for example, a sales • the audit client evaluates the adequacy
forecasting system and results of the design and
implementation of the system
16. Provision of litigation support services to an audit client
• Implementing “off the shelf” accounting or • The audit client is responsible for the
financial reporting software (not developed by operation of the system (hardware and
the firm) software) and the data used or generated
• Evaluating and making recommendations by the system, and
concerning a system designed, implemented • the IT service is carried out by personnel
or operated by another service provider. not involved in the audit engagement.
Litigation support services include acting as an Self-review Safeguards might include:
expert witness, calculating estimated legal • using professionals (from the firm) who
damages payable or receivable, or assisting in are not members of the audit team to
gathering documentation concerning a perform the service
dispute/litigation. • using independent experts
A self-review threat will usually arise only where • ensuring that the firm does not make
the result of providing the litigation service management decisions on behalf of the
affects the financial statements. For example, the client.
service involves assisting with determining an
estimate of legal damages that must be disclosed
in the financial statements.
17. Provision of legal services to an audit client
Legal services differ from litigation support
services. Legal services are defined as services
which only a qualified lawyer can offer. (Many of
the larger firms employ lawyers.) Litigation
support services (see 16 above) can be provided
by anyone with the necessary expertise.
17.1 The legal service provided supports an Self-review If the following safeguards are put in place,
audit client in the execution of a the threat would generally be insignificant:
transaction, such as drafting a contract, • the lawyer who provides the legal service
providing legal advice, or providing legal is not a member of the audit team
due diligence for a merger. • having a lawyer who was not involved in
providing the legal service:
– advise the audit team on the details of
the service, and
– reviewing any treatment of matters
arising from the legal service in the
financial statements.
continued
Chapter 2: Professional conduct 2/53

The situation, circumstance, relationship Threat Safeguards


17. Provision of legal services to an audit client (continued)
17.2 The legal service provided is to act for an Self-review and An audit firm should not undertake this legal
audit client in a dispute or litigation when advocacy service on behalf of an audit client.
the amounts involved are material
concerning the financial statements on
which the firm will express an opinion.
17.3 The legal service provided is to act for an Normally no If the audit firm is concerned that there may
audit client in a dispute or litigation when threat be an advocacy or self-review threat, the
the amounts involved are not material safeguards described under 17.1 could be
concerning the financial statements on applied to reduce the threat to an acceptable
which the firm will express an opinion. level.
17.4 The audit client wishes to appoint a partner Self-review and A partner or employee of the audit firm
or employee of the firm which holds the advocacy should not accept this appointment. (A legal
audit appointment as legal advisor, i.e. the advisor is generally a senior management
person to whom legal affairs are referred. position, and independence would be
(The person appointed remains an significantly threatened.)
employee of the audit firm.) Note: A part-
ner in an audit practice may, besides being
a registered auditor, also be a qualified
lawyer.
18. Recruiting senior management on behalf of an audit client
18.1 The firm is engaged to recruit suitable Self-interest, Safeguards should include the following:
accounting staff for an audit client. familiarity • limiting the service to reviewing the
suitability of applicants against a list of
criteria drawn up by the client
• leaving the final decision to the client
• ensuring that the service is rendered by a
professional at the firm who is not a
member of the audit team.
18.2 The firm is engaged by a public/listed Self-interest, In addition to the above, where the audit
company which is an audit client to recruit familiarity client is a public/listed company, the
a senior employee who will be in a position following additional safeguards should be
to exert significant influence over the implemented:
preparation of the client’s accounting The audit firm should not:
records or the financial statements on • search for candidates to fill such positions
which the firm will express an opinion, for as described in 18.2
example, the financial director.
• undertake reference checks of prospective
candidates for such positions as described
in 18.2.
19. Corporate finance services
Whether providing corporate finance services Self-interest and The audit firm should not undertake these
will threaten independence will depend upon the advocacy activities as there are no safeguards that
nature of the service. would reduce the threat to an acceptable
Examples: level.
19.1 The firm promotes, deals in, or underwrites
an audit client’s shares

continued
2/54 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


19. Corporate finance services (continued)
19.2 The firm assists an audit client in Self-interest, self- Safeguards that could be applied:
developing corporate finance strategies review and • ensuring that management decisions are
and/or introduces clients to sources of advocacy threats. not made on behalf of the client by
finance and/or identifies potential targets implementing a client approval procedure
for the audit client to acquire. as the assignment progresses
Note: Providing some types of corporate finance • using individuals from the firm who are
services may materially affect the amounts not members of the audit team on
reported in the financial statements on which the corporate finance assignments
firm will express an opinion. Self-review threats • having an individual who was not
may arise. involved in the corporate finance service:
– advise the audit team on the details of
the service, and
– review any accounting treatment for
transactions arising from the corporate
finance service
• ensuring that the firm does not commit the
client to anything or consummate a
transaction on behalf of the client
• discussing the engagement with the
governance structures of the client
• disclosing to the client any financial
interest the audit firm may have in the
advice it renders, for example, the firm
receives a commission from the source of
finance it introduces to the audit client.
20. Fees (s 410)
20.1 Fees – relative size
The fees generated by one audit client represent a Self-interest, Safeguards should include the following:
large portion of a firm’s total fee income. intimidation • discussing the matter with the client’s
Note: The audit firm may compromise its governance structures
independence because it does not want to lose • taking steps to reduce dependency, for
the client (self-interest). example, actively seeking new clients
There is also a possibility that the client, realising • introducing external quality control
that the audit firm derives a large proportion of reviews
its income from it, will pressure the audit firm by • consulting a third party on key audit
threatening to end the relationship (intimidation). judgements, for example, the
appropriateness of the audit opinion to be
given.
Note: “Pre” and “Post” issuance quality control
reviews
1. In a situation where an audit client is a
public/listed entity and, for two consecutive
years, the total fees from the client and its
related entities (e.g. an entity over which the
client has direct or indirect control such as a
subsidiary) represent more than 15% of the
total fees received by the audit firm, the firm
must:
• notify those charged with governance
(including the audit committee), of the
15% situation, and
• must discuss which of the safeguards
described below the firm will implement to
reduce any threats to an acceptable level.
continued
Chapter 2: Professional conduct 2/55

The situation, circumstance, relationship Threat Safeguards


20. Fees (s 410) (continued)
20.1 Fees – relative size (continued)
Safeguard 1. Pre-issuance quality control
review
Before issuing the audit opinion on the
second year’s financial statements, a
professional accountant (in public practice)
who is not a member of the firm performs a
quality control audit engagement, or
Safeguard 2. Post-issuance quality control
review
After the audit opinion on the second year’s
financial statements has been issued, and
before the audit opinion on the third year’s
financial statements has been issued, a
professional accountant (in public practice)
who is not a member of the firm performs a
quality control review on the second year’s
audit.
2. The disclosure to, and discussion with, those
charged with governance, shall occur each
year for as long as the 15% situation con-
tinues and one of the two safeguards
described above must be applied.
3. If the total fees significantly exceed 15% of
the audit, the firm must determine whether a
post-issuance review will reduce the threat to
an acceptable level and if not, a pre-issuance
review must be conducted.
20.2 Fees – overdue
An audit client has not paid its fees for Self-interest Safeguards should include the following:
professional services for a long time. Section 511 • obtaining partial payment of overdue fees
concerning loans and guarantees might also • introducing an additional independent
apply to situations where such unpaid fees exist. review of the work performed (for
Note: This may result in the audit firm not quality). However, this will increase the
putting the necessary resources and time into the fee!
current engagement because the
partner/manager does not expect the fee to be
paid. This threatens independence.
The firm shall determine:
(a) whether the overdue fees might be
equivalent to a loan to the client, and
(b) whether it is appropriate for the firm to be
re-appointed or continue the audit
engagement.
continued
2/56 Auditing Notes for South African Students

The situation, circumstance, relationship Threat Safeguards


20. Fees (s 410) (continued)
20.3 Fees – contingent
Contingent fees are fees calculated on a predeter- Self-interest A firm may not enter into a contingent fee
mined basis relating to the outcome of the work Self-interest arrangement for an audit engagement, as no
performed or as a result of a transaction which safeguards would reduce the threat to an
arises from the service. Note: Fees are not acceptable level.
contingent if they are established by a court or Safeguards that could be implemented
public authority, such as a liquidator’s fee. include:
• A contingent fee is proposed for an audit • disclosing the nature and extent of the fee
engagement. The audit firm is required to to the audit client’s governance structures
express an opinion on a set of financial before the engagement
statements to be used by the client to support a • having the “fairness” of the fee reviewed
loan application. The audit client offers to pay or decided upon by an independent third
a fee equal to 5% of the loan applied for if the party
application is successful.
• see also 18 above relating to recruiting.
• A contingent fee is proposed for a non-assur-
ance engagement to be rendered to an audit
client, for example the client engages the audit
firm to recruit senior personnel. The fee will
be equal to 10% of the annual remuneration
package payable to the person appointed.
21. Compensation and evaluation policies (s 411)
21.1 Members of the audit team are given a Self-interest Safeguards could include:
financial bonus for selling non-audit • changing or eliminating compensation
services to the audit client. (The audit team methods of this nature
member could be more interested in, or • removing the audit team member who
focused on, trying to earn bonuses than on sold the non-audit services from the audit
audit work.) team
• having the work of audit team members
independently reviewed.
Note: An audit partner should not be
remunerated based on his success at selling
non-assurance services.
22. Gifts and hospitality (s 420)
22.1 An audit client wishes to “reward” the Self-interest, A firm or member of the audit team should
firm’s audit manager by giving him a familiarity and not accept gifts or hospitality which are
holiday trip to America. intimidation anything other than clearly insignificant.
22.2 An audit client gives each engagement No threat In determining whether the gift or hospitality
team member an inexpensive pen bearing is insignificant, the monetary value should be
the company’s logo at the completion of considered and whether the degree of
the annual audit. independence in the relationship between the
client and audit team will be altered, for
example, has a “professional” relationship
become one of “familiarity”.
23. Actual or threatened litigation between the firm and an audit client (s 430)
Where a client and firm are involved in actual or Self-interest or As this situation will often make it impossible
threatened litigation instigated by either party, intimidation for the auditor to perform to the required
the relationship between them is likely to be standards, withdrawal from the audit
altered significantly. Both parties are likely to be engagement would generally be the only
defensive and unco-operative as they have been option. Discussion with the audit committee
placed in adversarial positions. may resolve the issue.
Chapter 2: Professional conduct 2/57

2.5 Rules regarding improper conduct (IRBA)


As you are primarily studying auditing, you should be aware that the IRBA has a set of “rules regarding
improper conduct”. The opposite of “professional conduct” is “improper conduct”, and registered auditors
(the majority of whom are also professional accountants in public practice), if found guilty of improper
conduct, may be sentenced to:
• a caution or reprimand
• a fine
• a suspension of the right to practice for a specified period
• cancellation of registration and removal of the member’s name from the register of registered auditors.
The table below summarises the acts or omissions by a registered auditor that will amount to improper
conduct.
Rule reference The following will be regarded as improper conduct:
Contravention of or failure to comply with:
2.1 • the Auditing Profession Act
2.2 • any other Act which should be complied with by a Registered Auditor, for example Companies Act
2.5 • auditing pronouncements prescribed by the IRB
2.6 • the IRBA Code of Professional Conduct.
Dishonesty:
2.3 • dishonesty in the form of any offence, especially:
2.4 – theft, fraud, perjury, bribery and corruption
• dishonesty in carrying out work and duties
• dishonesty concerning any office of trust held by the registered auditor.
2.7 Failure to perform any professional service with reasonable care and skill or failure to perform the
professional service at all.
2.8 Evasion of any tax, duty, levy or rate or assisting others in such evasion by knowingly or recklessly
making, signing or preparing false statements or records.
2.9 Vouching for the accuracy of estimates in future earnings
The registered auditor’s name may not be used in a manner that suggests the registered auditor
vouches for the accuracy of the forecast. (This lends unwarranted credibility to the forecast.)
Contraventions in respect of trainee accountants
2.10 • imposing (or attempting to impose) restraints of any kind which will apply after the traineeship
2.11 However, this rule will not apply to restraining a trainee who becomes a registered auditor from
soliciting the practitioner’s existing clients for one year after the trainee ceases to be employed by
the practitioner.
• requiring compensation for agreeing to cancel a training contract (does not apply to actual
expenses paid to IRBA in respect of the training contract)
2.12 • failing to comply with his responsibilities to the IRBA/other persons
2.13 • failing to respond promptly to communications, orders requirements or requests
2.15 • failing, after demand, to pay fees or other charges due to the IRBA.
Contraventions in respect of relinquishing engagements
2.14 • failing without reasonable cause to resign from a professional appointment when the client
2.16 requests the member to do so
• abandoning his or her practice without giving notice to clients and making necessary
arrangements to obtain the services they require.
2.17 Acting in a manner that brings the profession into disrepute.
CHAPTER

3
Statutory matters

CONTENTS
Page

3.1 Introduction ...................................................................................................................... 3/3

3.2 The Companies Act 71 of 2008 ........................................................................................... 3/3


3.2.1 Introduction ........................................................................................................... 3/3
3.2.2 Structure of the Act ................................................................................................. 3/4
3.2.3 Titles of chapters ..................................................................................................... 3/4
3.2.4 Titles of schedules ................................................................................................... 3/5
3.2.5 Structure of individual sections ................................................................................ 3/5
3.2.6 Existing companies and compliance with the new Act .............................................. 3/5

3.3 Important regulations for study purposes.......................................................................... 3/5

3.4 Section summaries and notes ............................................................................................ 3/10


3.4.1 Chapter 1 – Interpretation, purpose and application ................................................. 3/10
3.4.2 Chapter 2 – Formation, administration and dissolution ............................................ 3/14
3.4.3 Chapter 3 – Enhanced accountability and transparency ............................................ 3/42
3.4.4 Chapter 4 – Public offerings of company securities ................................................... 3/47
3.4.5 Chapter 5 – Fundamental transactions, takeovers and offers ..................................... 3/47
3.4.6 Chapter 6 – Business rescue and compromise with creditors ..................................... 3/49
3.4.7 Chapter 7 – Remedies and enforcement ................................................................... 3/53
3.4.8 Chapter 8 – Regulatory agencies and administration of Act ...................................... 3/55
3.4.9 Chapter 9 – Offences, miscellaneous matters and general provisions ......................... 3/57

3.5 The Close Corporations Act 69 of 1984............................................................................... 3/57


3.5.1 Introduction ........................................................................................................... 3/57
3.5.2 Important changes to the Close Corporations Act .................................................... 3/58
3.5.3 Calculation of the Close Corporations public interest score ....................................... 3/58
3.5.4 Preparation of financial statements .......................................................................... 3/58
3.5.5 Audit requirement .................................................................................................. 3/58
3.5.6 Breakdown of the Close Corporations Act by part .................................................... 3/59
3.5.7 Section summaries and notes................................................................................... 3/59

3/1
3/2 Auditing Notes for South African Students

Page

3.6 The Auditing Amendment Act 5 of 2021 ............................................................................ 3/68


3.6.1 Introduction ........................................................................................................... 3/68
3.6.2 Structure of the Act ................................................................................................. 3/69

3.7 Summaries and notes ........................................................................................................ 3/69


3.7.1 Chapter I: Interpretation and objects of the Act (ss 1 and 2) ...................................... 3/69
3.7.2 Chapter II: Independent regulatory board for auditors (ss 3 to 31) ............................. 3/69
3.7.3 Chapter III: Accreditation and registration (ss 32 to 40) ............................................ 3/70
3.7.4 Chapter IV: Conduct by and liability of registered auditors (ss 41 to 46) .................... 3/71
3.7.5 Chapter V: Accountability of registered auditors (ss 47 to 51) ................................... 3/78
3.7.6 Chapter VI: Offences(s 52) ...................................................................................... 3/78
3.7.7 Chapter VII: General matters (ss 55 to 60) ............................................................... 3/79
Chapter 3: Statutory matters 3/3

3.1 Introduction
Registered auditors and chartered accountants cannot escape the need to have a sound knowledge of the
laws and regulations which govern their professional activities as well as the activities of their clients. A
knowledge of common law, for example, negotiable instruments, contracts, etc. has to be obtained by all
aspirant auditors and accountants during the early years of their study, and in addition, hundreds of
sections relating to specific disciplines such as income tax and company law must be absorbed. This
chapter will concentrate on the more important sections of the Companies Act 71 of 2008 (Companies
Act), the Close Corporations Act 69 of 1984 (Close Corporations Act) and the Auditing Profession Act 26
of 2005 (APA). This chapter is not an in-depth study of these Acts – it must instead be regarded as a
summary of important sections with brief commentary to be used in conjunction with the Acts themselves.

3.2 The Companies Act 71 of 2008


3.2.1 Introduction
1.1 The Companies Act became effective from 1 May 2011. Amendments have been made to it in terms
of the Companies Amendment Act 3 of 2011 and the Financial Markets Act 19 of 2012. These
amendments were not significant.
The Companies Regulations 2011 document was also introduced in 2011. The regulations work in
tandem with the Companies Act. Section 223 of the Companies Act gives the Minister of Trade and
Industry the power to make these regulations, and as a result, they must be complied with in the same
manner as the Companies Act itself.
What are the Companies Regulations? The Company Regulations are an extensive set of require-
ments, explanations and procedures about the sections of the Companies Act.
Example 1: Section 30 of the Companies Act states that the financial statements of a public
company must be audited and that any other profit or non-profit company must have its
financial statements audited if it is desirable in the public interest.
Regulation 26 supplements and explains this by introducing the concept of a public interest score and
proceeds to lay down how it is calculated.
Regulation 28 then takes the idea further by indicating which companies must be audited, based,
among other things, on their public interest score.
Example 2: Section 21 of the Companies Act states that a person may enter into a written agreement
in the name of an entity that is contemplated to be incorporated but which does not yet
exist.
Regulation 35 expands on this and states that a person may notify a company of a pre-incorporation
contract by filing a notice with the Companies and Intellectual Property Commission (CIPC) and
delivering a notice in Form CoR35.1. The regulations also contain an example of Form CoR 35.1.
Example 3: Section 94(5) of the Companies Act states that the Minister may prescribe minimum
qualification requirements for members of an audit committee.
Regulation 42 expands on this and stipulates that “at least one-third of the members of a company’s
audit committee at any particular time must have academic qualifications, or experience in eco-
nomics, law, corporate governance, finance, accounting, commerce, industry, public affairs or human
resource management.” (Very broadly stated and not very onerous!)
Perhaps, fortunately, the Companies Regulations are not important in terms of academic study, as
they are more relevant to the application of company law requirements. However, there are a few
important regulations of which students should have an understanding. These have been dealt with
before the section summaries and referred to in the notes to the sections.
1.2 In developing the Companies Act, the legislators’ intention was to produce a Companies Act which
would match the changes on the economic, social and political landscape which had taken place since
the introduction of the previous Act – The Companies Act 61 of 1973. Five policy objectives around
which the Act would be built were formulated as follows:
Company law should promote the competitiveness and development of the South African economy by:
• encouraging entrepreneurship and enterprise development, and consequently, employment oppor-
tunities by:
– simplifying the procedures for forming companies, and
3/4 Auditing Notes for South African Students

– reducing costs associated with the formalities of forming a company and maintaining its
existence
• promoting innovation and investment in South African markets and companies by providing for:
– flexibility in the design and organisation of companies, and
– a predictable and effective regulatory environment
• promoting the efficiency of companies and their management
• encouraging transparency and high standards of corporate governance
• making company law compatible and harmonious with best practice jurisdictions internationally.
In support of the five objectives, five more specific goals were set as follows:
• Simplification
Example: The Act should provide for a company structure that reflects the characteristics of close
corporations (CCs), such as a simplified procedure for incorporation and more self-
regulation.
• Flexibility
Example: Company law should provide for “an appropriate diversity of corporate structures”,
and the distinction between listed and unlisted companies should be retained.
• Corporate efficiency
Example: Company law should shift from a capital maintenance regime based on par value to one
based on solvency and liquidity.
Example: There should be clarification of board structures and director responsibilities, duties
and liabilities.
• Transparency
Example: Company law should ensure the proper recognition of director accountability and
appropriate participation of other stakeholders.
Example: The law should protect shareholder rights and provide enhanced protections for
minority shareholders.
Example: Minimum accounting standards should be required for annual reports.
• Predictable regulation
Example: Company law should be enforced through appropriate bodies and mechanisms, either
existing or newly introduced.
Example: Company law should strike a careful balance between adequate disclosure in the
interests of transparency and over-regulation.

3.2.2 Structure of the Act


Before considering the detail of the sections, you should obtain an overall understanding of how the Act is
structured:
• the sections are grouped into nine Chapters
• each Chapter deals with a broadly stated topic
• each Chapter is broken down further into alphabetically sequenced parts, for example, Chapter 1 part B
• each part deals with a more specifically stated topic
• in addition to the nine Chapters, there are five Schedules that deal with specific matters
• the Act itself is then supported by the Companies Regulations 2011.

3.2.3 Titles of chapters


Chapter 1. Interpretation, Purpose and Application (10 sections in Parts A and B).
Chapter 2. Formation, Administration and Dissolution of Companies (73 sections in Parts A to G).
Chapter 3. Enhanced Accountability and Transparency (11 sections in Parts A to D).
Chapter 3: Statutory matters 3/5

Chapter 4. Public Offerings of Company Securities (17 sections in a single part).


Chapter 5. Fundamental Transactions, Takeovers and Offers (16 sections in Parts A to C).
Chapter 6. Business rescue and Compromise with creditors (28 sections in Parts A to E).
Chapter 7. Remedies and Enforcement (29 sections in Parts A to F).
Chapter 8. Regulatory Agencies and Administration of Act (28 sections in Parts A to E).
Chapter 9. Offences, Miscellaneous Matters and General Provisions (13 sections in Parts A to C).

3.2.4 Titles of Schedules


Schedule 1. Provisions concerning Non-Profit Companies.
Schedule 2. Conversion of Close Corporations to Companies.
Schedule 3. Amendment of Laws.
Schedule 4. Legislation to be enforced by CIPC.
Schedule 5. Transitional Arrangements.

3.2.5 Structure of individual sections


When reading a section of the Companies Act, remember that the majority of the sections deal with:
• the requirements necessary for some action to take place, for example, appointing an auditor
• specific prohibition of some action, for example, registering a company name which constitutes the
advocacy of hatred based on race, gender or religion, or appointing a person who has been prohibited
from being appointed a director, as a director
• the level of authority necessary to make an “action” legal, for example, a special resolution
• exceptions/provisos to the requirements of the section or the authority stipulated in the main body of
the section.
Thinking about the section in this way makes the Act easier to understand.

3.2.6 Existing companies and compliance with the new Act


You may have noticed that Schedule 5 deals with transitional arrangements, that is, transition from the
Companies Act 1973 to the Companies Act 2008. In short, the thousands of companies that existed before
the introduction of the Companies Act 2008 have continued to operate but are required to comply with the
new Companies Act in doing so. A time period has been allowed for companies to align themselves with
the requirements of this Act where necessary, for example replacing the (outdated) Memorandum and
Articles of Association with the (new) Memorandum of Incorporation (MOI), but in effect the new Act has
governed from the date it was proclaimed by the President in the Gazette, namely, 1 May 2011.

3.3 Important regulations for study purposes


1. Regulations 26, 27, 28, 29 – Public interest scores, etc.
These regulations work in conjunction with each other and are pertinent to the public interest score
concept, audit and review requirements, reportable irregularities for independent reviews as well as the
financial reporting standards with which different entities must comply.

Regulation 26
This regulation introduces the concept of the public interest score, which every company (and CC) must
calculate at the end of each financial year. The public interest score is used primarily to determine:
• which financial reporting standards the company must comply with
• the categories of companies that must be audited/reviewed, and
• who must carry out the review of a company which must be independently reviewed.
Note (a): The public interest score will be the sum of:
(i) a number of points equal to the average number of employees during the financial year
3/6 Auditing Notes for South African Students

(ii) 1 (one) point for every R1million (or portion thereof) in third party liability of the com-
pany, at the financial year-end
(iii) 1 (one) point for every R1million (or portion thereof) in turnover during the financial year,
and
(iv) 1 (one) point for every individual who directly or indirectly has a beneficial interest in any
of the company’s securities.
Example: The following relevant details pertaining to Plus (Pty) Ltd:
Detail Public Interest Points
1. Employees at 1 March 19XX 300
2. Employees at 28 Feb 20XX 360
3. The average number of employees 660 ÷ 2 330
4. Long and short term liabilities at 28 Feb 20XX = R9m 9
5. Turnover for the year to 28 Feb 20XX = R82,7m 83
6. Shareholders = 14 14
Public interest score 436

This illustrative example is straightforward, but the interpretation of the public interest score may be less
so, for example:
• If an individual is an employee and a shareholder (direct interest in the company’s securities), will he be
counted twice in the public interest score?
• If a trust holds shares in a company, is the trust counted as an individual or is it the number of trustees
or beneficiaries of the trust, or both, which are used in the public interest score?
• Similarly, if another company owns shares in a company (whether in a holding/subsidiary company or
not) does the company holding the shares count as an individual or is it the number of individuals who
hold shares in that company, and thereby have a beneficial interest in the shares of the company in
which the investment is held? (See note (b) below.)
• Are temporary or part-time employees included in the public interest score?
• Concerning third-party liability, what is a third party?
• If a private company has a subsidiary, is its portion of the subsidiary’s turnover included in determining
its turnover for public interest score purposes?
No doubt there will be other questions raised pertaining to the interpretation of the “public interest score”.
Time, practice and case law will eventually resolve these questions.
Note (b): In terms of a JSE listing requirement, the subsidiaries of all listed companies must be externally
audited regardless of their public interest scores.

Regulation 27
This regulation does two things. Firstly, it states that a company’s financial statements may be compiled
internally or independently.
To be classified as compiled independently, the Annual Financial Statements (AFS) must be prepared:
• by an independent accounting professional (see note (a) below)
• based on financial records provided by the company, and
• following any relevant financial reporting standard.
Note (a): An “independent accounting professional” means a person who:
(i) is a registered auditor in terms of the APA, or
(ii) is a member in good standing of a professional body accredited in terms of the APA, such
as SAICA, or
(iii) is qualified to be appointed as an accounting officer of a CC in terms of the Close
Corporation Act, for example, a member of SAICA, ICSA, CIMA, ACCA, or SAIPA
(iv) does not have a personal financial interest in the company or a related or inter-related
company
(v) is not involved in the day to day management of the company and has not been so involved
during the previous three years
Chapter 3: Statutory matters 3/7

(vi) is not a prescribed officer or full-time executive employee of the company (or a related or
inter-related company) and has not been such an employee or officer during the previous
three financial years, and
(vii) is not related to any person contemplated in (iv) to (vi) above.
Secondly, regulation 27 stipulates the applicable financial reporting standards with which different cat-
egories of company must apply. (Note that the requirements for non-profit companies have not been
included in this text. Reference can be made to the regulations themselves if necessary.)

State-owned and profit companies

Category of Companies Financial Reporting Standard


State-owned companies. IFRS, but in the case of any conflict with any requirement
in terms of the Public Finance Management Act, the
latter prevails.
Public companies listed on an exchange. IFRS.
Public companies not listed on an exchange. One of:
(a) IFRS; or
(b) IFRS for SMEs, provided that the company meets
the scoping requirements outlined in the IFRS for
SMEs.
Profit companies, other than state-owned or public com- One of:
panies, whose public interest score for the particular (a) IFRS, or
financial year is at least 350. (b) IFRS for SMEs, provided that the company meets
the scoping requirements outlined in the IFRS for
SMEs.
Profit companies, other than state-owned or public com- One of:
panies: (a) IFRS, or
(a) whose public interest score for the particular finan- (b) IFRS for SMEs, provided that the company meets
cial year is at least 100 but less than 350, or the scoping requirements outlined in the IFRS for
(b) whose public interest score for the particular year is SMEs.
less than 100, and whose statements are independ-
ently compiled.
Profit companies, other than state-owned or public The financial reporting standard as determined by the
companies, whose public interest score for the particular company for as long as no financial reporting standard is
financial year is less than 100, and whose statements are prescribed.
internally compiled.

Regulation 28
This regulation stipulates the categories of companies that are required to be audited. These are:
(i) public companies and state-owned companies
(ii) any profit (or non-profit) company which, in the ordinary course of its primary activities, holds assets
in a fiduciary capacity for persons not related to the company, and the aggregate value of the assets
held exceeds R5million at any time during the financial year, and
(iii) any company whose public interest score in that financial year
• is 350 or more
• is at least 100 if its annual financial statements for that year were internally compiled.
Note (a): In terms of the JSE listing requirements, all subsidiaries of listed companies must be externally
audited regardless of their public interest scores. This is primarily because the holding com-
pany’s consolidated financial statements must contain audited figures for the audit report to
have any value.

Regulation 29
This regulation deals with the matters surrounding the independent review of a company’s financial state-
ments (including important regulations pertaining to reportable irregularities).
3/8 Auditing Notes for South African Students

(i) A company that is not required to be audited must have an independent review of its annual financial
statements unless it is a private company in which every shareholder is a director (owner-managed).
(ii) If the company’s public interest score is 100 or more, the review must be conducted by a registered
auditor or by a member of a professional body accredited in terms of the APA (SAICA is currently
the only such body).
(iii) If the company’s public interest score is less than 100, the review can be carried out by a qualified
person to be appointed as an accounting officer in terms of the Close Corporations Act, for example
ACCA, SAIPA, CIMA, SAICA, etc.
(iv) The review should be carried out in terms of the International Statement on Review Engagements
ISRE 2400.
(v) An independent review of a company’s annual financial statements must not be carried out by an
independent accounting professional who was involved in preparing the said financial statements
(independence requirement).
In terms of section 10 of the Close Corporations Act 1984, CCs must calculate their public interest score (on the
same basis as a company) and may also have to have their financial statements audited. The following
chart summarises which companies and CCs must be audited, which must be reviewed and which need not
bother with external (professional) intervention.

Public interest score Private company Close corporation Owner-managed


Less than 100 Independent Review No external intervention No external intervention.
regardless of whether AFS (Accounting Officer
are internally or externally Report).
compiled.
Note (a).
100 to 349 Audit if AFS internally Audit if AFS internally Audit if AFS internally
compiled. compiled. compiled.
Independent Review if AFS No independent review if No independent review if
externally compiled. externally compiled. externally compiled.
Note (b). (Accounting Officer’s Note (c).
Report)
Note (c).
350 and above Audit Audit Audit

Note (a): This review (less than 100 points) must be carried out by a Registered Auditor or an individual
who qualifies for appointment as an Accounting Officer of a CC in terms of section 60 of the
Close Corporations Act, for example SAICA, SAIPA, ACCA, CIMA, etc.
Note (b): Audit can only be carried out by a Registered Auditor. This review (100 to 349 points) may only
be carried out by a registered auditor or a chartered accountant. Externally compiled means
compiled by an “independent accounting professional” as defined.
Note (c): This category of CC and owner-managed company is exempt from review in terms of section
30(2A) of the Companies Act.
Note (d): Subsidiary companies of listed companies must be externally audited (JSE listing requirement).
Note (e): All public companies (listed or otherwise) and state-owned companies must be audited.
Note (f): Private companies which hold fiduciary assets for persons not related to the company which in
aggregate have exceeded R5m at any time during the year must be audited.
Note (g): A private company may include a clause that requires that it be audited in its MOI, or a
company may be voluntarily audited, for example directors decide to have the AFS externally
audited.

Regulation 29 – Reportable irregularities, independent reviews


In terms of the APA, an auditor is required to report a “reportable irregularity” (as defined) at an audit
client, but this requirement does not apply to a review client. However, regulation 29 places an obligation
on the independent reviewer to report a reportable irregularity arising at an independent review, whether he
is a registered auditor or not. While the reportable irregularity situations which the auditor or reviewer
Chapter 3: Statutory matters 3/9

might find themselves in are very similar, the definitions of a reportable irregularity and the procedure to be
followed by the auditor and reviewer do differ. For regulation 29, the following will apply to reportable
irregularities at a review client:
(i) Definition: a reportable irregularity (RI) means any act or omission committed by any person
responsible for the management of a company, which:
• unlawfully has caused or is likely to cause material financial loss to the company, or any member,
shareholder, creditor or investor of the company in respect of his, her or its dealings with the
company, or
• is fraudulent or amounts to theft, or
• causes or has caused the company to trade under insolvent circumstances.
(ii) Procedure: if an independent reviewer is satisfied or has reason to believe that an RI is taking place,
he must:
• without delay, send a written report to the CIPC giving the particulars of the RI and any other
information he deems appropriate
• within three business days of sending the report to the CIPC, notify the board (of the company) in
writing of the sending of the report, and the provisions of this section of regulation 29
• a copy of the report must be submitted with this notice to the board (of the company)
• as soon as reasonably possible, but not later than 20 business days from the date the report was
sent to the CIPC
– take all reasonable measures to discuss the report with the directors
– allow the directors to make representations in respect of the report
– send another report to the CIPC, which must include a statement (with supporting infor-
mation) that the reviewer is of the opinion that;
* no RI has taken place or is taking place, or
* the suspected RI is no longer taking place, and that adequate steps have been taken for the
prevention or recovery of any loss, or
* the RI is continuing.
Note (a): If the second report states that the RI is continuing, the CIPC must, as soon as possible after the
receipt of the report, notify any appropriate regulator, for example SARS or SAPS, in writing,
with a copy of the report.
Note (b): To investigate or report an RI, the independent reviewer may carry out whatever procedures he
or she deems necessary.

2. Regulation 43 – Social and ethics committee


2.1 The following companies must appoint a social and ethics committee:
• every state-owned company (SOC)
• every listed public company, and
• any other company that has in two of the previous five years scored above 500 points in its public
interest score.
2.2 A company that must have a social and ethics committee must appoint the committee within one year
of:
• its date of incorporation in the case of an SOC
• the date it first became a listed public company
• the date it first met the “500 points” requirement.
2.3 The committee must comprise:
• not less than three directors or prescribed officers of the company
• one of which must be a director who is not involved in the day-to-day management of the com-
pany’s business (non-executive) and has not been so involved in the previous three years.
3/10 Auditing Notes for South African Students

2.4 The function of the Social and Ethics Committee is to monitor the company’s activities, having regard
to any relevant legislation, legal requirements or codes of best practice, with regard to:
• social and economic development, including the company’s standing in terms of the goals and pur-
poses of:
– the ten principles set out in the United Nations Global Company Principles
– the Organisation for Economic Co-operation and Development (OECD) recommendations
regarding corruption
– the Employment Equity Act 55 of 1998
– the Broad-Based Black Economic Empowerment Act 53 of 2003.
• good corporate citizenship
– promotion of equality, prevention of unfair discrimination and reduction of corruption
– development of communities in which it operates or within which its products are predomin-
antly marketed
– sponsorship, donations and charitable giving.
• the environment, health and public safety, for example the impact of its products/services on the
environment.
• consumer relationships, for example advertising, public relations and compliance with consumer
protection laws.
• labour and employment.
Note (a): A subsidiary company which in terms of the section must appoint a social and ethics committee
need not do so if its holding company has a social and ethics committee that will perform the
functions required by regulation 43 on behalf of the subsidiary.
Note (b): The committee must:
• draw any matters arising from its monitoring activities to the attention of the board, and
• one of its members must report to the shareholders at the company’s annual general meeting
(AGM).

3.4 Section summaries and notes


3.4.1 Chapter 1 – Interpretation, purpose and application
Chapter 1 – Part A – Interpretation
1. Section 1 – Definitions
2. Section 2 – Related and inter-related persons and control
Note (a): There are numerous definitions. Where necessary, these will be dealt with in the section sum-
maries.
For the purposes of the Companies Act:
2.1 An individual is related to another individual if:
• they are married, or live together in a relationship similar to a marriage, or
• they are separated by no more than two degrees of natural or adopted consanguinity (blood rela-
tionship) or affinity (relationship between two or more people as a result of somebody’s marriage).
2.2 An individual is related to a juristic person if:
• the individual directly or indirectly controls the juristic person.
2.3 A juristic person is related to another juristic person if:
• either of them directly or indirectly controls the other or the business of the other, or
• either is a subsidiary of the other, or
• a person directly or indirectly controls each of them or the business of each of them.
Note (a): The intention of section 2 is to prevent individuals or companies from doing things through the
medium of another individual or company (entity), which they would not be able to do because
of the requirements of the Companies Act. Essentially the Act is saying that an individual
Chapter 3: Statutory matters 3/11

or company and the individuals or companies (entities) related to them (as defined by s 2) are
considered by the Act to be the same person. For example, a company must obtain a special
resolution to give a loan to a director. It cannot get around this requirement by giving the loan to
the director’s wife or child because they are related persons as defined in section 2. Thus, a
special resolution will still be required.
Note (b): An individual is defined as a natural person; a juristic person is a “person” formed by law, for
example CC, trust, and a “person” includes a juristic person.
Note (c): The section also guides what constitutes control:
Example 1: Company B is a subsidiary of Company A. Company A controls Company B
(s 2(2)(a)(i)).
Example 2: Joe Sope and his wife (related person) control the majority of the voting rights in
Company C.
• The control can be by virtue of the two of them owning the majority of the shares or as a
result of a shareholders agreement (s 2(2)(a)(ii)).
• Joe and his wife do not have to hold the shares themselves. The shares in Company C could
be held by an entity that Joe and his wife control. The control can be direct or indirect.
Example 3: Fred Bloggs and his son Bob have the right (by virtue of their combined share-
holding) to control the appointment of the directors of Company D, who control a majority of
the votes at a meeting of the board (s 2(2)(a)(ii)(bb)).
Example 4: Jeeves Ndlovu owns the majority of the members’ interests (or controls the majority
of members’ votes) in Starwars Close Corporation (s 2(2)(b)).
Example 5: Charlie Weir, the senior trustee of Cape Trust, has, in terms of the trust agreement,
the ability to control the majority of votes of trustees or appoint the majority of trustees or to
appoint or change the majority of the beneficiaries of the trust (s 2(2)(c)).
Example 6: Martin Mars owns the majority interest in both Thunder CC and Lightning CC. The
two CCs will be related (s 2(1)(c)(iii)).
Note (d): In addition to the specific situations given in the section, there is also a “general” proviso (s 2(d))
which suggests that if a person can materially influence the policy of a juristic person in a
manner comparable to the examples given above, that person will have control.
Note (e): Situations/transactions relating to the Act may arise that prejudice a person because by definition
the person is related to the company despite the person having acted independently. Section 2(3)
enables the court, the Companies Tribunal (or the Takeover Regulation Panel (TRP) in the case
of a takeover transaction) to exempt the person from the effect of the relationship if there is
sufficient evidence to conclude that the person acts independently of any related person, for
example, although Joan and Peter de Wet are married (and thus by definition are related) they
may live apart and may conduct entirely separate business and social lives.

3. Section 3 – Subsidiary relationships


3.1 A company will be a subsidiary of another juristic person if that juristic person:
• can directly or indirectly exercise a majority of the voting rights whether pursuant to a share-
holders agreement or otherwise, or
• has the right to appoint, elect or control the appointment or election of directors of that company
who control the majority of the votes at a board meeting.
Note (a): The holding/subsidiary company relationship is an easy one to understand, and the companies
(holding, subsidiary, sub-subsidiary and fellow subsidiaries) in a group will be “related”.

4. Section 4 – Solvency and liquidity test (important section)


4.1 A company satisfies the solvency and liquidity test if, considering all reasonably foreseeable financial
circumstances of the company at the time:
• the assets of the company fairly valued equal or exceeded the liabilities of the company fairly valued,
and
3/12 Auditing Notes for South African Students

• it appears that the company will be able to pay its debts as they become due in the ordinary course
of business for 12 months after the liquidity and solvency test is considered, or
• in the case of a distribution (see note (e) below), 12 months after the distribution is made.
Note (a): This section is very important because it represents a fundamental change to company legisla-
tion. The Companies Act 1973 was based upon what was termed the capital maintenance
concept, which simplistically speaking, resulted in very strict regulations on any transactions
which affected the capital of the company. For example, a company was prohibited from giving
financial assistance to anyone for the purchase of shares in that company. A Companies Act
based on this concept was regarded as inflexible and over-regulatory. On the other hand, the
Close Corporations Act has been based on the liquidity/solvency test since its inception and has
proved to be effective. As has been explained, the legislators and other interested parties required
that the new Companies Act be more flexible and accommodating but at the same time
sufficiently protective for stakeholders in the company. The Companies Amendment Act 2006
introduced the liquidity/solvency concept for companies and the Companies Act 2008 adopted
it. As will become evident, whenever important transactions are resulting in outflows of
amounts relating in some way to capital/profits, the liquidity/solvency test comes into play. For
example, a company can now provide financial assistance to a person to purchase shares in the
company, provided, among other things, that the liquidity/solvency requirements are satisfied.
Note (b): Where the test is applied, the financial information considered must be based on:
• accurate and complete accounting records as required by the Companies Act section 28, and
in one of the official languages of the Republic, and
• financial statements which satisfy the Companies Act section 29 and relevant financial
reporting standards.
Note (c): The fair valuation of the assets and liabilities must include any reasonably foreseeable contingent
assets and liabilities.
Note (d): The liquidity/solvency test will also help protect the company’s stakeholders from abuse by the
directors (or a majority shareholder) of their powers. The requirements to satisfy the liquid-
ity/solvency test will usually be accompanied by other requirements for the transaction to be
legal, for example, permission in the MOI and/or a special resolution.
Note (e): In terms of a simplified definition, a “distribution” is a direct or indirect transfer by a company
of money or other property to a shareholder by virtue of that shareholder’s shareholding. For
example, a dividend paid to a shareholder is a distribution, but a salary paid to a shareholder
who also works in the company is not a distribution. A salary is a payment to an employee. In
the context of section 4, if a distribution is made, the liquidity/solvency test is only satisfied if
the company can pay its debts as they become due in the ordinary course of business for
12 months from when the distribution is made, not from when the decision to make the distribu-
tion was taken.

5. Section 5 – General interpretation of the Act


5.1 Section 7 (see below) spells out the purposes of the Companies Act. This section states that where
interpretation and application of the Act is required, it is to be done in a manner which gives effect to
the purposes as stipulated.
5.2 This section also provides an explanation of how a particular number of business days should be
calculated, for example if a section requires the submission of a document to be within 10 business
days of a notification calling for the submission of a document, the 10 business days will be calculated
as follows:
• exclude the day of the notification
• include the day by which the document must be submitted, and
• exclude any public holiday, Saturday or Sunday which falls between the notification date and the
date by which the document must be submitted.
5.3 The section also provides guidance on situations where the Companies Act may conflict with other
Acts. (Refer to the Act.)
Chapter 3: Statutory matters 3/13

Chapter 1 – Part B – Purpose and application

1. Section 7 – Purpose of the Act


1.1 The purposes of this Act are to:
• promote compliance with the Bill of Rights as provided for in the Constitution, in the application
of company law
• promote the development of the South African economy by:
(i) encouraging entrepreneurship and enterprise efficiency
(ii) creating flexibility and simplicity in the formation and maintenance of companies, and
(iii) encouraging transparency and high standards of corporate governance as appropriate, given
the significant role of enterprises within the social and economic life of the nation
• promote innovation and investment in South African markets
• reaffirm the concept of the company as a means of achieving economic and social benefits
• continue to provide for the creation and use of companies in a manner that enhances the economic
welfare of South Africa as a partner within the global economy
• promote the development of companies within all sectors of the economy, and encourage active
participation in economic organisation, management and productivity
• create optimum conditions for the aggregation of capital for productive purposes, and for the
investment of that capital in enterprises and the spreading of economic risk
• provide for the formation, operation and accountability of non-profit companies in a manner
designed to promote, support and enhance the capacity of such companies to perform their func-
tions
• balance the rights and obligations of shareholders and directors within companies
• encourage the efficient and responsible management of companies
• provide for the efficient rescue and recovery of financially distressed companies, in a manner that
balances the rights and interests of all relevant stakeholders, and
• provide a predictable and effective environment for the efficient regulation of companies.

2. Section 8 – Categories of companies (important section)


2.1 In terms of this Act, two types of companies may be formed and incorporated: profit companies and
non-profit companies.
Note (a): A profit company means a company incorporated for financial gain for its shareholders.
Note (b): A non-profit company means a company that is incorporated for a public benefit, and the prop-
erty and income of which are not distributable to its incorporators, members, directors, officers
or related persons except as reasonable compensation for services rendered.
Note (c): A profit company is either:
• an SOC
• a private company
• a personal liability company, or
• a public company.
Note (d): a private company is private because its MOI:
• prohibits it from offering any of its securities to the public, and
• restricts the transferability of its securities (e.g. an existing shareholder may be required to
obtain the consent of the other shareholders if he wishes to sell his shares).
A private company cannot be a state-owned enterprise.
Note (e): A personal liability company:
• must meet the criteria for a private company and
3/14 Auditing Notes for South African Students

• its MOI must state that it is a personal liability company. This amounts to a clause in the
MOI which provides that the directors and past directors are jointly and severally liable,
together with the company, for any debts and liabilities of the company that were contracted
during their terms of office.
Note (f): A public company is a profit company that is not an SOC, a private company or a personal
liability company.
Note (g): In terms of section 11(3)(c), company names must end with the appropriate expression (or
abbreviation thereof) which conveys their company category, namely:
• public company: Anglovaal Limited (or Ltd)
• personal liability company: Mitchells’ Incorporated (or Inc.)
• private company: Rubberducks Proprietory Limited (or (Pty) Ltd)
• state-owned company: Tollroad SOC Ltd
• non-profit company: Educate NPC.
Note (h): Although not formally categorised in the Act, a few provisions recognise two further “types” of
company. Both of these “types” of company are exempted from a few requirements of the Act.
These “types” are:
• companies where all of the shares are owned by related persons (which results in a dimin-
ished need to protect minority shareholders), and
• companies where all the shareholders are directors (which results in a diminished need to
seek shareholder approval for certain board actions and audit requirements in some
circumstances).
These are not hugely significant but are in line with making the Act more flexible.

3.4.2 Chapter 2 – Formation, administration and dissolution


Chapter 2 – Part A – Reservation and registration of company names
1. Section 11 – Criteria for names of companies
1.1 A company name may:
• comprise words in any language, irrespective of whether the words are commonly used or made
up, together with
– any letters, numbers or punctuation marks
– any of the following symbols +, &, #, @, %, = , and
– round brackets used in pairs to isolate any other part of the name.
1.2 The name of a company must:
• not be the same as or confusingly similar to:
– the name of another company or CC
– a name registered by another person as a defensive name (a name registered to prevent it being
used by another person) or a business name in terms of the Business Names Act of 1960, unless
the registered user of the defensive name or the business name has officially transferred the
name to the company wishing to use it
– a registered trademark belonging to a person other than the company, and
– a mark, word or expression protected by the Merchandise Marks Act or registered under the
Trade Marks Act
• not falsely imply or suggest, or reasonably mislead a person into believing incorrectly that the com-
pany is:
– part of or associated with any other person or entity, and
– is an organ of or supported/endorsed by the State, a foreign state, head of state, head of gov-
ernment or international organisation
• not include any word, expression or symbol, may reasonably be considered to constitute:
– propaganda for war
Chapter 3: Statutory matters 3/15

– incitement of violence or harm, and


– advocacy of hatred based on race, ethnicity, gender or religion.
Note (a): Company names must end in the manner which signifies their category. (See Chapter 1 s 8
note (g).)
Note (b): In terms of the prohibitions listed in the section, the following company names would probably
not be allowed. These are simply illustrative examples:
• Whites Only (Pty) Ltd
• Terrorists for God (Pty) Ltd
• Pick and Pay Enterprises (Pty) Ltd
• Government Supplies (Pty) Ltd
• SARS Consulting Inc
• Zenophobic Solutions (Pty) Ltd
• Bafana Bafana Enterprises (Pty) Ltd.
Note (c): The Act does allow a profit company to use its company’s registration number as its name, but
the number must be followed by the expression (South Africa), for example 97/3217 (South
Africa) (Pty) Ltd. This section appears to have been included so that if a person tries to incor-
porate a company with a name that is already in use, reserved or contrary to section 11(2), the
commissioner can use the registration number as the company name in the interim. If the
company does not respond, the registration number becomes the name.
Note (d): If the company’s MOI contains any restrictive condition applicable to the company or prohibits
the amendment of any particular provision of the MOI the company’s name must be imme-
diately followed by the expression (RF). This alerts any person dealing with the company that
the MOI contains restrictions that the person should be aware of. Section 19(5)(a) deems that a
person dealing with the company knows these provisions.

Chapter 2 – Part B – Incorporation and legal status of companies


1. Section 13 – Rights to incorporate company
1.1 One or more persons or an organ of state may incorporate a profit company.
1.2 Three or more persons or an organ of state or a juristic person may incorporate a non-profit company.
1.3 The procedure is to:
• complete and sign (person or proxy) a MOI
• file a Notice of Incorporation with a copy of the MOI, and
• pay the prescribed fee.
Note (a): The MOI can be in the prescribed form or can be in a form unique to the company.
Note (b): If the MOI includes any provision which imposes a restrictive condition applicable to the com-
pany or prohibits the amendment of any particular provision of the MOI, the Notice of Incor-
poration must include a prominent statement drawing attention to each such provision and its
location in the MOI. Remember also that the company’s name must be followed by the expres-
sion (RF) see section 11(3)(b).
Note (c): The CIPC may reject a Notice of Incorporation if the notice or anything to be filed with it is
incomplete or improperly completed but only if substantial compliance has not been achieved.
Note (d): Substantial compliance simply means that if a form, document, record etc is in a form or is
delivered in a manner that satisfies all the substantive requirements of its required content and
delivery, the form or its delivery will be valid (s 6).
Note (e): The CIPC must reject a Notice of Incorporation if:
• the initial directors listed in the notice are fewer than required by the Act:
– one director for a private company or a personal liability company
– three directors for a public company or non-profit company
• it believes that any of the initial directors as set out in the notice are disqualified in terms of
the Act and the remaining directors are fewer than required by the Act.
Note (f): Commission is the Companies and Intellectual Property Commission (CIPC).
3/16 Auditing Notes for South African Students

2. Section 14 – Registration of company


2.1 As soon as practicable after having accepted a Notice of Incorporation, the CIPC must:
• assign a unique registration number to the company
• enter the company’s information in the Companies Register
• endorse (confirm by official stamp/signature) the Notice of Incorporation (NOI) and MOI
• issue and deliver to the company, a registration certificate (dated either on the date of issue or the
date stated in the NOI (if any) by the incorporators, whichever is later).
Note (a): A registration certificate is conclusive evidence that:
• all the requirements for incorporation have been complied with, and
• the company is incorporated from the date stated on the certificate.

3. Section 15 – Memorandum of Incorporation, shareholder agreements and rules of the company


3.1 Each provision of the MOI:
• must be consistent with the Act, and
• will be void to the extent that it contravenes or is inconsistent with the Act.
Note (a): The MOI deals with numerous matters which are necessary to operate the company. The mat-
ters dealt with by the MOI include, among other things:
• details of the incorporation of the company, for example, date and type of company
• alteration of the MOI
• authorised shares; number and class
• authority of the board to issue debt instruments
• shareholders’ rights
• shareholders’ meetings, for example notice, location, quorum, resolutions
• directors – composition of the board, meetings, committees, compensation.
Note (b): The MOI may include a provision:
• dealing with a matter that the Act does not address
• altering the effect of any alterable provision (see note (f) below) in the Act, for example pro-
viding for lower quorum requirements for shareholders’ meetings
• imposing on the company a higher standard, greater restriction, a longer period or any more
onerous requirement than would otherwise apply to the company in terms of an unalterable
provision of this Act. In effect, it appears that an unalterable provision can be altered but
only if it makes the provision stricter
• which contains restrictive conditions applicable to the company (including requirements to
amend such condition) or which prohibits amendment to any particular provision of the
MOI, for example, the requirement that a special resolution may not be passed by less than
75% of all members’ votes cannot be altered (the Act allows this percentage to be less).
Note (c): In addition to the MOI, the board has the authority to make, amend or repeal any necessary or
incidental rules relating to the governance of the company in respect of matters not addressed in
the Act or the MOI. These rules must be:
• consistent with the Act and the MOI, otherwise they will be void
• published in terms of the requirements for the publishing of rules contained in the MOI, and
• filed with the CIPC.
Note (d): A rule will take effect on a date later than ten business days after the rule has been filed or the
date specified in the rule itself.
• The rule will be binding on an interim basis until the next general shareholders’ meeting and
on a permanent basis if it is ratified by ordinary resolution.
If a rule is not ratified, the directors may not make a (substantially) similar rule within 12 months,
unless approved in advance by an ordinary shareholder resolution. Example of a rule: the
company may not invest in derivatives.
Chapter 3: Statutory matters 3/17

Note (e): A company’s MOI and rules are binding:


• between the company and each shareholder
• between or among the shareholders of the company
• between the company, and
– each director or prescribed officer, or
– any person serving as a member of any committee of the board.
Note (f): An alterable provision is a provision of the Act which can be altered by the MOI of a company.
The result of the alteration may be to negate, restrict, limit, qualify, extend or otherwise alter in
substance or effect the existing provision of the Act. Some provisions of the Act may not be
altered under any circumstances, for example a public company cannot decide not to appoint an
auditor, but it would appear that a company could, in terms of section 15(b), alter this provision
by stipulating stricter audit requirements, such as having two different auditors performing the
annual audit independently of each other!
Note (g): In terms of section 15(7), the shareholders of a company may enter into agreements (termed
shareholders’ agreements) amongst themselves in respect of any matter relating to the company.
Any such agreement:
• must be consistent with the Act and the MOI, and
• will be void if it is not consistent.
Example: Bob Dobb, Fred Free, and Dave Dimm hold 40, 30 and 30 of the 100 shares in DimDob (Pty)
Ltd, respectively. The company’s MOI states that each share held attracts at least one vote. A shareholders’
agreement that states that Bob’s shares attract 80 votes while Fred and Dave’s shares attract 30 votes each,
would be acceptable if agreed by all shareholders. In effect, this would give control of DimDob (Pty) Ltd to
Bob.
4. Section 16 – Amending the Memorandum of Incorporation
4.1 A company may amend its MOI.
Note (a): The board or shareholders entitled to exercise at least 10% of the voting rights may propose a
special resolution to make the amendment.
Note (b): The company’s MOI may provide different requirements concerning proposals to amend the
MOI.
Note (c): An amendment to the MOI in compliance with a court order is effected by the board and does
not require a special resolution.
Note (d): As expected, where an amendment has been made, the company must file a Notice of Amend-
ment with the CIPC with the prescribed fee.
5. Section 19 – Legal status of companies read in conjunction with section 20 – Validity of company
actions
5.1 From the date and time that the incorporation of a company is registered, it is a juristic person that
exists continuously until its name is removed from the companies register in accordance with the Act.
A company has all the legal powers and capacity of an individual except to the extent that:
• a juristic person is incapable of exercising any such power, or having any such capacity, for
example a juristic person cannot exercise the power of an individual to get married, and
• the company’s MOI provides otherwise.
5.2 In terms of section 19(1)(c), the company is constituted in terms of the provisions in its MOI. In effect
the company is defined by its MOI.
5.3 In terms of section 19(2), a person is not solely by reason of being an incorporator, shareholder or
director, liable for any liabilities or obligations of the company, except to the extent that the Act or
MOI provides otherwise. In a personal liability company, the directors and past directors will be
jointly and severally liable, together with the company, for the debts and liabilities of the company
contracted during their respective periods of office. (Personal liability companies must insert a clause
to this effect in the MOI.)
5.4 In terms of section 19(4), a person must not be regarded as having received notice or knowledge of the
contents of any document (e.g., MOI, Rules) merely because the document:
• has been filed, or
• is accessible for inspection at the office of the company
3/18 Auditing Notes for South African Students

but in terms of section 19(5), a person must be regarded as having notice and knowledge of any
restrictive or prohibitive section15(2)(b) and (c) provisions in the MOI if:
• the company’s name includes the element RF (refer to notes on section 11), and
• the company’s NOI or any subsequent Notice of Amendment (NOA) has drawn attention to the
restrictive or prohibitive sections.
This is very important for people or companies dealing with a company with (RF) attached to its
name – the reason for the (RF) must be followed up.
Note (a): In terms of the Companies Act 1973, a company was required to state its “main” and
“ancillary” objects in its Memorandum. This in a sense defined the capacity of the company,
and thus any action by the company which appeared to be outside the stated objects of the
company could be challenged as being beyond the capacity of the company and, therefore an
“ultra vires” act. In terms of the common law, ultra vires acts are null and void. For example,
could a company that had a primary objective of being a wholesaler of clothing decide to open a
video store, or would that have been an ultra vires act?
The Companies Act does not require that the company state its “main” and “ancillary” objects,
and at the same time gives the company the legal power of an individual. So in terms of the Act
there is nothing to prevent a company that sells clothing from opening a video store. Thus the
difficulty with “capacity/ultra vires” has been largely removed by the Act (see note (b)).
Note (b): The company’s shareholders can still limit, restrict or qualify the purposes, powers or activities
of their company in the MOI. For example, the MOI may expressly prohibit the company’s
directors from purchasing financial derivatives (e.g. options or futures). This gives rise to some
interesting questions. For example:
Q1. If the company purchases futures through XYZ Stockbrokers and subsequently suffers loss,
can the company refuse to make good (pay up) on the loss because the company had no
capacity (it was restricted in the MOI) to purchase the futures and therefore the transaction
was null and void?
A1. In terms of section 20(1), no action of the company is void by reason only that:
• the action was prohibited by the MOI, or
• as a consequence of the limitation, the directors had no authority to authorise the
action.
Q2. Can the company get out of the transaction because XYZ Stockbrokers should have known
that the company was prohibited from purchasing futures because the MOI is a public
document (constructive notice)?
A2. In terms of section 19(4), a person is not deemed to know the contents of a document
merely because the document:
• has been filed, or
• is accessible for inspection.
Furthermore, in terms of section 20(7), XYZ Stockbrokers are entitled to presume that the com-
pany complied with all of the formal and procedural requirements (such as obtaining authority)
in terms of the Act, the company’s MOI and rules unless:
• they know or reasonably ought to have known, that the company had failed to comply with
the requirement.
However, both the answers to Q1 and Q2 are influenced by section 19(5), which states that a
person (XYZ Stockbrokers) must be regarded as knowing restrictive provisions in the company’s
MOI if the company’s name contains the element (RF), which it should!
Q3. Can the shareholders ratify (approve) an action by the company or the directors that the
MOI actually restricts? For example, could the shareholders ratify the director’s action of
purchasing the futures?
A3. Yes. In terms of section 20(2), they may ratify the action by special resolution. (Note: An
action which is in contravention of the Companies Act cannot be ratified.)
Chapter 3: Statutory matters 3/19

Q4. Can a director who discovers that his fellow directors (the company) are about to carry out
an action that is prohibited by the MOI restrain (prevent) the company from doing so, for
example, prevent the directors from purchasing futures from XYZ Stockbrokers?
A4. Yes. In terms of section 20(5), one or more shareholders or directors may take proceedings
to restrain the company.
Q5. Do the shareholders have a claim for damages against a director who causes the company
to do anything inconsistent with the Act or any restrictions, etc., in the MOI or rules? For
example, can a shareholder sue the directors for losses suffered in the futures transaction
with XYZ Stockbrokers?
A5. Yes – section 20(6). This section says that each shareholder of a company has a claim for
damages against any person who intentionally, fraudulently or due to gross negligence,
causes the company to do anything which is inconsistent with the Act or with a limitation,
restriction, or qualification in the MOI or rules, unless the shareholders have ratified the
action.

6. Section 21 – Pre-incorporation contracts


6.1 A person may enter into a written agreement in the name of, or purport to act in, or on behalf of, an
entity that has not yet been incorporated (does not exist).
Note (a): This section is necessary, because before incorporation, the company does not exist as a juristic
person and therefore cannot exercise its powers.
Note (b): Within three months after its date of incorporation, the board of the company may:
• completely, partially or conditionally ratify or reject the pre-incorporation contract.
Note (c): If the company fails (takes no action) to ratify or reject the pre-incorporation contract, the
company will be deemed to have ratified the contract.
Note (d): Although the other party should always be cautious when entering a pre-incorporation contract,
the section does provide some protection:
• the person who purported to be acting on behalf of the company yet to be incorporated is
jointly and severally liable with any other such person for all liabilities created while so
acting if:
– the entity is not incorporated, or
– the entity, once incorporated, rejects the contract (or any part thereof).

7. Section 22 – Reckless trading prohibited


7.1 A company must not:
• carry on its business recklessly, with gross negligence, with intent to defraud any person or for any
fraudulent purpose.
Note (a): If the CIPC has reasonable grounds to believe that a company is contravening this section or is
unable to pay its debts as they become due and payable in the normal course of business, the
Commission may issue a notice to the company to show cause why the company should be
permitted to continue carrying on its business or trade.
Note (b): The company has 20 business days to satisfy the Commission that it is not contravening the
section or that it can pay its debts. If the company does not achieve this, the Commission may
issue a compliance notice requiring it to cease trading.
Note (c): This section may prove cumbersome to implement but has been included so that the Commis-
sion has the power to intervene against errant companies.

Chapter 2 – Part C – Transparency, accountability and integrity of companies


1. Section 23 – Registered office
1.1 Section 23(3). Every company must continuously maintain at least one office in the Republic.
Note (a): The company must register the address of its office when filing its NOI. If the address changes,
the company must file a notice of change with the prescribed fee.
Note (b): This section deals extensively with external companies.
3/20 Auditing Notes for South African Students

2. Section 24 – Form and standards for company records


2.1 A company must keep all documents, accounts, books, writing, or other information which it is
required to keep in terms of this Act or any other public regulation;
• in written form, or
• in electronic or other form which allows it to be converted to written form within a reasonable
time and they must be kept
• for a period of seven years (or any longer period if so specified by other applicable regulations).
2.2 Every company must maintain:
• a copy of its MOI (including amendments) and any Rules the company has made
• a record of its directors (see note (c) below)
• copies of all reports presented at an AGM
• copies of annual financial statements
• accounting records as required by the Act
• notice and minutes of shareholders meetings, including all resolutions adopted and supporting
documentation made available to the holders of securities related to it
• copies of any written communications sent to shareholders (all classes of shares), and
• minutes of all meetings of directors, or directors’ committees and of the audit committee.
Note (a): Every profit company must maintain a securities register (see note to s 50).
Note (b): Every profit company must maintain a register of its company secretary and auditors if they have
made such appointments (not all profit companies are obliged to have a company secretary or
auditor).
Note (c): The company’s record of directors must include for each director:
• full name and any former names
• identity number or if no ID number, date of birth
• if not a South African, nationality and passport number
• occupation
• date of most recent appointment as a director, and
• name and registration number of every other company (including a foreign company) of
which the person is a director, and its nationality in the case of a foreign company.
Note (d): In terms of section 25, the company’s records should be accessible at the company’s registered
office or from other locations in the Republic:
• if the records are not at the registered office, or are moved from one location to another, the
company must file a notice of location of records.
Note (e): In terms of regulation 23, a company’s record of directors must include, for each director:
• the address for service for that director
• in the case of a company that is required to have an audit committee, for example, a public
company, any professional qualifications and experience of that director to enable the
company to comply with the qualification requirements for an audit committee,

3. Section 26 – Access to company records


3.1 A person who holds or has a beneficial interest in any securities issued by a company has a right to
inspect and copy the information contained in the company’s records as listed in section 24 para-
graph 2.2 above (but see note (a) below).
3.2 Such a person also has a right to any other information to the extent granted by the MOI.
Note (a): This right of access does not extend to the minutes of meetings and resolutions of directors,
directors’ committees or the audit committee or to the accounting records.
Note (b): The right of access in terms of this section is in addition to any right arising from section 32 of
the Constitution, the Promotion of Access to Information Act or any other public regulation.
Chapter 3: Statutory matters 3/21

Note (c): It will be an offence by the company if it fails to accommodate any reasonable request for access
or to refuse, impede, interfere with or attempt to frustrate any person entitled to information
from exercising his rights.
Note (d): In terms of section 31, a person who holds securities in a company is entitled to receive notice of
publication of the AFS, and on following the required steps, to receive, without charge, one
copy of the AFS.

4. Section 27 – Financial year of company


4.1 The company must have a financial year:
• the year-end date must be stated in the NOI
• the financial year will be the company’s accounting period
• a company may change its year-end by filing a notice of that change, but not to a date prior to the
date on which the notice is filed.

5. Section 28 – Accounting records


5.1 A company must keep accurate and complete accounting records in one of the official languages of
the Republic.
Note (a): Records must satisfy the requirements of the Act and any other law to facilitate the preparation
of financial statements and include any prescribed accounting records, for example, a fixed asset
register.
Note (b): Accounting records must be kept at or be accessible from the company’s registered office.
Note (c): If a company, with an intention to deceive or mislead any person:
• fails to keep accurate or complete records, or
• keeps records other than in the prescribed manner and form, or
• falsifies or allows its records to be falsified
it will be guilty of an offence.

6. Section 29 – Financial statements


6.1 If a company provides any financial statements (including AFS) to any person, for any reason, those
statements must:
• satisfy the financial reporting standards as to form and content
• present fairly the state of affairs and business of the company, and explain the transactions and
financial position of the business
• show the company’s assets, liabilities and equity as well as its income and expenses
• set out the date of publication and the accounting period of the statements
• prominently indicate on the first page of the statements whether the statements
– have been audited, or
– independently reviewed, or
– have not been audited or independently reviewed, and
– state the name and professional designation if any, of the individual who prepared or
supervised the preparation of, those statements.
Note (a): Financial statements must not be false, misleading or incomplete in any material respect.
Note (b): Any person (e.g. financial director) who is a party to the preparation, approval, dissemination or
publication of financial statements that do not comply with 6.1 above or that are materially false
or misleading will be guilty of an offence.
Note (c): This section gives the Minister power to prescribe financial reporting standards. These standards
must be consistent with the International Financial Reporting Standards (IFRS). See Companies
Regulations 27.
Note (d): A summary of the financial statements may be provided by the company, but the first page of the
summary must prominently state:
• that the document is a summary, and identify the financial statements which have been sum-
marised
3/22 Auditing Notes for South African Students

• whether the financial statements which have been summarised were audited, independently
reviewed or neither
• the name and professional designation (if any) of the individual who prepared or supervised
the preparation of the financial statements which have been summarised, and
• the steps required to obtain a copy of the financial statements which have been summarised.
Note (e): Section 29 gives legal force to the accounting standards, for example, IFRS, IFRS for SMEs.

7. Section 30 – Annual financial statements


To understand the requirements of section 30 of the Companies Act, it is necessary to understand
regulations 26 to 29. The important points on section 30 are included in the summary below. The discussion
on the pertinent regulations is at the start of the chapter. We recommend that you work through the section
and the regulations concurrently.
7.1 A company must prepare annual financial statements within six months after the end of the financial
year.
7.2 In the case of a public company, the financial statements must be audited.
7.3 In the case of any other profit (or non-profit) company the financial statements must be:
• audited if so required by regulation 28
• audited voluntarily if the MOI, or a shareholders’ resolution or the board requires it, or
• independently reviewed in terms of regulation 29.
Note (a): In terms of his powers granted in section 30(7) of the Companies Act, the Minister has, in
regulations 28 and 29, prescribed which categories of companies must be audited and which
companies must be independently reviewed. This categorisation is based upon the public interest
score of the company, as explained in regulation 26.
Note (b): A voluntary audit may arise from a requirement in the company’s MOI, an ordinary
shareholders’ resolution or a decision by the board.
Note (c): The requirements of the “independent review” have been formulated by the Minister in regula-
tion 29.
Note (d): A company will be exempted from the requirement to be audited or independently reviewed if:
• every person who is a shareholder (security holder) is also a director of the company
unless the company falls into a class of company required to have its annual financial statements
audited in terms of the regulations, for example, it has a public interest score of more than 350.
Note (e): The annual financial statements must:
• include an auditor’s report (if audited)
• include a directors’ report dealing with the state of affairs, the business and profit and loss of
the company, any matter material for the shareholders to appreciate the company’s state of
affairs and any prescribed information
• be approved by the board and signed by an authorised director (usually managing director/
chief executive officer), and
• be presented at the first shareholders’ meeting after the board has approved the financial
statements.
Note (f): The annual financial statements of a company that is required to have its statements audited
must include:
• the amount of remuneration and benefits received by each director
• pensions paid and payable to past and present directors or a pension scheme for their benefit
• amounts paid in respect of compensation paid for loss of office
• the number and class of any securities issued to a director or a person related to the director
(related as defined) and the consideration received by the company, and
• details of service contracts of current directors.
Chapter 3: Statutory matters 3/23

Note (g): The term remuneration is all-embracing and includes:


• fees, salary, bonuses, performance related payments
• expense allowances (for which the director is not required to account)
• contributions paid under any pension scheme not otherwise disclosed
• value of options given directly or indirectly to a director, past or future director or person
related to them
• financial assistance for the purchase of shares to any director, past or future director or per-
son related to them, and
• concerning any financial assistance or loan made, the amount of any interest deferred,
waived or forgiven or the difference between the amount of interest that would reasonably be
charged in comparable circumstances at fair market rates in an arm’s-length transaction and
the interest actually charged, if the actual interest is less, for example, the fair market rate on
R1m loan is 10%; a loan was granted to a director at 2%; therefore disclose R80 000
remuneration.
Note (h): This disclosure is also applicable to prescribed officers of the company.
Note (i): A person who holds or has a beneficial interest in any security of a company is entitled to
receive:
• without notice of the publication of the AFS setting out the steps required to obtain a copy
• on-demand, without charge, one copy of the AFS.

8. Section 32 – Use of company name and registration


8.1 A company must provide its full registered name or registration number to any person on demand,
and not misstate its name or registration number in a manner likely to mislead or deceive any person.
8.2 A person must not use the name or registration number of a company in a manner likely to convey
the impression that the person is acting on behalf of the company unless authorised to do so by the
company.
8.3 Every company must have its name or registration number mentioned in legible characters in all
notices and official publications of the company and all bills of exchange, promissory notes, orders for
money or goods and in all letters, delivery notes, invoices, receipts and letters of credit.

9. Section 33 – Annual return


9.1 Every company must file an annual return in the prescribed form with the prescribed fee and within
the prescribed period after its financial year-end.

10. Section 34 – Additional accountability requirements for certain companies


10.1 Public companies and state-owned companies must comply with Chapter 3 of the Companies Act.
10.2 Private companies, personal liability companies and non-profit companies are not required to comply,
except to the extent that the MOI provides otherwise (i.e. voluntary adoption).
Note (a): Chapter 3 makes it obligatory for a public company to appoint:
• an auditor
• an audit committee, and
• a company secretary.

Chapter 2 – Part D – Capitalisation of profit companies


1. Section 35 – Legal nature of company shares and requirement to have shareholders
1.1 A share is movable property, transferable in any manner provided for in the Act (or other legislation).
1.2 A share does not have a nominal or par value.
1.3 A company may not issue shares to itself.
1.4 An authorised share has no rights associated with it until it has been issued.
3/24 Auditing Notes for South African Students

Note (a): The concept of a par value share has been abandoned. There are thousands of companies that
currently have par value shares in issue; these shares retain the description and rights they had
before the introduction of the new Act but will in due course have to be “converted” to no-par
value shares in terms of the transitional arrangements.

2. Section 36 – Authorisation for shares


2.1 The company’s MOI must set out:
• the classes and number of shares that the company is authorised to issue
• a distinguishing designation (name) for each class of share, and
• the preferences (e.g. to dividends), rights (e.g. voting) and limitations (e.g. aspects of voting),
applicable to each class of share.
Note (a): The MOI may authorise a stated number of unclassified shares for subsequent classification by
the board, and may set out a class of shares without specifying its preferences, rights and
limitations. Obviously, before issue, all of the above must be determined (by the board).
Note (b): The authorisation, classification and number of authorised shares, as well as the preferences,
rights and limitations, may be changed only by:
• an amendment to the MOI by special resolution, or
• the board of the company (but see note (c)).
Note (c): Except to the extent that the MOI provides otherwise, the board may:
• increase or decrease the number of authorised shares for any class of shares
• reclassify any classified authorised but unissued shares
• classify any unclassified shares (note (a)), and
• determine the preferences, rights and limitations of any shares described in note (b).
If any of the above actions are carried out by the directors, the MOI must still be amended (i.e.,
file a notice of amendment).

3. Section 37 – Preferences, rights, limitations and other share terms


3.1 All the shares within a class of shares will have the same preferences, rights and limitations as other
shares in that class.
3.2 Each issued share of a company has a general voting right (a general voting right is a vote which can
be exercised “generally at a shareholders’ meeting”), unless the MOI provides otherwise. This is
interpreted to mean that a voting right can be limited but not taken away entirely. (See note (a).)
Note (a): On a matter which affects the preferences, rights or limitations of a share, the shareholder of that
share has an irrevocable right to vote on that matter. (The MOI cannot change this.)
Note (b): If the company has only one class of share:
• the shareholder has a right to vote on every matter to be decided by the shareholders, and
• is entitled to receive the net assets of the company upon its liquidation.
Note (c): If the company has more than one class of share, the MOI must ensure:
• at least one class of share has voting rights for each particular matter which may be submitted
to the shareholders (note that all classes may be entitled to vote on all matters, but not neces-
sarily)
• at least one class of share is entitled to receive the company’s net assets on its liquidation
(note again that all classes may be entitled to a portion of the net assets).
Note (d): The company’s MOI may:
• confer special, conditional or limited voting rights
• provide for redeemable or convertible shares, specifying how the share will be redeemed,
when it will be redeemed, how the price will be determined, etc.
• entitle the shareholders to distributions (e.g. dividends) calculated in any manner, and
designed as cumulative, non-cumulative, etc., and
• designate a share as preferent (over other classes) about dividends and other distributions.
Chapter 3: Statutory matters 3/25

Note (e): If the preferences, rights or limitations attached to a share have been materially and adversely
altered, a holder may apply for relief (s 164 covered later).

4. Section 38 – Issuing shares


4.1 The board of the company may issue shares at any time (shares must be authorised, etc., in the MOI).
Note (a): If the board issues shares that have not been authorised or are in excess of the number of
authorised shares per the MOI, the issue can be retroactively authorised within 60 business days
(this will be by special resolution).
Note (b): If this resolution is not passed, the issue is null and void to the extent that authorisation has been
exceeded. Subscribers must be repaid, including interest, and all share certificates (and entries in
the share register) must be nullified.
Note (c): A director who was party to the issue may be liable for any loss suffered by the company due to
the invalid issue.

5. Section 39 – Subscription of shares


5.1 If a private company proposes to issue shares, each (existing) shareholder, has a right, before any per-
son who is not a shareholder, to be offered, and within a reasonable time, to subscribe for a per-
centage of the shares to be issued, equal to the voting power of that shareholder’s general voting
rights, immediately before the offer was made.
For example:
Joe Egg has general voting rights to 35% of the company’s shares. The company wishes to issue 1 000
shares. Joe has a pre-emptive right to 350 shares but could also decide to subscribe to a lesser number
of shares, for example, 150 shares.
5.2 A company’s MOI may limit, negate, restrict or place conditions upon this pre-emptive right.

6. Section 40 – Consideration for shares


6.1 The board may issue authorised shares only:
• for adequate consideration as determined by the board, or
• in terms of existing conversion rights, or
• as a capitalisation issue.
Note (a): The consideration determined by the directors cannot be challenged on any basis other than that
the directors did not act in good faith, in the best interests of the company and with the degree of
skill and diligence reasonably expected of a director.
Note (b): Only once a company has received the consideration, will the share be considered to be fully
paid. Once issued and paid, the shareholder’s details must be entered in the “securities register”.

7. Section 41 – Shareholders’ approval for issuing shares in certain cases


7.1 If a share (option, security convertible into a share etc) is to be issued to:
• a director, future director, prescribed officer, or future prescribed officer
• a person related or inter-related to the company or a director, future director, etc., or
• a nominee of any of these persons, the issue must be approved by special resolution of the share-
holders.
Note (a): Don Ndungane is a director of Wingerz (Pty) Ltd. The board wishes to issue shares to:
i. Don Ndungane – special resolution
ii. Mary Ndungane (Don’s wife) – special resolution
iii. Dons (Pty) Ltd – (the company controlled by Don and his wife) – special resolution
iv. Mike Zuma as a nominee to Don Ndungane (Mike Zuma is Don Ndungane’s second
cousin) – special resolution because of nominee relationship (not because of family connec-
tion).
Note (b): The special resolution requirement will not be required where the issue:
• is under an agreement underwriting the shares (etc.)
• in proportion to existing holdings on the same terms and conditions as have been offered to
all shareholders (or to all shareholders of the class of shares being issued)
• is the fulfilment of a pre-emptive right
3/26 Auditing Notes for South African Students

• is in accordance with an employee share scheme, and


• is an offer to the public.
Note (c): A “future” director or prescribed officer who becomes a director or prescribed officer more than
six months after the issue is not considered a “future” director or prescribed officer for the pur-
poses of this section.

8. Section 43 – Securities other than shares


8.1 The board may authorise the issue of debt instruments except to the extent provided by the MOI (e.g.
convertible debentures).
8.2 Debt instruments can be unsecured or secured.
8.3 Other than to the extent provided by the MOI, a debt instrument may grant special privileges to the
holder.
For example:
• attending and voting at general meetings
• voting on the appointment of directors, and
• redemption of the instrument or conversion to shares.

9. Section 44 – Financial assistance for subscription of securities


9.1 A company may provide financial assistance to any person for the purchase of any security (share,
etc.) of the company itself or a related company, for example, a holding company, provided:
• any conditions or restrictions in respect of the granting of financial assistance set out in the MOI
are adhered to, and
• the board is satisfied that:
– immediately after providing the financial assistance, the company would satisfy the liquidity/
solvency test
– the terms under which the financial assistance is proposed, are fair and reasonable to the com-
pany, and
• a special resolution is obtained (see note (d)).
Note (a): The requirements of this section do not apply to a company whose primary business is the
lending of money.
Note (b): Financial assistance can be a loan, guarantee, or provision of security.
Note (c): If financial assistance is given in contravention of this section or the MOI, the transaction will be
void and a director will be liable for any losses incurred by the company, if:
• the director was present at the meeting when the board approved the resolution, or partici-
pated in the making of the decision, and
• failed to vote against the resolution knowing that the provision of financial assistance was
inconsistent with the Act or MOI.
Note (d): The special resolution must have been passed within the previous two years. The approval given
by the special resolution can be for a specific recipient or generally for a category of potential
recipients.
Note (e): A special resolution is not required if the financial assistance is in accordance with an employee
share scheme (other requirements must be satisfied).
Note (f): The MOI (or company or board) cannot permit the granting of financial assistance in contra-
vention to this section, for example, the MOI cannot contain a clause, and the directors cannot
pass a resolution that overrides the requirement to apply the liquidity/solvency test.

10. Section 45 – Loans or other financial assistance to directors


10.1 A company may provide direct or indirect financial assistance (for any purpose) to:
• a director of the company or a related company, for example, a holding company, or
• to a related or inter-related company or corporation, or
• to a member of a related or inter-related corporation, or
Chapter 3: Statutory matters 3/27

• to any such person related to such corporation, company, director, prescribed officer or member
provided
• any conditions or restrictions in respect of the granting of financial assistance set out in the MOI
are adhered to, and
• the board is satisfied that:
– immediately after providing the financial assistance, the company would satisfy the liquidity/
solvency test
– the terms under which the financial assistance is proposed are fair and reasonable to the com-
pany, and
• a special resolution is obtained (see note (d) below).
Note (a): The requirements of this section do not apply to:
• a company whose primary business is the lending of money
• financial assistance in the form of an accountable advance to meet
– legal expenses about a matter concerning the company, or
– anticipated expenses to be incurred by the person on behalf of the company, or
– amounts to defray the recipient’s expenses for removal (relocation) at the company’s
request.
Note (b): Financial assistance can be a loan, guarantee, or provision of security.
Note (c): If financial assistance is given in contravention of this section or the MOI, the transaction will be
void, and a director will be liable for losses suffered by the company, if:
• the director was present at the meeting when the board approved the resolution or partici-
pated in making such decision, and
• failed to vote against the resolution, despite knowing that the provision of financial assistance
was inconsistent with the Act or the MOI.
Note (d): The special resolution must have been passed within the previous two years. The approval given
by the special resolution can be for a specific recipient or generally for a category of potential
recipients.
Note (e): If the loan is made to a director according to an employee share scheme, a special resolution is
not required (other requirements must be satisfied).
Note (f): The MOI (or company or board) cannot permit the granting of a loan in contravention of this
section, for example the MOI cannot contain a clause, and the directors cannot pass a resolution
that overrides the requirement to apply the liquidity/solvency test.
Note (g): Where the board adopts a resolution to provide financial assistance (as contemplated by this
section), the company must provide written notice of the resolution to all shareholders (unless
every shareholder is a director) and to any trade union representing the company’s employees.
• If the total value of all financial assistance given within the financial year exceeds one-tenth
of 1% of the company’s net worth at the time of the resolution, this notice must be given
within ten business days of the adoption of the resolution.
• If the total value does not exceed one-tenth of 1% of net worth, the notice must be given
within 30 days after the end of the financial year.
Note (h): This section is simpler than its predecessor (Companies Act 1973 s 226) but is still cast very
wide. The intention is to control abuse by the directors by, for example, making loans to
themselves which are not in the interests of the company. The section does not seek to prejudice
the directors but rather to control them. The section seeks to control financial assistance to a
director in whatever “form” that director may be, for example, a CC or company controlled by
the director, or a person related (as defined) to the director, such as his wife. The section also
covers directors of companies related to the company granting the loan, for example, its holding
company, subsidiary or fellow subsidiary.
Note (i): The section also applies to “prescribed officers” of the company.
3/28 Auditing Notes for South African Students

11. Section 46 – Distributions must be authorised by the board


11.1 A “distribution” has a defined meaning in the context of the Act. It amounts to a transfer of money or
other property to or for the benefit of one or more holders of any of the company’s shares or of
another company within the same group of companies. A person receives a “distribution” by virtue of
being a shareholder.
11.2 Examples are:
• dividends
• payments instead of capitalisation shares
• share “buy-backs”
• incurring a debt for the benefit of a shareholder, and
• cancelling a debt owed by a shareholder (forgiveness).
11.3 A company must not make a distribution unless the distribution:
• is according to an existing legal obligation or court order, or
• the board of the company has passed a resolution authorising the distribution, and
• it reasonably appears that after the distribution, the company will satisfy the liquidity and solvency
test, and
• the board resolution states that the directors applied the liquidity and solvency test and reasonably
concluded that the test requirements were satisfied.
Note (a): If a distribution has not been carried out within 120 business days of making the resolution, the
board must reconsider the liquidity and solvency of the company and may not proceed with the
distribution unless a further resolution is taken to make the distribution. The resolution must
again acknowledge that the directors carried out the liquidity and solvency test.
Note (b): If a director was present at the meeting, or participated in the making of the decision to make the
distribution and failed to vote against it knowing that it was contrary to the requirements of this
section (s 46), he may be liable for any loss, damage or cost sustained by the company.

12. Section 47 – Capitalisation shares


12.1 Except as the MOI provides otherwise, the board may, by resolution, approve the issuing of any auth-
orised shares of the company as capitalisation shares on a pro-rata basis to existing shareholders.
Note (a): When resolving to award a capitalisation share, the board may permit a shareholder to receive a
cash payment instead at a value determined by the board. This would amount to a distribution
and require applying the liquidity and solvency test by the directors.

13. Section 48 – Company or subsidiary acquiring company’s shares


13.1 A company may acquire (buy back) its own shares. This will be a distribution as defined and the
requirements of section 46 must be satisfied (board resolution, liquidity/solvency requirements).
13.2 A subsidiary of a company may acquire shares of its holding company but:
• not more than 10% of the total issued shares of any class may be held by all of the subsidiaries of
that holding company taken together, and
• the voting rights attached to the shares held by the subsidiary(ies) may not be exercised while held by
the subsidiary (while it remains a subsidiary).
Note (a): Where a buy-back has taken place, the stated capital must be reduced by the amount arrived at
by using the following “formula”:
stated capital
Number of shares acquired ×
number of issued shares
If there are various classes of shares, the formula will be applied by class of share.
Note (b): The share certificates pertaining to the shares acquired will be cancelled and revert to the
authorised shares status.
Chapter 3: Statutory matters 3/29

Note (c): If the company acquires any shares contrary to section 46 or this section (s 48), the company
must apply for a court order to reverse the acquisition no more than two years after the
acquisition. The court may order that:
• the person from whom the shares were acquired return the amount paid by the company,
and
• the company re-issue an equivalent number of shares of the same class.
Note (d): A director of the company will be liable for any loss, damages or costs arising from an acquisi-
tion of shares contrary to section 46 or section 48 if:
• he was present at the meeting when the board approved the acquisition or he participated in
the making of the decision, and
• failed to vote against the acquisition despite knowing it was contrary to sections 46 or 48.
Note (e): A decision by the board to “buy back” shares held by a director or prescribed officer or a person
related to the director or prescribed officer must be approved by a special resolution.
If any buy-back involves the acquisition of more than 5% of the issued shares of any particular
class of the company’s shares, the decision is subject to the requirements of sections 114 and
115, which deal with “schemes or arrangements”.

Chapter 2 – Part E – Securities registration and transfer

1. Section 49 – Securities to be evidenced by certificates or uncertificated


1.1 Any security (e.g. share) must either be:
• certificated (evidenced by the issue of a certificate), or
• uncertificated (no certificate issued).
Note (a): Simplistically stated, the company will issue a hard copy certificate when a security is certificated.
Where the security is uncertificated its details will be held in a central securities depository
database.
Note (b): Whether security is certificated or uncertificated does not affect the rights and obligations attaching
to the security.

2. Section 50 – Securities register and numbering


2.1 Every company must establish and maintain a register of its issued securities which contains the
details of the security and the holder, and any “transfers” of securities.
Note (a): Where a company issues uncertificated securities, a record is maintained (usually) by a central
securities depository, and this acts as the company’s uncertificated securities register.
Note (b): Unless all the shares of a company rank equally for all purposes, the shares or each class of
shares must be distinguished by an “appropriate numbering system”.

3. Sections 51, 52 and 53 – Registration and transfer of certificated and uncertificated securities
3.1 A certificate evidencing any certificated security must state on its face:
• the name of the issuing company
• the name of the person to whom security was issued
• the number and class and designation, if any, of the share being issued, and
• any restrictions on transfer.
Note (a): The certificate must be signed (manually or by electronic or mechanical means) by two persons
authorised by the company’s board.
Note (b): In the absence of evidence to the contrary, the certificate is satisfactory proof of ownership.
3.2 A company that has its uncertificated securities administered by a central securities depository may
request the depository to furnish it with all details of its uncertificated securities reflected on the
depository’s database.
Note (c): A person who holds a beneficial interest in any security of the company and who wishes to
inspect the uncertificated securities register, may do so, but must do it:
• through the relevant company, and
• following the rules of the central securities depository.
3/30 Auditing Notes for South African Students

The depository must, within five business days, produce a record of the company’s uncertifi-
cated securities register reflecting the names and addresses of the persons to whom securities
were issued, the number of securities issued to them, and any other recorded details pertaining
to the security, for example, restrictions on transfer.
Note (d): The depository may only effect the transfer of uncertificated securities held in an uncertificated
securities register:
• on receipt of an authenticated instruction, or
• an order of court.
The transfer must comply with the rules of the depository.

4. Section 55 – Liability relating to uncertificated securities


4.1 A person who takes any unlawful action which results in any of the following, concerning the
securities register or uncertificated securities ledger, is liable to any person who has suffered any direct
loss or damage arising from that unlawful action:
• the name of any person (unlawfully) remains in the register or is removed or omitted
• the number of securities is (unlawfully) increased, reduced or left unaltered, or
• the description of the securities is (unlawfully) changed.

Chapter 2 – Part F – Governance of companies

1. Section 57 – Interpretation and application of this part


1.1 In this part, a shareholder is defined as any person entitled to exercise any voting right irrespective of
the form, title or nature of the security to which the voting right attaches.
1.2 This section recognises certain ownership/directorship arrangements which exist in some companies,
and seeks to simplify the governance of those companies.
• If a profit company has only one shareholder, that shareholder may exercise any or all of the voting
rights pertaining to any matter, at any time, without notice or compliance with internal
formalities, except to the extent that the MOI provides otherwise.
• If a profit company has only one director, that director may exercise or perform any function of the
board at any time, without notice or compliance with internal formalities, except to the extent the
MOI provides otherwise.
• If every shareholder of a company is also a director of that company, any matter that is required to be
referred by the board to the shareholders may be decided by the shareholders at any time after the
matter has been referred without notice or compliance with any other internal formalities, except
to the extent that the MOI provides otherwise, provided that:
– every such person was present at the board meeting when the matter was referred to them in
their capacity as shareholders
– sufficient persons were present in their capacities as shareholder to satisfy quorum require-
ments, and
– a resolution adopted by those persons in their capacity as shareholders has at least the support
that would be required for it to be adopted as an ordinary or special resolution at a properly
constituted meeting.
Note: If these requirements are not satisfied, a properly constituted shareholder’s meeting will have to be
held.

2. Section 58 – Shareholders right to be represented by proxy


2.1 A shareholder may appoint an individual as a proxy to:
• participate in, speak and vote at a shareholders’ meeting
• give or withhold written consent when shareholders’ consent is sought outside of a meeting of
shareholders.
Note (a): A proxy appointment:
• can be made at any time
Chapter 3: Statutory matters 3/31

• must be in writing, dated and signed by the shareholder, and


• will be valid for one year or a longer or shorter time expressly stated in the proxy.
Note (b): Except to the extent the MOI provides otherwise:
• a shareholder may appoint two or more proxies concurrently and may appoint different
proxies to vote in respect of different securities held by the shareholder
• a proxy may delegate the authority to act to another person (not necessarily a shareholder)
subject to any restrictions set out in the document appointing the shareholder, and
• a copy of the document appointing the proxy must be delivered to the company before
exercising the shareholder’s rights at a meeting of shareholders.
Note (c): An individual appointed as a proxy need not be a shareholder.

3. Section 59 – Record date for determining shareholder rights


3.1 The board must set the record date. This is the date that is set to determine which shareholders are
entitled to receive notice of the shareholders’ meeting, participate and vote in the meeting, and receive
a distribution (e.g. dividend).
Note (a): Shareholders in listed companies frequently change, so it is important to establish this cut-off
date.

4. Section 60 – Shareholders acting other than at meetings


4.1 A resolution that could be voted on at a shareholders’ meeting may instead be
• submitted to the shareholders for consideration, and
• voted on in writing by the shareholders.
Note (a): The resolution must be voted on within 20 business days of submitting the resolution to the
shareholders.
Note (b): The resolution will have the same voting requirements for adoption as if it had been proposed at
a meeting (e.g. ordinary resolution, special resolution), and if adopted, will have the same effect
as if it had been approved by voting at a meeting.
Note (c): The election of a director may also be conducted by written polling.
Note (d): The results of any written polling, and the adoption of any resolution not voted on at a meeting
must be communicated to every shareholder who was entitled to vote within ten business days.
Note (e): Any company business that must be conducted at an AGM in terms of the MOI or the Act,
cannot be conducted by written polling.

5. Section 61 – Shareholders’ meetings


5.1 The board of a company, or any person specified in the MOI or rules, may call a shareholders’
meeting at any time.
5.2 Subject to section 60, the company must hold a shareholders’ meeting:
• at any time that the Act or the MOI requires the board to refer a matter to the shareholders for
decision
• whenever required to fill a vacancy on the board
• when otherwise required to by the MOI
• when the AGM of a public company is required.
Note (a): The company must also call a shareholders’ meeting if one or more written and signed demands
for a meeting are received from shareholders holding at least 10% of the shares entitled to vote
on the proposal for which the demand is lodged. The demand must describe the specific purpose
for the meeting. “Frivolous or vexatious” demands can be set aside by the court on the
application of the company or a shareholder. The MOI can set the required percentage at less
than 10% (but not more).
5.3 A public company must convene an AGM. This meeting must be convened, initially no more than
18 months after the date of incorporation, and thereafter once in a calendar year but no more than
15 months after the date of the previous AGM.
3/32 Auditing Notes for South African Students

Note (b): The AGM of a public company must, at a minimum, provide for the following business to be
transacted
• presentation of:
– the directors’ report
– audited financial statements
– an audit committee report
• election of directors to the extent required by the Act or the MOI
• appointment of:
– an auditor
– an audit committee
• any matters raised by shareholders (with or without advance notice to the company).
Note (c): Except to the extent that the MOI provides otherwise:
• the board may determine the location of any shareholders’ meeting
• any shareholders’ meeting may be held in the Republic or in a foreign country.
Note (d): Every shareholders’ meeting of a public company must be reasonably accessible within the
Republic for electronic participation by shareholders (see s 63) irrespective of whether the meet-
ing is held in the Republic or elsewhere.

6. Section 62 – Notice of meeting


6.1 A public company (or a non-profit company) must deliver notice of a shareholders’ meeting to each
shareholder, 15 business days before the meeting is to begin. For all other companies, the notice must
be delivered 10 business days before the meeting begins.
Note (a): The MOI can provide for longer or shorter minimum periods.
6.2 The notice of the meeting must include:
• date, time and location and record date (cut-off date for shareholders)
• general purpose of the meeting and any specific purpose for which the meeting has been demand-
ed by a shareholder where applicable
• a copy of any proposed resolution of which the company has received notice and a notice of the
percentage of voting rights (e.g. ordinary or special) which will be required to adopt the resolution
• a reasonably prominent statement that:
– a shareholder may appoint a proxy (or two or more proxies if the MOI permits)
– the proxy need not be a shareholder
– it is a requirement of the Act that personal identification (by shareholders/proxies) is required
• notice that the meeting provides for electronic communication, if applicable. (See s 63.)
Note (b): In addition, the notice of an AGM must include the annual financial statements or a summar-
ised form thereof to be presented and instructions for obtaining a copy of the complete annual
financial statements for the preceding year.
Note (c): A company may call a meeting with less notice than the prescribed period (15 or 10 business
days) or the period stipulated in the MOI. However, for this meeting to proceed, every person
who is entitled to exercise voting rights in respect of any item on the agenda must:
• be present at the meeting, and
• must vote to waive the required minimum notice for the meeting.

7. Section 63 – Conduct of meetings


7.1 Before a person may attend and participate in a shareholders’ meeting:
• that person must present “reasonably satisfactory identification”
• the person presiding at the meeting must be reasonably satisfied that the right of the shareholder
(or proxy) to participate and vote has been verified.
7.2 Unless prohibited by the MOI, a company may provide for:
• a shareholders’ meeting to be conducted entirely by electronic communication, or
Chapter 3: Statutory matters 3/33

• one or more shareholders (proxies) to participate by electronic communication provided the


electronic communication method enables all persons participating in the meeting to do so
reasonably effectively and communicate concurrently and directly with each other.
7.3 Voting on any matter will be done by show of hands or polling those present and entitled to vote. On a
show of hands, each shareholder will have one vote only, irrespective of the number of shares held,
but on a poll the shareholder is entitled to exercise all his voting rights.
Note (a): If at least five persons having the right to vote on a matter, or a person or persons holding at
least 10% of the voting rights entitled to be voted on that matter, demand that a vote be polled
and not voted on by show of hands, then voting must be by poll.

8. Section 64 – Meeting quorum and adjournment


8.1 Section 64 provides for both a votes quorum and a person quorum.
8.2 Votes quorum: A shareholders’ meeting may not begin until persons holding 25% of all the voting
rights that can be exercised in respect of at least one matter to be decided at the meeting are present
and
a matter to be decided at the meeting may not begin to be considered unless persons are present at the
meeting to exercise at least 25% of all the voting rights that are entitled to be exercised on that matter,
at the time the matter is called (dealt with) on the agenda.
8.3 Person quorum: If a company has more than two shareholders, a meeting may not begin, or a matter
be debated unless:
• at least three shareholders are present
• the votes quorum is satisfied.
Note (a): The MOI may specify a lower or higher percentage to replace the 25% in 8.2.
Note (b): Remember that different voting rights can attach to different shares. For example, a preference
shareholder may only be able to vote on matters affecting preference shares, so a preference
shareholder can count towards the quorum to begin the meeting provided there is a matter to be
decided pertaining to preference shares, and can count towards the quorum to debate the matter.
However, at least 25% of the “preference votes” must be present before the matter affecting the
preference shares can be debated.
Note (c): If within one hour of the appointed time for the meeting to begin, the quorum requirements (votes
and person) are not satisfied, the meeting is postponed without motion (to postpone), vote or
further notice, for one week.
Note (d): If the quorum requirements to debate a particular matter are not satisfied, the matter may be
moved to a later “slot” on the agenda, and if at this time the matter is still not quorate, the
matter is postponed for one week.
Note (e): The MOI may specify a different (longer or shorter) time for the stipulated one hour and one
week.

9. Section 65 – Shareholders’ resolutions


9.1 Every resolution of shareholders is either an ordinary or a special resolution.
9.2 The board may propose any resolution to be considered by the shareholders and determine whether
the resolution will be considered at a meeting or by vote or by written consent (no meeting).
9.3 Any two shareholders:
• may propose a resolution concerning any matter in respect of which they can exercise votes
• may require that the resolution be considered at:
– a meeting demanded by shareholders
– the next shareholders’ meeting, or
– by written vote.
Note (a): Proposed resolutions must be expressed with sufficient clarity and specificity and be accom-
panied by sufficient information to enable a shareholder to decide whether to participate in the
meeting and “influence the outcome” of the vote on the resolution.
3/34 Auditing Notes for South African Students

If a director or shareholder believes that the notice does not satisfy these requirements, he may
apply, before the start of the meeting, for a court order restraining the company from putting the
resolution to the vote. The court order may also require that the deficiencies in the notice be
rectified. Once a resolution has been accepted it cannot be challenged because the notice of the
resolution did not comply with the Act.
Note (b): For an ordinary resolution to be approved, it must be supported by more than 50% of the voting
rights exercised on the resolution.
Note (c): The MOI can stipulate a higher percentage for ordinary resolutions or one or higher percentages
for resolutions relating to different resolutions, for example, 55% for resolutions relating to
capital expenditure, 60% for resolutions relating to investments. (The “more than 50%”
requirement for removing a director cannot be increased). There must always be at least 10%
between the highest ordinary resolution percentage and the lowest special resolution percentage.
Note (d): For a special resolution to be approved, it must be supported by at least 75% of the voting rights
exercised on the resolution.
Note (e): The MOI can stipulate a different (lower or higher) percentage for a special resolution (or
variable higher or lower percentages for different matters) but at all times, there must be a margin
of at least 10% between the highest requirements for an ordinary resolution and the lowest
requirement for special resolution, on any matter.
Note (f): A special resolution is required to:
• amend the MOI (ss 16 and 32)
• ratify a consolidated revision of a company’s MOI (s 18)
• ratify actions by the company or directors in excess of their authority (s 20)
• approve an issue of shares to a director (s 41)
• authorise the granting of financial assistance (ss 44 and 45)
• approve a decision by the directors to buy back shares from a director (s 48)
• authorise the basis for compensation to directors (s 66)
• approve the voluntary winding up of the company (ss 80 and 81)
• approve an application to transfer the registration of the company to a foreign jurisdiction
(s 82), and
• approve any fundamental transaction (Chapter 5), including:
– disposal of all or the greater parts of the assets of the company
– amalgamations or mergers, and
– schemes of arrangement.
Note (g): The MOI can stipulate that a special resolution be required to approve matters other than those
listed in note (f).

10. Section 66 – Board, directors and prescribed officers


10.1 The business and affairs of the company must be managed by, or under the direction of, a board of
directors.
10.2 The board will have the authority to exercise the powers and perform the company’s function, except
to the extent the MOI provides otherwise, for example, the MOI may prohibit the company (and
therefore the directors) from acquiring financial derivatives.
10.3 A private company (and a personal liability company) must have at least one director. A public company
must have at least three directors.
In addition, a public company must appoint an audit committee and a social and ethics committee in some
cases (e.g. a listed company). The audit committee will require at least three independent non-executive
directors (s 94) and the three required to manage the business and affairs of the company. The social and
ethics committee must have at least three directors, one of whom is a non-executive director (not involved
in the day-to-day operations) (regulation 43). An individual who is independent and non-executive could
serve on both committees.
Chapter 3: Statutory matters 3/35

Note (a): The MOI may stipulate a higher minimum number of directors.
Note (b): The MOI may provide for:
• the direct appointment and removal of one or more directors by any person named in the
MOI, for example, the Chairperson
• a person to be an ex officio director, for example, the senior labour relations manager could be
an ex officio director by virtue of his status and position in the company. A person, despite
holding the relevant office, may not be appointed an ex officio director if he or she becomes
ineligible or disqualified to act as a director
• the appointment of alternate directors
but in a profit company (other than an SOC) the MOI must provide for at least 50% of the
directors (and 50% of any alternates) to be elected by the shareholders.
Note (c): A person who is ineligible or disqualified from being a director cannot be elected or appointed as
a director (such an appointment will be nullified).
Note (d): A director must consent (in writing) to serve as a director.
Note (e): The company may pay remuneration to its directors for services as a director except to the
extent that the MOI provides otherwise. Remuneration for services as a director may be paid
only according to a special resolution approved by the shareholders within the previous two
years.

11. Section 67 – First director or directors


11.1 Each incorporator of a company is a first director and will serve until sufficient other directors have
been appointed.

12. Section 68 – Election of directors of profit companies (by shareholders)


12.1 Each director must be:
• elected by the persons entitled to exercise voting rights in the appointment of directors
• to serve for an indefinite term (or a term set out in the MOI)
• voted on separately (as an individual candidate).
12.2 Each voting right can only be exercised once (per candidate), and a majority of voting rights is
required.
Note (a): Unless the MOI provides otherwise, in any election of directors:
• the election is to be conducted as a series of votes, each of which is on the candidacy of a
single individual to fill a single vacancy
• each voting right may be exercised once per vacancy, and
• the vacancy is filled only if a majority of the voting rights support the candidate.
Example 1: One vacancy, two candidates, Seb Green, Fred Black
• voting rights exercised = 100
• votes for Seb Green: 55
• votes for Fred Black: 45
Result: appoint Seb Green
Example 2: One vacancy three candidates, Ben Blue, Rose Red, Joe Grey
• voting rights exercised = 100
• votes for Ben Blue: 35
• votes for Rose Red: 40
• votes for Joe Grey: 25
Result: No appointment (no majority of votes cast). Note: In this situation, Joe Grey would probably be
required to withdraw and Ben Blue and Rose Red would contest the vacancy.

13. Section 69 – Ineligibility and disqualification of persons to be director or prescribed officer


13.1 An ineligible or disqualified person must not be appointed, elected, consent to be, or act as a director.
3/36 Auditing Notes for South African Students

13.2 A person is ineligible if the person:


• is a juristic person, or
• is an unemancipated minor, or under similar legal disability, or
• does not satisfy any qualification set out in the MOI.
13.3 A person is disqualified if the person:
• has been prohibited from being a director, or been declared delinquent by a court
• is an unrehabilitated insolvent
• is prohibited in terms of any public regulation from being a director
* has been removed from an office of trust on the grounds of misconduct involving dishonesty or
*** has been convicted in the Republic or elsewhere, and imprisoned without the option of a fine (or
fined more than the prescribed amount), for theft, fraud, forgery, perjury or an offence:
– involving fraud, misrepresentation or dishonesty
– in connection with the promotion, formation or management of a company, or
– under the Insolvency Act, Companies Act, Close Corporations Act, the Financial Intelligence
Centre Act, the Securities Service Act or Chapter 2 of the Prevention and Combating of
Corruption Activities Act.
13.4 A director who has been disqualified in terms of ** above (removal from office) or *** above
(conviction) will have the disqualification lifted five years after the removal date or the completion of
his sentence. However, the CIPC may apply to the court for an extension or extensions of this five-
year period. The court may extend the disqualification but not for longer than five years at a time.
The extension is made on the grounds of protecting the public.
13.5 A court may exempt a person from the application of any disqualification in terms of 13.3 above.
13.6 If a director is sequestrated, issued an order of removal from an office of trust, or convicted as in 13.3,
the Registrar of the Court must send a copy of the relevant order or particulars of the conviction to the
CIPC.
13.7 The CIPC must in turn, notify each company of which the person is a director.
13.8 The CIPC must establish and maintain a public register of persons disqualified from serving as a
director or subject to an order of probation as a director.
Note (a): The MOI may impose additional grounds for ineligibility or disqualification of directors and/or
minimum qualifications to be met by the directors.

14. Section 71 – Removal of directors


14.1 Despite anything to the contrary in the MOI or rules or any agreement between a company and a
director, or between shareholders and a director, a director may be removed by an ordinary resolution
at a shareholders’ meeting by the persons entitled to exercise voting rights in the election of that
director.
14.2 However, before the shareholders can remove a director:
• the director must be given notice of the meeting and the resolution to remove him. The notice
period must be at least equivalent to that which a shareholder is entitled to receive (public
company 15 business days’ notice, 10 business days for other companies, or any longer or shorter
notice per the MOI), and
• the director must be afforded a reasonable opportunity to present (in person or through a
representative) to the meeting before voting takes place.
14.3 If a shareholder or director alleges that a fellow director has become
• ineligible or disqualified, or
• incapacitated to the extent that he cannot perform as a director, or
• has neglected or been derelict in his duties as a director
the board must consider the allegation and may vote on the removal of the director.
Note (a): In situation 14.3 above, where the director is to be removed by the board, the “accused” director
may not vote on his removal. He must still be afforded the “notice” and “representation”
requirements laid out in 14.2 above.
Chapter 3: Statutory matters 3/37

Note (b): A director removed by the board may apply (within 20 business days) to the court for a review.
If the director is not removed, any director or shareholder who voted to have the said director
removed may also apply to the court for a review. Any holder of voting rights that may be
exercised in that director’s election can also apply to the court for a review.
Note (c): If a company has less than three directors, this section cannot operate as there would either be no
remaining director to vote (one director company) or one remaining director to vote (two dir-
ector company). In this case, the aggrieved director or shareholder can apply to the Companies
Tribunal.

15. Section 72 – Board committees


15.1 Except to the extent the MOI provides otherwise, the board may:
• appoint any number of committees of directors, and
• delegate any authority of the board to any committee.
15.2 Except to the extent the MOI (or the resolution to appoint a committee) provides otherwise, the
committee:
• may include persons who are not directors of the company, but
– such a person must not be ineligible or disqualified from being a director, and
– will not have a vote on any matter to be decided by the committee
• may consult with or receive advice from any person, and
• has the full authority of the board in respect of a matter referred to it.
Note (a): The creation of a committee, a delegation of any power to a committee or action taken by a
committee, does not alone satisfy or constitute compliance by a director with his duties
(standards of conduct) as a director of the company, in other words, the directors (as a board)
remain responsible.
Note (b): The Minister has prescribed that certain companies appoint a social and ethics committee (see
regulation 43 below) if it is desirable in the public interest having regard to:
• its annual turnover
• the size of its workforce, and
• the nature and extent of its activities.

Regulation 43
In terms of this regulation, the following companies must appoint a social and ethics committee:
• listed public companies
• SOCs, and
• any other company that has scored above 500 points in its public interest score in any two of the
previous five years.
See the start of this chapter for more information on this regulation (at 3/9).

16. Section 73 – Board meetings


16.1 A director authorised by the board, for example, a managing director:
• may call a meeting of directors at any time
• must call a meeting of directors if required to do so by at least:
– 25% of the directors in the case of a company that has at least 12 directors (e.g. 4 of 14 direct-
ors)
– two directors in any other case (e.g. 2 of 9 directors).
Note (a): The MOI may specify a higher or lower percentage or number.
Note (b): Except as to the extent the MOI or Companies Act provides otherwise, a board meeting may be
conducted by electronic communication, or a director(s) may participate electronically, as long
as the electronic communication facilitates concurrent and effective communication between
directors.
3/38 Auditing Notes for South African Students

Note (c): Notice


• The board must determine the form and time for giving notice of the meeting in compliance
with the MOI.
• Notice must be given to all directors.

Quorum
• A majority of the directors must be present before a vote may be called.
Except to the extent that the company’s MOI provides otherwise, if all of the directors of the company
acknowledge actual receipt of the notice, are present at the meeting, or waive the notice of the meeting, the
meeting may proceed even if the required notice period was not given or there was a defect in giving the
notice.

Voting
• Each director has one vote, and a majority of votes cast approves a resolution.
• In the case of a tied vote, the chair has a casting vote if the chair did not initially have a vote or cast a
vote, otherwise the matter being voted on fails (the chair does not get two votes in the event of a tie).
Note (d): The board and its committees must keep minutes that reflect every resolution adopted by the
company (and other important discussions etc held at the meeting).
Note (e): Resolutions adopted must be dated and sequentially numbered and become immediately effect-
ive unless the resolution states otherwise. Any minute of a meeting or a resolution signed by the
chair of the meeting, or by the chair of the next meeting is evidence of the proceedings of that
meeting, or adoption of that resolution.
Note (f): The MOI may alter the requirements for directors’ meetings.

17. Section 74 – Directors acting other than at meeting


17.1 Except to the extent that the MOI provides otherwise, a resolution that could be voted on at a meet-
ing can be adopted by written consent or by electronic communication, provided each director has
received notice of the matter to be voted on.

18. Section 75 – Directors’ personal financial interests


18.1 The common-law situation is that all contracts between a director and the company are voidable at
the option of the company. This flows from the principle that there should be no “conflict of interest”
between the director and the company. Remember that a director is required to look after the interests
of the company and not his own interests. The statutory arrangement presents a means of accommo-
dating this common-law principle, but does not replace it.
18.2 If a director has a personal financial interest, or knows that a person related (as defined) to him has a
personal financial interest, in a matter to be considered at a meeting of the board, that director:
• must disclose the interest and its general nature before the matter is considered at the meeting. For
example, the director should disclose a 15% shareholding he has in the company with which the
board is considering entering into a contract
• must disclose to the meeting any material information he has relating to the matter, for example,
he may be aware that the other company is in financial difficulty (a fact not known to his fellow
directors)
• may disclose any observations/insights if requested to do so by the other directors, for example, his
opinion on the extent of the financial difficulties
• must not take part in the consideration of the matter (other than as above) and must leave the
meeting.
Note (a): A director may, at any time, notify the company in writing of his financial interests. This will
suffice as a general disclosure for the purposes of this section.
Note (b): When an “interested” director has left the meeting, he remains part of the quorum, but cannot
vote and will not be counted as being present in determining whether the resolution can be
adopted.
Chapter 3: Statutory matters 3/39

Note (c): If a director (or related person) acquires a personal financial interest in an “agreement/matter”
in which the company of which he is a director has an interest after the “agreement/matter” has
been approved, the director must promptly disclose to the board:
• the nature and extent of that interest, for example, 15% shareholding, and
• the material circumstances relating to the acquisition of the interest (this is to determine
whether there has been any irregular/fraudulent intention on the part of the director to get
around declaring his interest before the contract was approved).
Note (d): A contract in which a director (or related person) has a financial interest will be valid if approved
after full disclosure as in 18.2 above.
If the contract was approved without the necessary disclosure, the contract would be valid if:
• it has been subsequently ratified by an ordinary resolution (interest must be disclosed)
• it has been declared to be valid by a court (any interested party can apply to the court).
Note (e): If the director does not declare his interest, any interested party can apply to the court to declare
the contract valid. However, if neither note (d) nor (e) applies, the contract is voidable at the
option of the company.
Note (f): There are several exclusions to this section. The section will not apply to:
• a director or a company if one person holds all the issued securities (shares) and is the only
director. Effectively there is no real “conflict of interest” as the company and the individual
are one and the same
• a director in respect of a decision which may generally affect all directors in their capacity as
directors, for example, a decision on directors’ bonuses
• a decision to remove the director from office.
Note (g): If a director who has a financial interest is the sole director but does not hold all the issued secur-
ities (shares) in the company, the said director cannot approve the agreement:
• it must be approved by ordinary resolution of the shareholders
• after the director has disclosed the nature and extent of his interest to the shareholders.
Note (h): For the purposes of this section, the term director includes:
• an alternate director
• a prescribed officer
• a person who is a member of a committee of the board, irrespective of whether or not the per-
son is also a member of the company’s board. (Note that a person who is not a member of the
board may be appointed to a board committee but will not have a vote on the committee.)

19. Section 76 – Standards of directors’ conduct


19.1 A director of a company must
• not use the position of director, or any information obtained while acting as a director:
– to gain an advantage for himself or any other person other than the company (or its wholly
owned subsidiary), or
– knowingly cause harm to the company (or a subsidiary of the company)
• communicate to the board at the earliest practicable opportunity any information that comes to his
attention, unless he reasonably believes that the information is:
– immaterial to the company, or
– generally available to the public or known to the directors, or unless
– he is bound not to disclose that information by a legal or ethical obligation of confidentiality
• exercise the powers and functions of director:
– in good faith and for a proper purpose
– in the best interests of the company
– with the degree of care, skill and diligence reasonably expected of a director.
3/40 Auditing Notes for South African Students

Note (a): To ensure that he has exercised his powers and functions in compliance with the above, a
director:
• should take reasonably diligent steps to be informed about any matter to be dealt with by the
directors
• should have had a rational basis for making a decision and believing that the decision was in
the best interests of the company
• is entitled to rely on the performance of:
– employees of the company whom the director reasonably believes to be reliable and
competent
– legal counsel, accountants or other professionals retained by the company
– any person to whom the board may have reasonably delegated authority to perform a
board function
– a committee of the board of which the director is not a member, unless the director has
reason to believe that the actions of the committee do not merit confidence
• is entitled to rely on information, reports, opinions and recommendations made by the
above-mentioned persons.
Note (b): For the purposes of this section, the term “director” includes:
• an alternate director
• a prescribed officer
• a person who is a member of a committee of the board, irrespective of whether or not the
person is also a member of the company’s board. Note that a person who is not a board
member may be appointed to a board committee but will not have a vote on the committee.

20. Section 77 – Liability of directors and prescribed officers


20.1 A director may be held liable:
• in terms of the common law for a breach of fiduciary duty for any loss, damages or costs sustained by
the company as a consequence of any breach by the director of his duty to the company, such as:
– failing to disclose a personal financial interest (s 75)
– using the position of director to gain an advantage for himself or harm the company (s 76)
– failing to act in good faith and for a proper purpose
– failing to act in the best interests of the company
• in terms of the common law relating to delict for any loss, damages or costs sustained by the com-
pany as a result of any breach of the director of:
– the duty to act with the necessary degree of care, skill and diligence
– any provision of the Act not specifically mentioned in section 77
– any provision of the MOI.
20.2 A director may be held liable to the company for any loss, damage or costs arising as a direct or
indirect consequence of the director:
• acting for the company despite knowing that he lacked authority
• agreeing to carry on business knowing that to do so was “reckless” (s 22)
• being party to an act or omission despite knowing that it was calculated to defraud a creditor,
employee or shareholder, or that the act or omission had another fraudulent purpose
• having signed, or consented to the publication of a document, for example, financial statements or
prospectus, which was false, misleading or untrue, despite knowing the publication to be so
• being present at a meeting, or participating in the taking of a decision and failing to vote against:
– the issuing of unauthorised shares, securities or the granting of options, while knowing the
shares, securities or options were not authorised (ss 36, 42)
– the issuing of authorised shares, despite knowing that the issue was inconsistent with the Act
(s 41)
Chapter 3: Statutory matters 3/41

– the provision of financial assistance to any person including a director (as defined) while
knowing that the financial assistance was in contravention of the Act or MOI
– a resolution approving a distribution (as defined) while knowing the distribution was in con-
tradiction of the Act (s 46) (only applies if liquidity/solvency test is not satisfied, and it was
unreasonable at the time to think the test would be satisfied)
– the acquisition by a company of its own shares, while knowing that the acquisition was con-
trary to the Act (ss 46, 48)
– an allotment (of securities) while knowing that the allotment was contrary to the Act.
Note (a): In addition, each shareholder has the right to claim damages from any director who fraudulently
or due to gross negligence causes the company to do anything inconsistent with the Act.
Note (b): The MOI and rules will be binding between each director (prescribed officer) and the company.
Note (c): For the purposes of this section, the term “director” includes:
• an alternate director
• a prescribed officer
• a person who is a member of a board committee, irrespective of whether or not the person is
also a member of the board. Note that a person who is not a director may be appointed to a
board committee but will not have a vote on this committee.
Note (d): The liability of a director in terms of this section will be joint and several with any other person
who is held liable for the same act.

21. Section 78 – Indemnification and directors insurance


21.1 Any provision of an agreement, the MOI or rules, or a resolution of a company is void if it directly or
indirectly seeks to relieve a director of any of that director’s duties in respect of:
• personal financial interests (s 75), or
• the standards of directors conduct (s 76), or
• liability arising from section 77 (e.g. fiduciary duty, breach of good faith, any provisions of the Act
or MOI).
21.2 Any provision, rule, MOI or resolution which seeks to limit, or negate or limit any legal consequence
from an act or omission which constitutes wilful misconduct or wilful breach of trust, will also be
void.
21.3 A company may not directly or indirectly pay any fine that may be imposed on a director of the com-
pany (or a related company) who has been convicted of an offence.
21.4 Except to the extent that the MOI provides otherwise, a company may advance expenses to a director
to defend litigation in any proceedings arising out of the director’s service to the company.
21.5 Except to the extent that the MOI provides otherwise, a company may indemnify (protect) a director
in respect of any liability except where the director:
• acted in the name of the company despite knowing he lacked the authority to do so or
• acquiesced (agreed without protest) in the carrying on of the business recklessly, with gross negli-
gence, with intent to defraud any person or to trading under insolvent circumstances, or
• was a party to an act or omission intended to defraud a creditor, employee or shareholder, or
• committed wilful misconduct or wilful breach of trust.
The company may not indemnify the director against any fine suffered by the director in respect of
the above four situations.
Note (a): The broader definition of director applies to section 78, namely,. prescribed officer, a board
committee member and includes a former director.
Note (b): The prohibition in 21.3 does not apply to a private company if:
• a single individual is the sole shareholder and sole director of the company
• two or more related individuals are the only shareholders and there are no directors, other
than one or more of the related individuals,

Chapter 2 – Part G – Winding up of solvent companies and deregistering companies


This part is beyond the scope of this text.
3/42 Auditing Notes for South African Students

3.4.3 Chapter 3 – Enhanced accountability and transparency


Chapter 3 – Part A – Application and general requirement of this chapter
1. Section 84 – Application of chapter
1.1 The requirements of this chapter apply to:
• public companies
• SOCs (subject to exemptions in s 9)
• a private company, personal liability company or a non-profit company:
– if the Act or Regulations require the company to have its AFS audited every year, for example,
a private company with a public interest score which is at least 350. However, Parts B
(company secretary) and D (audit committees) will not apply to these companies
• a private company, personal liability company or a non-profit company (not required to be
audited) but only to the extent required by the company’s MOI.
1.2 The requirements of the chapter hinge on the appointment of:
• a company secretary PART B
• an external auditor PART C
• an audit committee PART D
The intention of the section is to enhance the accountability and transparency of the company.
Note (a): Any person who is disqualified from acting as a company director may not be appointed as company
secretary, auditor, or to the company’s audit committee.

2. Section 85 – Registration of company secretary and auditor


2.1 Every company (public, state-owned, private etc) which appoints a company secretary or auditor
whether in terms of the act, regulations or voluntarily:
• must maintain a record of its company secretary and auditor:
– name of the person
– date of appointment
• if a firm or juristic person is appointed:
– name, registration and registered office address of the firm or juristic person
– the name of the “designated auditor,” that is, the individual who takes responsibility for the
audit (s 44 of the APA).
Note (a): Within ten business days of making an appointment of the above, or after the termination of
such appointment, the company must file a notice of the appointment or termination. All
changes must be recorded.

Chapter 3 – Part B – Company secretary

1. Section 86 – Mandatory appointment of secretary


1.1 A public company or SOC must appoint a company secretary.
Note (a): The company secretary must be resident in the Republic and must remain so while serving in
that capacity (this will also be the case for voluntary appointments of a company secretary, for
example, by a private company in terms of section 34(2)).
The only other requirement is that the company secretary has “the requisite knowledge of”, and
experience in, relevant laws. Do not forget that a person who is disqualified from acting as a
director is also disqualified from being appointed company secretary.
Note (b): The first company secretary of a public company or SOC may be appointed by:
• the incorporators of the company, or
• within 40 business days after incorporation by:
– either the directors, or
– an ordinary resolution of the shareholders.
Chapter 3: Statutory matters 3/43

Note (c): Within 60 business days after a vacancy in the office of company secretary arises, the board must
fill the vacancy by appointing a person who has the “requisite knowledge and experience” – no
formal qualification or membership of a professional body required!

2. Section 87 – Juristic person or partnership may be appointed company secretary


2.1 A juristic person or partnership may be appointed company secretary provided:
• no employee of the juristic person, or partner and employee of that partnership is disqualified from
acting as a director of that company, and
• at least one of the employees (or partners) is:
– resident in the Republic, and
– has the requisite knowledge of and experience in relevant laws.
Note (a): A change in the membership/partners/employees of the juristic person or partnership holding
the appointment of the company secretary does not constitute a casual vacancy if the juristic
person or partnership continues to satisfy the requirements as indicated in 2.1 above. If circum-
stances change and the juristic person/partnership no longer satisfies the basic requirements of
2.1, it must notify the company. A vacancy will then have arisen.

3. Section 88 – Duties of company secretary


3.1 The company secretary is accountable to the company’s board. The company secretary’s duties
include:
• providing the directors of the company with guidance as to their duties, responsibilities and
powers
• making the directors aware of any law relevant to the company
• reporting to the board on any failure on the part of the company or a director to comply with the
Act or MOI
• ensuring that minutes of all meetings of:
– shareholders
– directors
– board committees, including the audit committee, are properly recorded
• certifying in the company’s AFS, that the company has filed the necessary returns and notices in
terms of this Act, and whether all such returns and notices appear to be true, correct and up to date
• ensuring that a copy of the AFS is sent to everyone entitled to receive it.

4. Section 89 – Resignation or removal of company secretary


4.1 A company secretary may resign by giving:
• one month’s written notice, or
• less than one month with the approval of the board.
4.2 If the company secretary is removed from office, he may require the company to include a statement of
reasonable length in the AFS, setting out the secretary’s “opinion” on the circumstances which
resulted in his removal. This statement will appear in the directors’ report.

Chapter 3 – Part C – Auditors


1. Section 90 – Appointment of auditor
1.1 Public companies and SOCs must appoint an auditor at the AGM.
If a private (or any other company) is required by the Act or Regulations to have its financial state-
ments audited, for example, it has a public interest score of 350 points or more, the appointment of
the auditor must take place at the AGM at which the requirement first applies and at every AGM
thereafter.
3/44 Auditing Notes for South African Students

1.2 To be appointed as auditor, an individual or firm


• must be
– a registered auditor (IRBA)
• must not be
– a director or prescribed officer of the company
– an employee or consultant of the company who was or has been engaged for more than one
year in the maintenance of any company’s financial records or preparation of any of its finan-
cial records
– a director, officer or employee of a person appointed as company secretary
– a person who alone or with a partner or employee, habitually or regularly performs the duties
of accountant or bookkeeper, or performs related secretarial work for the company
– a person who at any time during the five financial years immediately preceding the date of
appointment, was a person contemplated in any of the four categories above, for example,
must not have been a director for any period during the preceding five years
– a person related (as defined) to a person contemplated in the five categories above.
Note (a): The person appointed as auditor must be acceptable to the company’s audit committee (public
companies and SOCs must appoint an audit committee) as being independent of the company. To
do this, the audit committee must:
• ascertain that the auditor does not receive any direct or indirect remuneration or other
benefits from the company except:
– as auditor, or
– for rendering other non-audit services which have been determined by the audit com-
mittee
• consider whether the auditor’s independence may have been prejudiced:
– as a result of any previous appointment as auditor, or
– having regard to the extent of any consultancy, advisory or other work undertaken by the
auditor for the company, and
• consider whether the auditor complies with the “rules and regulations” of the IRBA, for
example, the Code of Professional Conduct, in relation to independence and conflict of
interest.
The audit committee must evaluate the auditor’s independence in the context of the company
itself and within the group of companies if the company is a member of a group.
Note (b): Any person who is disqualified from serving as a director of the company is also disqualified
from being the auditor of the company.
Note (c): Where a firm is appointed as auditor, the person designated as the auditor to be responsible for
the audit function, must satisfy the above requirements.
Note (d): A retiring auditor (i.e. an auditor coming to the end of the annual appointment) may be auto-
matically re-appointed without a resolution being passed at the AGM unless:
• the retiring auditor is:
– no longer qualified for appointment
– no longer willing to accept the appointment, and has notified the company
– required to be “rotated” in terms of the Act (s 92)
• the audit committee objects to the reappointment, or
• the company has notice of an intended resolution to appoint some other person/firm as
auditor.
Note (e): If an AGM of a company does not appoint/reappoint the auditor, the directors must fill the
vacancy within 40 business days.
Chapter 3: Statutory matters 3/45

2. Section 91 – Resignation of auditors and vacancies


2.1 The resignation of an auditor is effective when the notice (of resignation) is filed with the CIPC.
2.2 The procedure to be followed where a vacancy arises is as follows:
• the board must propose to the audit committee, within 15 business days, the name of at least one
registered auditor to be considered for appointment
• the audit committee has five business days after the proposal is delivered to it, to reject the
proposed replacement auditor in writing, if they so wish, otherwise the board may make the
appointment
• whatever the situation, a new auditor must be appointed within 40 business days of the vacancy
arising.
Note (a): If the company has appointed a firm as auditor, a change in the composition of the firm’s
members (partners/shareholders) does not create a vacancy in the office of auditor unless less
than half of the audit firm members remain. If this situation (less than half remain) does arise, it
will constitute a resignation of the auditor and a vacancy will have arisen.
Note (b): If there is no audit committee the board will make the appointment.

3. Section 92 – Rotation of auditors


3.1 The same individual may not serve as auditor (or designated auditor in the case of a firm holding the
appointment) of a company for more than five consecutive years.
3.2 If an individual has served as auditor (or designated auditor) for two or more consecutive financial
years and then ceases to be the auditor, the individual may not be appointed again as auditor (desig-
nated auditor) of that company until the expiry of at least two further financial years.
For example:
Jake Blake was the designated auditor of Craneworks Ltd for the financial year-ends 31 December
0001 and 0002. In 0003 he resigned from the audit firm but returned in January 0004. He cannot be
appointed as the auditor of Craneworks Ltd until after the financial year-end 0004. There appears to
be nothing to prevent him from being part of the audit team, however.
Note (a): If a company (e.g. a bank) has appointed joint auditors, the rotation must be managed so that
both joint auditors do not relinquish office in the same year (i.e. there must be continuity).

4. Section 93 – Rights and restricted functions of auditors


4.1 The auditor of a company has the right of access at all times, to the accounting records and all books
and documents of the company and is entitled to require from the directors (or prescribed officers)
information and explanations necessary for the performance of his duties.
4.2 The auditor of a holding company, who is not the auditor of the holding company’s subsidiary com-
pany(ies) has right of access to all current and former financial statements of the subsidiary(ies) and is
entitled to require from the directors (or prescribed officers) of the holding company and the
subsidiary, any information and explanations in connection with any such statements and accounting
records, books and documents of the subsidiary as necessary for the performance of his duties.
4.3 The auditor is entitled to:
• attend any general shareholder meeting (including an AGM)
• receive all notices of, and other communications relating to, any general shareholders’ meeting
• be heard at any general shareholders’ meeting on any part of the business of the meeting that
concerns the auditor’s duties or functions.
Note (a): The audit function cannot be carried out if an auditor does not have “access”. Access enables
the auditor to be independent.
Note (b): An auditor may apply to a court for an appropriate order to enforce his rights. The court may
make any order (with costs) that is just and reasonable to prevent the frustration of the auditor’s
duties by the company, directors, prescribed officers or employees. The court may also make an order of
costs personally against any director or prescribed officer whom the court has found to have
wilfully and knowingly frustrated or attempted to frustrate the performance of the auditor’s
functions.
3/46 Auditing Notes for South African Students

Chapter 3 – Part D – Audit committees


1. Section 94 – Audit committees
1.1 At each AGM, a public company or SOC (or any other company that has voluntarily decided in
terms of its MOI to have an audit committee) must elect an audit committee comprising at least three
members, unless:
• the company is a subsidiary of another company that has an audit committee, and
• the audit committee of that company will perform the functions of the audit committee on behalf
of that subsidiary.
1.2 Each member of an audit committee:
• must
– be a director of the company, and
– satisfy any minimum qualifications the Minister may prescribe to ensure that the audit commit-
tee, taken as a whole, comprises persons with adequate financial knowledge and experience
(see note (a) below).
• must not be
– involved in the day-to-day management of the company’s business or have been involved at
any time during the previous financial year, or
– a prescribed officer, or full-time executive employee of the company or another related or inter-
related company, or have held such a post at any time during the previous three financial years,
or
– a material supplier or customer of the company, such that a reasonable and informed third
party would conclude that in the circumstances, the integrity, impartiality or objectivity of that
member of the audit committee would be compromised
– a “related person” to any person subject to the above prohibitions.
Note (a): Regulation 42 requires that at least one-third of the members of a company’s audit committee
must have academic qualifications, or experience in economics, law, accounting, commerce,
industry, public affairs, human resources or corporate governance.
Note (b): The board must fill any vacancy on the audit committee within 40 business days.
Note (c): The duties of an audit committee are to:
• nominate for appointment as auditor of the company, a registered auditor who, in the
opinion of the audit committee, is independent of the company
• determine the fees to be paid to the auditor and the auditor’s terms of engagement.
• ensure that the appointment of the auditor complies with the provisions of this Act, and any
other legislation relating to the appointment of auditors
• determine the nature and extent of any non-audit services that the auditor may provide to the
company, or that the auditor must not provide to the company or a related company
• preapprove any proposed agreement with the auditor for the provision of non-audit services
to the company
• prepare a report to be included in the AFS for that financial year:
– describing how the audit committee carried out its functions
– stating whether the audit committee is satisfied that the auditor was independent of the
company, and
– commenting in any way the committee considers appropriate on the financial statements,
the accounting practices and the internal financial control of the company
• receive and deal appropriately with any concerns or complaints, whether from within or
outside the company, or on its own initiative, relating to:
– the accounting practices and internal audit of the company
– the content or auditing of the company’s financial statements
Chapter 3: Statutory matters 3/47

– the internal financial controls of the company, or


– any related matter
• make submissions to the board on any matter concerning the company’s accounting policies,
financial control, records and reporting, and
• perform such other oversight functions as determined by the board.

3.4.4 Chapter 4 – Public offerings of company securities


The offering of securities in a company to the public is governed by Chapter 4 of the Companies Act. The
offering of shares is regarded as specialist knowledge by both the IRBA and SAICA and is therefore not
covered by this text.

3.4.5 Chapter 5 – Fundamental transactions, takeovers and offers


This chapter identifies three fundamental transactions, namely:
• the disposal of all or the greater part of the assets or undertaking of a company
• amalgamations or mergers, and
• schemes of arrangement.
As the implementation of any of these transactions is, by definition, fundamental to the ongoing state of
the company, strict requirements are laid down for their approval.
Again, takeovers, mergers, amalgamations, and schemes of arrangement are expected to be regarded as
specialist knowledge from an audit perspective and thus are not covered in detail in this text. However, it
has been decided to include a brief summary of the approval requirements to supplement the financial
accounting knowledge that students will gain through their accounting studies.

Chapter 5 – Part A – Approval for certain fundamental transactions


1. Section 112 – Proposals to dispose of all or a greater part of assets or undertaking
1.1 A company may not dispose of all or the greater part of its assets or undertaking unless:
• the disposal has been approved by a special resolution of the shareholders
• notice of the meeting to pass the resolution is delivered in the prescribed manner within the pre-
scribed time, and
• the notice includes a written summary of the terms of the transaction and the provisions of sec-
tions 115 and 164 (s 164 deals with the rights of dissenting shareholders).
Note (a): In terms of section 115, the special resolution must be:
(i) adopted by persons entitled to exercise voting rights on the matter
(ii) at a meeting called to vote on the proposal, and
(iii) at which sufficient persons are present to exercise, in aggregate, at least 25% of all of the
voting rights that are entitled to be exercised on that matter.
Note (b): If the company proposing the sale (of its assets etc) is a subsidiary company and the sale will also
constitute the disposal of the greater part of the holding company’s assets or undertaking, a
special resolution must be obtained from the holding company shareholders.
Note (c): Neither the MOI, nor the resolution taken by the Board or the shareholders, can override the
approval requirements of sections 112 and 115.
Note (d): The requirements of sections 112 and 115 will not apply to a proposal to dispose of all or the
greater part of the assets or undertaking if the disposal would constitute a transaction:
(i) pursuant to a business rescue plan
(ii) between a wholly-owned subsidiary and its holding company
(iii) between or among:
• two or more wholly-owned subsidiaries of the same holding company, or
• a wholly-owned subsidiary and its holding company and other wholly-owned subsid-
iaries of that holding company.
3/48 Auditing Notes for South African Students

2. Section 113 – Proposals for amalgamation or merger


2.1 Two or more companies proposing to amalgamate or merge must enter into a written agreement
which sets out:
• the proposed MOI of any new company to be formed
• the name and identity of each proposed director of any new company to be formed
• how securities in the merging companies will be converted into securities of any new company to
be formed
• the consideration (and method of payment) which holders of securities of the merging companies
will receive where those securities are not being converted into securities of any new company to
be formed
• details of the proposed allocation of assets and liabilities of the merging companies to any new
companies to be formed or which will continue to exist
• details of any arrangement or strategy to complete the merger and the subsequent management
and operation of the new entity
• the estimated cost of the proposed amalgamation or merger.
Note (a): Two or more profit companies may amalgamate or merge if, upon amalgamation or merging,
each amalgamated or merged company will satisfy the solvency/liquidity test.
Note (b): In terms of section 115, a proposed merger (amalgamation) must be approved:
(i) by a special resolution
(ii) adopted by persons entitled to exercise voting rights in respect of such a matter
(iii) at a meeting called to vote on the proposal, and
(iv) at which sufficient persons are present to exercise, in aggregate, at least 25% of all the
voting rights that are entitled to be exercised on that matter.
Note (c): The notice of the meeting at which the proposal will be considered must be sent to each
shareholder of all of the companies proposing to merge and must contain a copy of the
(i) merger (amalgamation) agreement
(ii) a summary of the requirements of sections 115 and 164 (s 164 deals with the rights of dis-
senting shareholders)
Note (d): Neither the MOI nor any resolution of the Board or the shareholders can override the approval
requirements of sections 114 and 115.

3. Section 114 – Proposals for scheme of arrangement


3.1 The board of a company may propose (and implement if approval is granted) an arrangement
between the company and its security holders to:
(i) consolidate securities of different classes
(ii) divide securities into different classes
(iii) expropriate or re-acquire securities from the holders
(iv) exchange any of its securities for other securities or
(v) implement a combination of the above (i to iv).
3.2 Any Board proposing such a scheme must engage an independent expert to prepare a report to the
Board which must, as a minimum:
(i) state all information relevant to the value of the securities affected by the proposed arrangement
(ii) identify every type and class of holders of securities affected by the proposed arrangement
(iii) describe the material effects that the arrangement will have on the holders of these securities
(iv) evaluate the adverse effects of the arrangement on the rights and interests of holders against:
– any compensation received by any holder, and
– any reasonably probable benefits to be derived by the company
(v) state any material interest of any director of the company or trustee for security holders and state
the effect of the arrangement on those interests
Chapter 3: Statutory matters 3/49

(vi) include a copy (or summary) of sections 115 and 164 (s 164 deals with the rights of dissenting
shareholders).
Note (a): In terms of section 115, such a scheme of arrangement must be approved by special resolution.
Note (b): The expert engaged by the company must be:
• qualified and have the competence and experience to:
– understand the type of arrangement proposed
– evaluate the consequences of the arrangement, and
– assess the effect of the proposed arrangement on the value of securities and on the rights
and interests of a holder of any securities, or the creditor of the company
• able to express opinions, exercise judgment and make decisions impartially.
Note (c): The expert engaged must not:
• have any relationship with the company which would lead a reasonable and informed third
party to conclude that that relationship compromises the integrity, impartiality or objectivity
of the expert
• have had any such relationship within the immediately preceding two years, or
• be related to any person who has or has had such a relationship.
Note (d): Neither the MOI nor any resolution of the board or security holders can override the require-
ments of sections 113 or 115 in respect of a scheme of arrangement.
Chapter 5 – Part B – Authority of Panel and Takeover Regulations – nil
Chapter 5 – Part C – Regulation of affected transactions and offers – nil

3.4.6 Chapter 6 – Business rescue and compromise with creditors


For students following the IRBA and SAICA qualifying syllabuses, this chapter is expected to be regarded
as specialist knowledge. However, “business rescue” is linked to the going concern ability of a company
and it has been decided that this text should provide students with an understanding of the basics
underlying the chapter.

Chapter 6 – Part A – Business rescue proceedings


1. Section 128 – Definitions (selected)
1.1 Business rescue means proceedings that are implemented to facilitate the rehabilitation of a company
that is financially distressed, by providing for:
(i) the temporary supervision of the company, and of the management of its affairs, business and
property
(i) a temporary moratorium on the rights of claimants against the company or in respect of property
in its possession (e.g. attaching an asset given as security for a loan), and
(ii) the development and implementation (if approved) of a plan to rescue the company, restruc-
turing its affairs, business, property, debt, equity, etc.
1.2 Financially distressed means that:
(i) it appears to be reasonably unlikely that the company will be able to pay all of its debts as they
fall due and payable within the immediately ensuing six months, or
(ii) it appears to be reasonably likely that the company will become insolvent within the immedi-
ately ensuing six months.
1.3 An affected person means:
(i) a shareholder or creditor of the company
(ii) any registered trade union representing employees of the company
(iii) any employee(s) not represented by a trade union.
1.4 Business rescue practitioner means a person(s) appointed to oversee the company during rescue.
Note (a): A business rescue practitioner must be licensed with the CIPC and the Minister may prescribe
qualifications (see regulation 126) to practice as a business rescue practitioner. The CIPC has a
right to revoke the licence.
3/50 Auditing Notes for South African Students

Regulation 126
For the purposes of business rescue, this regulation categorises companies (basically in terms of their public
interest score) and business rescue practitioners in terms of their experience. This is done to identify which
practitioners can be appointed to “rescue” which companies. The categorisations are as follows:
Company Score Practitioner Experience
Large 500 or more Senior Member of accredited professional body, for
example SAICA. At least ten years’ business
turnaround/rescue experience.
Medium Public: less than 500 Experienced Member of accredited professional body, for
Other: 100 to 499 example SAICA. At least five years’ business
turnaround/rescue experience.
Small Less than 100 Junior Member of accredited professional body, for
example SAICA but less than five years’
experience, or no experience at all.

Note: The regulations do not include SOCs in the categorisation.


(i) A senior practitioner may be appointed as a practitioner for any company.
(ii) An experienced practitioner may be appointed as a practitioner for any small or medium com-
pany but not for a large company or SOC unless as an assistant to a senior practitioner.
(iii) A junior practitioner may be appointed as a practitioner for any small company but not for a
large or medium company or an SOC unless as an assistant to a senior or experienced
practitioner.
2. Section 129 – Company resolution to begin business rescue proceedings
2.1 The board may resolve that the company commence business rescue proceedings if the board has
reasonable grounds to believe that:
• the company is financially distressed, and
• there appears to be a reasonable prospect that the company can be rescued.
If liquidation proceedings have been initiated by or against the company, such a resolution may not
be adopted.
2.2 The resolution must be filed with the CIPC.
2.3 Thereafter, the company must:
(i) publish a notice of the resolution to every affected person within five business days of filing
(ii) appoint a business rescue practitioner within five business days of filing
(iii) file the name of the business rescue practitioner (with the CIPC) within two business days of
appointment, and within five business days of that appointment, notify all affected persons of
the notice of appointment.
Note (a): In terms of section 138, a person may be appointed as a practitioner only if the person is:
(i) a member in good standing of a profession which is regulated (such as SAICA or IRBA)
(ii) not disqualified from acting as a director of the company or subject to an order of proba-
tion
(iii) does not have any relationship with the company which would lead a reasonable and
informed third party to conclude that that relationship compromises the integrity,
impartiality or objectivity of that person
(iv) is not related to a person who has a relationship contemplated in (iii) above.
Note (b): In terms of section 130, an affected person can apply to the court at any time after the adoption
of the rescue resolution but before the adoption of the rescue plan (s 150) to:
(i) set aside the resolution on the grounds that:
• there is no reasonable basis for believing the company is financially distressed
• there is no reasonable prospect of rescuing the company
• the procedural requirements for obtaining the resolutions were not complied with
Chapter 3: Statutory matters 3/51

(ii) set aside the appointment of the practitioner on the grounds that he or she:
• is not qualified, or
• is not independent of the company
• lacks the necessary skills.

3. Section 131 – Court order to begin business rescue proceedings


3.1 An affected person may apply to the court for an order to place the company under supervision and
commence rescue proceedings.
3.2 An applicant (the affected person) must:
• serve (send) a copy of the application on the company and the CIPC, and
• notify each affected person of the application.
Note (a): The court can place the company under supervision if it is satisfied that:
(i) the company is financially distressed
(ii) the company has failed to pay over any amount in terms of an obligation in terms of a
public regulation (e.g. pay municipal rates/levies), contract (e.g. pay creditor) or in respect
of employment-related matters, or
(iii) it is just and equitable to do so for financial reasons, and
(iv) there is a reasonable prospect of rescuing the company.

Chapter 6 – Part B – Practitioner’s functions and terms of appointment


1. Section 140 – Powers and duties of practitioners
1.1 During the business rescue proceedings, the practitioner:
(i) has full management control of the company in substitution for its board and management
(ii) may delegate any power to a person who was a member of the board or management
(iii) may remove a member of management from office or appoint a person as part of management.
1.2 The practitioner is responsible for developing a business rescue plan and implementing it.
Note (a): During a company’s business rescue proceedings the practitioner:
• is an officer of the court and must report to the court as required
• has the responsibilities, duties and liabilities of a director of the company
• is not liable for any act or omission in good faith in the course of carrying out his function as
practitioner, but can be held liable for gross negligence in respect of his performance as
practitioner.

2. Section 141 – Investigation of affairs of the company


2.1 As soon as practicable after being appointed, the practitioner must investigate the company’s affairs,
business, property and financial situation to evaluate whether there is a reasonable prospect of the com-
pany being rescued.
2.2 If, at this stage, or at any stage of the business rescue proceedings, the practitioner concludes that
there is no reasonable prospect of the company being rescued, the practitioner must:
(i) inform the court, the company and all affected persons of this fact, and
(ii) apply to the court for an order discontinuing the business rescue proceedings and placing the
company in liquidation.
2.3 If at any time during the business rescue proceedings, the practitioner concludes that the company is
not financially distressed, the practitioner must:
(i) inform the court, the company and all affected persons of this fact and apply to the court (where
applicable) to set aside the business rescue proceedings, or
(ii) file a notice of termination of business rescue proceedings (with the CIPC).
2.4 If at any time during the business rescue proceedings, the practitioner concludes that in the dealings of
the company before business rescue proceedings began, there is evidence of:
(i) voidable transactions, or
3/52 Auditing Notes for South African Students

(ii) a failure by the company or the directors to perform any material obligation, the practitioner must take
necessary steps to rectify the situation and may direct management to rectify the situation
(iii) reckless trading, fraud or other contravention of any law relating to the company, the practitioner must
forward the evidence to the appropriate authority (for further investigation and possible prosecu-
tion) and direct management to take the necessary steps to rectify the situation, including recov-
ering any misappropriated assets of the company.
Note (a): When a company is financially distressed, shareholders and/or directors may be tempted to act
in a manner that is reckless, fraudulent or which results in voidable transactions, for example, a
director purchasing one of the company’s machines for an amount considerably below its
market (fair) value, before the company is liquidated. In other words, the shareholders/directors
may place their own interests above those of the company and creditors, in an attempt to min-
imise their own losses.

3. Section 142 – Directors to co-operate with and assist the practitioner


3.1 As soon as practical after business rescue proceedings begin, each director must deliver to the prac-
titioner all books and records that relate to the company which are in his possession, and if the
director has knowledge of the whereabouts of other books and records, must inform the practitioner.
3.2 Within five business days after the business rescue proceedings begin, the directors must provide the
practitioner with a statement of affairs of the company, including, as a minimum, particulars of:
• any material transactions involving the company or its assets which occurred within the
12 months preceding the rescue proceedings
• any court, arbitration or administrative proceedings the company is involved in
• the assets and liabilities of the company, and its income and disbursements within the preceding
12 months
• the number of employees and any agreements relating to the rights of employees
• debtors and creditors of the company, their rights and obligations.

Chapter 6 – Part C – Rights of affected persons during business rescue proceedings


1. Sections 144, 145, 146 – Rights of affected persons during business rescue proceedings
1.1 For the purposes of this text the detail of these sections is not important, but it is essential to under-
stand that a business rescue plan is a collective effort by the practitioner and affected persons to save
the company. The Act draws employees, creditors and holders of the company’s securities into the
process by stipulating the “rights” these groupings have.
In general terms, employees, trade unions, creditors and holders of the company’s securities, are
entitled to:
(i) receive notice of all court proceedings, decision, meeting or event relating to the business rescue
plan
(ii) participate in court proceedings
(iii) form representative committees
(iv) be consulted by the business rescue practitioner
(v) be present and make submissions at meetings of the holders of voting interests
(vi) vote on the approval of the business rescue plan
(vii) propose and develop an alternative business plan if the (practitioner’s) proposed rescue plan is
rejected.

2. Sections 147 and 148 – First meetings of creditors and employees’ representatives
2.1 In terms of these sections, the practitioner must, within 10 days of being appointed, convene and
preside over the first meeting of creditors and a (separate) first meeting of employees’ representatives.
2.2 The purpose of these meetings is to inform these groups whether the practitioner believes that there is
a reasonable prospect of rescuing the company.
Note (a): The practitioner must give notice of the respective meetings to every creditor, and employee
(trade union if applicable) setting out the date, time and place of the meeting, and the agenda for
the meeting.
Chapter 3: Statutory matters 3/53

Chapter 6 – Part D – Development and approval of business rescue plan


1. Sections 150 to 154 – Development and approval of business rescue plan
1.1 It is the practitioner’s duty, after consulting the creditors, management and other affected parties, to
prepare a business rescue plan.
1.2 The plan must contain all the information required to facilitate affected persons in deciding whether
to accept or reject the plan. The plan must be divided into three parts (this is a requirement of s 150):
• Part A – background
• Part B – proposals
• Part C – assumptions and conditions
and must conclude with a certificate by the practitioner stating that:
• actual information provided appears accurate, complete and up to date
• projections provided are estimates made in good faith based on factual information and the
assumptions set out in the plan.
1.3 The business plan must be published within 25 business days after the date on which the practitioner
was appointed (this can be extended by the court or the majority of creditors’ voting interests).
1.4 The practitioner must, in terms of section 151, then convene and preside over a meeting of creditors
and other holders of a voting interest to consider the plan. (This must occur within ten business days
of publishing the plan.)
1.5 Approval on a preliminary basis will then be sought from the creditors, and if more than 75% of the
creditor voting interests supports the plan, preliminary approval is obtained.
1.6 If the rescue plan does not alter the rights of the holders of any class of the company’s securities, the
preliminary approval becomes final approval and the plan is adopted.
1.7 If the rescue plan does alter the rights of the holders of any class of such securities, the practitioner
must convene a meeting of those security holders and put the plan to the vote. If a majority (over
50%) of the affected security holders vote to adopt the plan, the preliminary approval becomes final
approval and the plan is adopted.
1.8 If the rescue plan is rejected, the practitioner may seek approval to prepare and publish a revised plan.
If this is granted, the “prepare, publish, approve procedure” will be carried out again.
Note (a): If the practitioner or an affected person believes that the decision to reject the rescue plan was
egregious (outstandingly bad), irrational or inappropriate, he may apply to the court to set aside
the result of the vote.

Chapter 6 – Part E – Compromise with creditors


1. Section 155 – Compromise between company and creditors
1.1 The board of a company or the liquidator of such a company may propose an arrangement or
compromise of its financial obligations to its creditors if it is being wound up.
1.2 Any such proposal must be divided into three parts, namely:
• Part A – Background
• Part B – proposals
• Part C – Assumptions and Conditions, and
must include a certificate by an authorised director stating that:
• factual information provided appears to be accurate, complete and up to date
• projections provided are estimates made in good faith on the basis of the factual information and
assumptions in the proposal.
Note (a): Such a proposal will be binding on all affected creditors if the proposal is supported by a majority
in number of creditors who represent at least 75% in value of the creditors.

3.4.7 Chapter 7 – Remedies and enforcement


The detail of this chapter is expected to be outside the requirements of SAICA and the IRBA, but it is
important for students to have a broad understanding of what is contained in the chapter. Much of what is
3/54 Auditing Notes for South African Students

contained in the chapter is unlikely to affect the everyday practice of auditing, and will be more relevant to
lawyers. Thus only a few sections have been included in these summaries, along with brief comments
where appropriate.

Chapter 7 – Part A – General principles


1. Section 156 – Alternative procedures for addressing complaints or securing rights
The essence of this section is to provide a range of persons (in various forms) with ways of proceeding
against a company and/or its directors to:
• address alleged contraventions of the Act, or
• enforce any provision, or right in terms of the Act, of the company’s MOI or rules, and
• provide mechanisms for addressing complaints or securing rights.
Note (a): In terms of this section, a person may attempt to resolve a dispute by:
i. mediation, conciliation or arbitration with the company
ii. applying to the Companies Tribunal for adjudication
iii. applying to the High Court
iv. applying to the CIPC
v. applying to the Takeover Regulation Panel (TRP).
The route the complainant takes depends on the nature of the dispute.

2. Section 158 – Remedies to promote purpose of the Act


2.1 When deliberating on any matter, the court must develop the common law to improve the realisation
and enjoyment of rights established by the Act, and all parties to whom disputes are referred
(including the court) must promote the spirit, purpose and objects of the Act.

3. Section 159 – Protection for whistleblowers


3.1 The purpose of this section is to provide protection, for example, against dismissal, demotion, court
action, etc., for a shareholder, director, secretary, prescribed officer or employee of a company,
representative of employees (e.g. trade union), a supplier of goods or services to the company or an
employee of such a supplier, who discloses information about the company or the directors (whistle-
blowing).
Note (a): The section covers disclosures made in good faith to the CIPC, the Companies Tribunal, the
TRP, a regulatory authority, an exchange, a legal adviser, a director, prescribed officer, com-
pany secretary, auditor (internal or external), board or committee of the company.
Note (b): The section covers information that showed or tended to show that the company or a director
(or prescribed officer) has:
(i) contravened the Companies Act or any other Act enforced by the CIPC, for example,
Close Corporations Act, Copyright Act, Trade Marks Act as listed in Schedule 4, for
example, a company selling counterfeit goods
(ii) failed or is failing to comply with any legal obligation to which the company is subject, for
example, a company not paying VAT on cash sales
(iii) engaged in conduct that has endangered or is likely to endanger the health or safety of any
individual, or damage the environment, for example, a company dumping toxic waste in a
river
(iv) unfairly discriminated, or condoned unfair discrimination, against any person as per sec-
tion 9 of the Constitution, for example, company dismissing women who become pregnant
(v) contravened any other legislation in a manner that could expose the company to an actual
or contingent risk or liability, or is inherently prejudicial to the company’s interests, for
example, transport company bribing government officials to provide roadworthy certifi-
cates for its trucks without testing.
Chapter 3: Statutory matters 3/55

Note (c): In terms of this section, the whistle-blower:


(i) has qualified privilege in respect of the disclosure and
(ii) is immune from any civil, criminal or administrative liability for that disclosure.
Note (d): The company cannot override this section in its MOI or rules, for example, it cannot include a
clause that provides for instant dismissal of whistle-blowers.

Chapter 7 – Part B – Rights to seek specific remedies


1. Section 161 – Application to protect rights of securities holders
1.1 A holder of issued securities may apply to the court for an order to protect the rights pertaining to his
securities (shares) in terms of the Act or the MOI or to rectify harm done to the securities by a
company or any of the directors.

2. Section 162 – Application to declare director delinquent or under probation


2.1 This section gives certain parties, for example, the company, shareholders, director, company secre-
tary, or trade union, the power to apply to the court to have a director declared delinquent or under
probation.
The section relates to a present director or an individual who was a director within the 24 months
preceding the application to the court.

3. Section 163 – Relief from oppressive or prejudicial conduct


3.1 This section gives a shareholder or director the power to apply to the court for relief if:
i. any act or omission of the company, or
ii. the manner in which the business of the company has been conducted, or
iii. the abuse of his powers by a director, etc.,
has had a result that is oppressive or unfairly prejudicial to, or unfairly disregards, the interests of the
applicant.
Note (a): If the court finds in favour of the applicant, it may make any interim or final order it considers
fit. These range from an order restraining the conduct complained of to appointing additional
directors, and ordering compensation to be paid to an aggrieved party.

Chapter 7 – Parts C to F
The remaining sections in this chapter of the Companies Act 2008 are mainly procedural and are beyond
the scope of this text.

3.4.8 Chapter 8 – Regulatory agencies and administration of act


This chapter establishes four “regulatory agencies”, lays out their objectives and functions, gives them
powers and determines how they should be staffed. It is unnecessary to detail all of the above. However,
prospective auditors should be aware of the agencies and their broad functions, particularly the Financial
Reporting Standards Council (FRSC). A brief overview of the agencies is given below.

Chapter 8 – Part A – Companies and Intellectual Property Commission


1. Sections 185 to 192 – Establishment, objectives, functions, etc.
1.1 The CIPC is a juristic person which must be independent and must perform its functions impartially,
without fear, favour or prejudice.
1.2 Its objectives are to:
• efficiently and effectively register companies or other juristic persons arising from various Acts
under its control (see Schedule 4) and intellectual property rights
• maintain up-to-date, accurate and relevant information pertaining to companies, etc.
• promote awareness of the company and intellectual property laws
• promote compliance with the Act and other applicable legislation
• enforce the Companies Act and other Schedule 4 Acts.
3/56 Auditing Notes for South African Students

1.3 The CIPC is also responsible for advising the Minister on national policy relating to companies and
intellectual property law.
1.4 The CIPC will be headed by a Commissioner and Deputy Commissioner, both appointed by the
Minister. Specialist Committees may be appointed by the Minister to advise on matters relating to
company law or policy and the management of the Commission’s resources.

Chapter 8 – Part B – Companies Tribunal


1. Section 193 to 195 – Companies Tribunal
1.1 The Companies Tribunal is a juristic person which must be independent and must perform its func-
tions impartially and without fear, favour or prejudice, and in an appropriate transparent manner.
1.2 The Minister will appoint the chairperson and other members (at least 10) of the Tribunal. Members
must comprise persons suitably qualified and experienced in economics, law, commerce, industry or
public affairs. The Minister must designate a member of the tribunal as deputy chairperson.
1.3 The functions of the Companies Tribunal are to:
• adjudicate in relation to any application made to it in terms of the Act
• assist in voluntary resolutions of disputes
• perform any function allocated to it in terms of the Companies Act or any Act mentioned in
Schedule 4.

Chapter 8 – Part C – Takeover Regulation Panel


1. Sections 196 to 202 – Establishment, composition, functions, etc.
The TRP is a juristic person which must be independent and must perform its functions impartially without
fear, favour or prejudice.
1.1 The TRP will be made up of the Commissioner, various other stipulated persons (posts) and several
other individuals appointed by the Minister. The Minister may designate members of the TRP to be
chairperson and deputy chairpersons (two). The panel may appoint an executive director and one or
more deputy executive directors.
1.2 The functions of the TRP are to:
(i) regulate affected transactions, and investigate complaints relating to affected transactions (amal-
gamations, mergers, etc.)
(ii) apply to the court to wind up a company where the directors etc have acted fraudulently or
illegally and have not responded to compliance “warnings” by the CIPC or TRP itself
(iii) consult the Minister in respect of changes to the Takeover Regulations.
1.3 Section 202 provides for establishing a Takeover Special Committee to hear and decide on any matter
referred to by the TRP or, if applicable, the Executive Director of the TRP.

Chapter 8 – Part D – Financial Reporting Standards Council


1. Sections 203 and 204 – Establishment, composition and functions
1.1 The functions of the Financial Reporting Standards Council (FRSC) are to:
(i) receive and consider any relevant information relating to the reliability of, and compliance with,
financial reporting standards and adopt international reporting standards for local circumstances
(ii) advise the Minister on matters relating to financial reporting standards, and
(iii) consult with the Minister on the making of regulations establishing financial reporting standards.
1.2 The Minister is responsible for establishing a committee (i.e. the FRSC) by appointing suitably
qualified persons, in terms of the requirements of the Act, for example, four practising auditors, two
persons responsible for preparing financial statements for a public company, two people know-
ledgeable on company law, a person nominated by the Governor of the South African Reserve bank,
etc. (see s 203).

Chapter 8 – Part E – Administrative provisions applicable to agencies


The balance of the sections in this chapter of the Companies Act are generally procedural and beyond this
text’s scope.
Chapter 3: Statutory matters 3/57

3.4.9 Chapter 9 – Offences, miscellaneous matters and general provisions


Chapter 9 – Part A – Offences and penalties
1. Section 213 – Breach of confidence
1.1 It is an offence to disclose any confidential information concerning the affairs of any person obtained
in carrying out any function in terms of this Act or participating in any proceedings in terms of the
Act.
Note (a): Obviously, this does not apply to information disclosed:
• for the purpose of proper administration or enforcement of this Act
• to administer justice
• at the request of a regulatory agency (or its inspectors) entitled to receive the information, or
• when required to do so by any court or under any law.
Note (b): In terms of section 216, a person convicted of breaching this section is liable to a fine or impris-
onment not exceeding ten years, or to both!

2. Section 214 – False statements, reckless conduct and non-compliance


2.1 A person is guilty of an offence if he:
• is party to the falsification of any accounting records
• knowingly provided false or misleading information, with a fraudulent purpose, in any circum-
stance in which the Act requires the person to provide information
• was knowingly a party to an act or omission calculated to defraud a creditor, employee or security
holder or with another fraudulent purpose
• is a party to the preparation, approval, dissemination or publication of:
– financial statements, knowing that the financial statements do not comply with the require-
ments of section 29(1), for example, do not satisfy the financial reporting standards, or do not
indicate whether they have been audited or not (see s 29 (6))
– financial statements, knowing that they are false or misleading
– a prospectus which contains any untrue statement.
Note (a): Again, in terms of section 216, a person convicted of breaching this section is liable to a fine or
imprisonment not exceeding ten years, or to both.

3. Section 215 – Hindering administration of the Act


3.1 It is an offence to hinder, obstruct or improperly attempt to influence the CIPC, the Companies
Tribunal, the TRP, an investigator/inspector or the court when any of them is exercising a power or
duty in terms of the Act.
Note (a): A breach of this section may result in a fine or imprisonment not exceeding 12 months, or both.

Chapter 9 – Part B – Miscellaneous matters – nil


Chapter 9 – Part C – Regulations, etc.
1. Section 225 – Short title
This Act will be called the Companies Act, 2008.

3.5 The Close Corporation Act 69 of 1984


3.5.1 Introduction
The idea of a close corporation (CC) is that the members all work together for the good of the whole, and
in doing so, they monitor each other’s actions, thus making strict external regulation less important.
The Close Corporations Act 69 of 1984 (the Close Corporations Act) created a legal entity that was far
simpler than a company to administer and which required far less formality. With the introduction of the
Companies Act (2008), the formation and administration of companies has been simplified to the extent
that the option of a CC as a business entity has been withdrawn, effective from the date on which the
3/58 Auditing Notes for South African Students

Companies Act came into operation, namely, 1 May 2011. Existing CCs can convert themselves into
companies or may elect to remain as CCs. Those CCs that do not convert will, for the time being, be
controlled by the existing Close Corporations Act, but there have been some important amendments to this
Act to bring it into line with the Companies Act.
At its inception, the Close Corporations Act was built around what has been termed the liquidity/
solvency principle, as opposed to the capital maintenance concept, around which the former Companies
Act was built. The new Companies Act moves away from the capital maintenance concept, towards the
liquidity/solvency principle. Simplistically, the capital maintenance concept requires prohibitions or strict
requirements to be in place in respect of transactions involving the capital of a company. This is in contrast
to the liquidity/solvency principle, which primarily requires that the liquidity and solvency of the entity
remain intact after any transaction relating to the entity’s capital.

3.5.2 Important changes to the Close Corporations Act 1984


2.1 Now that the Companies Act is effective, no new CCs can be formed. An existing CC can be
converted to a company or continue to operate as a CC in terms of the Close Corporations Act 1984.
2.2 Requirements for the transparency and accountability of CCs have been enhanced. Most significant of
these changes is that section 10 of the Close Corporations Act has been amended to include the
requirement that “Regulations made by the Minister in terms of the Companies Act 2008, sections
29(4) and (5) and 30(7) will apply to a close corporation”. In effect this means that:
• every CC must calculate its public interest score, and
• prepare its financial statements in terms of the financial reporting standards relevant to its public
interest score, and
• some CCs will need to be audited, depending on their public interest scores and whether their
financial statements are internally or independently compiled.
2.3 Chapter 6 of the Companies Act, which deals with the rescue of financially distressed companies, will
apply to CCs as well.

3.5.3 Calculation of the Close Corporations public interest score


3.1 The score must be calculated annually as follows. It will be the sum of the following:
(i) a number of points equal to the average number of employees of the CC during the financial
year
(ii) one point for every R1m (or portion thereof) in third party liabilities of the CC at the financial
year-end
(iii) one point for every R1m (or portion thereof) in turnover of the CC during the financial year, and
(iv) one point for every individual who, at the end of the financial year, is known by the CC to
directly or indirectly have a beneficial interest in the CC.

3.5.4 Preparation of financial statements


4.1 As indicated above, the public interest score will determine which financial reporting standards will
apply to the CC.
4.2 The options are essentially IFRS, and IFRS for SMEs.

3.5.5 Audit requirement


5.1 The public interest score and activity of the CC and whether the financial statements were internally
or independently compiled, will determine the audit requirement.
5.2 The following CCs must be audited:
• any CC that in the ordinary course of its primary activities, holds assets (which had an aggregate
value of R5m at any time during the year) in a fiduciary capacity for persons who are not related
to the CC
Chapter 3: Statutory matters 3/59

• any CC with a public interest score of 350 or more, or


• any CC with a public interest score of at least 100 but less that 350, if its financial statements were
internally compiled.

3.5.6 Breakdown of the Close Corporations Act by part


The Close Corporation Act itself is broken up into 10 parts, each dealing with a separate aspect. The
following list identifies those sections which are regarded as important for a general understanding of the
Act.
Definitions : Refer to when studying individual sections
Part I : Formation Section 2
Part II : Administration of Act Sections 5, 10
Part III : Registration, etc. Sections 12, 17, 22, 23, (27 withdrawn)
Part IV : Membership Sections 29, 33, 35, 36, 37, 39, 40
Part V : Internal Relations Sections 42, 43, 44, 46, 47, 48, 49, 51, 52
Part VI : External Relations Sections 53, 54
Part VII : Accounting and Disclosure Sections 58, 59,62
Part VIII : Liability of Members Sections 63, 64
Part IX : Winding up Nil
Part X : Penalties Nil

3.5.7 Section summaries and notes


Part I Formation and juristic personality

1. Section 2 – Formation and juristic personality


1.1 New CCs can no longer be formed since the introduction of the Companies Act 2008. However, CCs
that existed before 1 May 2011 (the date on which the Companies Act became effective) continue to
exist.
1.2 The original requirement that the CC must have one or more members but not more than 10 still
applies (s 28).

Part II Administration of the act


1. Section 5 – Inspection of documents
1.1 Any person can, on payment of the prescribed fee and subject to the availability of the original
document
• inspect any document kept by the CIPC in respect of a corporation or,
• obtain a certificate from the CIPC as to the contents of any such document
• obtain a copy or extract from any such document.
Note (a): The administration of the Close Corporations Act now falls under the CIPC.

2. Section 10 – Regulations and policy


2.1 Regulations made by the Minister in terms of section 29(4) and (5) of the Companies Act relating to
the preparation of financial statements in terms of the financial reporting standards, and section 30(7)
relating to audit requirements, will now apply to CCs (see discussion in the introduction to CCs).

Part III Registration, deregistration and conversion


1. Section 12 – Founding statement
1.1 The founding statement is the basic document that brought all existing CCs into being.
3/60 Auditing Notes for South African Students

1.2 It is signed by all members who formed the CCs and contained:
• the name of the CC
• principal business of the CC
• postal address, physical address
• full name and ID of each member
• the percentage of each member’s interest
• particulars of each member's contribution (s 24)
• the accounting officer’ name and address
• the date of the financial year-end.
Note (a): This document equates partially to the MOI of a company.
Note (b): Founding Statements of existing CCs are lodged with the CIPC (s 13).
Note (c): All existing CCs have a CC registration number, and are issued with a certificate of incorpor-
ation (s 14)).
Note (d): Any changes to the information in the founding statement will result in an amended founding
statement having to be lodged (s 15). Circumstances at existing CCs can still result in the need for
an amended founding statement, for example a new member may join the CC.
Note (e): Each year the CC must lodge an annual return to confirm the validity of the CC’s founding data
(s 15A).
Note (f): A CC must keep a copy of its founding statement and annual return at its registered office.

2. Section 17 – No constructive notice of particulars in founding statement


2.1 No person shall be deemed to know any information in the founding statement simply because it is
lodged with the Registrar.

3. Section 22 – Formal requirements as to names


3.1 A CC must attach the letters CC (or other official language abbreviation) to its name.

4. Section 23 – Use and publication of names


4.1 Essentially section 23 of the CC Act states that the CC must comply with section 32 of the Companies
Act:
• A CC must provide its full registered name or registration number to any person on demand.
• A CC must not misstate its name or registration number in a manner likely to mislead or deceive
any person.
• The name and number must also appear on all notices, publications and stationery, for example
bills of exchange, invoices, etc. (whether hard copy or electronic).
Note (a): This requirement is to ensure that people dealing with the CC are aware that they are dealing
with a “juristic person” in its own right.

5. Section 27 – Conversion of companies into corporations.


Note: This section has been withdrawn and it is no longer possible for a company to convert to a CC. It
is, however, possible for a CC to convert to a company. The procedure is dealt with in Schedule 2
of the Companies Act.
5.1 Schedule 2 section 1(1). A CC may file a notice of conversion in the prescribed manner and form at
any time with the CIPC.
5.2 A notice of conversion must be accompanied by:
• a written statement of consent approving the conversion of the CC to a company (signed by mem-
bers holding at least 75% of the members’ interests)
• an MOI
• a prescribed filing fee.
5.3 After acceptance of a notice of conversion, the CIPC must:
• assign a unique registration number to the (new) company
Chapter 3: Statutory matters 3/61

• enter the details of the company in the Companies Register


• endorse the notice of conversion and MOI filed with it
• issue a registration certificate to the (new) company
• cancel the registration of the CC
• give notice in the Gazette of the conversion and enable the Registrar of Deeds to effect necessary
changes resulting from conversion and name changes.
Note (a): Every member of the CC is entitled to become a shareholder of the (new) company:
• the shareholders in the company need not necessarily be in the same proportion as the mem-
bers’ interests were in the CC
• a member of the CC who does not wish to become a shareholder in the company does not
have to become a member and can arrange for the disposal of his interest prior to the
conversion.
Note (b): On the registration of the (new) company:
• the juristic person that existed as a CC continues to exist as a juristic person but in the form
of a company
• all the assets, liabilities, rights and obligations of the CC vest in the (new) company
• any legal proceedings instituted against the CC may be continued against the (new) company
• any enforcement measures that could have been instituted against the CC can be brought
against the (new) company
• any liability of a member of the CC arising out of the Close Corporation Act continues as a
liability of that person as if the conversion has not taken place.
For all practical purposes, things remain the same.

Part IV Membership
1. Section 29 – Requirements for membership
1.1 Subject to some exceptions, only natural persons may be members of a CC.
1.2 A natural person will qualify for membership:
• if he is entitled to a members’ interest (i.e. made a contribution or purchased the interest)
• in his official capacity as a trustee of a testamentary trust, provided that no juristic person is a bene-
ficiary of the trust
• in his official capacity as a trustee, administrator, executor of an insolvent, deceased or mentally
disordered member’s estate or his duly appointed/authorised legal representative
• in his official capacity as trustee of an inter vivos trust (with certain provisos), for example no juristic
person shall directly or indirectly be a beneficiary of the trust.
1.3 Joint memberships (two or more persons holding a single member’s interest) are not allowed (s 30).
1.4 The intention of the legislature is to keep membership as natural as possible so that the “closeness” of
the corporation is not complicated by juristic entities (non-people).
1.5 A corporation may have one or more members, but not more than ten (s 28).

2. Section 33 – Acquisition of a member’s interest


2.1 There are two ways to acquire a members’ interest:
• Pursuant to a contribution made to the CC: other members’ interests will be amended accordingly
(total must always equal 100%).
• Purchase from an existing member/members: no contribution to the CC is made.
Note (a): A member’s interest will be expressed as a percentage and will be regarded as moveable property
(s 30).
Note (b): Each member will be issued with a membership certificate that states the interest percentage held
by the member (s 31).
3/62 Auditing Notes for South African Students

3. Section 35 – Disposal of interest of deceased member


3.1 The executor of a deceased member’s estate will arrange the transfer of the deceased member’s
interest to an heir, if:
• the heir is eligible (qualifies) for membership of a CC, and
• the remaining members consent thereto.
Note (a): If the other members’ consent is not given within 28 days of it being requested, the executor
may:
• sell the interest to the corporation (if there is another member or other members)
• sell the interest to any other remaining member(s)
• sell the interest to any other person who qualifies for membership. In this case, the other mem-
bers (if any) will have the right to reject the “other person” and purchase the interest them-
selves. They may not approve of the person to whom the executor intends to sell the interest.
Note (b): The association agreement may stipulate other arrangements in respect of the deceased mem-
ber’s interest. The executor should adhere to these stipulations.

4. Section 36 – Cessation of membership by order of the court


4.1 On application of any member, the Court may rule that a member shall cease to be a member on any
of the following grounds:
4.1.1 The member is permanently incapable of performing his role, for example, of unsound mind.
4.1.2 The member is guilty of conduct that is likely to be prejudicial to the business, for example,
negligence or recklessness on the part of the member.
4.1.3 The other members find it impractical to carry on business due to the member’s conduct; for
example, such member is never present.
4.1.4 Circumstances have arisen which render it just and equitable that such a member should cease to
be a member, for example, the member continues to act in his own interests to the detriment of the CC.
Note (a): This section is designed to protect members against members who do not “pull their weight” one
way or another.
Note (b): The court, in ruling on this matter, may order as it deems fit concerning the acquisition of the
departing member’s interest by the other members and the amount and method of payment
therefor.

5. Section 37 – Disposition of a member’s interest (other than insolvent, deceased and s 36


dispositions)
5.1 A member may dispose of his interest to:
5.1.1 the corporation itself
5.1.2 any other person (qualified for membership) provided that the disposition is made in terms of
the association agreement (if any) or with the consent of every other member of the corpor-
ation.

6. Section 39 – Payment by the corporation itself where it acquires a member’s interest


6.1 The CC itself may acquire a member’s interest provided:
6.1.1 every member other than the selling member has given prior written consent
6.1.2 after payment for the member’s interest, the assets, fairly valued, exceed the CC’s liabilities
(solvency)
6.1.3 the corporation can pay its debts as they become due (liquidity)
6.1.4 the payment itself does not render the corporation unable to pay its debts as they become due.

7. Section 40 – Financial assistance given by the corporation in respect of acquisition of member’s


interests
7.1 A CC may give financial assistance directly or indirectly, in any form, for the purchase of a member’s
interest.
7.2 The requirements indicated in 6.1.1 to 6.1.4 must be adhered to.
Chapter 3: Statutory matters 3/63

Part V Internal relations


1. Section 42 – Fiduciary position of the members
1.1 Each member of the CC stands in a fiduciary relationship to the corporation.
1.2 This means that the member must:
1.2.1 act honestly and in good faith
1.2.2 exercise his powers to manage or represent the corporation in the interests of and for the
benefit of the corporation
1.2.3 not act without, or exceed the power he has been granted
1.2.4 avoid conflict between his own interests and those of the corporation; in particular:
• not derive personal economic benefit in conflict with the corporation
• notify every other member at the earliest opportunity of the nature and extent of any per-
sonal “interest in contracts” of the corporation
• not compete in any way with the corporation in its business activities.
Note (a): Remember a CC is a separate legal entity, hence the fiduciary duty between itself and the mem-
bers arises.
Note (b): A member who breaches his fiduciary duty shall be liable to the corporation for:
• any loss suffered by the corporation as a result thereof
• any economic benefit derived by the member as a result thereof.
Note (c): A member will not be in breach of any fiduciary duty if his conduct was preceded or followed by
the written approval of all members, provided that all the members were cognisant (aware) of
the facts.
Note (d): The detail of how and when a “member’s interest in contracts” should be disclosed is not
specified (the Act does not seek to regulate internal relations too strictly). However, logic should
apply, but where a member fails to disclose his interest, the contract will be voidable at the option
of the corporation.

2. Section 43 – Liability for negligence


2.1 If a member fails to act with the care and skill that may reasonably be expected from a person of his
knowledge and experience, he will be liable for any loss suffered by the corporation as a result of that
failure.
Note (a): Negligence is a separate issue from breach of contract – a member could be guilty of both.
Note (b): Once again, written approval of a member’s “negligent” action by all of the members, if they are
cognisant of the facts, will render this section ineffective.
Any member of the CC may proceed against a fellow member of the CC in relation to sections 42 and
43. Such member must notify the other members of his intention to do so.

3. Section 44 – Association agreements


3.1 Association agreements are voluntary.
3.2 An existing association agreement is binding on all present and new members.
3.3 Its aim is to regulate the internal affairs of the corporation.
3.4 There is no constructive notice with regard to association agreements (s 45).
3.5 The agreement may be altered or dissolved. Amendments and dissolutions must be in writing and
signed by each member.

4. Section 46 – Variable rules regarding internal relations


4.1 The following rules will apply unless they are replaced or varied by an association agreement:
4.1.1 Every member is entitled to participate in the carrying on of the business.
4.1.2 Every member has equal rights in respect of the management of the business.
3/64 Auditing Notes for South African Students

4.1.3 For the following transactions, consent in writing of members (or a member) holding at least
75% of the members’ interests will be required:
• a change in the principal business
• a disposal of the whole, or substantially the whole, undertaking of the corporation
• a disposal of all, or the greater portion of, the assets
• any acquisition or disposal of immovable property by the corporation.
4.1.4 Differences between members will be decided by a majority vote of members.
4.1.5 At any meeting, the members of the corporation shall have the number of votes which
corresponds with his percentage interest.
4.1.6 A corporation shall indemnify every member in respect of expenditure incurred or to be
incurred by him (on behalf of the corporation).
4.1.7 Payments as defined (see point 8) shall be made in terms of agreement between members, but
in proportion to their members’ interest.

5. Section 47 – Disqualification from managing the business of the corporation


5.1 This section identifies persons who are disqualified from the management of a CC. The section has
been aligned with the Companies Act, particularly section 69(8) to (11) of the Act.
5.2 In terms of section 69(8) to (11) of the Companies Act, a person is disqualified from taking part in the
management of the corporation if:
5.2.1 A court has prohibited that person from being a director or has declared that person to be
delinquent or on probation in terms of section 162 of the Companies Act. This section covers
such situations as:
• a person acting as a director when disqualified or ineligible to do so
• a director grossly abusing the position as a director
• a director taking personal advantage of information
• a director, intentionally or by gross negligence, inflicting harm on the company, or
• a director acting in a manner that amounted to gross negligence, wilful misconduct or
breach of trust in relation to the performance of his duties.
5.2.2 The person is an unrehabilitated insolvent.
5.2.3 The person is prohibited in terms of any public regulations from being a director.
5.2.4 The person has been removed from an office of trust on the grounds of misconduct involving
dishonesty.
5.2.5 The person has been convicted in the Republic or elsewhere and imprisoned without the
option of a fine, or fined more than the prescribed amount (prescribed in the regulations) for
theft, fraud, forgery, perjury or an offence:
• involving fraud, misrepresentation or dishonesty
• in connection with the promotion, formation or management of a company, etc., or
• under the Companies Act, Insolvency Act, Close Corporations Act, Competition Act,
Financial Intelligence Centre Act, Securities Act or Chapter 2 of the Prevention and
Combating of Corruption Activities Act.
Note (a): A court may exempt a person from a disqualification imposed in terms of 5.2 above.
Note (b): As a general rule, disqualifications arising from 5.2.4 or 5.2.5 end five years after the date of
removal from office or the completion of the sentence. However, the commissioner may apply
for an extension of the disqualification period.
Note (c): This section disqualifies persons from managing the company. It does not prevent them from
becoming members. Membership is determined in terms of section 29.
Note (d): Despite being disqualified by section 69 of the Companies Act, a member of a CC may
participate in the management of the CC if 100% of members’ interests are held by that person,
or that person and other persons, all of whom are related to that disqualified person and have
consented in writing to that person participating in management, for example a husband and
wife may hold all the members’ interests. The wife can consent to the husband continuing to
manage the CC even if he is disqualified in terms of section 69.
Chapter 3: Statutory matters 3/65

6. Section 48 – Meetings of members


6.1 Any member of a corporation may, by notice to every other member, call a meeting of members for
any purpose disclosed in the notice.
6.2 Unless the association agreement provides otherwise (i.e. stipulates specific requirements for meet-
ings):
• the notice of the meeting must stipulate “reasonable” date, time and venue
• three-quarters of the members present, in person, shall constitute a quorum
• only members present, in person, may vote.

7. Section 49 – Unfairly prejudicial conduct


7.1 A member who believes that any particular act or omission of the corporation or by one or more of
the members is unfairly prejudicial, unjust or inequitable to him, or to some members including him, may
make an appeal to the Court.
Note (a): In settling the dispute, the Court may make such order it deems fit including the purchase of the
aggrieved member’s interest by the corporation.
Note (b): This section is a form of protection for members against other members.

8. Section 51 – Payments to members


8.1 A payment (as defined) to a member may only be made if the liquidity/solvency requirements are met.
Note (a): “Payments” in this section refer to payments made to a member specifically by virtue of the fact
of that membership. This includes:
• repayment of a member’s contribution
• a distribution of profits.
Note (b): If the payment is being made by virtue of any other contractual obligation, for example, the
member is also a creditor, or earns a salary for services to the corporation, then it is not subject
to the liquidity/solvency test.
Note (c): “Payments” do not need to be in cash to be subject to this section, for example, transfer of
property would also qualify.
Note (d): This section protects creditors of the corporation from the members “bleeding” the corporation
to the creditors’ detriment.
Note (e): Members will be liable to the corporation for any payment received contrary to this section.

9. Section 52 – Loans (security) to members and others


9.1 A CC shall not make a loan directly or indirectly:
9.1.1 to any of its members
9.1.2 any other corporation in which one or more of its members together hold more than 50%
9.1.3 any company or other juristic person controlled by one or more member of the corporation.
9.2 This section shall not apply where the (previously obtained) consent of all members in writing is obtained.
Note: Any member who authorises or permits a loan contrary to the requirements of this section will be
liable to indemnify the corporation against any loss resulting from the invalidity of such loan.

Part VI External relations


1. Section 53 – Pre-incorporation contracts
1.1 Any contract entered into by a person professing to act as an agent or a trustee for a corporation yet to
be formed will be deemed to have been entered into as if the corporation had been formed if:
1.1.1 the contract is in writing
1.1.2 it is, after incorporation, ratified or adopted
1.1.3 by all members, in writing
1.1.4 within the time stipulated by the contract or within a reasonable time.
Note (a): This section is included in the Act, but in reality should not be required because since 2011 no new
CC could or can be formed.
3/66 Auditing Notes for South African Students

2. Section 54 – Power of members to bind the corporation


2.1 Any act of a member will bind the corporation if:
2.1.1 such act is expressly or impliedly authorised by the corporation, or
2.1.2 if the act is performed in the usual way of the corporation’s business (as stated in the founding
statement) or in terms of the business actually being carried on by the corporation at the time
of the act unless:
• the said member had no power to act, and
• the third party ought reasonably to have known that the member had no such power.
Note (a): The important distinction which needs to be made is whether the act falls within the scope of the
CC’s usual business.
If it does: The company will be bound regardless of whether the member had power to act, unless the CC
can show that the third party should have known that the member did not have power.
If it does not: The company will not be bound unless the third party can prove that the member had
authority, express or implied.

Part VII Accounting and disclosure


1. Section 58 – Annual financial statements
1.1 AFS must be made out within 6 months of the year-end in one of the official languages and must be
approved by members’ interests of at least 51%.
1.2 As discussed in the introduction to the notes on CCs, every CC must calculate its public interest score
and this will form the basis on which the CC must prepare its financial statements. A second
consideration will be whether the CC’s financial statements have been internally or independently
prepared. The following diagram summarises these requirements:

Public Interest Score Financial Reporting Standard Audit Required?


Equal to or greater than 350 IFRS or Yes
IFRS for SMEs
At least 100 but less than 350 and AFS IFRS or Yes
were internally compiled IFRS for SMEs
At least 100 but less than 350 and AFS IFRS or No
were independently compiled IFRS for SMEs
Less than 100 and independently IFRS or No
compiled IFRS for SMEs
Less than 100 and internally compiled The financial reporting standard as No
determined by the company for as long as no
financial reporting standard is prescribed

• Wherever IFRS for SMEs is an option, the CC must meet the scoping requirements outlined in the
IFRS for SMEs.
• It appears that the Accounting Officer’s Report will be required to accompany all annual financial
statements, regardless of the financial reporting standard used or whether an audit was conducted.

2. Section 59 – Appointment of accounting officers


2.1 Every CC must appoint an accounting officer:
• the accounting officer must be a member of a recognised (relevant) professional body which has
been named in the Gazette, for example SAICA, ACCA, CIMA, SAIPA, CIS (s 60).
2.2 If the members wish to remove the accounting officer, he must be notified by the members in writing:
• if the accounting officer believes that he has been removed for improper reasons, he must notify
the Registrar and every member in writing.
2.3 A member or employee of the CC, and a firm whose partner or employee is a member or employee of
the corporation may be appointed accounting officer, but all members must consent in writing (s 60).
Chapter 3: Statutory matters 3/67

2.4 The accounting officer may be a person, a firm of auditors (APA), any other firm or CC, provided
each partner or member is qualified to be appointed.

3. Section 62 – Duties of the accounting officer


3.1 Section 61 provides the accounting officer with the right of access to the information needed to fulfil
his duties.
3.2 The accounting officer (which a CC must have, and who must be a member of an accredited body)
must:
Procedures
3.2.1 Determine whether the AFS are in agreement with the accounting records.
3.2.2 Review the appropriateness of the accounting policies used.
Report
3.2.3 Make a report in respect of the above.
3.2.4 Describe in his report any contraventions of the Act.
3.2.5 If applicable, state that he is a member or employee of the CC.
Commission
3.2.6 report to the CIPC if:
• the CC is no longer carrying on business
• any changes to information required by the founding statement have not been reported
• at the year-end the liabilities of the CC exceed its assets
• the financial statements incorrectly indicate that the assets of the corporation exceed its
liabilities.
Note (a): In terms of the Regulations, certain CCs will have to be audited. This will result in an audit
report which will carry considerably more weight than an accounting officer’s report. However,
there is nothing in the legislation which says the accounting officer’s report can be omitted
where the CC is audited.

Part VIII Liability of members and others for the debts of the CC
1. Section 63 – Joint liability for the debts of the corporation
This section must be read bearing in mind that it is designed to secure compliance with various provisions
of the Act by exposing members to joint and several liability with the corporation for the debts of the
corporation if they do not comply.
1.1 Abbreviation CC
If the name of the corporation is used in any way without the abbreviation CC or equivalent, any
member who is responsible for, or who authorised or knowingly permits the omission of the
abbreviation, will be jointly and severally liable to any person who enters into any transaction with
the corporation from which a debt accrues for the corporation while that person, as a result of the
omission of the CC or equivalent abbreviation, is unaware that he is dealing with a corporation.
1.2 Contribution payment outstanding
Where a member fails to pay over his contribution to the CC, he will be liable for every debt of the
corporation incurred from date of registration of the founding statement, to the date when the
contribution payment is actually made by the member.
1.3 Invalid member
Any juristic person or trustee of an inter vivos trust who purports to hold, directly or indirectly, a
member’s interest in contravention of section 29 – Requirements for membership, shall be liable for
every debt of the corporation incurred during the time the contravention continued (despite the
invalid membership).
1.4 Acquisition of members’ interest
Any payment made by a CC in respect of the acquisition of a member’s interest which does not have
the prior written consent of all members, or does not meet the solvency/liquidity requirements, will
3/68 Auditing Notes for South African Students

result in every member, including the member who received the payment, being liable for the debts of
the corporation incurred prior to making such payment (unless the member was unaware of the
payment or was aware but took all reasonable steps to prevent the payment), .
1.5 Financial assistance
Where the CC gives financial assistance for the acquisition of a member’s interest in contravention of
the Act, 1.4 shall apply.
1.6 Disqualified from management
Where any person who is disqualified from managing the company performs a management function,
that person shall be liable for every debt of the corporation which it incurs as a result of that member’s
participation in management.
1.7 Vacancy: Accounting officer
When the position of accounting officer has been vacant for a period of six months, any person who
was a member of the corporation during the period and at the end of it, and was aware of the
vacancy, is liable for every debt incurred by the corporation incurred during the six month period.
The member will also be liable for debts incurred after the six month period until the vacancy is filled.

2. Section 64 – Liability for reckless or fraudulent carrying on of business


2.1 The court may, on the application of:
• the Master
• any creditor, member or liquidator of the company
declare that any person who was knowingly a party to the carrying on of the business recklessly, with
gross negligence or with intent to defraud, shall be personally liable for all or any debts or liabilities as the
court deems fit.
2.2 If any business of a CC is carried on in the manner described in 2.1, every person who is knowingly a
party to the carrying on of the business in such manner will be guilty of an offence.

Part IX Winding up – nil

Part X Penalties and general – nil

3.6 Auditing Profession Amendment Act 5 of 2021


3.6.1 Introduction
This Act plays an important role in the lives of all registered auditors and trainee accountants. It is the Act
which created the Independent Regulatory Board for Auditors (IRBA), which has the responsibility of
controlling the auditing profession in South Africa. The APA was amended:
• to strengthen the governance of the Regulatory Board
• to strengthen the investigating and disciplinary processes
• to provide for the power to enter and search premises and to subpoena persons with the information
required for an investigation or disciplinary process
• to provide for the power to issue a warrant for purposes of entering and searching of premises
• to provide for processes to be followed after an investigation
• to provide for sanctions in the admission of guilt process and following a disciplinary hearing
• to provide for offences relating to investigation and disciplinary process
• to provide for the protection and sharing of information, to provide for transitional measures, and
• to provide for matters connected in addition to that.
The Auditing Profession Amendment Act 5 of 2021 became effective on 26 April 2021.The preamble to the
Act states that the Act is designed to:
• provide for the establishment of the Independent Regulatory Board for Auditors
• provide for the education, training and professional development of registered auditors
• provide for the accreditation of professional bodies
Chapter 3: Statutory matters 3/69

• provide for the registration of auditors, and


• regulate the conduct of registered auditors.

3.6.2 Structure of the Act


The Act consists of 60 sections which are broken down into seven Chapters. Many of the sections are not
important for academic study purposes:
Chapter 1 : Interpretation and Objects of the Act
Chapter II : Independent Regulatory Board for Auditors
Chapter III : Accreditation and Registration
Chapter IV : Conduct by and Liability of Registered Auditors
Chapter V : Accountability of Registered Auditors
Chapter VI : Offences
Chapter VII : General Matters

3.7 Summaries and notes


3.7.1 Chapter I: Interpretation and objects of the act (ss 1 and 2)
In essence, this chapter provides definitions of words used in the Act and states that the objects of the Act
are to:
• protect the public by regulating audits performed by registered auditors
• provide for the establishment of an Independent Regulatory Board for Auditors
• improve the development and maintenance of internationally comparable ethical standards and
auditing standards for auditors
• set out measures to advance the implementation of appropriate standards of competence and good
ethics in the auditing profession, and
• provide for procedures for disciplinary action in respect of improper conduct.

3.7.2 Chapter II: Independent regulatory board for auditors (ss 3 to 31)
This chapter is broken down into seven parts.
• Part 1 establishes the IRBA as a juristic person and orders that the IRBA must exercise its functions in
accordance with the APA and any other relevant law. It also states that the IRBA is subject to the
Constitution.
• Part 2 spells out the functions of the IRBA. The matters which are dealt with include accreditation and
registration, education, fees for being a member of IRBA, etc, promoting the integrity of the profession,
prescribe standards, etc.
• Part 3 gives the IRBA its general powers and its powers to make rules. General powers make it possible
for the IRBA to operate, for example, by giving it the power to appoint staff, enter into agreements,
acquire property, borrow money, etc. The power to make rules allows the IRBA to execute its
responsibilities in terms of the Act.
• Part 4 lays out the governance requirements of the Regulatory Board. These sections cover such matters
as appointment of members of the Regulatory Board, their terms of office, disqualification from
membership, meetings, the role of the Chief Executive Officer, etc., for example, the board must consist
of not less than six but not more than 10 non-executive members appointed by the Minister.
• Part 5 deals with committees of the Regulatory Board. Most significantly, it lays down the requirement
that at least the following permanent committees must be established:
Section 20 and 21 : committee for auditor ethics
Section 20 and 22 : committee for auditing standards
Section 20 : an education, training and professional development committee
Section 20 : an inspection committee
Section 20 and 24 : an investigating committee
Section 20 and 24 : a disciplinary committee
3/70 Auditing Notes for South African Students

• Part 6 deals with the funding and financial management of the Regulatory Board and covers the
collection of fees, an annual budget and strategic plan, and the preparation of financial statements.
• Part 7 deals with national government oversight and executive authority. This explains that the Minister
of Finance is the executive authority for the IRBA, and that the IRBA is accountable to the Minister.

3.7.3 Chapter III: Accreditation and registration (ss 32 to 40)


This chapter is broken down into two parts.
• Part 1 deals with the accreditation of professional bodies. For an individual to register with the IRBA,
he must satisfy the prescribed education, training, competency and professional development require-
ments. As IRBA is not in the business of supplying the above, its model is to “outsource” these activ-
ities to professional bodies, which it accredits. If an individual then satisfies the requirements of the
accredited professional body, he or she may apply for registration with the IRBA. The only accredited
professional body at present is SAICA.
• Part 2 deals with the registration of individuals and firms as registered auditors and contains the follow-
ing important sections:

1. Section 37 – Registration of individuals as registered auditors


1.1 This section states that an individual may be registered if he:
• has complied with the prescribed education, training and competency requirements
• is resident in the Republic
• is a fit and proper person to practice the profession.
Note (a): If the individual is not a member of an accredited professional body, he will have to satisfy the
IRBA that arrangements for his continuing professional development have been made. (Note:
An individual does not have to join SAICA to be registered with the IRBA.)
Note (b): On payment of the prescribed fee, the individual must be entered in the register and issued with
a certificate of registration.
Note (c): The Regulatory Board may not register an individual who:
• has at any time been removed from an office of trust because of misconduct related to carry-
ing out duties relating to that office
• has been convicted and sentenced to imprisonment without the option of a fine, or to a fine
exceeding a prescribed limit in the Republic or elsewhere, for fraud, theft, forgery, uttering
(putting into circulation) a forged document, perjury or an offence under the Prevention and
Combating of Corrupt Activities Act 12 of 2004 or any offence involving dishonesty, other
than an offence committed prior to 27 April 1994 associated with political objectives.
• is for the time being, of unsound mind or unable to manage his affairs
• is disqualified from registration under a sanction imposed by the APA, for example, for a
disciplinary matter.
Note (d): The Regulatory Board may decline to register an individual who:
• is an unrehabilitated insolvent
• has entered into a compromise with creditors, or
• has been provisionally sequestrated.

2. Section 38 –Registration of firms as registered auditors


The only firms that may be registered are:
2.1 partnerships of which all the partners are individuals who are themselves registered auditors
2.2 sole proprietors where the proprietor is a registered auditor
2.3 companies that comply with the following:
(i) The company must be incorporated and registered in terms of the Companies Act:
• with a share capital, and
• its MOI must provide that its directors and past directors shall be jointly and severally liable
with the company for its debts and liabilities contracted during their periods of office.
Chapter 3: Statutory matters 3/71

(ii) Only individuals who are registered auditors may be shareholders. (If the company is a private
company, its membership is not limited to 50).
(iii) Every shareholder must be a director and every director must be a shareholder.
(iv) The MOI of the company provides that the company may, without the confirmation of the
Court, purchase any shares held in it and allot those shares per the company’s MOI.
(v) Only a shareholder may act as a proxy for another shareholder, in other words, no outsiders
may attend, speak or vote at any company meeting. This must be stipulated in the MOI.
Note (a): An accounting company is required to comply with all sections of the Companies Act, for
example, produce AFS, hold meetings, etc.
Note (b): Section 38 ensures that registration with the IRBA is restricted to auditors, regardless of the form
the firm takes. Registration requirements are strict. For example, an auditor and a lawyer cannot
form a partnership and apply to be a firm of registered auditors. Likewise, a firm that wishes to
constitute itself as a company cannot include lawyers or others as shareholders or directors.
Many auditing firms (partnerships and companies) have lawyers, engineers, IT specialists on
their staff, but they cannot be partners or shareholders.
3.7.4 Chapter IV: Conduct by and liability of registered auditors (ss 41 to 46)
1. Section 41 – Practice
1.1 Only a registered auditor may engage in public practice.
1.2 A person who is not registered in terms of the APA, may not:
• perform any audit (see notes (a), (c) and (e))
• pretend to be, or hold out to be, registered in terms of the APA (note (b))
• use the name of any registered auditor (see note (d))
• perform any act to lead persons to believe that he is registered in terms of the APA.
Remember: the term “audit” is defined as meaning an examination, in accordance with applicable
auditing standards, of:
(i) financial statements, with the objective of expressing an opinion as to their fairness in terms of
an identified reporting framework, or
(ii) financial and other information, prepared in accordance with suitable criteria with the objective
of expressing an opinion on the financial and other information.
Note (a): This section does not prohibit a non-registered individual from performing an audit under a
registered auditor’s direction, control and supervision, for example, an employee in an auditing
firm.
Note (b): An individual or firm may not use the descriptions “registered auditor”, “public accountant”,
“registered accountant and auditor”, “accountant in public practice” or any other designation
likely to create the impression of being a registered auditor in public practice unless they are
registered with the IRBA. Remember, this is a prohibition created by law; it is similar to the
medical profession, you cannot call yourself a medical doctor if you are not registered as such
with the Health Professions Council of South Africa.
Note (c): The section does not prohibit:
• any person from using the description “internal auditor” or accountant. Any person can offer account-
ing services (not auditing) to the public and call themselves a “financial advisor” or a “management
accountant”, etc.
• any member of a not-for-profit club or similar entity, from acting as auditor for that club or entity,
provided he receives no fee or other considerations for the audit
• the Auditor-General from appointing any person who is not a registered auditor, to carry out on his
behalf, any audit in terms of the Public Audit Act 25 of 2004.
Note (d): For example, Joe Janks is a registered auditor practicing under the name of “J Janks Registered
Auditor and Accountant”. He retires and sells his practice to Paul Paris who is a very competent
accountant but not eligible to register with the IRBA. Paul Paris would not be allowed to retain
the name of the firm as “J Janks Registered Auditor and Accountant” and would not be able to
retain the firm’s audit clients.
3/72 Auditing Notes for South African Students

Note (e): Except with the consent of the IRBA, a registered auditor may not knowingly employ
• any person (formerly registered but) no longer registered as a result of the termination or
cancellation of registration, or
• any person who was declined registration on the grounds of having been removed from an
office of trust, convicted and sentenced for fraud, theft, etc., as laid out in section 37, note (c).
Note (f): Section 41(6) states that a registered auditor may not
• practice under a firm name unless every letterhead bears the firm name, the first name (or
initials) and surname of the registered auditor, the names of the managing or active partners
in the case of a partnership, or in the case of a company, the present first names, or initials,
and surnames of the directors.
• sign any account, statement, report or other documents which purports to represent an audit
unless the audit was performed by, or under the supervision of that auditor (or a co-partner
or co-director) in accordance with prescribed auditing standards (see note (a))
• perform audits unless adequate risk management practices and procedures are in place
• engage in public practice during any period in respect of which the registered auditor has
been disqualified from registration
• share any profit derived from performing an audit with a person that is not a registered
auditor.

2. Section 44 – Duties in relation to an audit


2.1 In terms of section 44 (1), where a firm accepts the appointment to perform an audit, it must imme-
diately decide which individual registered auditor within the firm will be responsible and accountable
for the audit (see note (a)).
2.2 In terms of section 44(2) and (3), the registered auditor may not express an opinion, without qualifi-
cation, that the financial statements
• fairly present in all material respects, the financial position of the entity and the results of its oper-
ations and cash flow, and
• are properly prepared in all material respects in accordance with the basis of accounting and finan-
cial reporting framework as disclosed in the financial statements
unless
• the audit has been carried out free of restriction
• in compliance with applicable auditing pronouncements
• the registered auditor has satisfied himself of the existence of all assets and liabilities shown in the
financial statements (see note (b))
• proper accounting records have been kept in at least one of the official languages
• all information, vouchers and other documents which, in the registered auditor’s opinion, were
necessary for the proper performance of the auditor’s duty, have been obtained
• the registered auditor has not had to report a reportable irregularity to the Regulatory Board (see
note (c))
• the registered auditor has complied with all laws relating to that entity, and
• the registered auditor is satisfied as to the fairness of the financial statements.
Note (a): The name of the individual registered auditor responsible for the audit must be conveyed to the
client and made available to the Regulatory Board on request. This is an important section as it
isolates responsibility and provides the IRBA with an identified individual (as opposed to the
firm at large), against whom action can be taken in respect of certain offences.
Note (b): The word “existence” in this section is not used in the narrow sense of the existence assertion
only. It should be taken as meaning that the assets and liabilities shown in the financial state-
ments are fairly presented in all respects. Of course, to be in a position to satisfy this require-
ment, the auditor will test all assertions applicable to the asset and liability account balances,
including the disclosure assertions.
Note (c): Reportable irregularities are dealt with extensively in section 45.
Chapter 3: Statutory matters 3/73

2.3 In terms of section 44(4), (5) and (6), if a registered auditor was responsible for keeping the books,
records or accounts of an entity on which he is reporting on anything in connection with the business
or financial affairs of the entity, details of the dual roles undertaken must be included in the report.
Note (d): In terms of section 90 of the Companies Act, a person who, alone or with a partner or
employees, habitually or regularly performs the duties of accountant or bookkeeper or performs
related secretarial work may not be appointed auditor.
Note (e): The passing of closing entries, assisting with adjusting entries or framing financial statements or
other documents are not regarded as “being responsible for keeping the books, records or
accounts” (see s 44 (5)).
Note (f): A registered auditor who has or has had a conflict of interest (as prescribed by the IRBA) may
not conduct an audit of that entity.

3. Section 45 – Duty to report irregularities (see Appendix page 3/79)


This is a very important section as it places a significant responsibility on the registered auditor. The dis-
cussion which follows is based on the section itself and advice issued to registered auditors by the IRBA.
3.1 Section 1 – Definitions
In terms of the definition, a reportable irregularity (RI) means:
• any unlawful act or omission committed by
• any person responsible for the management of an entity which
• has caused or is likely to cause financial loss to the entity or to its partner, member, shareholder,
creditor or investor, or
• is fraudulent or amounts to theft, or
• represents a material breach of any financial duty owed by such person to the entity or any part-
ner, member, shareholder, creditor or investor of the entity under any law applying to the entity or
the conduct of management thereof.
3.2 Section 45(1) and (2) – Duty to report on irregularities
This section stipulates that the individual registered auditor (responsible and accountable for the
audit) who
• is satisfied or has reason to believe that
• an RI has taken or is taking place must
• without delay
• send a written report, giving particulars of the irregularity to the Regulatory Board and must
• within three days, notify the management board of the entity in writing, of the sending of the
report, and must provide the management board with a copy of the report.
3.3 Section 45(3) stipulates that the registered auditor must:
• as soon as reasonably possible, but within 30 days of the date on which the report was sent to the
Regulatory Board
• take all reasonable measures to discuss the report with the management board of the entity
• afford the management board the opportunity to make representations in respect of the report
• send another report to the Regulatory Board, including a statement by the registered auditor that
– no RI has taken place or is taking place (detailed information must support this option), or
– the suspected RI is no longer taking place and that adequate steps have been taken for the
prevention or recovery of any loss, or
– the RI is continuing.
3.4 Section 45(4) requires that should the Regulatory Board be informed that the RI is continuing, it must
notify any appropriate regulator “as soon as possible” in writing of the details of the RI and provide it
with a copy of the report.
3.5 Section 45(5) states that a registered auditor may carry out such investigation he deems necessary in
performing any duty in terms of section 45.
3/74 Auditing Notes for South African Students

3.6 Section 45(7) states that if an individual registered auditor has reported an irregularity to the
Regulatory Board in terms of subsection (1)–
• the individual registered auditor may not be removed; and
• the entity may not remove the registered auditor until subsection (3) is complied with.
On the face of this, it does not seem too difficult, but as with most legal matters, clarity is required on
several aspects. The following notes apply to the phrases or terms used in the definition and the section.
Note (a): Any unlawful act or omission
• An unlawful act will be
(i) an act which is contrary to any law passed by a government
(ii) an act which is contrary to regulation (e.g. regulations pertaining to pollution)
(iii) an act which is contrary to accepted common-law principles.
• The unlawful act may arise out of negligence or intentionally (negligence arises where the person ought
to have known that the act or omission committed was unlawful).
• Auditors are not legal experts but, in terms of ISA 250 Consideration of Laws and Regulations in an
Audit of Financial Statements, should be capable of recognising instances where non-compliance with
laws and regulations by the entity may materially affect fair presentation. The auditor is not required to
introduce additional audit procedures to detect unlawful acts.
Note (b): Committed by any person responsible for management of an entity
• To be an RI, the irregularity must have been committed by a person responsible for the management of
the entity.
• For a company, this can generally be interpreted as:
(i) the board of directors of a company and the holding company in group situations, and
(ii) any person who is a principal executive officer of the company, and
(iii) any person who exercises executive control.
• For other types of entity, it can generally be interpreted as the
(i) board of the entity, and
(ii) the individuals responsible for the management of the company, and
(iii) any person who exercises executive control.
• If an employee of an entity commits an unlawful act with the knowledge or direction of any person respon-
sible for management, the auditor would regard this as an unlawful act committed by management.
Note (c): Has caused or is likely to cause, material financial loss to the entity, or to any member, shareholder, creditor
or investor . . .
• If the unlawful act or omission is committed by any person responsible for management, which has
caused, or is likely to cause, loss to any of the above parties, it is reportable.
• If the act will not cause financial loss, it is not reportable in terms of this requirement but it may still be
reportable in terms of the other two conditions, namely, the act amounts to fraud/theft or is a breach of
fiduciary duty.
• Whether the loss is material is a matter of professional judgement; it does not relate to the materiality
levels set for the audit. The absolute and relative size of the loss is considered, for example a loss of
R1m as a result of an unlawful act is in absolute terms material, but in the context of a large listed
entity, it may be immaterial.
• If a benefit has been accrued from the unlawful act, it may not be set off against the “loss” incurred, for
example, a R1m bribe which results in a contract for the entity of R20m, cannot be ignored because the
entity is R19m “to the good” (see note (d) below).
Note (d): Is fraudulent or amounts to theft
• As indicated above, if the fraudulent act is theft or fraud but does not result in financial loss to the
entity, for example, a company submits and is paid out on a false insurance claim, the act is reportable as
it is fraud. (Note: The insurance company has in fact suffered loss.)
• Fraud is defined as “the unlawful and intentional making of a misrepresentation which causes actual or
potential prejudice to another”, for example, submitting a false insurance claim.
Chapter 3: Statutory matters 3/75

• Theft is the “unlawful taking of a thing which has value with the intention to deprive the lawful owner
or the lawful possessor of that thing”, for example, members of the management team sell inventory
belonging to the entity, falsify the inventory records, and keep the proceeds.
Note (e): Represents a material breach of any fiduciary duty owed by such person to the entity or any partner,
member, shareholder, creditor or investor of the entity, under any law applying to the entity or the conduct
or management thereof.
• A fiduciary duty can generally be defined as an obligation to act in the best interests of another party.
• A person generally comes into a fiduciary relationship when he controls the assets of another, or holds
the power to act. Fiduciaries are expected to be loyal and to act in good faith towards the person to
whom they owe the fiduciary duty and must not profit from their position as a fiduciary.
• Common examples of fiduciary relationships which the registered auditor will encounter are:
(i) a director in relation to his company
(ii) a member in relation to his CC
(iii) a partner in relation to his co-partners.
• The measurement of the materiality of the breach is again a matter of professional judgement and will
bear no relationship to audit materiality. Only inconsequential or trivial breaches should be regarded as
non-material.
• The key obligations in terms of the directors’ fiduciary duties owed to their company include:
(i) preventing a conflict of interest between themselves and the company
(ii) not exceeding the limitations of their powers (ultra vires)
(iii) considering the affairs of the company in a objective manner and in its best interests (unfettered
discretion)
(iv) exercising their powers for the purpose for which they were granted.
Note (f): Section 45(1) and (2) place a duty on the individual registered auditor to report the irregularity
• You will remember from section 44 that an individual registered auditor must be identified as responsible
and accountable for an audit; it is this individual who is required to report any RI.
• In order to report, the registered auditor does not need absolute or irrefutable proof that a reportable act
has taken place; he needs only to be “satisfied or have reason to believe”. If challenged, the auditor will
have to show that there were sufficient grounds to report the irregularity. It is important to note that
there is no legal protection for the registered auditor if he reports the irregularity without sufficient grounds to
do so.
• It is important to note that in respect of the RI, the registered auditor may consider information that
comes to his knowledge (or the knowledge of the firm) from any source. This will include knowledge
obtained from
(i) providing other services to an audit client, for example, a reportable fraud is picked up while
preparing a VAT return
(ii) providing services to another client, for example, at an audit of a client (company B), the auditor
learns that another audit client (company A) in the same industry is paying bribes to obtain con-
tracts
(iii) third parties, for example, press coverage of court cases, or articles about illegal importing in a
particular business sector such as sports footwear.
Obviously, the auditor would be expected to consider the reliability of the source of information.
• Using information from any source will not be regarded as a breach of the fundamental principles of
confidentiality as spelled out in the Code of Professional Conduct as it is a legal requirement that the
registered auditor “considers such information”.
Note (g): Reporting without delay
• From the point of “being satisfied or having reason to believe”, the auditor must report “without
delay.” This time period is not defined and should be interpreted as the period a “reasonable auditor”
would take to report.
3/76 Auditing Notes for South African Students

Note (h): In terms of the APA, a registered auditor only has an obligation to report RIs in respect of an audit client
(but see note (k) below (very important!))
• In terms of section 1 – “Definitions”, an audit means the examination of, in accordance with the applic-
able auditing standards:
(i) financial statements with the objective of expressing an opinion as to their fairness or compliance
with an identified framework and any applicable statutory requirements, or
(ii) financial and other information prepared in accordance with suitable criteria, with the objective of
expressing an opinion on that financial and other information.
• Take note that the auditor has a responsibility to report in respect of an audit client, not solely in respect
of the service rendered.
For example:
Green and Brown, a firm of registered auditors, is carrying out an “agreed-upon procedures” engagement
for Tacksi (Pty) Ltd (no opinion is given for this type of engagement). Green and Brown also perform the
annual audit of Tacksi (Pty) Ltd, and Bill Brown is the registered auditor responsible for the audit. During
the course of conducting the “agreed upon procedures engagement”, Gary Green, the individual
performing the engagement, suspects that a management fraud is taking place at Tacksi (Pty) Ltd. In terms
of Green and Brown’s appointment to perform agreed-upon procedures, this is not an RI, but as Tacksi
(Pty) Ltd is an audit client, Bill should be informed of the suspected management fraud and should consider
whether it is a reportable irregularity.
• It is also important to note that the definition of “audit” is not restricted to the audit of financial state-
ments.
• Where an individual registered auditor performs an audit on behalf of the Auditor-General, “reportable
irregularities” will be reported to the Auditor-General, not the IRBA. This is because the entity has not
appointed the auditor, i.e. the formal relationship is between the entity and the Auditor-General.
Note (i): Reasonable measures
• The registered auditor is required to take “reasonable measures” to discuss the report submitted to the
IRBA with the client. Most often, this should be a straightforward exercise as the client will want to
discuss it. If this is not the case, reasonable measures will be judged in terms of what a reasonable
auditor would do.
Note (j): Section 45(4) places a duty on the IRBA to notify any appropriate regulator in writing of the RI.
• The term “appropriate regulator”, is defined in section 1 and covers a wide range of parties, for
example, a national government department, commissioner, regulator, authority, agency, board
appointed to regulate, oversee or ensure compliance with any legislation, regulation or licence, rule,
directive, notice in terms of or in compliance with, any legislation as appears appropriate to the
Regulatory Board.
• Where the RI is a criminal act, the Regulatory Board is likely to inform the Director of Public
Prosecutions, who may, in turn, request the Commercial Branch of the SAPS to investigate the matter.
(i) If this occurs, the auditor should expect a visit from the Commercial Branch. As no legal privilege
between a practitioner and a practitioner’s client exists, and as the practitioner is not protected by
the Code of Professional Conduct in respect of confidentiality, the practitioner cannot legally
refuse to hand over documents to SAPS, provided the SAPS is acting within its powers. Legal
advice should be sought immediately.
Note (k): In terms of the Companies Act and the Companies Regulations 2011, all companies must
calculate their public interest score. This score, combined with other factors, identifies certain
companies which must subject their AFS to an independent review by a registered auditor
(chartered accountants or other categories of accountant may carry out certain reviews). As this
company is not an “audit client” section 45 of the APA will not apply, so an RI uncovered
during an independent review, will not be reportable to the IRBA in terms of the APA. However,
in terms of regulation 29, an independent reviewer (who will frequently be a registered auditor),
will be obliged to report an “RI” uncovered on a review engagement, but to the CIPC, not the
IRBA. Requirements and procedures are essentially the same and are described in chapter 3 of
this text.
Chapter 3: Statutory matters 3/77

4. Section 46 – Limitation of liability


• Section 46 relates to liability of the registered auditor in respect of an audit conducted in accordance
with the ISAs of financial statements with the objective of expressing an opinion as to their fairness in
relation to an identified financial reporting framework, for example IFRS.
• An auditor shall, in respect of any opinion expressed, or report or statement made:
(i) incur no liability to a client or third party
(ii) unless it is proved that such opinion, report or statement was made
(iii) maliciously, fraudulently or pursuant to the negligent performance of the auditor’s duties.
• Where it is proved that such opinion, report or statement was given pursuant to negligent performance,
the auditor will only be liable to third parties if it is proved that at the time of the negligent performance,
the registered auditor knew or could reasonably have been expected to know that:
(i) his client would use the opinion to induce a third party to act or refrain from acting, or that
(ii) the third party would rely on the opinion for the purpose of acting or refraining from acting in
some way.
Note (a): If after the opinion was given, the registered auditor represented to a third party that it was
correct, while at the same time he knew or could reasonably have been expected to know that
the third party would rely on the opinion, he will be liable if the third party suffers loss as a result
of the reliance on the negligently given opinion.
Note (b): The mere fact that a registered auditor performed the duties of auditor shall not in itself be proof
that he “could reasonably have been expected to know”. In other words, just because you are
the auditor does not mean that you are expected to know or be able to foresee who might rely on
the audit opinion and under what circumstances the reliance might occur.
Note (c): A registered auditor’s liability hinges on negligent performance by the auditor. As can be seen in
section 46(2), the auditor can incur no liability to client or third party, unless it is proved that the
opinion, report or statement was given maliciously (the vast majority of auditors do not act
maliciously) or fraudulently, pursuant to a negligent performance.
Note (d): A distinction must be drawn between liability to clients and liability to third parties.
An auditor’s liability to clients is based upon breach of contract or delict, in other words, the
client could sue the auditor for financial loss on the grounds that the auditor did not meet the
terms of the engagement (contract) or in delict on the grounds that the auditor did not meet his
“duty of care”.
An auditor’s liability to third parties cannot be based upon breach of contract as there is normally
no contract between the auditor and the third party, in other words, the auditor “contracts” with
his client, not with the parties who may use the audited financial statements. The third party will
therefore have to bring a delictual action against the auditor and prove that:
• the auditor was negligent in expressing the opinion, or making his report or statement
• the third party relied upon the opinion, report or statement, and
• suffered loss as a result of the reliance, and
• that the auditor knew or reasonably could have been expected to know (at the time the
negligence occurred) that
• the third party would rely on the opinion, report or statement.
Note (e): The most important consideration is how is negligence proved? The basis of the answer is provided
by the following:
A court of law, when considering the adequacy of the work of an auditor, is likely to seek confirmation that in
the performance of his or her work, the auditor has in all material respects, complied with the statements on
auditing standards. In the event of significant deviation from the guidance on specific matters contained in the
statements on auditing standards, the auditor may be required to demonstrate that such deviation did not result
in failure to achieve the generally accepted auditing standards.
3/78 Auditing Notes for South African Students

The auditing statements in effect provide the standards to which the registered auditor must
adhere in the performance of his function. It stands to reason, therefore, that if the performance
of the auditor is to be judged, it will be judged against the standards which the profession itself
has set.

The impact of RIs on the audit opinion


1. An RI may or may not have an effect on fair presentation of the financial statements.
• If the RI does affect fair presentation, then the auditor must qualify the report in accordance with ISA
705, Modifications to the opinion in the Independent Auditor’s Report.
• If the RI does not affect fair presentation (but nevertheless exists), the audit report must be modified
by the inclusion of an additional paragraph in the audit report. This paragraph would be headed
“Report on Other Legal and Regulatory Requirements” and is similar to an emphasis of matter
paragraph. Note that even where the RI existed but has been rectified/resolved, it cannot be ignored
for audit reporting purposes. Refer to chapter 18, The Audit Report, for further discussion.
• If a matter which the auditor reported to the IRBA as an RI turns out not to be an RI, then no
mention of the matter should be made in the audit report.

Consequences for the individual registered auditor for failing to report an RI


1. These can be severe. In the first instance, the individual registered auditor may face investigation and
disciplinary action by the IRBA in terms of sections 48, 49 and 50. This would amount to an investi-
gation into improper conduct and could result in the punishments described in Chapter V section 51.
See below.
2. In addition, the individual registered auditor, or the firm, may face a civil claim for damages brought by
aggrieved parties, for example, someone who suffered loss due to the auditor failing to report the
irregularity.
3. In terms of section 52, which deals with the failure to report an RI, a registered auditor may face
criminal charges which could result in a jail term not exceeding ten years, and/or a fine. Criminal
charges are complicated but simplistically stated – if a registered auditor is satisfied that an RI exists, but
intentionally/deliberately does not pursue it, he may face criminal charges.

3.7.5 Chapter V: Accountability of registered auditors (ss 47 to 51)


This chapter gives the IRBA the powers to inspect or review the practice of a registered auditor (s 47),
investigate a charge of improper conduct against a registered auditor (s 48), to enter and search premises
(s 48A), issue warrants (s 48B), processes following investigation (s 49), and proceed with a formal
disciplinary hearing (s 50). It also lays down sanctions in admission of guilt processes (s 51). The punish-
ments are:
• a caution or reprimand
• a fine
• suspension of the right to practice for a specified period, or
• cancellation of the registered auditor’s registration, and his removal from the register
• a combination of the above.

3.7.6 Chapter VI: Offences (s 52)


1. Section 52 – Reportable irregularities and false statements in connection with audits
This section, the only section in Chapter VI, states that a registered auditor who
• fails to report an RI, or
• knowingly or recklessly expresses an opinion or makes a report or other statement which is false in a
material respect, shall be guilty of an offence.
Note (a): A registered auditor convicted in a court of law under this section is liable to a fine or imprison-
ment of up to 10 years, or both.
Note (b): For a criminal conviction to be obtained against a registered auditor for failing to report an RI,
he must have intentionally/deliberately not reported it.
Chapter 3: Statutory matters 3/79

3.7.7 Chapter VII: General matters (ss 55 to 60)


This chapter consists of six sections, none of which are particularly pertinent to academic study. The chap-
ter deals with the powers of the Minister of Finance (s 55), Indemnity (s 56), Administrative matters (s 57),
Protection of information (s 57A), Repeal and amendment of laws (s 58), and Transitional matters (s 59).
This section facilitated the transition of the former Public Accountants’ and Auditors’ Board to the
Independent Regulatory Board for Auditors (IRBA). The final section states that the name of the Act will
be the “Auditing Profession Amendment Act, 2021”.

Appendix – Is it a reportable irregularity (RI)? – 10 questions


1 Is (was) the act committed by a person(s) responsible Yes Proceed to question 2
for management of the entity?
No No RI exists – nothing further to be done

2 Is the act an unlawful act or omission? Yes Proceed to question 3

No No RI exists – nothing further to be done


3 Does the act result in material financial loss? Yes Yes to Q1, Q2, Q3 means that an RI exists
No Consider question 4
4 Is the act fraud or theft? Yes Proceed. Yes to Q1, Q2 and Q4 means that an RI
exists
No Consider question 5
5 Is the act a material breach of fiduciary duty? Yes Proceed. Yes to Q1, Q2 and Q5 means that an RI
exists.
No No RI exists if the answers
to Q3, Q4 and Q5 are also No
6 Must the matter be reported to the IRBA? Yes If the answer to Q1, Q2 and any of Q3, Q4,
or Q5 is yes

7 When must the first report be made to the IRBA? “Without delay” from when the auditor is
satisfied or has reason to believe that an RI has
taken place
When must management be notified of the report? Within 3 days of the auditor making the
first report to the IRBA
9 What must the auditor do next? Take all reasonable steps to discuss the report
with management and having done so must make
a second report to IRBA which states that
no RI has or is taking place
or
the suspected RI is no longer taking place and
that adequate steps have been taken for the
prevention or recovery of any loss
or
that the RI is continuing
10 Is there a time limit on this second report? Yes As soon as reasonably possible, but no later than
30 days from the date of the firstt report to the
IRBA.
CHAPTER

4
Corporate governance

CONTENTS
Page

4.1 Section 1 – Background, fundamental concepts, application and disclosure ....................... 4/2
4.1.1 Introduction ........................................................................................................... 4/2
4.1.2 Brief background to corporate governance in South Africa ....................................... 4/2
4.1.3 Application regimes for codes of corporate governance ............................................ 4/3
4.1.4 The King IV Report on corporate governance for South Africa ................................. 4/4
4.1.5 King IV and the International Integrated Reporting Council (IIRC) .......................... 4/12
4.1.6 Application and disclosure ...................................................................................... 4/14

4.2 Section 2 – King IV code of corporate governance .............................................................. 4/16


4.2.1 Leadership, ethics and responsible corporate citizenship ........................................... 4/16
4.2.2 Strategy, performance and reporting ........................................................................ 4/21
4.2.3 Governing structures and delegation ........................................................................ 4/23
4.2.4 Governance functional areas ................................................................................... 4/35
4.2.5 Appendix I – The 17 principles and summary of recommended principles ................. 4/54

4/1
4/2 Auditing Notes for South African Students

4.1 Section 1 – Background, fundamental concepts, application and disclosure


4.1.1 Introduction
Anyone who follows the news, whether on the television, radio or internet, will be familiar with the term
“corporate governance”, and unfortunately, it will be news associated with a lack of good corporate
governance. Tender fraud, lack of service delivery, environmental damage, directors of companies paying
themselves exorbitant salaries, unfair labour practices, monopolistic trade practices, and price rigging seem
to be constantly in the news. All of these, individually and collectively, represent poor corporate
governance. Although we may think of “good corporate governance” as being specifically a requirement
for large companies that is not the case; good corporate governance should be an integral part of running
any business or enterprise. Clearly, how good corporate governance is achieved in businesses or enterprises
of different sizes, resources, objectives and complexity will differ, and good corporate governance is not a
“one size fits all” situation. Whilst the focus of this chapter will be on corporate governance in larger
companies, do not forget that the principles and governance outcomes discussed extensively in this chapter
apply to government departments, municipalities and other state or provincial enterprises, non-government
organisations (NGOs) and SMEs, etc.
As indicated above, this chapter will focus on good corporate governance in companies. Companies are
an integral part of modern society and we are all linked in numerous ways to companies. Companies
produce the goods we purchase, many people are employed by companies and we invest in companies,
whether through direct shareholdings, pension funds or unit trusts. Companies often support our leisure
activities through advertising and sponsorship, and many public facilities are paid for by the taxes which
companies contribute to the government. It follows, therefore, that healthy, honest, open, competently and
responsibly controlled companies will improve the quality of modern society.
Informally, we might say that corporate governance is the system or process whereby companies (and
other organisations) are directed or controlled. It is about companies being good corporate citizens, which,
in effect, recognises that a company has rights and obligations and responsibilities to society.
A more formal definition of corporate governance is provided by the King IV Report on Corporate
Governance for South Africa 2016, as follows:
Corporate governance is defined as the exercise of ethical and effective leadership by the governing body towards the
achievement of the following governance outcomes:
• ethical culture
• good performance
• effective control
• legitimacy.

4.1.2 Brief background to corporate governance in South Africa


1. The King Report 1994
Whilst many companies have embraced good corporate governance for many years, it was only in 1994
that the first King Report on Corporate Governance was issued. This Report “formalised” an approach to
corporate governance by recommending that a Code of Corporate Practices and Conduct be adopted by
“big business”. The JSE made it a requirement for all companies listed on the exchange to include a
statement by the directors on their compliance with the Code in their annual financial statements.
It would be a gross exaggeration to state that the King Report had a dramatic effect on business ethics
and morality in South Africa or that companies suddenly embraced the principles of openness, integrity and
accountability as advocated in the Report. This is clearly evidenced by the number of high-profile financial
scandals, corporate failures and dishonest conduct by company directors that have been blazoned across
the financial and popular press. At the same time, however, it must be acknowledged that the King Report
started to get “things rolling” – to bring a level of consciousness to the general public and the financial
world that companies have an accountability and responsibility to a broader front, not simply their share-
holders. Indeed, without the King Report, many of the scandals, referred to above may not have received
the coverage they did!

2. The King Report 2002


The 1994 King Report was followed by the 2002 King Report (frequently referred to as King II). A commit-
tee was constituted under the chairmanship of Mervyn King S.C. to primarily “review the King Report
Chapter 4: Corporate governance 4/3

1994 and to assess its currency against developments, locally and internationally, since its publication in
1994” and to “consider and recommend reporting on issues associated with social and ethical accounting,
auditing and reporting on safety, health and environment”. The committee also sought to recommend how
the success of a company’s compliance with a new Code of Corporate Governance could be measured.
The King Committee consisted of representatives from all major interest groups, including the internal
and external audit professions. The report was issued in March 2002. The product of the 2002 King Report
was the Code of Corporate Practices and Conduct. This was a set of principles/recommendations, not a
prescriptive set of instructions or an Act. It did not in any way supersede laws and regulations on
companies or business in general and did not lay down a set of “punishments” for breaches of the Code. As
with King I, the JSE required compliance with the recommendations of King II by listed companies.

3. Developments in legislation between King II (2002) and King III (2009)


During the period between King II (2002) and King III (2009), the new Auditing Profession Act 2005 and
The Corporate Laws Amendment Act 2006 were promulgated. Both of these Acts contained sections
designed to strengthen and support good corporate governance.
These Acts were both part of the larger “corporate reform” initiative, culminating in the promulgation of
the Companies Act 2008. This Act places significant emphasis on corporate governance.

4. King III Code of Governance Principles


Like most legislation, regulations and recommendations, corporate governance codes are not static, and
2009 saw the publication of King III. Many of the ideas, principles and characteristics of good governance
developed in King I and II were incorporated and developed in King III, and some new ideas were intro-
duced. Importantly, King III included a discussion on the various bases/regimes that can be adopted for
governance compliance. Knowledge of the different bases/regimes will provide you with a better under-
standing of the thinking behind governance codes, their adoption and application by organisations.

4.1.3 Application regimes for codes of corporate governance


1. The basis of a code
1.1 The basis of any “code” on corporate governance can be legislated (a set of rules), or voluntary
(principles and practices) or a combination of both. Essentially, the legislated basis is the “big stick”
approach that lays down rules to which organisations and related individuals (companies, directors,
etc.) must adhere, and punishments that will be meted out if the rules are broken. The voluntary
approach presents organisations with a set of principles and best practices to get organisations to
voluntarily adopt these principles and best practices because it is the best way to go for the company
and society, in other words, positive governance outcomes are created. A combination of the two is
possible. Some matters of governance are, however, legislated, for example public companies must be
externally audited and must have audit committees, and other matters are expressed in principle, for
example the board must show leadership and the company should be a good corporate citizen.
1.2 Following on from this, King III identified two application regimes: “comply or else” or “comply or
explain”, and described a variation of the latter, namely, “apply or explain”.
• “Comply or else” conveys that organisations must adhere to the rules and if they do not, they will be
punished.
• “Comply or explain” conveys that the principles and practices recommended by the code must focus
on the organisation’s corporate governance. However, if the directors consider that compliance
with a particular recommendation is not in the company’s best interests, then the directors are at
liberty not to comply but must explain the reason behind their decision.
• “Apply or explain” as indicated above, is simply a variation of the “comply or explain” basis. In the
opinion of the King III committee (and other similar international bodies), the word “comply” is
too strong and inflexible. Using the word “apply” suggests a more accommodating, non-prescrip-
tive approach. Thus King III was founded on the “apply or explain” basis.
4/4 Auditing Notes for South African Students

1.3 The King IV Report has introduced a further variation, namely “apply and explain” which is explained
on page 4/16.
As far as possible, King IV has been drafted in a non-prescriptive format, and an apply and explain (as
opposed to apply or explain) application regime has been adopted. In effect, King IV assumes the
voluntary application of the Code’s principles and recommended practices and requires an
explanation of how the organisation is doing in achieving the principles laid out in the Code.

4.1.4 The KING IV Report on corporate governance for South Africa


1. Introduction
Essentially, King IV was introduced to keep South Africa abreast with local and international develop-
ments in international corporate governance since King III was issued, and, as with the three previous King
Reports, to guide organisations that are relevant to the current world economic, environmental and social
situation. The drafting of King IV took place while organisations were having to contend with an
increasingly dynamic and demanding external environment. In this environment, good corporate govern-
ance is essential if an organisation achieves prosperity for itself and the broader society.
In the foreword to the King IV Report, the King committee points out that the 21st century has been
characterised by fundamental changes in both business and society and that new global realities are
severely testing the leadership of companies and other organisations. These realities include:
• A growing societal inequality: The growing divide between the “haves” and the “have nots” concerning
resources, access to education and opportunity, healthcare and living conditions, all of which give rise
to growing social tension.
• Climate change: Floods, drought and rising temperatures appear to be more intense and are causing
more damage. Industries are threatened; for example, fishing and agriculture, placing food security at
risk. The atmosphere contains significantly more CO2 and other greenhouse gases now than it did
before the Industrial Revolution. The atmosphere and oceans are warmer, the planet’s ice cover is vastly
reduced, and severe weather is more common today than it was in the past
• Over-consumption of natural resources: Natural assets are being consumed at a greater rate than nature
can reproduce, to satisfy the demands of growing populations. This is not sustainable.
• Geological tensions: Increasing wars, terrorism and civil unrest are contributing to global tension.
• Stakeholder expectations and transparency: The ever-present social media platforms mean that companies
(and other organisations) can no longer conceal their actions and secrets. Stakeholders express their
expectations and frustrations instantly and widely. A company’s reputation can be significantly
damaged, justifiably or unjustifiably, in a very short period of time.
• Rapid advancements in technology: Advances in robotics, artificial intelligence, nanotechnology, just to
name a few, are transforming businesses. The proliferation of applications (apps) and their ease of use
in a widely connected society have placed traditional business models and ways of doing business under
serious pressure. Businesses that do not adapt will not survive.
• Less stable financial systems: The interlinking and inter-dependence of the world’s financial markets
means that financial crises arising within a single large economy will have far-reaching adverse effects
on numerous other lesser economies and the global economy.
• Increased corruption: Corruption and other unethical practices undermine confidence in the business
world and discourage investment in companies that engage in such practices.
The question is, what do these changes have to do with corporate governance? The simple answer is that
all of these changes present companies with significant risks that will directly threaten the company's
sustainability if not appropriately responded to. This, in turn, places a critical responsibility on boards of
directors to lead effectively and ethically. To counter the negative aspects of this global reality, companies
must be governed by competent ethical individuals operating within appropriate structures. Risks must be
recognised and managed in whatever form they come. Businesses need to acknowledge that companies are
an integral part of society and must be governed with economic, societal, and environmental sustainability.
Corporate governance is about leadership, and corporate governance codes are about defining principles
and recommending the best practice to obtain outcomes that will deal with this new global reality.
Chapter 4: Corporate governance 4/5

2. Structure
The following paragraphs indicate how the King IV Report is structured and provide a brief explanation of
how the matters raised in each part of the Report have been dealt with in this chapter. The approach
adopted in this chapter is to include all pertinent information from the King IV Report (without
unnecessary duplication) in a manner that is “easy to work with” in gaining an understanding of the topic.
Additional information other than that contained in the King IV Report has been included in this chapter.
Students should make use of the Report itself when working with this chapter.
This chapter has been presented in two sections:
Section 1 – Background, Fundamental Concepts, Application and Disclosure.
Section 2 – The King IV Code on Corporate Governance.
• Foreword. The report contains a foreword that discusses several issues pertinent to the topic. These
issues have been covered where necessary in this chapter in this chapter in section 1.
• Part 1: Glossary of Terms. The glossary has not been included in this chapter. When it is necessary to
clarify a word or a phrase in the text, its meaning has been reproduced.
• Part 2: Fundamental concepts. Explanations of the fundamental concepts have been included with, in
some cases, additional information in this chapter in section 1, or where it is desirable, as an addition to
the explanation of a principle in section 2.
• Part 3: King IV application and disclosure. The matters dealt with in this part of the King IV Report have
been included in this chapter in section 1.
• Part 4: King IV on a page. This diagrammatical summary has not been reproduced. A complete list of
the 17 principles and a summary of the recommended practices for each principle cover has been
included as an Appendix at the end of section 2.
• Part 5: King IV Code on Corporate Governance. This part of the King IV Report deals with each of the
principles and lists the recommended practices that should be implemented to achieve the desired
governance outcomes. This part of the King IV Report has been comprehensively covered in this
chapter, in section 2. Additional information has been included.
• Part 6: Section supplements. This part contains supplements intended to demonstrate how the Code
should be interpreted in the context of certain identified organisations, such as municipalities, non-
profit organisations, retirement funds, SMEs, and state-owned enterprises (SOEs). Essentially, the prin-
ciples remain the same, but the relevance and application of the recommended practices will vary, in
other words, an SME is unlikely to have an audit committee (or any other board committee for that
matter), or to appoint non-executive directors. This part has not been covered any further in this
chapter.
• Part 7: Content development process and King Committee. This part deals with the process of “putting
King IV together” and lists the individuals who did so. It has not been reproduced in this chapter.

3. Objectives of King IV (in the context of a company)


3.1 Promote responsible corporate governance as integral to running the company and delivering govern-
ance outcomes such as:
• an ethical culture
• good performance (see note (a))
• effective control
• legitimacy.
3.2 Broaden (increase) the acceptance of the King IV Report by making it accessible and fit for implemen-
tation across a variety of sectors and organisational types (see note (b)).
3.3 Reinforce corporate governance as a holistic and interrelated set of arrangements to be understood
and implemented in an integrated manner (see note (c)).
3.4 Encourage transparent and meaningful reporting to stakeholders.
3.5 Present corporate governance as concerned with structure, process, ethical consciousness and
behaviour (see note (d)).
Note (a): In terms of the King IV Report’s glossary, performance is the result, negative or positive, of the
company’s value creation process. Good performance is the organisation achieving its strategic
objectives and positive outcomes in terms of its effects on the capitals it uses, and affects
4/6 Auditing Notes for South African Students

the triple context in which it operates. The value creation process is the process that results in
increases, decreases or transformations of the capitals caused by the company’s business activ-
ities and outputs.
Note (b): There is a popular misconception that “corporate governance” is a concept which applies only
to large companies. It is undoubtedly true that small and medium-sized companies will not have
the resources or the need to implement “good corporate governance” in the same manner or
method as a large company.
For example, medium and smaller companies do not usually have audit committees, risk com-
mittees or numerous non-executive directors, but there is no reason that these companies cannot
aspire to and achieve the highest levels of good corporate governance based on the principles
and practices recommended by King IV. Such concepts as ethical leadership and responsible
corporate citizenship are not unique to large companies; they are for all corporate entities.
The essence of King IV is that the principles and intended governance outcomes apply to all
organisations, but the recommended practices can be applied to suit the circumstances of the
specific organisation. King IV introduces proportionality, which it describes as the “appropriate
application and adaption of practices”. This means that the recommended practices are meant to
be applied proportionally, taking into account:
• the size of turnover and workforce
• resources (the organisation has available to apply the practices)
• the complexity of the organisation’s strategic objectives and operations.
Note (c): The point made in 3.3 above is that good corporate governance is not some stand-alone concept
that has a life of its own. Instead it is something that permeates all aspects of the company. This
holistic approach is an essential requirement for achieving good governance. It requires what is
termed integrated thinking, which means that when the board and management make business
decisions, they do so in the context of the company being an integral part of society, its role as a
corporate citizen, its stakeholder relationships and its economic, environmental and societal
sustainability.
Note (d): The point made in point 3.5 above is that good corporate governance is not only about putting
in place the right structures and processes. For example, while having a properly constituted
board and clear lines of authority and reporting, along with detailed procedure manuals are
essential, requirements of good corporate governance must be implemented and applied
throughout the company in an environment that promotes ethical behaviour.

4. The board’s primary governance role and responsibilities


In broad terms, King IV expresses the role and responsibilities of the board as follows:

This means that in the context of corporate governance, the board assumes responsibility for:
4.1 Providing the direction for how each governance area (e.g. ethics, risk, remuneration, assurance)
should be approached, address and conducted (strategy).
Chapter 4: Corporate governance 4/7

4.2 Formulating policy in frameworks, codes, standards and plans to articulate and put the strategy into
place.
4.3 Overseeing and monitoring the policy’s implementation and execution and the plan in terms of
recommended practices.
4.4 Ensuring accountability for the performance in each of these governance areas through reporting and
disclosure.
Recommended practices in the King IV Code are organised following the sequence of responsibilities (4.1–
4.4 above).

5. The foundation stones of King IV


In the foreword to the King IV Report, the committee states that certain concepts form the foundation
stones of King IV. These concepts are addressed in 5.1 to 5.7 below and are important for your under-
standing of the King IV Code itself and the broader topic of corporate governance. Equally, these fun-
damental concepts could be referred to as the “philosophical underpinnings” of corporate governance.

5.1 Ethical leadership


Good corporate governance is about ethical and effective leadership
5.1.1 Ethical leadership is an embodiment of the ethical values of:
• Responsibility – those that will lead the company, for example the board, must assume respon-
sibility for the running of the company, that is, assume the duties of setting strategy, approve the
policy, oversee and monitor management and ensure accountability. The board may delegate
duties to management, but it remains accountable for ensuring that the duty is appropriately
carried out.
• Accountability – those that are responsible must be held accountable. For example, the board
should be held accountable by the company’s stakeholders for its decisions and actions.
Accountability cannot be delegated or abdicated. Note that the board should be accountable to
all stakeholders, not only the shareholders.
• Fairness – the board should ensure that it balances its decisions, and the legitimate and
reasonable needs, interests, and expectations of the company’s material stakeholders with the
company’s best interests. Equitable and responsible treatment for all should be the manifestation
of fairness.
• Transparency – in the context of ethical leadership, this means that the board conducts and
accounts for its decision-making and business activities in an open, unambiguous and truthful
manner (as opposed to being underhand and secretive).
• Integrity – in the context of corporate governance, this requires that individuals, for example,
directors, are capable of thinking and acting objectively, and that they are not swayed by
pressure from others to act contrary to how they believe they should act. Directors should
exercise objective, unfettered judgement.
• Competence – a director should have the ability, knowledge and skills to fulfil his (or her)
obligations and responsibilities.
5.1.2 Effective leadership
This is about achieving strategic objects and positive outcomes ethically, by embracing ethical
leadership. Effective leadership is goal orientated and ethical. If corruption is the foundation on which
the company’s success is built, that success cannot be regarded as a result of effective leadership. It
may be effective in generating massive profits for the shareholders and the perpetrators, but in the
long run, corruption eats away at the fabric of society and is not a sustainable manner of conducting
business in the medium or long term.
Note (a): All of the above characteristics are reflected in a director’s legal duty to:
• act with due care, skill and diligence
• maintain a fiduciary relationship to act in good faith in the best interests of the company.
Note (b): Ethics, values and culture. We all have a general understanding of the words “ethics” and
“values” and phrases such as “ethical behaviour”, “ethical culture”, and “professional ethics”.
Simplistically, we can say that ethics amounts to sets of principles or rules of conduct which
4/8 Auditing Notes for South African Students

guide how society and its different components (such as companies behave in that society. It is
certainly true that different religions, races, cultures and backgrounds see ethical issues from a
different perspective and may have different ideas about the meaning of ethical culture and
ethical behaviour. However, there is little doubt that the vast majority of people support a
society that is honest and truthful, rejects such social ills as fraud and corruption, and desires
societal behaviour that engenders trust and integrity. As members of society, companies should
embrace these desires.
Note (c): In terms of King IV, “values” are the convictions and beliefs about:
• how a company and those who represent it should conduct themselves;
– how the company’s resources and stakeholders, both internal, for example, employees,
and external, for example, customers, should be treated
– what the core purposes and objectives of the company are, for example, maximising
profits for shareholders or putting the legitimate needs of greater society first
– how work duties should be performed, for example, delivering excellent service, rejecting
any form of corrupt practice.
Again in terms of King IV culture, in the context of a company, is the way the directors, manage-
ment and other staff relate to each other, their work and the outside world in comparison to
other companies.
Note (d): A company’s values are formalised and documented in mission statements and corporate codes
of conduct in their various forms. For example, employees may be given a code of behaviour,
whilst a potential supplier may be required to sign a code of trade practices or something similar.
Note (e): The governance of ethics refers to the role of the board in ensuring that how the company’s
values are expressed and implemented results in an ethical culture. For example, an ethical
culture is unlikely to be created by ramming rules and regulations down employee’s throats and
adopting an autocratic “big stick” approach. An ethical culture is achieved when the board sets
the example by behaving ethically, and management and other employees want to voluntarily
embrace the company’s values and make an effort to do so. The board, management and
employees must be aware that the “ethical way is the best way” for themselves, the company
and society to prosper. Likewise, they should realise that trust in a company’s integrity and
reputation is hard-earned but easily lost. The importance of managing and protecting the com-
pany’s ethical culture is paramount.

5.2 The company as an integral part of society


The societal context
A company operates in a “societal context”. The company affects and is affected by society. The company
has its society, which consists of internal and external stakeholders and is itself part of the broader society
in which it operates. Thus companies, their societies and greater society are strongly intertwined, and the
decisions they make and the actions they take individually will usually affect them collectively.
For example, the decision taken by a company to close a factory will directly affect the lives of all those
who lose their jobs and their families (its own society). The decision may also affect the broader society in
which the company operates; for instance, the municipality will receive less income from rates necessary to
provide services. Small businesses that were partially dependent on the factory may need to close (broader
society).
Companies are dependent on broader society to provide skills, customers, and an appropriate operating
environment. Companies provide goods and services and employment in return. They create wealth and
pay taxes which are used to develop society in a multitude of ways. As a logical consequence of this inter-
dependency, companies benefit by serving their own and the broader society.

5.3 Corporate citizenship


A corporate citizen
This fundamental concept is closely linked to 5.2 above and proposes that a company is a corporate citizen
by virtue of being an integral part of society. Thus, like any other citizen, the company has rights,
obligations and responsibilities to society and the natural environment on which society depends.
Chapter 4: Corporate governance 4/9

Note (f): Concerning rights, as a corporate citizen, a company has a right to a suitable operating infra-
structure, a functional legal and police system and an administrative infrastructure.
Note (g): Concerning its obligations and responsibilities to society, a company as a corporate citizen is
obliged among other things, to operate within the law, pay its taxes, consider the legitimate
needs of society, and respect the natural environment. The status of a company in society means
that it is accountable not only for financial performance or for isolated corporate social
initiatives but for outcomes in the economic, social and environmental context. It is unethical
for organisations to expect society and future generations to carry its operations’ economic,
social and environmental costs and burdens.

5.4 Sustainable development


A primary ethical and economic imperative
Sustainable development is regarded as development that meets the needs of the present without compro-
mising the ability of future generations to meet their needs. King III placed a fair amount of emphasis on
the importance of sustainability and the link between it and corporate governance – the essence is that a
poorly governed company is not sustainable. King IV proposes that achieving sustainable development is a
“primary ethical and economic imperative. Achieving sustainability is a fitting response to the fact that the
company is an integral part of society and its status as a corporate citizen”. In essence, boards of companies
have a moral/ethical duty to run their companies in a manner that promotes the sustainability of the
company. As pointed out before, companies that engage in large-scale corruption or ravage natural
resources and disregard such matters as the threat of pollution and global warming are not sustainable.
Strong ethical leadership is required to meet growing global challenges.
Note (h): The important aspects of sustainability
Although King III has been superseded by King IV, much of King III’s content remains relevant
and informative in understanding corporate governance. King III dealt with the important
aspects of sustainability as follows:
• Inclusivity of stakeholders – to achieve sustainability, all stakeholders’ legitimate interests and
expectations must be taken into account in decision-making and strategy. Stakeholders will
include employees, suppliers, the community in which the company operates, investors, and
customers, to name a few.
• Innovation, fairness and collaboration – these are key aspects in achieving sustainability. Inno-
vation provides new ways of achieving sustainability; fairness is vital because social injustice
is unsustainable, and collaboration (and co-operation) is required as companies cannot do it
on their own as they cannot operate in isolation. They are part of an integrated society.
• Social transformation – to achieve (move towards greater) sustainability, social transformation
must be part and parcel of a company’s performance. This will provide benefits for both the
company and society. However, it does not mean making a token gesture to a community
and then sitting back – it means developing an achievable long-term strategy to uplift that
community. Integrating sustainable development and social transformation will produce
greater opportunities, efficiencies and benefits for both the company and the broader society.
Note (i): None of the above should be interpreted to mean that companies should not be in business to
make profits – a company that does not make a profit is not sustainable – but there is much more
to running a company than just making a profit.
Note (j): King IV proposes that leadership (company boards) should make sustainable development
mainstream. In this context, strategy, risk, opportunity, performance and sustainable develop-
ment have become inseparable (alternatively, a company strategy that does not give due consid-
eration to sustainable development is of little real value to the economy, society and the natural
environment (i.e. the triple context).

5.5 Stakeholder inclusivity


The stakeholder inclusive approach
The approach adopted by King III and King IV concerning the execution of duties is that, in the context of
a company, the board must “take account of the legitimate and reasonable needs, interests and expec-
tations of all the company’s material stakeholders”. This approach further requires that decisions taken in
the execution of duties should be made in the “best interests of the company”. King IV goes on to
4/10 Auditing Notes for South African Students

explain that the “best interests of the company” should be interpreted “within the parameters of sustainable
development and being a responsible corporate citizen”. This basis of decision-making is termed the stake-
holder-inclusive approach, and in terms of this model, the best interests of the company are not necessarily equated
with the best interests of the shareholders. The interests of the shareholders do not automatically take precedence
over the interests of other stakeholders, that is, the interests of providers of financial capital are not
prioritised.
Note (k): The stakeholder-inclusive approach to decision-making supports the enhancements of the six
capitals and, therefore, sustainable development.
Note (l): At this point, you may be thinking that shareholders want their companies to consider the
interests of all stakeholders as this will promote sustainability and good corporate citizenship. It
seems so logical. However, bear in mind that many companies and shareholders are short-term
profit-driven. Boards are put under severe pressure to produce dividends for shareholders. Many
shareholders, including corporate shareholders such as “speculative” investment companies, are
not necessarily “long-term shareholders” but move their investments in and out of different
companies in an attempt to maximise their short-term profits and cash flow.

5.6 Integrated thinking


Holistic decision-making
The International Integrated Reporting Council described integrated thinking as the proactive con-
sideration by the company of the relationships between its various operating and functional units and the
capitals that the company uses or affects. According to King IV, integrated thinking considers the
connectivity and interdependencies between the range of factors that affect the company’s ability to create
value over time. The creation of value is the positive consequence of the company’s business activities and
there are many factors that need to be considered when making material decisions. The concept urges
companies not to consider these factors in isolation, but rather to think holistically in the context of the
company being an integral part of society, good corporate citizenship, sustainable development, the six
capitals concept and the stakeholder-inclusive approach. In essence, company boards need to think
carefully about the wider effect their decisions will have on their ability to create value (in respect of its
capitals) over time.

5.7 Integrated reporting


Primary reason
Reporting by a company in the context of corporate governance is considered a means for the board to
reflect its accountability for the company’s performance. Before the advent of “formalised” corporate
governance reporting requirements, the board’s major legal reporting duty was to report to the shareholders
on the financial performance of the company in the form of the annual financial statements. However, annual
financial statements provide only historical information of a financial nature. They do not reflect the
company’s reality.
For example, its strategy, the risks it faces, its position within society, its role as a corporate citizen and
its future sustainability, are all important to its stakeholders. This does not mean that the annual financial
statements are not important but rather that to be meaningful to all material stakeholders; corporate reporting
must demonstrate integrated thinking and provide a holistic account of organisational performance and
reflect the reality of the company in the triple context, that is, economic, social and environmental.
An integrated report should explain the company’s performance and should have sufficient information
on how the organisation has positively and negatively affected the economy, society and the environment.
The report should show what value the company has created (or not created), through the increase or
decrease of each of the six capitals. An integrated report should also look to the future, enabling stake-
holders to judge whether the company can sustain the delivery of value.

The Report itself


Over the past number of years (arising from King III), companies have issued “sustainability reports” in
addition to, or in combination with, annual financial statements, and listed companies, among other
things, are required to issue a social and ethics committee report in terms of the Companies Act 2008.
However, it is now considered that all these reports are inadequate if they are not integrated because they
do not show how the company’s capitals are interconnected and interdependent. The latest thinking
Chapter 4: Corporate governance 4/11

requires that a report which is a “concise communication about how an organisation’s strategy, governance
performance and prospects, in the context of its external environment, lead to the creation of value over the
short, medium and long term, should be produced”.
So how do all these reports fit together? In order to clarify the standing of the integrated report with other
reports, King IV deals with it “as one of the many reports that may be issued by the company as is
necessary to comply with legal requirements and/or to meet the particular information need of material
stakeholders”.
King IV is not prescriptive. It is recommended practice that:
• an integrated report could be a stand-alone report which connects the more detailed information in other reports, or
it could be
• a distinguishable, prominent part of another report that includes the financial statements, a sustainability report
and any other reports issued in compliance with legal requirements.
The practice recommended in the King IV Code is for the company to “issue a report annually that presents
material information in an integrated manner and that provides its users with a holistic, clear, concise and
understandable presentation of the organisation’s performance in terms of sustainable value creation in the
economic, social and environmental context”.

6. Paradigm shifts in the corporate world


Expressed simply, “a paradigm shift” means a move away from a particular model or standard. In the con-
text of the corporate world, King IV proposes that there are three paradigm shifts that connect to the fun-
damental concepts discussed above. Each of the three describes a change in thinking within the corporate
world.

6.1 From financial capitalism to inclusive capitalism


• As illustrated by the six capitals model (refer to page 4/12), companies are considered to have six
sources of capitals, and there is now general acceptance that the employment, transformation and
provision of financial capital represent “only a fraction” of a company’s activities. Inclusive capitalism, on
the other hand, requires that the employment, transformation and provision of all sources of available
capital (human, manufactured, intellectual, social and relationship, financial and natural capitals) should be
considered in the company’s decision-making in respect of all elements/activities of the business, from
setting strategy to reporting. Value creation should also be measured in terms of all of the capitals, not
just financial capital. Capitalism is the engine of “shared prosperity”, but if the future risks are to be
appropriately responded to, an inclusive capital market system must be adopted. This thinking is well
illustrated in King IV concerning the system of donor aid, namely, developed countries giving money to
developing countries. Rather than simply supplying countries with large sums of money (which is
probably a quick and easy “solution”), aid should aim to promote inclusive capitalism. This may
manifest itself in many ways, such as the donor developing infrastructure, educating and training the
local population, enabling the recipient to develop its environmental resources, and promoting sound,
sustainable and equitable relationships between “donor and recipient”. The adoption of inclusive
capitalism would create value in a sustainable manner, which would positively affect the prospects of
the donor and the recipient.

6.2 From short-term capital markets to long-term sustainable markets


• Simply stated, this means that a company’s performance should be assessed over the longer term. The
shift from short-term thinking to long-term thinking arises from the need to create value sustainably.
Providers of financial capital should look to investing in long-term sustainability, not just in “making a
quick buck”.

6.3 From siloed reporting to integrated reporting


• Corporate reporting needs to change if it is to be consistent with the shift to the concept of an inclusive,
sustainable market system. Siloed reporting is essentially the practice of issuing one or more “stand-
alone reports””. Thus, a company may issue audited financial statements, which report on financial
capital as required by law, a separate sustainability report, a social and ethics committee report, and
other reports such as a corporate governance report. These reports will deal indirectly with some of the
other capitals to a varying extent. The reality is that the capitals used by companies interconnect and
interrelate. Corporate reporting should reflect this and indicate how the company’s activities affect, and
4/12 Auditing Notes for South African Students

affected by, the six capitals it uses in the economic, social and environmental context in which it
operates. Integrated reporting is a process founded on integrated thinking that results in a periodic
integrated report about value creation over time. An integrated report is a concise communication about
how a company’s strategy, governance, performance and prospects fit together.

4.1.5 King IV and the International Integrated Reporting Council (IIRC)


1. Introduction
The King IV Report (and by implication, the King IV Code) is strongly influenced by the International
Integrated Council’s (IIRC) Reporting Framework. The IIRC’s long-term vision is that integrated reporting
becomes the corporate reporting norm. Historically, a company’s duty to report on its performance was
limited to satisfying a statutory obligation to present a set of audited annual financial statements (the AFS)
to its shareholders. The contents of the AFS were generally basic financial information, that is, a simple
balance sheet and a profit and loss account. The attitude of most companies was one of “minimum
disclosure”, which amounted to disclosing no more information than was required by law. Over time,
financial reporting requirements have increased significantly; among other things, accounting standards
requiring extensive disclosure have emerged and regulatory bodies of various kinds, for example, the JSE,
have continuously called for more information to be presented. These calls for more information eventually
evolved into an attempt to get companies (essentially large listed companies) to embrace the concept of
reporting on what was termed the “triple bottom line”, namely the economic, social and environmental
aspects of a company’s performance. The terms “integrated reporting” and “sustainability reporting”
emerged along with calls to follow a “stakeholder inclusive” approach to reporting, in other words, to
report not only to shareholders by way of the AFS, but instead report to all stakeholders in a manner that
meets their needs. This brings us to where we are now, in other words, to the drive towards wide
acceptance of the International Integrated Reporting Framework.
To gain a solid understanding of corporate governance, you do not need to have a detailed
understanding of the Framework but, as indicated above, the King IV Report is strongly influenced by the
Framework and supports its implementation.
1.1 The Framework defines an integrated report as a concise communication about how a company’s strat-
egy, governance, performance and prospects, in the context of its external environment, lead to the
creation of value over the short, medium and long term (in effect its sustainability).
1.2 The primary purpose of an integrated report is to explain to providers of financial capital how the
company creates value over time, and to provide meaningful information to all stakeholders, including
employees, customers, suppliers, local communities, legislators, etc., about the company’s ability to
create value.
1.3 The key to understanding the thinking behind the integrated report is to realise that, in terms of the
Framework, value creation does not mean creating only financial value but rather creating value in
terms of the “six capitals” which a company has available to it.

2. The six capitals


2.1 Financial capital – the pool of funds available to the company to carry on its operations. Financial
capital is obtained through, for example, financing, borrowing or by making profits.
2.2 Manufactured capital – the physical objects which are available to the company for use in its oper-
ation, such as buildings and equipment, as well as roads, bridges, harbours, etc. (Note that the
company does not necessarily own manufactured capital. Roads, bridges and harbours are usually
owned by the government but are an essential part of most company’s operations, e.g. a company that
imports goods usually needs the use of a harbour.)
2.3 Intellectual capital – the knowledge-based intangibles which the company has, such as patents, copy-
rights, software, and licences or rights.
2.4 Human capital – employees’ competencies, capabilities and experience, including their ability to sup-
port the company’s governance framework, risk management approach and ethical values, and their
loyalties and motivations to improve the company.
Chapter 4: Corporate governance 4/13

2.5 Social and relationship capital – the institutions and relationships and other networks which the
company can use (and contribute to) to enhance individual and collective well-being, for example:
• the trust that a company has developed with the community in which it operates, or with other
key stakeholders such as its suppliers and workforce, and
• the trust and other intangible benefits derived from the company’s brand and reputation.
2.6 Natural capital – the renewable and non-renewable environmental resources that support the
company’s past, current or future prosperity, including air, water, land, minerals and forests, and the
ecosystem in general.
Obviously not all capitals are equally relevant or applicable to all companies. As the Framework points out,
while most (large) companies interact with all capitals to some extent, these interactions might be relatively
minor (immaterial) or so indirect that they are not sufficiently important to include in the integrated report.

3. The six capitals into the context of integrated reporting


3.1 The framework does not require an integrated report to rigidly adopt the categories of capital described
above, or to structure the report in terms of the six capitals, but
3.2 The framework requires that the capitals be used as a guideline by the company to ensure that it does
not overlook a capital that it uses or affects in its reporting.
3.3 The framework does require that the integrated report conveys the interdependence and interconnect-
ivity of the six capitals as manifested by material enhancements (increases), diminutions (decreases),
or transformations (changes in form) of the six capitals. Some simple examples will illustrate this:
• A company’s financial capital is increased if it makes a profit.
• If a company makes a material financial contribution to the community in which it operates to
build a community centre, it reduces its financial capital but increases its social and relationship
capital.
• If a motor company fraudulently circumvents emissions regulations and is found out (as was
Volkswagen), it reduces its financial capital (legal costs, penalties and recalling vehicles), and
reduces its social and relationship capital (damage to the brand and its reputation). It may also
reduce its human capital (employees may be demotivated by the lack of ethics on the part of man-
agement and the board, and well qualified and experienced staff may leave the company).
• A company that invests heavily in research and development may initially reduce its financial
capital, but may also, in the long run, transform that financial capital decrease into a financial
capital increase (by selling new products) and an increase in its intellectual capital (e.g. by
registering a new patent).
• A manufacturer that pollutes wetlands surrounding its facility by pumping untreated effluent into
it may increase its financial capital (by not incurring the costs of cleaning the water, which would
reduce profits) but will reduce its social and relationship capital and its natural capital.
• When a company increases the capacity of its plant and invests in training employees, its
manufactured capital is increased, as has the quality of its human capital. Its financial capital has
been decreased, but in effect, its financial capital has been transformed into manufactured capital
and human capital.
• A company that remunerates its directors exorbitantly and out of proportion to their performance
reduces its financial capital, human capital (other employees become demotivated and less loyal to
the company, and strikes may increase because of dissatisfaction). In all likelihood, its social and
relationship capital will decrease (e.g. dissatisfied shareholders, negative effect on the company’s
reputation as a good corporate citizen). Note: this is why reporting on directors’ remuneration is
comprehensively dealt with in the King IV Code.
The above examples are simple, but they adequately illustrate the continuous interaction and transforma-
tion between the capitals.
In a nutshell, the IIRC wants all (large) companies to adopt the Framework. This would require com-
panies to report in one form or another on its creation of value in respect of the six capitals in the social,
economic and environmental context.
4/14 Auditing Notes for South African Students

4. How does integrated reporting tie into corporate governance?


4.1 Think about it like this; if companies were required to report to all stakeholders in the manner
required by the integrated framework in the context of the six capitals, they would be required
(forced) into governing the company in a manner that enables them to report as required.
For example, having to actually report on social and relationship capital may cause the directors to
consider far more carefully the social/reputational outcomes of their decisions before they make the
decision. Suppose Volkswagen had conscientiously considered the effect on the six capitals of its
decision to fraudulently circumvent emissions regulations, including the effect on the brand and the
company’s reputation. In that case, it is improbable that they would have taken such a decision. The
fact that the company did what it did has had an enormous effect on its value creation and reflects
very poor corporate governance. The decision to manipulate emissions data relating to their vehicles
would seem to have been made in an attempt to sell more cars and thus make greater profits, a
decision based purely on the effect on financial capital.
4.2 Furthermore, having to satisfy the requirements of the Framework, the board will need to implement
and maintain processes and procedures which produce the information which has to be included in
the integrated report, so how the board governs is directly affected by the duty to produce an
integrated report. In a sense, having to report on matters it controls makes the board more account-
able. Consider the major effect that the financial reporting standards have on governance. The vast
amount of information of a financial nature that must go into the financial statements forces the
board to ensure that sound systems of internal financial control are implemented and maintained to
provide the necessary information. Essentially a set of annual financial statements is a report to the
shareholders on financial capital. It stands to reason then that if we had standards of reporting
covering the other five capitals, the directors would be accountable to report to all stakeholders on all
capitals as applicable. Theoretically, if you are to be held accountable, you will act in a manner that
enables you to demonstrate that you have met your responsibilities.
4.3 Having to report in terms of an integrated framework should lead to integrated thinking on the
company’s part. Integrated thinking is the proactive consideration by a company of the relationships
between its various operating and functional units and the capitals that the company uses or affects.
Integrated thinking leads to integrated decision-making and actions that consider the creation of value
over the short, medium and long term in the context of the six capitals.

4.1.6 Application and disclosure


1. Legal status of King IV
1.1 The legal status of King IV is that of a set of voluntary principles and leading practices, it is not “law”.
As we discussed earlier in the chapter, corporate governance could apply as a set of legislated rules, a
voluntary code of principles and practices, or a combination of both, which is the situation in South
Africa.
1.2 Legislating corporate governance amounts to creating a set of rules and regulations that companies
must follow and which, if transgressed, will result in some form of punishment. This is the “comply
or else” basis/application. It is generally regarded as being unsuitable for two reasons:
• A one-size-fits-all set of rules cannot be suitable because the types of businesses and activities
carried out by corporate entities are so varied and diverse.
• There is a real danger that companies will simply become focused on “mindless compliance with
the law” instead of applying its mind to the best governance practice for the issue in question.
1.3 Of course, there is a fair amount of legislation related to corporate governance that is intertwined with
the principles and practices contained in King IV. These laws must be adhered to, and if there is a
conflict between legislation and King IV, the law will prevail.
1.4 It is also important to note that the court may look to the Code to resolve a governance issue.
For example, in a situation where directors need to defend aspects of their conduct that may
contravene the law, the court may look to the directors’ compliance with the Code of Corporate
Governance to assist it in its judgment. In the absence of robust and sound governance structures and
processes, it may be difficult for the directors to defend their conduct successfully.
Chapter 4: Corporate governance 4/15

1.5 Note that whilst it is not compulsory in terms of the law, for companies to apply the King IV Code,
other bodies to which the company is connected may require the company to do so.
For example, the JSE requires that listed companies apply the Code, or a holding company may
require that subsidiaries do so.

2. Scope of application of King IV


2.1 The King IV Code is concerned with the role and responsibilities of the governing body of an
organisation and its interaction with management and other material stakeholders. For a company,
the Code is aimed at the board of directors.
2.2 The King IV Report has, as one of its objectives, the broadening of acceptance of the Code. Thus an
attempt has been made to make it more accessible and fit for application across various sectors and
types of organisation, for example, listed companies, SMEs, trusts, municipalities.
2.3 To this end, the phrasing of principles and governance outcomes has been done to embody the
essence of the Code and can be applied with the necessary changes in terminology. Recommended
practices can then be adapted to suit the entity in accordance with what has been termed propor-
tionality which is discussed in point 4 below.

3. Practices, principles and governance outcomes


The elements around which the King IV Code on Corporate Governance for South Africa has been devel-
oped are practices, principles and governance outcomes.
3.1 Practices are the actions (leading practice) that the King IV Code recommends should be applied by a
company to support and give effect to what the principle is intended to achieve, taking into account
proportionality (the size, resources and complexity of the company). Each recommended practice
relates to a principle.
3.2 Principles are an embodiment of good corporate governance. There are 17 principles which build on
and reinforce one another. They guide the company as to what it should achieve by implementing the
recommended practices.
3.3 Governance outcomes are the benefits that could be realised by the company if the related principles are
achieved. There are four governance outcomes; ethical culture, good performance, effective control
and legitimacy.

4. Proportionality
4.1 Implementing the King IV Code should be done based on proportionality, as it cannot be applied in
the same manner and to the same extent in all companies. For example, SMEs are unlikely to have
the necessary resources to implement the recommended practices which a listed company might
implement and in fact will not need to implement practices to the same extent. For example, SMEs
will normally not require a chief audit executive or an audit committee, and will be less concerned
about the composition of the board in respect of non-executive directors.
4.2 However, this does not mean that SMEs should not strive for good corporate governance, or that they
do not need to concern themselves with being good corporate citizens or ethically conducting
business. Therefore, the principles promoted by the King IV Code are applied by all entities.
4.3 Regarding practices, the King IV Code seeks to instil a qualitative approach in which recommended
practices are implemented in a manner and to an extent which achieves that principle, that is, the
King IV recommended practices are adapted to suit the entity’s situation.
4.4 Practices should be scaled per the following proportionality considerations particular to the entity:
• size and turnover
• size and workforce
• resources
• extent and complexity of activities, including the entity’s impact on the triple context in which it
operates, namely the economy, society and the environment.
4/16 Auditing Notes for South African Students

5. Disclosure on the application of King IV


5.1 The application regime for King IV is “apply and explain”, which means that principles are applied
and practices are explained.
• The principles are fundamental to good governance and it is assumed therefore that they will be
applied.
• Explanations should be provided in the form of a narrative account that addresses which recom-
mended or other practices have been implemented and how these achieve or give effect to the
related principle.
5.2 What should be disclosed on the application of the King IV Code?
• Specific disclosure recommendations are included for each principle of the Code, and are intended
to act as a starting point and guidance for disclosure on the principle.
• The extent and detail of the narrative should be guided by materiality but should enable the
stakeholder to assess the quality of the company’s governance.
• Materiality in this context is a measure of the effect that the presence or absence (inclusion or
omission) of information pertaining to the explanation of the practices implemented may have on
the accuracy or validity of the explanation. In other words, bearing in mind that the objective of
the explanation is to enable stakeholders to make an informed assessment, will the inclusion or
omission of a particular piece of information, affect the stakeholder’s ability to do so? The
materiality of a piece of information is judged by its inherent nature, impact value, use value and
the context in which it occurs.
5.3 Where should King IV disclosure be made?
• King IV is not prescriptive on this, and the board may decide. The board may choose to make
King IV Code disclosures in the integrated report, sustainability report, social and ethics report, or
any other online or printed information or report. The board may also decide to make the
necessary disclosures in more than one of these reports. Bear in mind the shift from “stand-alone”
(siloed) reports to integrated reporting, as discussed earlier in this chapter.
• King IV disclosure should be:
(i) updated annually
(ii) formally approved by the board
(iii) publically accessible.

4.2 Section 2 The King IV code of corporate governance


For a summary of the 17 principles of the King IV Code, see Appendix 1 at the end of this section.

4.2.1 Leadership, ethics and responsible corporate citizenship


4.2.1.1 Leadership
Principle 1. The board should lead ethically and effectively
1. Recommended practices
The recommended practices in this instance are designed to convey the characteristics that directors should
cultivate and exhibit in their conduct.
1.1 Integrity
• Directors must act in good faith in the best interests of the company. This is a fundamental principle in
law. In terms of the Companies Act 2008, section 76, a director:
– must not use the position of the director to gain an advantage for himself or knowingly cause
harm to the company
– must exercise his powers in good faith and for a proper purpose in the best interests of the
company
– must act with the degree of care, skill and diligence that may reasonably be expected of a
director.
Chapter 4: Corporate governance 4/17

A director has an overriding fiduciary duty to act in good faith, in a manner that the director
reasonably believes is in the company’s best interests, and in terms of the common law, and may
be held liable for loss, damages, or costs of any breach of this duty.
• Directors should avoid conflicts of interest: The personal interests of a director, or a person closely
associated with the director, should not take precedence over those of the company. This principle
has been partially legislated for by section 75 of the Companies Act 2008, which requires that a
director disclose any financial interest which he may have (or which any person related to the
director, as defined by s 2, may have) in any matter which is to be considered at a meeting of the
board.
For example, the board may be considering entering into a contract with a company owned by a
director’s wife (related person). The director must declare this fact before the meeting and should
not take part in the “consideration” or approval of the matter.
• Directors should act ethically beyond mere legal compliance: Conflicts of interest may not be as clear cut
as this example and may only be known to the director himself. It is up to the director’s integrity to
do the right thing, for example, declare the conflict, resign from the board, whatever is
appropriate. Directors should have the courage to act with integrity and honesty in all decisions in
the company’s best interests. A director should not lack the courage to stand up to other board
members, for example a domineering CEO or chairman, when integrity and honesty demand it.
• Directors should set the tone for an ethical organisational culture.
1.2 Competence
• The board as a whole, and directors individually, assume responsibility for the ongoing develop-
ment of their competence to run the company effectively.
For example, a financial director should keep abreast of new accounting standards applicable to
the company, and all directors should, by attending presentations and courses, etc. keep up to date
with international and industry-specific affairs, developments and trends.
• Directors should ensure that they have sufficient knowledge of the company, its industry, the
economic, social and environmental context in which it operates, and the significant laws,
regulations, rules, codes, and standards applicable to it. King IV recommends that subject to
stipulated policies and procedures, a director should have unrestricted access to professional
advice and the company’s information, documentation, records, property and personnel.
• Directors must act with due care, skill and diligence, and take reasonably diligent steps to become
informed about decisions.
Again, in terms of section 76 of the Companies Act, 2008, to discharge his duties (exercise his powers
and duties) a director:
• should take reasonably diligent steps to be informed about any matter to be dealt with by the
directors
• should have had a rational basis for making a decision and believing that the decision was in the
best interests of the company
• is entitled to rely on the performance of:
– employees of the company whom the director reasonably believes to be reliable and competent
– legal counsel, accountants or other professionals retained by the company
– any person to whom the board may have reasonably delegated authority to perform a board
function
– a committee of the board of which the director is not a member unless the director has reason
to believe that the actions of the committee do not merit confidence
• is entitled to rely on information, reports, opinions recommendations made by the above-
mentioned persons.
1.3 Responsibility
• Directors should assume collective responsibility for:
– steering and setting the direction of the company
– approving policy and planning
– overseeing and monitoring of implementation and execution by management
– ensuring accountability for organisational performance.
4/18 Auditing Notes for South African Students


Directors should exercise courage in taking risks and capturing opportunities but in a responsible
manner and in the company’s best interests.
• Directors should take responsibility for anticipating, preventing or lessening the negative outcomes
of the company’s activities and outputs on:
– the triple context (social, economic and environmental) in which it operates, and
– on the capitals that it uses or affects.
• Directors should attend board meetings (and board committee meetings as appropriate) and
devote sufficient time and effort to prepare for those meetings.
1.4 Accountability
• Directors should be willing to answer for (be held accountable for) the execution of their respon-
sibilities even when such responsibilities have been delegated.
1.5 Fairness
• Directors must consider and balance the legitimate and reasonable needs, interests and expecta-
tions of all stakeholders in the execution of their governance role and responsibilities, in other
words, they must adopt a stakeholder inclusive approach.
• Directors should direct the company in a way that does not adversely affect the natural environ-
ment, society or future generations.
1.6 Transparency
• Directors should be transparent in the manner in which they exercise their governance roles and
responsibilities.
2. Disclosure
The arrangements by which the directors are held to account for ethical and effective leadership should be
disclosed, for example, compliance with codes of conduct and performance evaluations.

4.2.1.2 Organisational ethics


Principle 2. The board should govern the ethics of the company in a way that supports the establishment of
an ethical culture
The essence of this principle is that an ethical culture cannot be established and maintained if the board
does not set the tone, convey the company’s ethical norms and values to internal and external stakeholders,
for example, employees and suppliers, and monitor adherence to the ethical values and norms.
The board is responsible for creating and sustaining ethical corporate culture in the company. In terms of
the former corporate governance report, namely King III, an ethical corporate culture requires that:
• ethical practice for directors is a non-negotiable requirement
• sound moral values and ethics are propagated by the conduct of individuals (throughout the company)
• business activity is directed by people with integrity, fairness, responsibility and vision
• laws and regulations are obeyed; unfair practices, abuse of economic power (unfair treatment of sup-
pliers) and collusion (e.g. price fixing) are avoided
• “having to be ethical” cannot be used as an excuse for poor business performance
• the director’s duty is first to his company and shareholders, but the interests of all stakeholders must be
considered.
Recommended practices
• The board should set the direction in which ethics should be approached and addressed.
• The board should approve codes of conduct and ethics policies.
• The directors should ensure that codes of conduct and ethics policies:
– encompass the company’s interaction with internal and external stakeholders; for example,
employees and the local community in which the company operates.
• The directors should ensure that codes of conduct and ethics policies provide for arrangements that
familiarise employees and other stakeholders with the company’s ethical standard including:
– publishing the codes and policies on the company’s website or other social media platforms
Chapter 4: Corporate governance 4/19

– incorporating such codes in employment and supply contracts; for example, a supply contract may
include a clause that stipulates that the company will not do business with a company that engages in
any form of unfair labour practices such as “sweatshop labour”
– holding workshops and seminars to inform employees about the relevant codes and how they are
implemented in the workplace.
• The directors should delegate the responsibility for implementing and executing the codes and ethics
policy to management.
• The directors should exercise ongoing oversight of the management of ethics and oversee that it results
in the following:
– application of the company’s ethical standards to the recruitment process, evaluation of performance
and reward of employees as well as the sourcing of suppliers
– having sanctions and remedies in place to deal with breaches of the ethical standards; for example, a
formal disciplinary procedure
– the use of protected disclosure or whistle-blowing mechanisms to detect breaches
– monitoring and assessing adherence to the codes of ethics and conduct by employees, business asso-
ciates, contractors and suppliers.
For example, this may involve monitoring the nature and frequency of complaints/instances of
alleged unethical behaviour and having “ethics” as an agenda item for meetings with employee
bodies, business associates etc. Suppliers may be asked to provide annual written confirmation that
they are complying with the ethical terms of their supply contracts, or business associates may be
asked to comment on any unethical behaviour by them, which may have been alleged in the financial
press.
• Disclosure: The following should be disclosed:
– an overview of the arrangements for governing and managing ethics
– key focus areas during the reporting period
– measures taken to monitor organisational ethics and how the outcomes of monitoring were addressed
– planned areas of future focus.

4.2.1.3 Responsible corporate citizenship


Principle 3. The board should ensure that the company is, and is seen to be, a responsible corporate citizen
The introduction to the King IV Report states that being a “corporate citizen is about a company’s status in
the broader society . . . and a corporate citizen has rights, but also obligations and responsibilities”. How-
ever, a little more explanation (based on King III) of the phrase is required.
• The success of a company should not only be judged in terms of the company’s financial performance,
but also in terms of the company’s impact on the economy, society and the environment, that is, the
triple context.
• The company should protect, enhance and invest in the well-being of the economy, society and the
environment, that is, the triple context.
• Being a responsible citizen for a company means establishing an ethical relationship of responsibility
between the company and the society in which it operates. Companies have rights, but they also have
legal and moral obligations regarding their social and natural environments.
• Being a responsible corporate citizen and sustainable development are inseparable; a company that is an
irresponsible corporate citizen, for example, does not treat its employees fairly, engages in illegal/
corrupt practices and has no regard for the environment is sooner or later going to fail.
• Being a responsible corporate citizen is far more than projecting an image and getting public relations
right. It is about genuine commitment and leadership, not a series of publicity stunts or a passing phase.
The following chart has been included to better understand what being a responsible corporate citizen
means. The chart provides examples of factors of being a responsible corporate citizen that a company
should consider, and how a company might act. Neither the list of factors nor the actions are exhaustive.
4/20 Auditing Notes for South African Students

Factor to be considered A good corporate citizen would


1 Sustainable development reject a short-term lucrative mining contract because it
would lead to the destruction of the local environment and
community
2 Human rights assist in providing basic human needs such as housing and
fresh water; or refuse to do business with companies that
use child labour
3 The impact on communities in which the company control the impact of air pollution, and provide training
conducts its activities for members of the community
4 Protection of the natural environment and prevent the pollution of wetlands adjoining production
responsible use of natural resources facilities, and efficient use of water and electricity
5 Fair labour practice provide acceptable health and safety conditions in the
workplace
6 Fair and responsible remuneration not pay directors exorbitant salaries
7 Employee wellbeing and development provide literacy classes, study bursaries, and in-house
social programs
8 Employee and public health and safety provide clinics for employees and local community,
support public health campaigns, for example HIV/AIDS
9 Compliance with legislation related to economic, strictly comply with emission control regulations,
social and environmental responsibility transport regulations, and effluent regulations
10 Prevention, detection and response to fraud and implement strict policies against any form of bribery
corruption
11 Economic transformation mentor and develop emerging businesses, promote
BBBEE, and promote employee share ownership
12 Fair treatment of customers adopt fair pricing (no price fixing), honour warrantees,
and provide efficient service
13 Fair competition with industry peers not disseminate false information (rumour), and not
engage in destructive price wars
14 Fair treatment of associates, suppliers and pay suppliers promptly, and refuse to renew/cancel con-
contractors as well as holding them to account on tracts with existing suppliers known or suspected to be
their own “responsible citizenship” practices in involved in fraud, corruption or other unethical business
relation to any agreed to codes of conduct practices
15 Responsible tax policies not engage in the practice of “shifting profit” (to reduce
tax) (see note (b) below).

Recommended practices
1. The board should set the direction for how corporate citizenship should be approached and addressed
by the company.
2. The board should ensure that the company’s responsible citizen efforts include compliance with:
• the Constitution of South Africa (including the Bill of Rights)
• the law
• leading standards on corporate citizenship
• adherence to its codes of conduct and policies.
3. The board should oversee that the company’s core purpose and values, strategy and conduct are con-
gruent with it being a responsible corporate citizen.
4. The board should oversee and monitor, on an ongoing basis how the consequences of the company’s
activities and outputs affect its status as a responsible corporate citizen. This oversight and monitoring
should be performed against measures and targets agreed with management in all of the following
areas:
• workplace, for example, fair remuneration, development of employees, health and safety
• economy, for example, economic transformation, fraud and corruption, tax policy
Chapter 4: Corporate governance 4/21

• society, for example, public health and safety, community development, consumer protection
• environment, for example, pollution prevention, waste disposal.
5. Disclosure. The following should be disclosed:
• an overview of the arrangements for governing and managing responsible corporate citizenship
• key areas of focus during the reporting period
• measures taken to monitor corporate citizenship and how outcomes were addressed
• planned areas of future focus.
Note (a) In terms of Regulation 43 of the Companies Regulations 2011, every state-owned company,
listed public company and any other company that has in two of the previous five years scored
above 500 points in its public interest score, must appoint a Social and Ethics committee. This
committee is required to monitor the company’s activities concerning any relevant legislation,
legal requirements or codes of best practice about:
• social and economic development
• good corporate citizenship
• the environment, health and public safety
• consumer relationships, and
• labour and employment.
King IV has recommended additional requirements for the Social and Ethics committee, namely, that the
committee directs and oversees:
• the management of ethics, and
• the social responsibility aspects of the remuneration policy.
Thus, it is an essential committee in the creation and maintenance of the company’s ethical culture and its
status as a responsible corporate citizen.
Note (b) Tax strategy and policy. King IV adopts the attitude that it is no longer acceptable to have overly
aggressive tax strategies, such as exploiting mismatches between the tax regimes of various juris-
dictions to minimise tax, even if these actions are legal, for example, companies shifting profits
from the country where they have their customer-base to a country which has a lower tax rate.
In terms of current thinking, the due payment of tax is linked to corporate citizenship and
reputation. King IV requires that the board and audit committee should be responsible for a tax
strategy and policy which is legal and reflects good corporate citizenship.

4.2.2 Strategy, performance and reporting


4.2.2.1 Strategy and performance
Principle 4. The board should appreciate that the company’s core purpose, its risks and opportunities
strategy, business model, performance and sustainable development are all inseparable elements of the
value creation process
In terms of King IV, the term “value creation process” describes the process that results in increases,
decreases or transformation of the (company’s) capitals caused by the company’s business activities and
outcomes. Note: For an explanation of the six capitals model see page 4/12.

Recommended practices
1. The board should steer and set the direction for realising the company’s core purpose and values
through its strategy.
2. The board should delegate the formulation and development of the company’s short-, medium- and
long-term strategy to management.
3. Management’s strategy should be approved by the board. When considering approval, the board should
challenge (question and consider) it constructively concerning:
• the timelines and parameters which determine the meaning of the short, medium and long term
• the risks, opportunities and other matters connected to the triple context
4/22 Auditing Notes for South African Students

• the extent to which the proposed strategy depends on resources and relationships connected to the
various forms of capital (six capitals)
• the legitimate and reasonable needs, interests and expectations of (all) material stakeholders
• the increase, decrease or transformation of the various forms of capitals that may result from the
execution of the proposed strategy
• the interconnectivity and interdependence of all of the above.
4. The board should ensure that it approves the policies and operational plans developed by management
to effect the strategy, including key performance measures and targets for assessing the achievement of
strategic objectives and positive outcomes over the short, medium and long term.
5. The board should delegate the responsibility to implement and execute the approved policies and plans
to management.
6. The board should exercise ongoing oversight of implementing strategy and operational plans against
agreed performance measures and targets.
7. The board should oversee that the company continually assesses and responds to the negative conse-
quences of its activities and outputs on the triple context (social, economic and environmental) in which
it operates and the capitals which it uses or affects.
8. The board should be alert to the organisation’s general liability about its reliance on the capitals, its
solvency and liquidity, and its status as a going concern.

4.2.2.2 Reporting
Principle 5. The board should ensure that reports issued by the company enable stakeholders to make
informed assessments of the performance of the company and its short, medium and long-term prospects
This principle intends to provide stakeholders with useful information about the company within the triple
context, so that stakeholders can better assess the company’s ability to sustain itself by its ability to create
value. Reporting needs to be far more than simply presenting historical financial information such as a set
of annual financial statements – much more information on the economic, social and environmental
aspects and the six capitals of the company must be included.

Recommended practices
1. The board should set the direction for approaching and conducting the company’s reporting.
2. The board should approve management’s determination of the reporting frameworks and standards to
be applied in reports, for example, IFRS, JSE listing requirement, the International Integrated
Reporting Framework, taking into account:
• legal requirements
• the intended users
• purpose of each report.
3. The board should ensure that all reports required in terms of the law, for example, annual financial
statements, and which are required to meet the legitimate and reasonable information needs of material
stakeholders, for example, a sustainability report, are issued.
4. The board should determine the materiality of information to be included in reports. A piece of
information will be material if its inclusion or omission would affect the report users’ ability to properly
assess the report’s subject matter.
5. The board should ensure that the company issues an integrated report annually (at least). This report
may be:
• a stand-alone report which connects the more detailed information in other reports and addresses,
completely and concisely, the matters which significantly affect the company’s ability to create
value, or
• a distinguishable, prominent and accessible part of another report that includes the AFS and other
reports that must be issued.
6. The board should ensure the integrity of external reports.
Chapter 4: Corporate governance 4/23

7. The board should ensure the following information is published on the company’s website or other
platforms or media so that it is accessible to stakeholders:
• corporate governance disclosures required in terms of the Code
• integrated reports
• annual financial statements and other external reports.

4.2.3 Governing structures and delegation


4.2.3.1 Primary role and responsibilities of the board
Principle 6. The board should serve as the focal point and custodian of corporate governance in the company
Recommended practices
1. The board should
• steer and set its strategic direction
• give effect to the strategy by approving policy and planning
• provide oversight and monitoring of implementation, and execution by management
• ensure accountability by, among other things, reporting and disclosure of organisational performance.
2. The board should have a charter that documents its role, responsibilities and membership requirements
(note: membership requirements must consider the legal requirements, e.g. Companies Act 2008) and
procedural conduct. The charter should be regularly reviewed.
3. The board should establish the protocol to be followed if any of its members need to obtain independ-
ent, external professional advice on matters within the scope of their duties.
4. The board should approve the protocol to be followed by its non-executive directors for requisitioning
documents and setting up meetings with management.
5. Disclosure. The following should be disclosed in relation to the board’s primary role and responsibilities:
• the number of meetings held during the reporting period and attendance at those meetings
• whether the board is satisfied that it has fulfilled its responsibilities in terms of its charter.

4.2.3.2 Composition of the board


Principle 7. The board should comprise the appropriate balance of knowledge, skills, experience, diversity
and independence for it to discharge its governance role and responsibilities objectively and effectively
This principle is dealt with in the King IV Code in the following subsections:
• Composition ........................................................................................................................ Page 4/23
• Nomination, election and appointment ................................................................................. Page 4/24
• Independence and conflicts .................................................................................................. Page 4/24
• Chairperson of the board ...................................................................................................... Page 4/26

Recommended practices – Composition


1. The board should set the direction and approve the process for attaining the appropriate composition of
the board (knowledge, skills, diversity, etc.).
2. The board should determine the appropriate number of members of the board based on:
• the collective skills, knowledge and experience needed for the board to meet its responsibilities
• the appropriate mix of executive, non-executive and independent non-executive members
• the need to have sufficient qualified members to serve on board committees, for example the audit
committee should consist of at least three independent non-executive directors
• the need to secure a quorum at meetings
• regulatory requirements, for example, listed companies must appoint a financial director (JSE
requirement) and a social and ethics committee in terms of Regulation 43. Both of these require-
ments will affect the number of directors
• diversity targets (experience, age, race and gender).
4/24 Auditing Notes for South African Students

3. The chief executive officer and at least one other executive should be appointed to the board (note: JSE
regulations require that a financial director be appointed).
4. The board’s composition should have a suitable diversity of academic qualifications, technical expertise,
industry knowledge, experience, nationality, age, race, and gender to conduct the board’s business and
make it effective and promote better decision-making.
5. Staggered rotation of the directors should be implemented to retain valuable skills and maintain
continuity of knowledge and experience and introducing “new blood”.
6. The board should establish a defined succession plan which includes identification, mentorship and
development of potential future directors.
7. The board should have a majority of non-executive directors, the majority of whom should be inde-
pendent.
8. The board should set targets for race and gender representation in its membership.

Recommended practices – Nomination, election and appointment


1. Procedures and recommendations for appointment to the board should be formal and transparent. The
company’s Memorandum of Intent (MOI) may include provisions relating to the appointment of
directors.
2. The nomination of candidates for election as directors should be approved by the board as a whole.
3. Before nominating a candidate for election, the board should consider:
• the collective skills, knowledge and experience required on the board
• the diversity of the board
• whether the candidate meets the appropriate fit and proper criteria, namely:
– whether the appointment of a particular candidate would help or hinder diversity targets
– the candidate’s knowledge skills and experience match those required by the board
– the candidate has ethical integrity and a good reputation
– whether the candidate has the capacity to dedicate the necessary time to discharge his duties
(particularly in the case of non-executive directors).
4. A candidate for an appointment as a non-executive director should provide details of other
commitments and a statement of the time the candidate has available to fulfil the duties of the non-
executive director.
5. Before nomination for election, a candidate’s background should be independently investigated, and
the candidate’s qualifications should be independently verified.
6. Nominations for the re-election of an existing director who has reached the end of his term should be
considered on the basis of the director’s performance, including his attendance at meetings (board and
committee).
7. A brief CV of each candidate standing for election as a director at the AGM should accompany the
notice of the AGM, together with a statement by the board as to whether it supports the election (or
re-election) of the candidate.
8. When a director is elected, a formal appointment letter is sent laying out the terms and conditions of
the appointment.
9. The board should promptly ensure that an incoming director is inducted (introduced and informed
about how the company functions, his responsibilities and fiduciary duties) so that he can make a
contribution as quickly as possible. This is usually the responsibility of the company secretary.
10. Newly appointed directors, particularly those with no or limited governing experience, should be
developed through mentoring and training.
11. All directors should undertake a program of professional development and regular briefings on
legislative and regulatory developments, risks and changes in the business environment, etc.

Recommended practices – Independence and conflicts


1. Each director should submit a declaration of all financial, economic and other interests held by the
director and related parties (as defined by s 2(1) of the Companies Act 2008) at least annually or when-
ever there are significant changes.
Chapter 4: Corporate governance 4/25

2. At the beginning of each board meeting or its committee meetings, all directors should be required to
declare whether any of them has any conflict of interest in respect of a matter on the agenda.
3. Non-executive directors may be categorised by the board as independent if it concludes that there is no
interest, position, association or relationship which, when judged from the perspective of a reasonable
and informed third party, is likely to influence or cause bias in decision-making in the best interests of
the company. Each case should be looked at individually and considered on a substance over form
basis. However, the following situations suggest that a non-executive director should not be classified as
independent. The director:
• is a significant provider of financial capital or ongoing funding to the company or is an officer,
employee or representor of such provider of financial capital or funding
• participates in a share-based incentive scheme of the company
• owns shares in the company, the value of which is material to the personal wealth of the director
• has been employed by the company as an executive manager during the preceding three financial
years or is a related party to such executive manager, for example spouse
• has been the designated (external) auditor for the company, or has been a key member of the exter-
nal audit team during the preceding three years
• is a significant or ongoing professional advisor to the company (other than as a director)
• is a member of the board or the executive management of a significant customer of, or supplier to
the company
• is a member of the board or executive manager of another company which is a related party to the
company
• is entitled to remuneration contingent on the performance of the company.
Note (a): Executive director: a director who is involved in the management of the company and/or is a full-
time salaried employee of the company and/or its subsidiary.
Non-executive director: a director who is not involved in the management of the company.
The role of the non-executive director is to provide independent judgment and advice/opinion on
issues facing the company, (provide an “outsiders” view). They are required to attend board and
board committee meetings to which they have been appointed.
Independent non-executive director: to be classified as independent, a non-executive director would
need to be regarded as such by a reasonable and informed third party.
Note (b): This Code’s recommended practice mirrors the Companies Act 2008, section 75 requirements
relating to a director’s personal financial interest in a matter to be considered at a meeting of the
board, but “widens the net” by requiring that any conflict of interest be declared. In terms of
King IV, a conflict of interest occurs when there is a direct or indirect conflict, in fact, or in
appearance, between the interests of the director and that of the company.
Note (c): If any of the above applies to the director, it does not mean he cannot be appointed as a non-
executive director, it simply means that he cannot be categorised as an independent non-executive
director.
Note (d): If a director has served as an independent non-executive director for nine years, he may continue
to serve categorised as independent but only if the board concludes, based on an annual assess-
ment that the director “exercises objective judgement” and the board concludes there is no
interest, position, association or relationship which, when judged by a reasonable and informed
third party, is likely to influence the director unduly or cause bias in his decision-making. The
question here is whether an individual who has had a strong nine-year “link” with a company
can reasonably be seen to be independent of that company.
Note (e): King IV emphasises that the board must have a balance of skills, experience, diversity,
independence and knowledge of the organisation. It must be composed in a manner that enables
it to discharge its duties fully. King IV also makes the point that balance is not simply achieved
by having independent non-executive directors and executive directors. All directors are legally
required to act independently regardless of whether they are classified, executive, non-executive
or independent non-executive. “Balanced composition” means balanced in terms of skills,
experience, diversity, etc.
4/26 Auditing Notes for South African Students

4. Disclosure. The following disclosures about the composition of the board should be made:
• whether the board is satisfied that the composition reflects the appropriate mix of knowledge, skills,
experience, diversity and independence
• the targets set for gender and race representation on the board and progress made against these
targets
• categorisation of each director as executive or non-executive
• categorisation of non-executive directors as independent or not – where an independent non-execu-
tive director has been serving for longer than nine years, details of the board’s assessment and find-
ings regarding that director’s independence
• the qualifications and experience of the directors
• the length of service and age of directors
• reasons for removal, resignation or retirement of any director
• other directorships and professional positions held by each director.

Recommended practices – Chairperson of the board


1. The board should elect an independent non-executive director as the chairperson.
2. The board should appoint an independent non-executive director as the lead independent director to fill
the following functions:
• to lead in the absence of the chairperson
• to serve as a sounding board for the chairperson
• to act as an intermediary between the chairperson and other directors
• to deal with shareholders’ concerns where the normal channels have failed to resolve the concerns
• to strengthen independence on the board if the chairperson is not an independent non-executive
director
• to chair discussions and decision-making by the board on matters where the chair has a conflict of
interest
• to lead the performance appraisal of the chairperson.
3. The chairperson’s and the lead independent non-executive’s role, responsibilities and term of office
should be documented in the board’s charter (or elsewhere).
4. The chief executive officer should not be the chairperson (the CEO cannot be categorised as a non-execu-
tive officer) and a former CEO should not be elected as chairperson until three full years have passed
since he vacated his position.
5. The chairperson, and the board, should agree on the number of outside “governing” positions that the
chairperson is allowed to hold (this is to ensure that the chairperson has the time available to carry out
his duties as chair appropriately).
6. The chairperson:
• should not be a member of the audit committee
• should not chair the remuneration committee (but may be a member)
• should be a member of the nominations committee and may also be the chair
• may be a member of the risk committee and may also be its chair
• may be a member of the social and ethics committee but should not be its chair.
7. The board should ensure that there is a succession plan for the position of chairperson.
8. Disclosure. The following should be disclosed in relation to the chairperson:
• whether the chairperson is considered to be independent
• whether or not an independent non-executive director has been appointed as the “lead independent”
and the role and responsibilities assigned to the position.
Chapter 4: Corporate governance 4/27

4.2.3.3 Committees of the board


Principle 8. The board should ensure that its arrangements for delegation within its own structures promote
independent judgement and assist with balance of power and the effective discharge of its duties
This principle is dealt with in the King IV Code in the following subsections:
General ............................................................................................................................... Page 4/27
Audit committees ................................................................................................................ Page 4/28
Nominations committee ....................................................................................................... Page 4/30
Risk governance committee .................................................................................................. Page 4/30
Remuneration committee ..................................................................................................... Page 4/31
Social and ethics committee ................................................................................................. Page 4/31
Note: The board is entitled to form other committees (see 1 below).

Recommended practices – General


1. The board should consider and establish standing or ad hoc (temporary) committees to assist in ful-
filling its obligations. The decision as to which committees should be established will be determined by
legislation and the needs of the board (to function effectively) and the size of the company.
For example, section 94 of the Companies Act 2008 requires that all public and state-owned
companies appoint an audit committee, and Regulation 43 of the Companies Regulations 2011 requires
that various companies such as public-listed companies must appoint a Social and Ethics committee.
The King IV Code recommends the committees listed above. Smaller private companies may not need
any of these committees and are unlikely to have the necessary resources, for example, non-executive
directors, independent or otherwise.
2. Terms of reference. Delegation to an individual member(s) of the board should be recorded in writing and
approved by the board. The record should set out:
• the nature and extent of the responsibilities delegated
• decision-making authority
• the duration of the delegation and the delegate’s reporting responsibilities.
3. Terms of reference. Delegation to committees should be recorded by means of formal terms of reference.
Each committee’s terms of reference, which should be reviewed annually and be approved by the board,
should deal with the following:
• composition and, where necessary, the process and criteria for the appointment of any members of
the committee who are not directors
• role and responsibilities
• authority to make decisions
• tenure of the committee
• access to resources and information
• meeting procedures
• arrangements for evaluating the committee’s performance
• when and how the committee should report to the committee and others.
4. Roles, responsibilities and membership. The board should consider the roles, responsibilities and member-
ship of committees holistically, so that:
• the functioning of committees is integrated and collaborative, for example, the social and ethics
committee collaborating with the remuneration committee on executive remuneration
• the composition of the board and its committees ensures that no individual(s) can dominate
decision-making or that there is undue reliance on a particular individual.
For example, the balance of power would be adversely affected if the same non-executive director
were appointed to all board committees as chairperson.
5. The board should ensure that each committee as a whole has the necessary knowledge, skills, expe-
rience and capacity to execute its duties effectively.
4/28 Auditing Notes for South African Students

6. Each committee should have a minimum of three members.


7. Attendance at meetings and conditions:
• Members of the executive and senior management should be invited to attend committee meetings
or part thereof) to provide information and insight as necessary.
• Every director is entitled to attend any committee meeting as an observer (remember that these are
board committees). However, a director who is not a member of the committee, is:
– not allowed to participate without the consent of the chair
– does not have a vote
– is not entitled to fees for such attendance unless otherwise agreed by the board and the share-
holders.
8. Accountability. When a board delegates its responsibility to a board committee, it does not discharge
(satisfy) its accountability. The board must apply its collective mind to the information, opinions,
recommendations, reports and statements presented by the committee or individual to whom the
responsibility has been delegated.
9. Disclosure. The following information about each committee should be disclosed:
• role, responsibilities and functions
• composition including each member’s qualifications and experience
• external advisers who regularly attend committee meetings
• key areas and focus
• whether the committee has satisfied its responsibilities in accordance with its terms of reference
• the number of meetings held during the reporting period and attendance at those meetings.

Recommended practices – Audit committees


1. In terms of section 94 of the Companies Act 2008, a public company, state-owned company or any
company whose MOI requires it to have an audit committee, must appoint an audit committee.
However, the King IV Code recommends that any company that issues audited financial statements
establish an audit committee.
2. Composition
In terms of the King IV Code:
• all members of the audit committee should be independent non-executive directors
• the audit committee should consist of at least three members
• the board should appoint an independent non-executive director as the chairperson
• the members of the audit committee should have the necessary financial literacy, skills and
experience to execute their duties effectively.
3. Responsibilities and function
In terms of King IV, the role of the audit committee is to provide independent oversight of:
• the effectiveness of the company’s assurance functions and services, with particular focus on the
combined assurance arrangements including external assurance providers, internal audit and the
finance function
• the integrity of the financial statements and to the extent delegated by the board, other external
reports issued by the company
• the audit committee carries ultimate decision-making power and accountability for its statutory
duties. However, if the audit committee is assigned responsibilities beyond its statutory duties by the
board, the board will be ultimately accountable for such delegated responsibilities
• the management of financial and other risks that affect the integrity of external reports issued by the
organisation
• the audit committee should meet annually with the external auditor and internal auditor without
management being present (this creates an opportunity for opinions/concerns to be raised
“privately”).
Chapter 4: Corporate governance 4/29

Note (a): In terms of section 94 of the Companies Act, each member of an audit committee:
• must
– be a non-executive (King IV) director of the company, and
– satisfy any minimum qualifications the Minister may prescribe to ensure that the audit
committee taken as a whole comprises persons with adequate financial knowledge and
experience (see note (a) below).
• must not be
– involved in the day to day management of the company’s business or have been involved
at any time during the previous financial year, or
– a prescribed officer, or full-time executive employee of the company or another related or
inter-related company, or have held such a post at any time during the previous three
financial years, or
– a material supplier or customer of the company, such that a reasonable and informed
third party would conclude that in the circumstances, the integrity, impartiality or object-
ivity of that member of the audit committee would be compromised
– a “related person” to any person subject to the above prohibitions.
Note (b): Regulation 42 requires that at least one-third of the members of a company’s audit committee
must have academic qualifications or experience in economics, law, accounting, commerce,
industry, public affairs, human resources or corporate governance.
Note (c): Section 94 is far more detailed and specific concerning the duties of a (statutory) audit com-
mittee. The duties of an audit committee are to:
• nominate for appointment as auditor of the company, a registered auditor who, in the
opinion of the audit committee, is independent of the company
• determine the fees to be paid to the auditor and the auditor’s terms of engagement
• ensure that the appointment of the auditor complies with the provisions of this Act, and any
other legislation relating to the appointment of auditors
• determine the nature and extent of any non-audit services that the auditor may provide to the
company, or that the auditor must not provide to the company, or a related company
• preapprove any proposed agreement with the auditor for the provision of non-audit services
to the company
• prepare a report to be included in the annual financial statements for that financial year:
– describing how the audit committee carried out its functions
– stating whether the audit committee is satisfied that the auditor was independent of the
company, and
– commenting in any way the committee considers appropriate on the financial statements,
the accounting practices and the internal financial control of the company
• receive and deal appropriately with any concerns or complaints, whether from within or
outside the company, or on its own initiative, relating to:
– the accounting practices and internal audit of the company
– the content or auditing of the company’s financial statements
– the internal financial controls of the company, or
– any related matter
• make submissions to the board on any matter concerning the company’s accounting policies,
financial control, records and reporting, and
• perform such other oversight functions as determined by the board.
4. Performance evaluation. In terms of Principle 9, the board should evaluate the performance of the audit
committee. The board should determine the methodology and frequency (at least every three years) of
the evaluation.
4/30 Auditing Notes for South African Students

5. Disclosure. In addition to any statutory disclosure requirements and the general disclosure requirements
relating to committees of the board (see page 4/27), there should be disclosures on:
• whether the audit committee is satisfied that the auditor is independent of the company with refer-
ence to:
– the policy and controls that address the provision of non-audit services and the nature and extent
of non-audit services rendered
– how long the audit firm has served (tenure)
– audit partner rotation and significant management changes during the audit firm’s tenure may
affect the familiarity risk between external audit and management.
• significant matters that the audit committee has considered in relation to the annual financial state-
ments and how these were addressed by the committee, for example, contentious accounting pol-
icies, the need to modify the audit report
• The audit committee’s view on:
– the quality of the external audit
– the effectiveness of the chief audit executive and the arrangements for internal audit
– the effectiveness of the design and implementation of internal controls
– the nature and extent of any significant weaknesses in the design, implementation or execution of
internal financial controls that resulted in material financial loss, fraud, corruption or error
– the effectiveness of the CFO and the finance function
– the arrangements in place for combined assurance and the committee’s views on its effectiveness.

Recommended practices – Committee responsible for nominations of members of the board


1. The board should consider establishing a nominations committee to oversee:
• the process for nominating, electing and appointing directors
• succession planning in respect of directors
• evaluation of the performance of the board.
2. Composition
• All members of the nominations committee should be non-executive directors.
• The majority of members should be independent non-executive directors.
• In terms of King IV, the chairperson of the board (assumed to be an independent non-executive
director) should be a member of the committee and may be elected as chair.
3. Performance evaluation. As with all board committees, Principle 9 requires that the board evaluate the
nominations committee’s performance. The methodology of frequency (at least every three years) of the
evaluation should be determined by the board.
4. Disclosure. The general disclosures as set out on page 4/27 pertaining to board committees should be
made regarding the nominations committee.

Recommended practices – Committee for risk governance


1. The board should consider allocating the oversight of risk governance to a dedicated committee, or
adding it to the responsibilities of another committee, for example the audit committee.
2. Composition
• The committee should include at least three directors.
• The committee should be made up of executive and non-executive directors the majority of whom
are non-executive.
• The chairperson of the board may be a member of the risk committee and may be the chairperson.
• If the audit and risk committees are separate, there should be an overlap of membership, namely,
certain individuals serving on both committees.
3. Performance evaluation. In terms of Principle 9, the board should evaluate the performance of the risk
committee. The board should determine the methodology and frequency (at least every three years).
Chapter 4: Corporate governance 4/31

4. Disclosure. The general disclosures as set out on page 4/27 pertaining to board committees should be
made in respect of the risk committee.
Note (a): The King IV Code recognises that companies operate in an increasingly volatile environment,
for example, constant change, developments in technology, civil protest and financial/economic
instability. The code addresses the fact that organisations need to strengthen their ability to
analyse complex situations, including the “not so obvious” risks (and opportunities) related to it.
Note (b): King IV also points out that risks and opportunities are closely related, and any form of risk
analysis should consider the associated opportunities.

Recommended practices – Committee responsible for remuneration


1. The board should consider allocating the oversight of remuneration to a dedicated committee or adding
it to the responsibilities of another committee.
2. Composition
• All members of the committee should be non-executive directors.
• The majority of members should be independent non-executive directors.
• The chairperson of the committee should be a non-executive director.
• The chairperson of the board should not be the chairperson of the remuneration committee.
3. Performance evaluation. In terms of Principle 9, the board should evaluate the performance of the remu-
neration committee. The methodology and frequency (at least every three years), should be determined
by the board.
4. Disclosure. The general disclosures as set out on page 4/27 pertaining to board committees should be
made in respect of the remuneration committee.

Recommended practices – Social and ethics committee


1. For companies that are not required in terms of the statute (see note (a) below), to appoint a social and
ethics committee, the board should consider allocating the oversight of, and reporting on, organisa-
tional ethics, responsible corporate citizenship, sustainable development and stakeholder relationships
to a dedicated committee or adding them to the responsibilities of another committee.
2. The responsibilities of a social and ethics committee should include its statutory duties (if applicable)
and any other responsibilities delegated to it by the board.
3. Composition
• The committee should include executive and non-executive directors.
• The majority should be non-executive directors.
• The committee should consist of no less than three directors.
• The chairperson of the board may be a member of the committee but should not be its chairperson.
Note (a): In terms of the Companies Act 2008:
• every state-owned company, and
• every public company, and
• any other company that has, in any two of the previous five years, had a public interest score
above 500 points must appoint a social and ethics committee.
Note (b): In terms of Companies Regulation 43, the function of this committee is to monitor the com-
pany’s activities, having regard to any relevant legislation, legal requirements or codes of best
practice, with regard to:
• social and economic development, including the company’s standing in terms of the goals and
purposes of:
– the United Nations Global Compact Principles
– the OECD recommendations regarding corruption
– the Employment Equity Act
– the Broad Based Black Economic Empowerment Act
4/32 Auditing Notes for South African Students

• good corporate citizenship


– promotion of equality, prevention of unfair discrimination and reduction of corruption
– development of communities in which it operates or within which its products are
predominantly marketed
– sponsorship, donations and charitable giving.
• the environment, health and public safety, for example, the impact of its products/services on
the environment
• consumer relationships, for example, advertising, public relations and compliance with con-
sumer protection laws
• labour and employment, for example, compliance with the International Labour Organisation
Protocol on decent work and working conditions, and its contribution to educational devel-
opment.
Note (c): King IV expands on the statutory duties of a social and ethics committee to have its activities
contributing to ethics, strategy and objectives beyond just concerning itself with compliance.
4. Performance evaluation. In terms of Principle 9, the board should evaluate the performance of the social
and ethics committee. The board should determine the methodology and frequency (at least every three
years).
5. Disclosure. The general disclosures as set out on page 4/27 pertaining to board committees should be
made in respect of the social and ethics committee.

4.2.3.4 Evaluations of the performance of the board


Principle 9. The board should ensure that the evaluation of its own performance and that of its committees,
its chairperson and its individual directors, supports continued improvement in its performance and
effectiveness
Recommended practices
1. The board should assume responsibility for evaluating its own performance and that of its chairperson
and individual directors by determining how it should be approached and conducted.
2. The board should appoint an independent non-executive director to lead the evaluation of the chair-
person if a “lead independent” non-executive director has not been appointed.
3. A formal process should be followed to evaluate the board’s performance, its committees, its
chairperson, and its directors at least every two years.
• The methodology for this process will be approved by the board.
• The process may be internally or externally facilitated.
4. Every alternate year, the board should schedule in its yearly work plan an opportunity for the board to
consider, reflect and discuss its performance and that of its committees, chairperson and directors.
5. Disclosure. The following should be disclosed in relation to the evaluation of the performance of the
board:
• A description of the evaluations undertaken during the reporting period:
– scope
– formal or informal
– internally or externally facilitated
• an overview of the evaluation results and remedial actions taken
• whether the board is satisfied that the evaluation process is improving its performance and effective-
ness.

4.2.3.5 Appointment and delegation to management


Principle 10. The board should ensure that the appointment of and delegation to management contribute to
role clarity and the effective exercise of authority and responsibilities
Recommended practices – CEO appointment and role
1. The board should appoint the CEO.
Chapter 4: Corporate governance 4/33

2. The CEO should be responsible for leading the implementation and execution of approved strategy,
policy and operating planning and should serve as the chief link between management and the board.
3. The CEO should not be:
• the chairperson
• a member of the remuneration, audit or nomination committees, but should attend by invitation
(recusing himself when matters of personal interest arise) if needed to contribute pertinent informa-
tion and insights.
4. The CEO and the board should agree on whether the CEO takes up additional positions, including
directorships of other companies. Time constraints and potential conflicts of interest should be balanced
against the director’s professional development.
5. The board should ensure a succession plan for the CEO, for succession in an emergency and in the long
term.
6. Performance evaluation
• The board should evaluate the CEO’s performance against agreed performance measures and targets
at least once a year.
• The board should determine the methodology and frequency (at least once a year) of the evaluation
of the CEO.
7. Disclosure. The following should be disclosed in relation to the CEO:
• the notice period stipulated in the CEO’s employment contract and the contractual conditions
related to termination
• any other professional commitments which the CEO has, including any directorships outside the
company (group), and
• whether a succession plan is in place for the position of CEO, in terms of emergency or longer-term
succession.

Recommended practices – Delegation


1. The basic premise is that although the board delegates certain powers and responsibilities, it does not
abdicate (give up) its accountability.
2. To this end, the board should:
• set the direction and parameters on the powers reserved for itself, and those delegated to manage-
ment via the CEO
• formalise the above by providing a “delegation-of-authority framework” and ensure that it is imple-
mented
• ensure that the delegation of authority addresses the authority to appoint executives who will serve
as ex officio executive members and other executive appointments, with the final approval of execu-
tive appointments being given by the CEO.
3. The board should oversee that key management functions, for example, risk management, ethics,
human resources, etc., are:
• headed by an individual with the necessary competence and authority
• properly resourced.
4. The board should ensure a succession plan for executive management and other key positions which
provides for both an emergency and long-term succession.
5. Disclosure. A statement by the board on whether it is satisfied that the delegation of authority frame-
work contributes to role clarity and the effective exercise of authority and responsibilities.

Recommended practices – Professional corporate governance services to the board


1. The board should ensure that it has access to professional and independent guidance on corporate gov-
ernance and its legal duties.
2. The boards of companies for which the appointment of a company secretary is not a statutory
requirement, should consider appointing a company secretary or other professional to provide corporate
governance services to the board.
4/34 Auditing Notes for South African Students

3. The board should:


• approve the arrangements for the provision of these services, including whether they should be out-
sourced to a juristic person, or whether a full-time or part-time appointment should be made
• ensure that the office of the company secretary/professional provider is empowered to carry the
necessary authority
• approve the appointment, employment contract and remuneration of the individual appointed to
render the services
• oversee that the person appointed has the necessary competence, gravitas (seriousness and decorum)
and objectivity to provide independent guidance and support at the highest level
• have primary responsibility for the removal of the company secretary/professional provider.
4. The company secretary/professional provider should:
• have unrestricted access to the board but should maintain an arm’s-length relationship for reasons of
independence; therefore, the company secretary/professional provider should not be a member of
the board
• report to the board (via the chairperson) on all functional matters and a member of the executive
management on administrative matters.
5. Performance evaluation. The performance and independence of the company secretary should be evaluated
by the board at least annually.
6. Disclosure. The arrangements in place for assessing professional corporate governance services and a
statement on whether the board believes the arrangements are effective should be disclosed.
Note (a): The company secretary is a key component of corporate governance. Section 86 to 89 of the
Companies Act 2008 make it mandatory for a public company or state-owned enterprise to
appoint a company secretary, describe the duties of the company secretary, and the resignation
or removal of the company secretary.
Note (b): Qualifications. The qualifications for a company secretary stipulated by the Companies Act 2008
are simple; the company secretary must have “the requisite knowledge of, and experience in,
relevant laws and be a permanent resident of the Republic”. However, King IV takes it further
by recommending that the company secretary (or corporate governance professional) should
have the necessary experience, expertise and qualifications to discharge the role effectively and
with the necessary “gravitas” (earnestness, seriousness, thoughtfulness). Remember that an
individual who is disqualified from being appointed as a director is disqualified from being
appointed as company secretary.
Note (c): In terms of section 88, the company secretary has the following duties:
• Provide the directors with guidance as to their duties, responsibilities and powers.
• Make the directors aware of any law relevant to the company.
• Report to the board on any failure on the part of the company or a director to comply with
the Companies Act 2008 or its MOI.
• Ensure that minutes of all meetings of:
– shareholders
– directors of the board
– board committees (including the audit committee)
are properly recorded.
• Certify in the AFS that the company has filed the necessary returns and notices in terms of
the Act, and whether all such returns and notices appear true, correct and up to date.
• Ensure that a copy of the AFS is sent to every person entitled to receive it.
These are statutory duties – the board may assign other duties to the board if it so wishes, for example:
• assist with director induction
• assist with the evaluation of the board and its committees
• keep board and committee charters up to date
• prepare and circulate board papers (for meetings)
• advise on matters of corporate governance.
Chapter 4: Corporate governance 4/35

4.2.4 Governance functional areas


4.2.4.1 Risk governance
Principle 11. The board should govern risk in a way that supports the company in setting and achieving its
strategic objectives
Recommended practices
1. The board should assume responsibility for risk governance by setting the direction for how risk should
be approached and addressed. Risk governance should include:
• the opportunities and associated risks to be considered when developing strategy (see note (a) below)
• the potential positive and negative effects of the same risks on achieving the company’s objectives.
2. The board should:
• treat risk as an integral part of making decisions and executing its duties
• approve the policy that articulates and gives effect to the direction it has set on risk
• evaluate and agree on the nature and extent of the risks that the company is prepared to take in
achieving its objectives, and should approve:
– the company’s risk appetite (propensity to take risks)
– the limit of the potential loss the company can tolerate.
3. The board should delegate to management the responsibility to implement and affect effective risk
management (see note (b) below).
4. The board should exercise ongoing oversight of risk management and in particular, oversee that it
results in the following:
• an assessment of risks and opportunities emanating from the triple context (social, economic and
environmental) in which the company operates and from the capitals that the company uses and
effects
• an assessment of the potential positive (upside) or adverse effects on achieving the company’s
objectives
• an assessment of the organisation’s dependence on resources and relationships as represented by the
various forms of capital
• the design and implementation of risk responses (see note (f) below)
• the establishment and implementation of business continuity arrangements that enable the company
to operate under conditions of volatility and to withstand and recover from acute shocks (see
note (e) below)
• the integration and embedding of risk management in the business activities and culture of the com-
pany (see note (e) below)
• See also note (d) below.
5. The board should consider the need to obtain periodic independent assurance on the effectiveness of
risk management.
6. Disclosure. The following information should be disclosed:
• the nature and extent of the risks and opportunities the company is willing to take (sensitive infor-
mation need not be disclosed)
• an overview of the arrangements for governing and managing risk
• key areas of focus during the reporting period including:
– key risks the company faces
– unexpected or unusual risks
– risks taken outside the company’s tolerance levels (if any)
• actions taken to monitor the effectiveness of risk management and how the outcomes (of moni-
toring) were addressed
• planned areas of future focus.
4/36 Auditing Notes for South African Students

Note (a): Risk and opportunity go hand in hand and are treated as a combination in terms of King IV.
Think of it like this: A pharmaceutical company has as one of its strategic objectives, to expand
its markets into Africa. The outbreak of serious viruses, for example Ebola or Zika, and more
recently Covid–19, presents the company with an opportunity to develop a suitable vaccine or
treatment to counter the virus, but this will require significant investment in research,
development and manufacture of the drug. This poses risks for the company, for example, the
risk that the company will not find a cure or that another company will beat them to it; or the
risk that the company’s reputation will suffer because it will exploit the situation for commercial
gain. There are many risks that need to be identified and evaluated before the opportunity is
taken.
Note (b): The board should delegate to management the responsibility for designing, implementing and
monitoring the process of managing risk and opportunity and integrating it into the day to day
activities of the company; for example a second-hand car parts dealer needs to have processes
(controls and procedures) in place to ensure that the company is not buying and selling parts
from stolen cars; a chicken producer needs to have processes to minimise the risk of disease; a
retailer must have processes in place to minimise loss from bad debts.
• As can be seen from the point above, risks are very diverse, but management, led by the chief
executive officer, remains responsible to manage those risks (and opportunities).
• In larger companies, a chief risk officer (CRO) may be appointed to manage risk and
opportunity. He should have access to the board and regularly interact with it on strategic
matters.
Note (c): In the performance of their day-to-day activities, all staff members are faced with a level of risk.
For example, a worker on an assembly line may be exposed to significant health risks, and a
credit controller is exposed to the risk of overextending credit. Some risks are far more
significant than others, but management should attempt to inculcate, by training and re-
enforcement, a culture of risk management. For example, the factory manager, foreman and
worker should ensure that the necessary protective clothing is worn and safety procedures are
followed to the letter.
Equally, a culture of identifying and following through on opportunities should be encouraged,
for example sales personnel may identify opportunities in the market, whilst a factory foreperson
or worker may identify an opportunity to reduce costs by changing an existing process.
Note (d): The board should oversee the adequacy and effectiveness of risk management, including:
• whether the existing fraud risk management policies and procedures are effective in
preventing, detecting and responding to fraud
• whether frameworks and methodologies to understand and deal with the probability of
anticipating unpredictable risks, for example collapse in the oil price
• in effect, this requires some “crystal ball gazing” by directors! The future is uncertain, and
any number of unexpected occurrences can severely affect a company’s sustainability. Such
occurrences can range from natural disasters, such as drought, flooding, war, and financial
collapse, and are frequently not predictable.
• However, directors are tasked with the duty to consider the sustainability of their companies,
and this principle requires that they keep abreast with political, physical, environmental,
economic, social, technological and trade trends. The company’s risk assessment process
should include sessions for directors at which the “unknown future” is analysed, brain-
stormed and debated possibly on a “what if” basis.
Note (f): Risk assessment and response. There are several frameworks for assessing risk which a company
might use. King IV is not prescriptive and does not provide such a framework. However, the
following paragraphs provide two simple frameworks which a company may use to assess risk
and which may give you a better understanding of the topic.

Risk assessment and response


1. There are models which quantify risk and companies may choose to make use of these. It may be suf-
ficient however, to classify risk as low, medium or high. The important point is that the board and man-
agement should develop a clear understanding of the severity of the risks and how they will manage the
Chapter 4: Corporate governance 4/37

risk. In determining the severity/significance of the risk, the board (risk committee) may consider such
things as:
• the probability of the risk occurring
• the potential effect of the risk (on the six capitals)
• how effective a risk response might be
• the threat to solvency, liquidity, and going concern.
2. In assessing risk, the board (risk committee) may take into account, among other things:
• stakeholder risks: for example, what risks will a proposed expansion of the company pose for the
community in which the expanded business operation will occur, such as an increase in pollution,
increased crime, or loss of recreational land?
• reputational risks: for example, will the company suffer a loss to its reputation if it fails to support a
particular cause or does not take appropriate action against a director convicted of fraud?
• compliance risk: in relation to legislation that significantly affects the company, for example, what
risks arise for the company if it does not adequately implement the Companies Act requirements?
Does an agreement with a competitor in the same business amount to price-fixing?
• ethics risk: for example, will introducing a bonus scheme for sales employees based on sales increase
the risk of unethical selling practices by sales personnel?
• sustainability issues: for example, is the risk of loss of employees through HIV/AIDS on the increase?
What is the risk of causing environmental damage if the company undertakes a particular project?
• corporate social investment, employee equity, BEE, skills development and retention: for example, is
there a risk of losing valuable skills because of poor remuneration packages? Is there a risk that a
new employee promotion strategy will fail to satisfy employee equity requirements?
• financial risk: for example, is there a risk that a new venture will not generate sufficient cash flow to
sustain itself? Is there a risk of severe adverse currency fluctuations?
• A company may also choose to use the six capitals as a framework for assessing risk (and oppor-
tunity), that is, consider risk in terms of the effect on the company’s financial, manufactured, human,
social and relationship, environmental and intellectual capitals.
3. Another framework for risk assessment may be to consider risk in the following categories:
• strategic risks: for example, the risks associated with adopting or changing company strategy, such as
the expansion of the manufacturing facility, entering a new market in a foreign country, or acquiring
another company
• operating risks: for example, risks relating to health and safety, and the environment, for a chemical
manufacturer
• financial risks: for example, the effect on cash flows should a company decide to move from a cash
sales basis to a credit sales basis, or the risk associated with committing the company to long-term
borrowing to finance an expansion
• information risks: for example, the risks associated with introducing electronic funds transfer for pay-
ment of creditors, or a retail company deciding to introduce online trading (note, this could also be
classified as a strategic risk)
• compliance risks: for example, the risk that a business decision may result in significant breaches of
legislation relating to pollution, the environment, taxation, price-fixing, foreign exchange, fraud, etc.
• reputational risks, for example, as above.
Risk identification should not simply amount to risk committee members giving their opinions; it
should be a process that uses data analysis, business indicators, market information, portfolio analysis,
etc.
4. Once the risks have been identified, the board, risk committee and management, should consider the
possible risk response options. Again there are various models to respond to risk, but options will
normally include:
• avoid or terminate the risk by not commencing or ceasing the activity which creates the exposure to
the risk, for example, if the company can no longer tolerate the risk of doing business in a foreign
country, then close that business down
4/38 Auditing Notes for South African Students

• treat, reduce or mitigate the risk for example, exposure to the risk of foreign exchange losses may be
treated, reduced or mitigated by taking forward cover
• transfer the risk to a third party, for example, if the company considers that the proper maintenance
of its computer system, database, etc., is at risk, it may decide to outsource this responsibility.
Taking out insurance is a common method of transferring risk
• accept the risk, for example, if a transport company’s risk assessment reveals that a 100% increase in
the cost of diesel to say R25 a litre will seriously jeopardise its going concern ability, but that the risk
of this occurring is low, the company may simply decide to accept the risk, rather than perhaps
replacing its fleet of vehicles with more fuel-efficient vehicles
• exploit the risk, for example, where a retailer of expensive clothing anticipates loss of market share
due to the economic downturn, it may decide to introduce a range of cheaper clothing to regain its
market share. This amounts to identifying and following through on opportunities.
• integrate several of the options given above.

4.2.4.2 Technology and information governance


Principle 12. The board should govern technology and information in a way that supports the company
setting and achieves its strategic objectives
Recommended practices
1. The board should assume responsibility for technology and information governance by setting the
direction for how they should be approached and addressed in the organisation.
2. The board should:
• approve a policy that articulates and gives effect to its set direction on the employment of technology
and information
• delegate the responsibility to implement and execute effective technology and information
management to management
• exercise ongoing oversight of technology and information management and ensure, in particular,
that it results in:
– integration of people, technologies, information and processes across the company
– integration of technology and information risks into company-wide risk management
– arrangements to provide for business resilience
– proactive monitoring of information to identify and respond to incidents, including cyber attacks
and adverse social media events
– management of the performance and risks associated with third parties and outsourced service
providers
– the assessment of value delivered to the company through significant investment in technology
and information
– the responsible disposal of obsolete technology (hardware) with regard to the environment and
information about information security (e.g. confidentiality)
– ethical and responsible use of technology and information
– compliance with relevant laws.
3. The board should exercise ongoing oversight of the management of information and oversee that it results
in the following:
• the use of information to sustain and enhance the company’s intellectual capital
• an information architecture that supports confidentiality, integrity and availability of information
• the protection of privacy of personal information
• the continual monitoring of the security of information.
4. The board should exercise ongoing oversight of the management of technology and oversee that it results
in:
• a technology architecture that enables the achievement of the company’s strategic and operational
objectives
• monitoring responses to developments in technology.
Chapter 4: Corporate governance 4/39

5. The board should consider the need to receive periodic independent assurance on the effectiveness of
the company’s technology and information arrangements.
6. Disclosure. The following should be disclosed about technology and information:
• an overview of the arrangements for governing and managing information and technology
• key areas of focus during the reporting period, for example, changes in policy, significant acquisi-
tions, response to major incidents
• actions taken to monitor the effectiveness of technology and information management and how
outcomes were addressed
• planned areas of future focus.
The notes to this section are included to provide you with a better understanding of the importance of
appropriate technology and information governance. They are based on King III and an initial draft of
King IV.
Note (a): It is not difficult to understand why technology and information governance is so important to
the modern-day business and why the associated risk is so vital to sustainable development.
Similarly, a company that does not take the opportunities offered by technology to develop its
business (or even keep up) will disappear. A bank that does not offer the latest computer-based
services, for example, electronic fund transfer, full internet banking, and ATMs, will lose cus-
tomers fast. Manufacturing companies may depend upon computers for inventory control,
production control and its entire integrated financial reporting system. An insurance company or
medical aid may have vast databases of confidential information which must not be com-
promised in any way if, among other things, reputational and financial damage is to be avoided.
Note (b): In addition to the types of risks arising from the few examples given above, the costs of
installing, running and maintaining a sophisticated computerised system can be considerable;
there is, therefore, a risk that the company could be wasting money if costs are not properly
controlled.
All of this requires a process of information technology (IT) governance that should focus on:
(i) strategic alignment with the business and collaborative solutions, including a focus on
sustainability. This simply means that IT and the business are totally interlinked. IT cannot
“stand alone” and equally, the business operations depend upon IT. It is, therefore,
imperative that IT supports the objectives of the business and that IT and business
managers collaborate in solving problems and developing both IT and the business itself;
for example, a company that wishes to introduce trading over the internet cannot hope to
be successful without working with its IT department. Similarly, an IT department should
not be busy developing software that does not meet the needs of the business!
(ii) value delivery, optimising expenditure and proving the value of IT. The board should not
approve IT projects before a thorough cost/benefit analysis that demonstrates the value of
the IT project has been done. Once a project is up and running, it should be regularly
evaluated to determine whether the expected “return on investment” is being achieved
(iii) risk management, safeguarding IT assets, disaster recovery and continuity of operations
(iv) resource management, optimising knowledge and IT infrastructure. This means that part of
IT governance is ensuring that maximum (optimal) benefit is gained from the use of the IT
resources which the company has at its disposal.
Note (c): The responsibility for implementing policy and for embedding it into the day-to-day, medium-
and long-term decision-making, activities and culture of the company should be delegated to
management; for example, an IT steering committee may be formed, and a chief information
officer (CIO) appointed to interact regularly with the board on strategic and other matters.
Note (d): The board should oversee the adequacy and effectiveness of the technology and information
management, including:
(i) exploitation (making use of) opportunities offered by technology and digital developments,
for example, social media for communicating with customers, developing company-
specific apps for smartphones
(ii) ethical and responsible use of technology and information, for example, selling customer
information, or bombarding customers with unwanted or undesirable advertising on
cellphones
4/40 Auditing Notes for South African Students

(iv) whether management manages information in a manner that increases the intellectual
capital in the company, for example analysing data and making use of Internet search
engines to obtain the latest information
(v) the integration of people, technology, information and processes within the company and
its environment; for example, the ongoing assessment of return on investment in tech-
nology or an investment in a new inventory control system
(vi) compliance with relevant laws, for example, laws relating to electronic trading and privacy
of information.
Note (e): The board should oversee the management of cyber-security risks:
(i) Cyber-security risks should be integrated into risk and opportunity management.
(ii) Responsibilities for cyber-security should be delegated to competent and capable individ-
uals expert in cyber-security. (Cyber-security is of paramount importance to the company
and therefore should be of paramount importance to the board. Substandard cyber-security
threatens virtually all aspects of a large company and can pose a significant threat to the
company’s sustainable development, reputation and financial well-being.)
(iii) Management of cyber-security should include a cyber-security plan that has:
• the technical tools for defence, for example, hacking of the data on the system
• training, education, and actions create a culture where employees are alert to cyber-
security risks and proactive in raising concerns.
(iv) Critical IT-related events and incidents must be monitored, for example, attempted
hacking, assisting with preventing and detecting cyber breaches, combined with an ongoing
revision of cyber-security policy based on external (and internal) developments, for
example, the emergence of new viruses.
(v) A continuity and disaster recovery plan must be implemented and maintained.
(vi) Periodic formal review of the adequacy and effectiveness of the company’s technology and
information management
Note (f): Information security has three components:
• confidentiality: information should be accessible only to those authorized to have access
• integrity: the accuracy and completeness of information and processing must be safeguarded
• availability: authorised users have access to information when required.
Note (g): Sound cyber-security contributes, for example:
• to building trust between the company and its business partners, customers and employees;
for example, if weaknesses in IT security in an online trading company such as Amazon or
Takealot result in confidential information about registered customers becoming freely
available, customers will simply not be prepared to use the site. Without this trust, new
business strategies attempted by the online trading company are unlikely to succeed.
• sustaining normal business operations: for example, if a company’s system “crashes” frequently
and users cannot get information, the company will lose business. If your bank is frequently
offline you are eventually going to look for a new bank. If you cannot access an online
trading store, you are going to search for another store.
• avoiding unnecessary costs: brought about by failures in cyber-security. This is similar to the
previous benefit but perhaps less obvious. For example, breaches in confidentiality could lead
to litigation (very costly) and/or the need to spend money on repairing the reputational
damage (marketing campaigns, etc.) which such litigation often brings.
• meeting compliance requirements: companies must comply with the law in numerous ways, for
example, a company must pay VAT. If the process of recording VAT is not secure and the
database on which the VAT information is stored is not safeguarded, the amount of VAT
indicated as payable may be inaccurate and incomplete or may not be available at all.
These are just a few examples of the importance of cyber-security but should be sufficient to illustrate its
major importance.
Chapter 4: Corporate governance 4/41

4.2.4.3 Compliance governance


Principle 13. The board should govern compliance with applicable and adopted laws non-binding rules, codes
and standards in a way that supports the organisation being ethical and a good corporate citizen
Recommended practices
1. The board should assume responsibility for compliance governance by setting the direction for how
compliance should be approached and addressed in the company.
2. The board should approve a policy that articulates and gives effect to its direction on policy and
identifies which non-binding rules, codes and standards the company has adopted.
3. The board should delegate responsibility for the implementation and execution of effective compliance
management to management.
4. The board should exercise ongoing oversight of compliance and oversee that it results in:
• compliance being understood for not only the obligations it creates but also for the rights and protec-
tions it creates
• compliance is viewed holistically concerning how laws, rules, codes and standards relate to one
another
• continual monitoring of the regulatory environment and appropriate responses to changes and devel-
opments.
5. The board should consider the need to receive periodic independent assurance on the effectiveness of
compliance management.
6. Disclosure. The following should be disclosed about compliance:
• an overview of the arrangements for governing and managing compliance
• key areas of focus during the reporting period
• actions taken to monitor the effectiveness of compliance management and how the outcomes were
addressed.
• planned areas of future focus
• any material or repeated regulatory penalties, sanctions or fines for contraventions of, or non-com-
pliance with statutory obligations imposed on the company, or on directors or officers
• details of monitoring and compliance inspections by environmental regulators, findings of non-com-
pliance with environmental laws, or criminal sanctions and prosecutions for such non-compliance.
Note (a): The responsibility for implementing policy, and embedding it into the day-to-day, medium and
long-term decision-making activities and culture of the company should be delegated to manage-
ment, for example a compliance officer may be appointed to take on this responsibility.
Note (b): The board should oversee the management of compliance to ensure that:
(i) directors, management and employees across the company, understand the obligations the
law creates but also the protection it affords in relation to their particular functions, for
example an employee working on the factory floor should be aware of the rights he has
with regard to safety in the workplace
(ii) compliance about how laws, rules, codes and standards relate to one another is viewed
holistically
(iii) management has relationships with regulators and professional bodies which enable it to
contribute to (influence) the regulatory environment in which the company operates, for
example by serving on committees that formulate industry-specific regulations and
standards
(iv) compliance management is responsive to changes in laws, regulations, etc., such as
implementing labour legislation changes.

4.2.4.4 Remuneration governance


Principle 14. The board should ensure that the company remunerates fairly, responsibly and transparently so
as to promote the achievement of strategic objectives and positive outcomes in the short, medium and long
term
1. Perhaps due to the numerous scandals relating to executive remuneration (particularly relating to, but not
confined to, the banking industry), King IV seeks increased accountability on remuneration. Fair and
4/42 Auditing Notes for South African Students

responsible remuneration is now seen as a corporate citizenship matter, and King IV recommends that
it be overseen by the social and ethics committee in collaboration with the remuneration committee.
King IV also recommends extended remuneration disclosures (in a prescribed format), which
supplements the disclosure requirements of the Companies Act 2008.
2. The recommended practices are covered in the following subsections:
Remuneration policy....................................................................................................... Page 4/42
Remuneration report
(i) background statement ............................................................................................. Page 4/42
(ii) overview of the policy ............................................................................................. Page 4/43
Implementation report .................................................................................................... Page 4/43
Voting on remuneration .................................................................................................. Page 4/43
3. Bear in mind that in terms of King IV, the company should have a remuneration committee:
• the chairperson should be an independent non-executive director
• all members should be non-executive directors, the majority of whom should be independent.
4. Also, bear in mind that section 30 of the Companies Act 2008 requires full disclosure of directors’ (and
prescribed officers’) remuneration to be made in the annual financial statements of each company
required by the Act to have its financial statements audited.
Recommended practices – Remuneration policy
1. The board should assume responsibility for the governance of remuneration by setting the direction for
how remuneration should be approached and addressed on an organisation-wide basis.
2. The board should approve a policy that articulates and gives effect to its direction on fair, responsible
and transparent remuneration.
3. The remuneration policy should be designed to achieve the following:
• attract, motivate, reward and retain human capital
• promote the achievement of strategic objectives
• promote positive outcomes
• promote an ethical culture and responsible corporate citizenship.
4. The remuneration policy should specifically provide for:
• ensuring that the remuneration of executive management is fair and responsible in the context of
overall employee remuneration in the company
• the use of performance measures that support positive outcomes across the economic, social and
environmental context and/or all the capitals the company uses or effects
• voting by shareholders on the remuneration policy and implementation report.
5. All elements of remuneration and the mix of these should be set out in the remuneration policy,
including:
• basic salary, plus financial and non-financial benefits
• variable remuneration, including short- and long-term incentives
• payments on termination of employment or office
• sign-on, retention and restraint payments
• commissions and allowances
• fees of non-executive directors.
6. The board should oversee that the implementation and execution of the remuneration policy achieve
the policy’s objective.
Recommended practices – The remuneration report
1. The background statement. This should briefly provide the context for remuneration considerations and
decisions with reference to:
• internal and external factors that influenced remuneration, for example, the need for specialist skills,
and remuneration levels in the industry
Chapter 4: Corporate governance 4/43

• the most recent results of voting on the remuneration policy and the implementation report and the
measures taken in response to it
• the focus areas of the remuneration committee, and any substantial changes to the remuneration
policy, for example, a project focused on devising and implementing a fair incentive scheme for all
grades of employee
• whether remuneration consultants have been used and whether the remuneration committee is
satisfied that they were independent and objective
• the opinion of the remuneration committee on whether the implementation of the policy has
achieved stated objectives, for example, the retention of talented individuals
• future areas of focus, for example, pre-empting remuneration issues relating to a potential skills
shortage in the medium term.
2. Overview of the remuneration policy. The overview should address the policy’s objectives and how the
policy seeks to accomplish these. The overview should include the following:
• the remuneration elements, for example basic salary and commissions and design principles (e.g.
mix, tax efficiency) driving and influencing the remuneration for executive management and other
employees
• details of obligations in executive employment contracts which could give rise to payments on ter-
mination of employment or office; for example, a director being compensated for loss of office is a
change in business strategy and makes his position as a director redundant
• a description of the framework and performance measures used to assess the achievement of strat-
egic objectives and positive outcomes
• an illustration of the potential consequences on total remuneration for executive management of
applying the remuneration policy under minimum, on-target and maximum performance outcomes;
for example, if performance outcomes exceed t targets, what the potential increase in remuneration
is expected to be
• a statement of how fairness and responsibility were achieved in employees’ remuneration in relation
to executive directors and vice versa
• for non-executive directors, the basis of computation of fees, for example, could be based on the
skills the non-executive director brings to the board or could be an appropriate attendance fee
• justification for using benchmarks; for example, for performance evaluation or selling remuneration
in terms of industry norms
• a reference (electronic link) to the company’s full remuneration policy for public access.

Recommended practices – The implementation report


The report, which includes the remuneration disclosures in terms of the Companies Act, should reflect:
• the remuneration of each member of executive management, which should include in separate tables:
– a single, total figure of remuneration received and receivable for the reporting period, and all the
remuneration elements that it comprises, each disclosed at fair value
– the details of all awards made under variable remuneration incentive schemes that were settled
during the reporting period
• an account of the performance measures used and the relative weighting of each, as a result of which
awards under variable remuneration incentive schemes have been made
• separate disclosure of, and reasons for, any payments made on termination of employment or office
• a statement regarding compliance with, and any deviations from, the remuneration policy.

Recommended practices – Voting on remuneration


1. Fees for non-executive directors for their services as directors must be submitted for approval by specific
resolution by shareholders within the two years preceding payment.
2. The remuneration policy and implementation report should be tabled every year for separate non-binding
advisory votes by shareholders at the AGM. (See note (a) below.)
3. The remuneration policy should record the measures that the board commits to take if either the
remuneration policy or the implementation policy or both have been voted against by 25% or more of the
4/44 Auditing Notes for South African Students

voting rights exercised. Such measures should provide for taking steps in good faith and with best
reasonable effort towards at least:
• an engagement process to ascertain the reasons for the dissenting vote
• appropriately addressing legitimate and reasonable objections and concerns raised.
4. In the event that either or both the policy or report are voted against by 25% or more of the voting rights
exercised, the following should be disclosed in the background statement of the remuneration report for
the following year:
• with whom the company engaged, and the manner and form of the engagement to ascertain the
reasons for dissenting votes
• the nature of steps taken to address legitimate and reasonable objections and concerns.
Note (a): A non-binding advisory vote takes place when the directors ask the shareholders to endorse, for
example (in this case) the remuneration policy. If the shareholders do not approve the resolution
(endorse the policy), the vote is not binding on the directors, in other words, they do not have to
change the policy, but they should “be advised” that the shareholders are not satisfied. This
should obviously be taken into account by the remuneration committee in setting future policy.
Note (b): In terms of King IV, in the event that either or both the remuneration policy or the implementation
policy are voted against by 25% or more of the voting rights exercised, the remuneration
committee should proactively address the shareholders’ concerns. The remuneration committee
should ensure that there is disclosure in the following year of the steps that were taken to address
shareholders’ concerns regarding the nature of the engagement with the shareholders; for
example, meetings, questionnaires, etc., and their outcomes.
Note (c): When evaluating the performance of the remuneration committee (and considering re-appoint-
ments to the committee), the board should consider the results of any non-binding advisory
votes and the committee’s subsequent actions, for example, the rejection of the policy by a
majority of the shareholders is a strong indication that the remuneration committee is not doing
its job!

4.2.4.5 Assurance
Principle 15. The board should ensure that assurance services and functions enable an effective control
environment and that these support the integrity of information for internal decision-making and of the
organisation’s external reports
This principle is dealt with in the King IV Code in three sections:
• Combined assurance ........................................................................................................ Page 4/44
• Assurance of external reports............................................................................................ Page 4/45
• Internal audit ................................................................................................................... Page 4/46

Recommended practices – Combined assurance


1. The board should assume responsibility for assurance by setting the direction concerning the arrange-
ments for assurance services and functions.
2. The board should delegate to the audit committee, the responsibility for overseeing that the arrangements
are effective in achieving the following objectives:
• enabling an effective internal control environment
• supporting the integrity of information used for internal decision-making by management, the board
and its committees
• supporting the integrity of external reports.
3. The board should satisfy itself that a combined assurance model is applied that incorporates and
optimises the various assurance services and functions so that, taken as a whole, these support the
objectives in point 2 above (see note (a) below).
4. The board should ensure that the combined assurance model is designed and implemented to cover the
company’s significant risks and material matters effectively through a combination of the following
assurance service providers and functions:
• the company’s line functions that own and manage risks
Chapter 4: Corporate governance 4/45

• the organisation’s specialist functions that facilitate and oversee risk management and compliance
• internal auditors, internal forensic fraud examiners, safety assessors, etc.
• independent external assurance service providers, for example external auditors
• other external assurance providers, for example, environmental auditors, and external actuaries
(who provide assurance with regard to pension liabilities)
• regulatory inspectors, for example health and safety inspectors.
5 The board and its committees should assess the output of the organisation’s combined assurance with
“objectivity” and “professional scepticism” and, by applying an enquiring mind, form their own
opinion on the integrity of information and reports and the effectiveness of the control environment.
Note (a): The concept of the combined assurance model was introduced into corporate governance by
King III. Perhaps think about it like this; providing assurance means adding credibility to some-
thing. Ultimately a stakeholder using reports and other information disclosed by the company
wants to be satisfied (assured) that the information is reliable and can be “believed”. For
example, the company’s bank wants assurance that the company’s annual financial statements
are fairly presented, so they require externally audited financial statements. Similarly, a director
who is required to issue a report to the local community on the environmental impact of a
proposed mining operation will want to be assured that the information he is passing on to the
community, is reliable and factually correct. He wants to be sure that the risk (and opportunities)
related to the project have been carefully and reliably assessed by the risk committee and that
any environmental impact reports have been “audited” by suitably qualified company personnel
such as geologists and engineers. The board itself will want to be satisfied (assured) that the
external audit has been efficiently and effectively carried out and that the internal audit function is
achieving its objectives. This assurance is obtained by appointing an audit committee to oversee
these two assurance providers. At a lower level, line managers, section heads, etc. want
assurance that the information they are receiving and on which they base their decision, is
reliable. Much of this information is provided by the internal control system. If the system is
properly designed and appropriate control activities are implemented (e.g. approval and author-
isation), line managers and section heads gain some assurance that the information on which
they are basing their decisions is valid, accurate and complete. However, do they and others
such as the directors, not want assurance that the internal control system is operating as it
should? Yes, they do, and this assurance is going to be provided by the internal and external
audits which are likely to “test” the system, and possibly by the risk committee to ensure that the
system addresses any relevant risks adequately. There are any number of decisions being taken
in a large company by many individuals and committees on a wide variety of matters. The
combined assurance model attempts to intertwine the various levels of assurance to provide all
decision-makers with information that they believe can be relied upon when making decisions.

Recommended practices – Assurance of external reports


1. The board should assume responsibility for the integrity of external reports issued by the company by
setting the direction for how assurance of these should be approached and addressed.
2. The board’s direction in this regard should take into account legal requirements in relation to assurance
(e.g. financial statements to be externally audited) with the following additional considerations:
• whether assurance should be applied to the underlying data used to prepare a report, or to the pro-
cess of presenting a report, or both
• whether the nature, scope and extent of assurance are suited to the intended audience and purpose
of a report
• whether the specification of applicable criteria for the measurement or evaluation of the underlying
subject matter of the report has been done (see note (a) below).
3. The board should satisfy itself that the combined assurance model is effective and sufficiently robust to
be able to place reliance on the combined assurance underlying the statements the board makes about
the integrity of the company’s external reports, in other words, does the quality of the combined
assurance model justify the board’s confidence in the integrity of the reports?
4/46 Auditing Notes for South African Students

4. Disclosure. External reports should disclose information about the type of assurance process applied to
each report in addition to the independent external audit opinions required in terms of legislation. This
information should include:
• a brief description of the nature, scope and extent of the assurance functions, services and processes
underlying the preparation and presentation of the report
• a statement by the board on the integrity of the report and the basis for this statement.
Note (a): As we have seen, the board of a company will want to ensure that reports issued by the company
have integrity. This means that the reports are reliable (i.e. valid, accurate and complete) and
useful (i.e. the reports reflect relevance, consistency and measurability). Users also want to be
appropriately assured of a report’s integrity. However, assurance cannot be given without pro-
viding some set of standards against which the assurance is measured. In the case of annual
financial statements, this is reasonably straightforward – an external auditor provides assurance
that the financial statements are fairly presented in terms of the reporting standards of IFRS and
the requirements of the Companies Act 2008. The auditor also knows what he is required to do
to be in a position to give that assurance, namely that he must comply with the auditing
standards. For other reports, such as an environmental report or a report on the company’s social
responsibility performance, there may be no overriding standards/criteria that must be complied
with. Thus the audit committee is tasked with “applying its mind to assurance requirements over
reports” and how “overseeing of assurance provided” will be carried out.

Recommended practices – Internal audit


1. The board should assume responsibility for the internal audit by setting the direction for the internal
audit arrangements needed to provide objective and relevant assurance that contribute to:
• the effectiveness of governance
• risk management
• control processes.
2. The board should delegate oversight of internal audit to the audit committee.
3. The board should approve an internal audit charter which defines:
• the role and responsibilities of the internal audit
• the authority of the internal audit
• the role of the internal audit within combined assurance
• the internal audit standards to be adopted.
4. The board should ensure that the arrangements for the internal audit:
• provide the necessary skills and resources to address the complexity and volume of risk faced by the
company
• ensure the internal audit is supplemented as required by specialist services by, for example, forensic
fraud examiners, safety assessors, etc.
5. With regard to the chief audit executive (CAE):
• The CAE should function independently from management, which designs and implements
controls.
• The CAE should carry the necessary authority.
• The CAE’s appointment, employment contract and remuneration should be approved by the board.
• The board should ensure that the individual appointed has the necessary competence, gravitas
(seriousness and decorum) and objectivity.
• For reasons of independence, the CAE:
– should have access to the chairperson of the audit committee
– should not be a member of executive management but should be invited to attend executive
meetings.
• The CAE should report functionally to the chairperson of the audit committee and administratively
to a member of the executive management.
• Where internal audit services are co-sourced or outsourced, the board should ensure clarity on who
fulfils the role of CAE.
Chapter 4: Corporate governance 4/47

• The board should have primary responsibility for the removal of the CAE.
• The board should obtain annual confirmation from the CAE that the internal audit conforms to the
profession’s code of ethics.
6. The board should monitor, on an ongoing basis that the internal audit:
• follows the approved risk-based internal audit plan
• reviews the organisational risk profile regularly and proposes adaptations to the audit plan accord-
ingly.
7. The board should ensure that the internal audit provides an annual overall statement y about the effect-
iveness of the company’s governance, risk management and control processes.
8. The board should ensure that an external, independent quality review of the internal audit function is
conducted at least once every five years.
Note (a): King IV confirms that the internal audit plays a pivotal role in corporate governance, and that an
internal audit function should strive for excellence. Change, the complexity of business,
organisational dynamics and a more stringent regulatory environment require that (large)
companies maintain an effective internal audit function.
Note (b): Internal audit services may be provided by a department within the company itself, or may be
outsourced; for example, many large auditing firms provide internal audit services to non-audit
clients.
Note (c): The internal audit’s key responsibility is to the board through the audit committee. It assists the
board in discharging its governance responsibilities by:
• performing reviews of the company’s governance process, including ethics
• performing an objective assessment of the adequacy and effectiveness of risk management
and internal controls
• systematically analysing and evaluating business processes and associated controls
• providing a source of information regarding fraud, corruption, unethical behaviour and
irregularities.
Note (d): The internal audit function should adhere to the Institute of Internal Auditors Standards for the
Professional Practice of Internal Auditing and Code of Ethics.
Note (e): The audit committee should ensure that the internal audit:
• brings a systematic, disciplined approach to its function which results in
• an ongoing improvement to risk governance and the control environment.
Note (f): The audit committee should ensure that the internal audit follows a risk-based internal audit plan.
• A compliance-based approach to internal audit sets out to determine whether or not the com-
pany is complying sufficiently with internal controls and other rules and regulations. This
was not regarded as sufficiently productive by King III and the recommendation (which has
been confirmed by King IV) was that internal audit be risk based, that is, that the internal
audit function gains a thorough understanding of the risks which the business faces as well as
considering whether there are risks which have not been identified, and then conducts tests to
determine that an appropriate risk management process is in place and being properly
conducted. This does not mean that there will be no “internal control or other compliance
testing”. This will still occur as part of the overall function of the internal audit.
• A risk-based audit approach to internal audit (as opposed to a compliance-based approach)
should be adopted. An audit plan should be developed and discussed with the audit com-
mittee. The plan should:
– address the full range of risks facing the company; for example, strategic, operational,
financial, ethical, fraud, IT, human and environmental
– identify areas of high priority, the greatest threat to the company, risk frequency and
potential change
– indicate how assurance will be provided on the risk management process and how the
plan reflects the level of maturity of the risk management process. Note: The more mature
(developed, effective, and well-implemented) the risk management process, the more
4/48 Auditing Notes for South African Students

comprehensive the plan can be – it is very difficult to give assurance on an immature risk
management process
– have any changes to it timeously approved/ratified by the audit committee.
Note (g): The CAE will set the tone of the internal audit function and should have at least the following
attributes:
• strong leadership
• command respect for his competence and ethical standards
• be a strong communicator, facilitator, influencer, networker and innovator
• have a practical approach
• be able to think strategically and have strong business analysis skills.

4.2.4.6 Stakeholder relationships


Principle 16. In the execution of its governance role and responsibilities, the board should adopt a stake-
holder-inclusive approach that balances the needs, interests and expectations of material stakeholders in the
best interests of the organisation over time
Recommended practices – Stakeholder relationships
1. The board should assume responsibility for the governance of stakeholder relationships by setting the
direction for how stakeholder relationships should be approached and conducted.
2. The board should approve policy that articulates and gives effect to the direction on stakeholder
relationships.
3. The board should delegate to management, the responsibility for implementation and execution of
effective stakeholder relationship management.
4. The board should exercise ongoing oversight of stakeholder relationship management and oversee that
it results in the following:
• methodologies for identifying individual stakeholders and stakeholder groupings (see note (a)
below).
• determination of material stakeholders based on the extent to which they affect, or are affected by,
the activities, outputs and outcomes of the company.
• management of stakeholder risk as an integral part of company risk management, for example the
risk of causing harm to a community due to pollution from production
• formal mechanisms for engagement and communication with stakeholders (see note (g) below),
including the use of dispute resolution mechanism and associated processes (see note (h) below)
• measurement of the quality of material stakeholder relationships and responses to the outcomes (of
the measurement exercise).
5. The board should ensure that the company encourages proactive engagement with shareholders,
including engagement at the AGM.
6. All directors should be available at the AGM to respond to shareholder’s queries on how the board
executed its governance duties.
7. The board should ensure that the designated auditor (external) attends the AGM.
8. The board should ensure that the shareholders are equitably treated and that the interests of minorities
are protected.
9. The minutes of the AGMs of listed companies should be made public.
10. Disclosure. The following should be disclosed:
• an overview of arrangements for governing and managing stakeholder relationships
• key areas of focus during the reporting period
• actions taken to monitor the effectiveness of stakeholder management and how the outcomes were
addressed
• future areas of focus.
Chapter 4: Corporate governance 4/49

Note (a): Stakeholders in a company go well beyond the obvious, for example shareholders and employ-
ees. Stakeholders are any group that can affect or be affected by the company, and include share-
holders, employees, creditors, lenders, suppliers, customers, regulators, the media, analysts, the
community in which the company may operate, etc. A company does not operate in a vacuum –
it is a widely interactive entity. The board should therefore identify stakeholders to ensure that
they are accommodated in the reporting process.
Note (b): A particular stakeholder group’s effect on the company may be direct or indirect. For example, it
is reasonably obvious that a long-term strike will directly affect the operations of the company
(and hence sustainability); it is less obvious that there may be an indirect negative effect on the
reputation of the company (perceived to be a poor employer), which may also affect its ability to
create value sustainably because it cannot attract quality staff.
Note (c): The stakeholder-inclusive corporate governance approach aims to manage the relationship
between a company and its stakeholders. Such an approach will have a good chance of
enhancing stakeholder confidence, relieving tensions and pressures, enhancing/restoring the
company’s reputation, and aligning differing expectations, ideas and opinions on issues. This
increases social and relationship capital.
Note (d): Managing stakeholder relations should be proactive. It is mainly about communication (and
constructive engagement) both formal (AGM, meetings with regulators) but can also be through
informal processes, such as social functions, websites, media, “feedback” sessions to the com-
munity, employees, etc.
Note (e): Essentially, this principle requires that companies promote positive, constructive stakeholder
activism. Obviously, the board needs to act in the company’s best interests and must guard
against activism that seeks to damage the company’s operations or reputation. For example, a
disgruntled journalist may seek to damage the company by constant negative reporting. The
board will need to react carefully to this to ensure that the journalist’s cause is not strengthened
by, for example, aggressive personal attacks in the media on the journalist.
Note (f): The major stakeholders and the underlying factors on which the relationships with these stake-
holders should be built are as follows:
Suppliers: • It is in the company’s interest to have stable suppliers who supply products
or services of the necessary quality at an acceptable price when required.
• This is especially important for suppliers of strategic products or services; for
example, a sugar milling company is entirely reliant on its transport supplier
to deliver sugar cane to the mill if it has outsourced this function. Equally,
the transport company will have invested heavily in capital expenditure and
needs the contract with the sugar milling company to remain in business.
• A mutually beneficial relationship contributes to the sustainability of both
companies.
Creditors: • These are stakeholders to whom the company owes money. The company
should be mindful that creditors, if not paid, have the power to have business
rescue processes imposed on the company and, in more severe situations,
have the company liquidated.
• Creditors should be managed accordingly, paid on time at the correct
amount. Payment terms should be fair to both parties.
• Creditors are usually suppliers either of goods, services or finance and a
mutually beneficial relationship should be developed. For example, a
supermarket chain should not push its payment terms for smaller suppliers to
120 days when they should be 60 days, just because it has the power to do
so, knowing that the small supplier depends on the supermarket chain.
Employees: • Employees are arguably the most important asset the business has and are
very often the difference between successful and unsuccessful businesses.
• Companies should engage their employees in improving the business,
ensuring that employees at all levels benefit from the improvement: for
example, incentive schemes, bonuses, etc.
4/50 Auditing Notes for South African Students

• The company should also ensure that employees can develop their potential
and capabilities by providing training, a healthy and safe working
environment and the opportunity for employees to advance in the company.
• Proper leadership, which includes strong communication with employees, is
essential. Failing to manage employees properly may result in low morale,
poor productivity and work quality, strikes, “go-slows”, or even sabotage.
Good quality staff may be difficult to recruit and keep in the business.
Government: • Although perhaps not obviously, government is very much a stakeholder.
• A company should abide by the laws of the land and pay taxes due by it in
whatever form the tax may be; for example, normal tax, VAT, import duties,
etc. Where a company is required to comply with withholding tax
provisions, it should do so.
• All employees who deal with government (including local and provincial)
and civil servants at any level should:
– act in a manner which promotes mutual respect and co-operation
– not engage in any form of corruption with government at large or any
civil servant.
• Companies should not give “major gifts” to politicians or other government
officials and should consider carefully whether it is appropriate to make
financial contributions to political parties or similar groupings.
External
auditors: • The company should not view the external audit function as an unnecessary
cost or threat to, or imposition on, management.
• There is little doubt that a properly conducted external audit is of real value
to a company. It adds significant credibility to the financial statements and is
an integral independent element of the combined assurance model. The audit
may also be an early warning system of pending problems.
• Essentially, the external auditor is appointed by and accountable to the
shareholders, but in reality he indirectly benefits all stakeholders.
• External audits work mainly with management and the audit committee,
and company policy should promote co-operation between the parties, a free
flow of information and an appreciation of the independence requirements of
external audit.
Consumers/
customers: • The saying “the customer is king” has a great deal of truth to it. Without
customers, the company is not sustainable – it cannot create value.
Customers using the company’s products and services can range from
individuals to government to large corporations.
• For customers to respect a company, the company:
– should market responsibility; for example, not glorify products that can
be harmful to health, such as cigarettes, alcohol, certain food products
– should communicate product information’ for example, content break-
down on foodstuffs, and safety precautions for electrical products
– should not sell products that, for example, are harmful to the environ-
ment, customers’ health or that have been manufactured in labour
“sweatshops” or under other adverse situations
– should price goods fairly and in line with the quality of the goods.
Industry: • A company’s sustainable development and value creation are dependent on
other entities within its sphere of operations. A company should therefore
acknowledge its responsibility to its industry as a whole.
• To achieve this, a company should participate in or facilitate forums to
address industry risks and opportunities, and most industries have such
bodies.
Chapter 4: Corporate governance 4/51

• Companies should not engage in anti-competitive practices/price-fixing. It is


against the law and counter-productive to the general economy and public.
For example, price-fixing by fertiliser companies will result in substantial
fines for the companies involved, considerable increases in fertilizer costs for
farmers, and increases in food prices for the public.
Local
communities: • Every company operates in a community to some degree or another. A
community may be dependent on the company and may have been created
by the company; for example, a remote mining or forestry operation.
• Looking after its community amounts to a company being a good corporate
citizen and should be geared to enhancing the lives of local communities by
health programs, schooling, sporting opportunities, etc.
Media: • The media provides a window into the company for many stakeholders.
Media companies employ financial journalists, many of whom have signifi-
cant knowledge about the company and a platform to air their views.
• It is important that a mutual relationship of trust be developed between the
company and the media. If this is to be achieved, the company should be:
– open to communication with the media
– accurate and truthful with the information it provides to the media
– professional in its approach; for example, not aggressive or condescend-
ing
– objective when assessing reporting by the media; for example, not over-
reacting when a journalist criticises the company.
• Likewise, the reporting journalist should:
– be knowledgeable and experienced
– report accurately and fairly without sensationalism.
• As with all forms of communication, the company is not expected to com-
promise its confidentiality standards or its competitive edge.
Regulators: • A regulator is defined as a body that seeks compliance either on a mandatory
or voluntary basis, with a set of rules or regulations or a code. For example,
the JSE “regulates” listed companies and most industries have bodies that
regulate practices within their specific industries.
• The relationship between a company and its regulators is similar to that
between a company and government. The company should comply with
regulations, pay any fees due, deal with the regulator’s employees with pro-
fessionalism and not engage in dubious practices to circumvent a regulation
such as attempting to bribe an official who is carrying out a regulatory health
inspection.
Potential
investors: •Potential investors, namely those who may be seeking to invest as opposed
to existing shareholders, will expect high standards of corporate governance,
board integrity and confidence in the sustainability of the business of the
company.
• To enable potential investors to evaluate these aspects, clear and transparent
disclosure should be available to them, possibly on a website, contained in
media releases, etc. Frequently, large companies will meet with financial
journalists and potential institutional investors (e.g. pension funds) to com-
municate this information.
Note (g): The board should oversee stakeholder relationship management to ensure that:
• it contributes to value creation and to achieving strategic objectives
• it includes an integrated stakeholder communications plan which:
– uses digital and other communication platforms such as websites and cellphones, for
example, for marketing and improving transparency and communication
4/52 Auditing Notes for South African Students

– complies with standards and processes for developing content and sharing (disseminating)
it: for example, approval of information to be sent out to stakeholders
– provides for gathering and analysis of information from relevant communication plat-
forms to assess reputational risk and formulate responses; for example, following
industry-related blogs and public reaction sites such as Twitter
– includes a plan for addressing communication in crises, like a bank having its system
hacked
• it facilitates the measurement of the quality of stakeholder relationships
• it facilitates a dispute resolution mechanism as part of the terms and conditions of the com-
pany’s contractual arrangements with employees and other stakeholders.
Note (h): Dispute resolution. Dispute resolution is an essential aspect of stakeholder relationships. Disputes
can be internal (e.g. with an employee or shareholder) or external (e.g. with a supplier,
customer, local community), and are simply a part of “doing business”. Obviously, disputes can
be taken to court, but this is generally costly and time-consuming.
• In terms of the six capitals model, relationships are a form of capital and King IV makes the
point that a dispute resolution process should be regarded as an opportunity, not only to
resolve the dispute at hand, but also to maintain and enhance the social and relationship
capital of the company.
• It is recommended practice that the board sets up mechanisms/processes to resolve disputes,
for example, where a dispute arises with an employee, there must be a laid down procedure
for that employee and the company to follow. Where there is a dispute (e.g. unlawful strike)
with a labour union, an established legal procedure must be followed and the company must
have processes in place to adhere to that procedure.
• Alternative dispute resolution (ADR) is now a widely accepted practice (and considered to be
“good corporate governance”) that involves the parties to the dispute taking the matter to
arbitration, adjudication or mediation. This essentially amounts to a party independent of the
disputing parties hearing both sides of the dispute and “presenting a finding or solution”.
Note (i): The Companies Act 2008 recognises the principle of ADR for disputes arising out of Companies
Act provisions. See section 156 and related sections.
• The directors should select a dispute resolution method that best serves the interests of the
company. For example, going to court, arbitration or adjudication results in a judgment,
whereas mediation or conciliation allows the disputing parties and an impartial and neutral
third party to work together to resolve their dispute. This implies a settlement agreement
rather than a handed down judgment.
• In deciding on which dispute resolution method to follow, the board should consider at least
the following factors:
– Time available to resolve the dispute – court proceedings can continue for years with
postponements, appeals, etc. ADR can be concluded more promptly. It is usually in
the interests of the disputing parties to resolve the matter speedily.
– Principle and precedent – where the company wants a binding decision on an important
matter of principle which will result in a precedent for any future disputes, court action
is likely to be more suitable.
– Business relationships – ADR, especially mediation/conciliation, is normally far more
“friendly” than court proceedings. It is important to maintain good business
relationships (sustainability) and mediation/conciliation is more likely to contribute to
the continuation of good business relationships.
– Expert recommendations – where the parties do not wish to go to court, but do not have
the necessary expertise to devise a solution, an expert may be required to facilitate a
solution. (This constitutes conciliation.)
– Confidentiality – where confidentiality for the disputing parties is very important, ADR
may be more suitable, as dispute resolution proceedings may be conducted in confi-
dence.
Chapter 4: Corporate governance 4/53

– Rights and interests – as indicated in the point above, court proceedings, arbitration and
adjudication result in the decision-maker (e.g. judge) imposing a resolution of the dispute
on the parties based on the principles and rights applicable to the dispute. This will
usually result in a narrow range of outcomes. Mediation and conciliation allow the
parties a level of flexibility, innovation and creativity in fashioning a mutually beneficial
solution.
For example: A court decision regarding a breach of contract between a company and
its major supplier might impose a significant financial penalty on the supplier, which
would be detrimental to the supplier and the business relationship between the two
parties. Mediation or conciliation on the same dispute could result in no financial
penalty but an agreement by the supplier to change its pricing policy and have the
contract between the company and supplier redrafted.
– Empowerment of participants – if mediation or conciliation is to be promptly and
successfully concluded, the personnel involved must be given the necessary powers to
act.
• The success of ADR is mainly dependent on the willingness of the parties to resolve the
dispute. Obviously, presentation skills, a thorough knowledge of the dispute’s subject matter
and a professional approach are prerequisites. Those who fall short of the “will and
capacity” to resolve the dispute should be excluded. Thus the board should select the
appropriate individuals to represent the company in ADR.
• As discussed earlier, it is becoming more and more common for companies to include an
“alternative dispute resolution” clause in business contracts. This clause essentially commits
both parties to ADR in the event of a dispute. It is interesting to note that the ADR clause
recommended by the Institute of Directors and the Arbitration Foundation of South Africa
includes the phrase “the parties (to the dispute) shall seek an amicable resolution to such
dispute . . . ”. This will depend mainly on the attitude and will of the participants.

4.2.4.7 Responsibilities of institutional investors


Principle 17. The board of an institutional investor company should ensure that responsible investment is
practiced by the organisation to promote good governance and the creation of value by the companies in
which it invests
This principle is aimed at the boards of institutional investors; for example, unit trust companies, pension
funds, etc.

Recommended practices – Responsibilities of shareholders


1. The board (of an institutional investor) should provide direction on responsible investment and ensure
that it approves policy that formulates and facilitates its direction on responsible investment, that is, a
policy which adopts recognised reasonable investment principles and practices.
2. The board should delegate the responsibility for implementing responsible investment to management
or an outsourced service provider.
3. If the company (institutional investor) outsources any of its investment activities to service providers;
for example, asset managers, the board should ensure that a formal mandate is in place that sets out the
company’s policy on responsible investment practices, and ensure that its service providers are held
accountable for acting in terms of the mandate.
4. The institutional investor company should disclose the responsible investment code it has adopted.
4/54 Auditing Notes for South African Students

4.2.5 Appendix 1
The 17 principles of the King IV Code and a brief summary of what the recommended principles cover
(Note: This has been compiled in the context of a company.)
Principles: Leadership, ethics and corporate citizenship Summary of what the recommended practices cover
1. The board should lead ethically and effectively. 1.1 Characteristics which the directors should cultivate
and exhibit to lead ethically and effectively.
2. The board should govern the ethics of the company 2.1 Setting and approving codes of conduct.
in a way that supports the establishment of an 2.2 Communicating codes of conduct to stakeholders
ethical culture. (including employees).
2.3 Overseeing whether the desired results of managing
ethics are being achieved.
2.4 Disclosure requirements relating to organisational
ethics.
3. The board should ensure that the organisation is 3.1 Overseeing that the company’s core purpose and
and is seen to be a responsible corporate citizen. values, strategy and conduct are congruent with
responsible corporate citizenship in relation to:
• the workplace
• the economy
• society
• the environment.
3.2 Disclosure in relation to corporate citizenship.
Principles: Strategy, performance and reporting
4. The board should appreciate that the company’s 4.1 The factors against which the strategy should be
core purpose, its risks and opportunities, strategy, measured/challenged before approval.
business model, performance and sustainable
development are all inseparable elements of the value
creation process.
5. The board should ensure that reports issued by the 5.1 Determining the reporting frameworks to be used.
company enable stakeholders to make informed 5.2 Complying with legal requirements and meeting the
assessments of the company’s performance and its information needs of material stakeholders.
short-, medium- and long-term prospects. 5.3 Annual issue of an integrated report.
5.4 The integrity of external reports.
5.5 Materiality for the purposes of deciding what should
be included in external reports.
Principles: Governing structures and delegation
6. The board should serve as the focal point and 6.1 How the board exercises its leadership role.
custodian of corporate governance in the company. 6.2 Creating a board charter.
6.3 External professional advice protocols.
6.4 Disclosures in relation to the board’s role and
responsibilities.
7. The board should comprise the appropriate balance of 7.1 Composition of the board
knowledge, skills, experience, diversity and • factors in determining the number of directors;
independence for it to discharge its governance role for example, mix of knowledge, skills, diversity
and responsibilities objectively and effectively. • non-executive/independent non-executive
directors
• rotation and succession
7.2 Nomination, election and appointment of directors
to the board.
7.3 Independence and conflicts:
• factors to consider when classifying a director as
an independent non-executive director.
continued
Chapter 4: Corporate governance 4/55

Principles: Leadership, ethics and corporate citizenship Summary of what the recommended practices cover
7.4 Disclosure of the composition of the board.
7.5 Disclosure of the composition and the lead
independent non-executive director’s:
• role and responsibilities
• membership and positions on board committees
• succession plans.
7.6 Disclosures relating to the chair.
8. The board should ensure that its arrangements for 8.1 Delegation to, and formal terms of reference for,
delegation within its own structures promote board committees.
independent judgement, and assist with the balance 8.2 Roles, responsibilities and composition of:
of power and the effective discharge of its duties. • audit committees
• nomination committees
• risk-governance committees
• remuneration committees
• social and ethics committees.
8.3 Disclosures relating to committees both general and
specific.
9. The board should ensure that the evaluation of its 9.1 Who should conduct the evaluations.
performance and that of its committees, its 9.2 Frequency of evaluations.
chairpersons and its individual members, support 9.3 Disclosure in relation to the evaluations.
continued improvement in its performance and
effectiveness.
10. The board should ensure that the appointment of, 10.1 The appointment of a chief executive officer:
and delegation to, management contribute to role • role and responsibilities
clarity and the exercise of authority and • membership and positions on board committees
responsibilities.
• additional professional positions
• succession plans.
10.2 Disclosure relating to the CEO.
10.3 Delegation of powers and authority to management.
10.4 Key management functions.
10.5 Company secretary/corporate governance
professional:
• appointment and removal
• access and independence
• authority and powers
• qualities
• evaluation.
10.6 Disclosure relating to the position.
11. The board should govern risk in a way that 11.1 Setting and approving risk strategy/policy.
supports the company in setting and achieving its 11.2 Risk appetite/loss tolerance.
strategic objectives. 11.3 Overseeing whether the desired results of managing
risk are being achieved.
11.4 Disclosures relating to risk and opportunity.
12. The board should govern technology and information 12.1 Setting and approving technology and information
in a way that supports the company setting and risk strategy/policy.
achieving its strategic objectives. 12.2 Overseeing whether the desired results of technology
and information technology management
collectively, and of its two components separately,
are being achieved.
12.3 Disclosures relating to technology and information.
continued
4/56 Auditing Notes for South African Students

Principles: Leadership, ethics and corporate citizenship Summary of what the recommended practices cover
13. The board should govern compliance with 13.1 Setting and approving compliance policy.
applicable laws and adopted non-binding rules, 13.2 Delegating compliance management to management
codes and standards in a way that supports the 13.3 Overseeing whether the desired results of managing
company being ethical and a good corporate compliance are being achieved.
citizen.
13.4 Disclosures relating to compliance.
14. The board should ensure that the company 14.1 Setting and approving remuneration policy.
remunerates fairly, responsibly and transparently so as 14.2 The objectives of a remuneration policy.
to promote the achievement of strategic objectives 14.3 Elements of remuneration to be included in the
and positive outcomes in the short-, medium- and policy.
long-term.
14.4 The Remuneration Report must contain:
• a background statement
• an overview of the remuneration policy
• an implementation report.
14.5 Voting on remuneration.
15. The board should ensure that assurance services and 15.1 Delegation to the audit committee.
functions enable an effective control environment, and 15.2 The combined assurance model.
that these support the integrity of information for 15.3 Different categories of assurance service-providers
internal decision-making and the organisation’s and functions.
external reports.
15.4 Objectivity and scepticism in the assessment of
assurance.
15.5 The integrity of external reports.
15.6 Disclosures relating to the nature, scope and extent
of the assurance process applied to each report.
15.7 The internal audit must show:
• delegation to the audit committee
• an approved charter (role and responsibilities)
• provision of skills and resources to the IA
• details of the chief audit executive’s:
– appointment, remuneration, removal
– lines of reporting, access and independence
• a risk-based internal audit plan
• an annual statement on the effectiveness of
control processes
• quality review of internal control.
Note: Internal audit disclosures are covered under audit
committees.
16. In the execution of its governance role and 16.1 Setting and approving a policy for stakeholder
responsibilities, the board should adopt a relationships.
stakeholder-inclusive approach that balances the 16.2 Delegation to management.
needs, interests and expectations of material 16.3 Overseeing whether the desired results of stakeholder
stakeholders with the best interests of the company relationship management are achieved.
over time.
16.4 Disclosures relating to stakeholder relationships.
16.5 Shareholder relationships.
16.6 Relationships within a group.
17. The board of an institutional investor should ensure 17.1 Setting, approving and implementing a policy for
that responsible investment is practiced by the responsible investing.
company to promote good governance and the 17.2 Disclosure of the responsible investment code.
creation of value by the companies in which it
invests.
CHAPTER

5
General principles of auditing

CONTENTS
Page
5.1 The system of internal control ........................................................................................... 5/2
5.1.1 Introduction ........................................................................................................... 5/2
5.1.2 Limitations of internal control ................................................................................. 5/3
5.1.3 The system of internal control (ISA 315 (revised 2019) para 12) ................................ 5/4
5.1.4 Components of the system of internal control (ISA 315 (revised 2019) para 12) ......... 5/5
5.1.5 The system of internal control in more/less complex entities (scalability) .................. 5/16
5.1.6 The external auditor’s interest in the entity’s system of internal control ..................... 5/18

5.2 Audit evidence .................................................................................................................. 5/18


5.2.1 Introduction ........................................................................................................... 5/18
5.2.2 Sufficient appropriate audit evidence ....................................................................... 5/18
5.2.3 Financial statement assertions ................................................................................. 5/21

5.3 The auditor’s toolbox ........................................................................................................ 5/23


5.3.1 Introduction ........................................................................................................... 5/23
5.3.2 Why perform tests of controls? ................................................................................ 5/25
5.3.3 Why perform substantive procedures?...................................................................... 5/26
5.3.4 Vouching and verifying ........................................................................................... 5/27

5.4 Audit sampling .................................................................................................................. 5/27


5.4.1 Principles of sampling ............................................................................................. 5/27
5.4.2 Definitions ............................................................................................................. 5/28
5.4.3 Tests of controls and sampling................................................................................. 5/28
5.4.4 Substantive procedures and sampling....................................................................... 5/28
5.4.5 Statistical versus non-statistical approaches .............................................................. 5/28
5.4.6 Steps in the sampling exercise.................................................................................. 5/29
5.4.7 Conclusion ............................................................................................................. 5/31

5/1
5/2 Auditing Notes for South African Students

5.1 The system of internal control


5.1.1 Introduction
5.1.1.1 The system of internal control and risk
Before discussing the system of internal control in the context of an audit, we need an understanding of
what a system of internal control is. Why do we need a system of internal control? What does it achieve?
What is its purpose?
We are all exposed to “internal controls” every day of our lives, sometimes without even being aware of it.
For example, if we want to enter the university library, we must produce a student or staff card; if we
want to draw money from an ATM we must enter our PIN, and if we catch a train or bus, or buy some-
thing at a shop, we are given a ticket or receipt. All these procedures are designed to address and limit
potential risks. The university restricts access to its library as it believes that allowing anybody into the
library is a security risk. Books may be damaged, stolen or lost as there will be no efficient means of con-
trolling the issue and return of books. In effect, the university would be failing to protect one of its im-
portant assets, namely its library. Another example is the risk which the bank is addressing – by requiring a
customer to enter a PIN, they are protecting the customer (and, of course themselves) against the risk of
theft. What about the tickets and receipts? The risks that they address may not be that obvious. Firstly, a
ticket or receipt is a “proof of purchase” which provides the customer with a means of protecting himself
from the risk of being wrongly accused of taking a free ride or shoplifting. Secondly, issuing a ticket or
receipt will be one of many controls that the business implements to address the risk that its employee
makes a sale for which there is no record, and steals the proceeds.
Of course, this is a superficial look at an internal control, but it illustrates the very fundamental concept
that the purpose of internal control is to limit the risk of something undesirable, unintended or illegal
occurring.

5.1.1.2 The system of internal control from a business perspective


Even though we are surrounded by internal control as individuals, as auditors, we need to understand an
entity’s system of internal control from a business perspective. In a business, management (in its various
forms) is responsible for running all aspects of the entity. The objectives of the business will be set, the risks
relating to achieving those objectives will be identified, and suitable books, records and documents, policies
and procedures will be in place to address those risks. This will include addressing the risks associated with
such matters as:
• safeguarding the assets of the company; for example, inventory, from theft or damage
• preventing fraud
• complying with the laws and regulations applicable to the entity
• producing reliable financial information necessary to run the business and satisfy the financial reporting
requirements, for example producing the annual financial statements, and
• operating the business efficiently and effectively.
Controls are embedded within the components of an entity’s system of internal control. Management, or
those charged with governance, may mandate and implement control procedures through policies, formal
documentation, or other communication. Control procedures can also be a behavioural part of an entity’s
culture. These procedures may be enforced through IT applications used by the entity. Controls may be
direct or indirect, with direct controls being those that specifically address risks of material misstatement at
the assertion level. Indirect controls support direct controls. Internal control is the responsibility of every-
one in the business, those charged with governance of the company (e.g. the board of directors), manage-
ment at all levels, and ordinary employees:
• the board will have overall responsibility and accountability, especially for identifying the risks of the
business which need to be addressed
• management (at different levels) will also be involved in identifying risk and will be primarily respon-
sible for designing and implementing (putting in place) the necessary books, records, documents, pol-
icies and procedures to address the risks. Management will also be responsible for maintaining the
system of internal control, that is, ensuring that policies and procedures are carried out timeously and
adequately and that they remain effective, and
Chapter 5: General principles of auditing 5/3

• most of the time, ordinary employees are responsible for executing the internal control procedures, for
example, signing a document, issuing a receipt, or reconciling an account, and the success of the control
procedure will depend on them. In addition, ordinary employees often have a far better understanding
of their functions and may be well placed to participate in the risk assessment process. Many companies
have “suggestion box” schemes that reward employees for coming up with better ways of doing things,
including improvements to the entity’s internal control system.
You will probably have realised already that an entity’s internal control system is not one hundred percent
foolproof and that there is no single control that neatly addresses each identified risk. Internal control
policies and procedures are fallible and work best in combinations.
If we further consider the examples given under 5.1.1.1, providing you with a student identity card to
address a security risk is of little value if the issue of the ID cards is not strictly controlled, or if your card is
not used in the process of entering the library. Either a security guard must compare you to the photograph
on your identity card or you should have to scan your card through an access turnstile. Again, these con-
trols on their own may also be ineffective – the security guard may not do his job properly, or you might
give your ID card to a non-student friend! Concerning the PIN, someone may obtain your PIN illegally or
you may give it to somebody. Even if the cashier gives you a receipt for that purchase, it will be of no use
unless a record of the sale, which the cashier cannot alter, is kept, and an individual, other than the cashier,
reconciles the actual cash on hand with the record of sales for the day.
Of course, management could pile one internal control procedure on top of another, for example, employ
two security guards checking every student’s ID card at the library. However, this would be expensive and
probably counterproductive to the smooth operation of the library, and would still not be foolproof!

5.1.1.3 What have we learnt about the system of internal control?


• Internal control is a system. It is a combination of policies and procedures designed, implemented and
maintained to address the risks of running a business.
• The system of internal control is effected by people. It does not consist solely of policy and procedure
manuals, ledgers and documents, computers and machines – it involves people at every level of the organ-
isation carrying out an assortment of tasks.
• The system of internal control is not the sole responsibility of management. There is a shared responsibility
for the internal control process – the directors, management and ordinary employees are all responsible
in their own way.
• The system of internal control is not static. It is essentially a response to the risks of operating a business –
risks change, responses must change.
• The system of internal control is not fool proof. It provides only reasonable assurance that the risks that
threaten the objectives of the business will be addressed to the extent that the objectives will be achieved
(see limitations of internal control below).
• The system of internal control is not a case of a single control addressing a single risk. Internal control pol-
icies and procedures must work in conjunction with each other and with the books, records and docu-
ments used. The control over a risk is best achieved by combinations of actions, policies and
procedures.

5.1.2 Limitations of internal control


As discussed earlier, the control policies and procedures that are put in place at a business do not provide
absolute assurance that the risks that threaten the objectives of the business will be adequately responded
to. Besides the fact that some risks may not be identified in the first place, management may design a system
of internal control which will theoretically achieve its objectives, but, because of the inherent limitations of
internal control, will not do so in its practical application.
Some of these limitations will be discussed below.

5.1.2.1 Limitations due to human judgement in decision making and human error
This includes errors in the design of a control, and errors due to the person implementing or reviewing the
control not understanding the control, or failing to take appropriate action. Management also applies
judgement in the design, change and implementation of controls relating to the risk they choose to assume.
5/4 Auditing Notes for South African Students

For example:
• Management may choose to implement controls based on available resources and make judgements to
cut costs.
• Management designs controls to address certain risks identified. If they misidentify these risks or incor-
rectly implement controls that adequately address the identified risks, the implemented controls will be
ineffective.
• Management may decide to direct controls mainly onto routine transactions; for example internal
controls to record the sale of the company’s normal trading inventory will have been designed around
the receipt of a customer order, a picking slip (a document used to select goods from stores to fill the
order) and a delivery note. The documents will result in an invoice being made out. Occasionally a
company may sell a non-trading item, such as old company furniture or an old vehicle and in this situa-
tion, it is unlikely that there will be a customer order, a picking slip (the item being sold is not picked
from stores) or a delivery note. Hence there is a risk that the sale will not be raised (entered in the
records), as it is a non-routine transaction.
• The potential for human error due to carelessness, distraction, mistakes of judgement and the misunder-
standing of instruction; for example a recently appointed sales clerk calculates discounts on a sale after
VAT has been charged, either because he does not understand what he is supposed to do, or he is simp-
ly careless.
• The possibility that control procedures may become inadequate due to changes in conditions and, there-
fore, that compliance with procedures may deteriorate; for example a company may experience a steady
but definite increase in sales to the extent that the only way that its salespeople can keep up with the
demand from customers is to ignore certain controls. They may stop checking the customer’s credit lim-
it before the sale is made or confirm that their account is up to date. Controls have remained static, but
risks have changed.

5.1.2.2 Circumvention of controls


This can include a breakdown in controls due to collusion between two parties or due to management
override.
For example:
• The possibility of circumvention of internal controls through the collusion of a member of management
or an employee with parties outside or inside the company. The warehouse supervisor in charge of receiv-
ing goods (from suppliers) at a supermarket is required to check the quantity and description of goods
being delivered against the supplier’s delivery note and sign the delivery note to acknowledge the receipt
of (say) 400 cartons of milk powder. The warehouse supervisor colludes (makes a fraudulent secret
agreement) with the supplier’s delivery personnel or the driver to sign for 400 cartons but only take
350 cartons. The driver keeps 50 cartons in his truck, sells them somewhere else and splits the money
with the warehouse supervisor. According to the paperwork, the company has received 400 cartons and
will pay the supplier the amount due for 400 cartons, although it has only received 350 cartons.
• The possibility that a person responsible for exercising an internal control could abuse that responsibil-
ity; for example, a member of management may override an internal control. A clothing retailer may
have a policy which states that a debtor (customer) may not purchase if his account is overdue. The
shop manager may override this control without authority because the customer is a friend or family
member.
The preceding material is designed to give you a general understanding of internal control. The following
paragraphs will look at the system of internal control in a more formal context.

5.1.3 The system of internal control (ISA 315 (revised 2019) para 12)
The system of internal control can be defined as the system designed, implemented and maintained by
those charged with governance, management and other personnel, to provide reasonable assurance about
the achievement of an entity’s objectives with regard to:
• the reliability of the entity’s financial reporting
• the effectiveness and efficiency of its operations, and
• its compliance with applicable laws and regulations.
Chapter 5: General principles of auditing 5/5

5.1.4 Components of the system of internal control (ISA 315 (revised 2019) para 12)
The literature on internal control provides a useful framework for understanding the system of internal
control. This framework suggests that a system of internal control consists of five components which will
each be discussed below.
The controls in the control environment, the entity’s risk assessment process and the entity’s process to
monitor the system of internal control are mainly indirect controls (controls that are not specifically to
prevent, detect or correct misstatements at assertion level, but support other controls, thereby having a
possible indirect effect on the timely prevention or detection of misstatements). However, some of the
controls within these components may also be direct controls. Note that these components may not be an
exact resemblance of the entity’s system of internal control. The entity may also use different technology.
For audit purposes, different terminology or frameworks may also be used.

5.1.4.1 The control environment (mainly indirect controls)


This is the control consciousness of the entity. It includes the governance and management functions and
the attitudes, awareness and actions of those charged with governance and management concerning the
entity’s internal control and its importance. The control environment, although not directly aimed at
preventing, detecting or correcting misstatements, sets the tone of the entity and influences the control
consciousness of its people, providing the overall foundation on which the other components of the system
of internal control operate. Control consciousness is influenced by those charged with governance; there-
fore the effectiveness of the design of the control environment is influenced by:
x those charged with governance’s independence from management and its ability to evaluate manage-
ment’s actions
x those charged with governance’s understanding of the entity’s business transactions
x the extent to which those charged with governance evaluate whether the financial statements are
prepared in accordance with the applicable financial reporting framework, including adequate disclo-
sures.
The control environment comprises five elements which are discussed below (a–e).

(a) How management’s responsibilities are carried out


This includes creating and maintaining the entity’s culture and demonstrating management’s commitment
to integrity and ethical values. Control effectiveness is subject to the integrity and ethical values of the
people who create, administer, and monitor those controls. If employees at all levels (directors, manage-
ment and lower level employees) do not act with integrity (straightforwardly and honestly) and a strong
sense of ethics, internal controls will not be effective. A corrupt individual will find ways of stealing from
the organisation through devious and dishonest methods. Theft and fraud are risks that all organisations
face, and the internal control process attempts to address this risk. Having individuals in the process whose
ethics and behavioural standards are dubious will weaken the system. Whilst the vast majority of people
understand the fundamental requirements of integrity and ethical behaviour, they will still need guidance
on situations that arise in the business environment.
For example, we all know that stealing is wrong, but what constitutes stealing in a business context? Is
making that private phone call at the company’s expense stealing? What about taking “sick leave” when
you aren’t sick, sneaking home early, using the entity’s vehicle as a private taxi at the weekends, taking the
odd item because “the company will not miss it”, or accepting that gift from a supplier? The list is endless,
and the point is, employees need guidance and direction. Thus, the entity’s integrity and ethical values,
being a result of an entity’s ethical and behavioural standards or code of conduct, should be communicated
to all employees (e.g., through policy statements or codes of conduct).
Management should also attempt to eliminate or reduce incentives or temptations which might prompt
or encourage employees to engage in dishonest, illegal or unethical behaviour. On a general level, this may
be achieved by providing fair remuneration and pleasant working conditions. At a specific level, it is
achieved by implementing sound control activities. Finally, there must be a disciplinary mechanism that
deals with transgressions of the entity’s ethical and behavioural standards. The reality is that the control
environment is influenced by how individuals know that they will be held accountable for their ethical
behaviour.
5/6 Auditing Notes for South African Students

(b) How those charged with governance demonstrate independence from management and exercise
oversight of the entity’s system of internal control
The entity’s control consciousness is strongly influenced by those charged with governance, primarily the
board of directors. When those charged with governance are separate from management, consideration
should be given to whether there are sufficient individuals who maintain an independent and professional
relationship with management and how they exercise oversight of the entity’s system of internal control.
How those charged with governance identify and accept their responsibilities to oversee the system of
internal control, and whether they retain oversight responsibility for the design, implementation and con-
duct of management in this regard, may also be considered.

(c) How the entity assigns authority and responsibility


A good control environment is enhanced by the identification of key areas and clear lines of reporting, so
everybody in the organisation knows how the entity fits together. Consideration should be given to the
implementation and communication of polices on appropriate business practices, knowledge and experi-
ence of key personnel, and resources provided for carrying out duties. It should be ensured (e.g., through
policies and communications) that personnel understand the entity's objectives and how their actions
interrelate and contribute to them. Personnel should also understand for what and how they will be held
accountable. Individuals should be fully aware of the extent of their authority and how they exercise it
(e.g., making out a document, signing a contract, or voting at a meeting) and their responsibilities within
their section. It is also about management assigning authority to appropriate individuals according to their
function, status in the entity and competence.
For example, a clerk in the creditors section should not authorise electronic funds transfers to creditors.
A single individual should not be authorising the purchase of a R25 million machine (the board of directors
should do so on the recommendations of a capital expenditure committee), and a debtors clerk should not
be authorising the writing off of bad debt. Some transactions within a business may require the authority of
the shareholders, for example, a loan to a director.
Obtaining authority for an action or transaction may require that several steps be followed, and it may
involve employees in different functions and at different levels of responsibility. It is also important to note
that in assigning authority and responsibility, overly strict policies and procedures can be counter-
productive to a healthy control environment. It can irritate employees, frustrate customers, waste time and
squash initiative. This is sometimes referred to as having “too much red tape”.

(d) How the entity attracts, develops, and retains competent individuals
People are an integral part of the internal control process – perhaps the most important. A company that
does not have sound policies regarding its human resource (people) will not have a good control environ-
ment. Thus, the entity should have in place:
• standards for recruiting the most qualified individuals (e.g., minimum qualifications, checking educa-
tional background, prior work experience, past accomplishments and evidence of integrity and ethical
behaviour)
• training policies that communicate prospective roles and responsibilities (e.g., training schools and
seminars to illustrate performance and behaviour expectations), and
• performance appraisals linked to promotions to demonstrate the commitment of the entity to advance
qualified personnel to higher levels of responsibility.

(e) How the entity holds individuals accountable for their responsibilities in pursuit of the objectives of
the system of internal control
As mentioned earlier, individuals should know and understand for what and how they will be held account-
able. Holding individuals accountable for their responsibilities in aiming to achieve the entity’s control
objectives may be accomplished through: mechanisms to communicate and hold individuals accountable
for the performance of controls and implementing necessary corrective actions if any; and performance
measures linked to incentives/rewards for those responsible for the system of internal control (it should
also be established how the measures are evaluated and how it remains relevant). Consideration should be
given to how pressures associated with the pursual of control objectives impact individual responsibility
and performance measures and how disciplinary action is taken.
Chapter 5: General principles of auditing 5/7

5.1.4.2 The entity’s risk assessment process (mainly indirect controls)


This component deals with how the entity assesses the risks facing the entity and how they should be
addressed. However, if the entity's objectives are not defined, the risks of not achieving them cannot be proper-
ly identified, assessed and responded to. Objectives do not apply only to the entity as a whole, such as in
the strategic plan. Objectives must be set for all departments and functions of the organisation, and the risks
which threaten the achievement of the objectives can then be identified, assessed and responded to.
For example, the warehouse manager may set the objective of limiting inventory losses to 1% of the
average inventory held for the year. Risks which may threaten this are theft, damage to, or obsolescence,
acceptance of defective inventory from suppliers, poor record keeping of inventory received from suppliers,
poor record keeping of inventory movements, and so on. Once all of the risks have been identified and
assessed, suitable policies and procedures can be put in place to address the risks, for example, additional
competent staff may be employed, physical security may be improved (to prevent theft), inventory cycle
counts may be introduced, and the accounting system and supporting documentation may be upgraded.
The risk assessment process involves:
• identifying business risks relevant to financial reporting objectives
• estimating the potential impact (significance) if the risk was to occur
• assessing the likelihood (occurrence) of risks identified, and
• deciding about actions to address the risks.
In a large/complex organisation, the risk assessment procedures may be very formal and specific, and the
following are very common:
• the appointment of risk committees and risk officers
• the engagement of external risk consultants
• the use of risk models
• regular meetings at divisional, departmental and sectional level to consider the risks at those levels, and
• strategy meetings involving senior management to assess risk at an overall level.
In a less complex organisation, risk assessment procedures will be far less formal. In a small business for
example, there may be neither the time nor the need for a complex or formal risk assessment. It is far more
likely that management will identify, assess and respond to risk in the natural course of their direct
involvement in the business. In a sense, they know the business and will address the risks most effectively
and practically. Known or expected risks are easier to respond to, but they will still have to be addressed
with the resources the entity has available. It is important to note that, although the size of an organisation
may be an indicator of its complexity, some larger entities may be less complex, while some smaller entities
may be more complex.
(a) Companies classify or describe the risks they face in different ways; strategic risks, financial risks,
environmental risks, etc., but for an understanding of risk assessment as a component of internal con-
trol, we can describe risks as:
• Operational risks: The risks that threaten the entity, its departments and functions, from achieving
effective and efficient operations; for example the risk of inventory theft, the risk of individuals gain-
ing access to confidential information, the risk of unauthorised expenditures being made, or the risk
of running out of raw materials for manufacture. There are numerous other risks as well.
• Financial reporting risks: The risks that the entity does not achieve its objective of having an account-
ing system (part of the information system) which records and processes only transactions (and
events) which have occurred and have been authorised (valid transactions) and which are recorded
and processed accurately and completely; for example, the risk that fictitious wages will be paid, the
risk that unauthorised journal entries will be processed, the risk that discounts and VAT will be
incorrectly calculated, or the risk that a sale will not be raised for goods that were dispatched in
response to a valid customer order. Again, the risks are numerous.
• Compliance risks: The risks that the entity does not achieve its objective of complying with the laws
and regulations applicable to the entity; for example taxation, labour, foreign exchange, reporting
standards, environmental law, road transport and consumer protection. This time, it is the Acts and
regulations that are numerous!
5/8 Auditing Notes for South African Students

(b) Risks may arise or be influenced by, for example:


x changes in the operating/regulatory/economic environment

x new personnel who may have a different view or understanding of the system of internal control

x significant or rapid change to the information system

x significant or rapid expansion of the entity’s operations may place strain on controls

x incorporation of new technology

x new business models, products or activities

x corporate restructuring may change the risk associated with the system of internal control

x expansion or acquisition of foreign operations

x adoption of new accounting principles or changing accounting principles, and

x use of IT, such as maintaining the integrity of data; IT strategy not effectively supporting the busi-
ness strategy; or changes or interruptions in the IT environment (e.g., IT personnel; necessary
updates not being performed).
(c) Once objectives have been defined, and the risks identified and assessed, the risk can be responded to.
The overall response will be for management to:
• put in place an information system, including business processes. These are quite complicated sound-
ing words but essentially:
– an information system is just a combination of machines (which most often include computers),
software where computers are involved, people who carry out procedures, and data, and
– related business processes are the activities designed to purchase, produce, sell and distribute the
entity’s products and ensure compliance with laws and regulations, and record information.
The two are interrelated, and the distinction between them can be blurred. Think of them as a com-
bined process/method of initiating, recording, processing and reporting transactions, either manually
or through computers, or a combination of both.
• put in place control activities: Control activities are the actions, supported by policies and procedures
which, if properly designed and carried out, reduce or eliminate a specific risk or risks.
Both the information system and business processing are dealt with in the next component.

5.1.4.3 The entity’s process to monitor the system of internal control (mainly indirect controls)
Monitoring the system of internal control is a continual process to evaluate the system’s effectiveness and
take timely remedial actions that may be necessary. Successful monitoring may involve assessing internal
control performance through ongoing activities or periodic evaluations, or a combination thereof, by man-
agement itself, supervisory staff such as department heads, or “independent” bodies such as internal audit
or risk committees. Monitoring the system of internal control is not only about determining whether the
control activities are actually taking place; but also about determining whether the controls are effective.
Monitoring can take place in various ways.
Example 1. The internal audit department of Zuma Ltd checks on a random but regular basis whether
bank reconciliations are accurately and timeously carried out.
Example 2. Zuma Ltd installed closed-circuit TV cameras in its receiving bay and warehouse in an
attempt to reduce theft of inventory. The operations manager analyses inventory movements
independently over a period of time to determine whether loss from theft of inventory has
declined. If not, the cameras are not proving to be an adequate response to the risk of theft,
and other control activities will have to be introduced.
Example 3. Ruiz CC has control activities in place to reduce losses from bad debts. By monitoring the
amounts written off over time, management can assess whether the controls are effective.
Example 4. Costa TV Ltd, a service provider, has a phone-in line that customers can call if they are unhap-
py with the company’s fee charging, such as incorrect amounts invoiced. Calls are recorded and
monitored by the service manager, particularly the number and nature of the complaints.
Example 5. Chemicalplus Ltd engages an environmental expert to monitor the government pollution
index with which the company must comply. Substantial fines are payable for failing to meet
the government requirements.
Chapter 5: General principles of auditing 5/9

The important point about monitoring the system of internal control is that if it is not carried out, neither
the board nor management will know whether:
• the entities financial reporting is effective
• operations are being effectively and efficiently conducted, or
• the entity is complying with applicable laws and regulations.
Although the system of internal control consists of the five components, (5.1.4.1 to 5.1.4.5), the system
itself is a process – the components are not independent of each other. To be effective as an internal control
system, the components must all work together.
For example, if there is a poor control environment, it is unlikely that the control activities will be effect-
ively carried out. In theory, the information system may be well-designed, and appropriate control activ-
ities may be stipulated, but if the control environment is one of “don’t worry too much about controls”, the
information system and control activities will not be effective. Similarly, inadequate identification and
assessment of the entity's risks will result in an inadequate system with insufficient control activities. A
well-designed system that is not monitored over time will also become ineffective.

5.1.4.4 The information system and communication (primarily direct controls)


This component consists of activities and policies, accounting and supporting records, all designed and
established to:
• initiate, record, process and report transactions and maintain accountability for the related assets,
liabilities and equity
• resolve incorrect processing of transactions
x process and account for system overrides or bypasses of controls
x incorporate information from transaction processing in the general ledger
x capture and process information relevant to the preparation of the financial statements for events and
conditions other than transactions (such as depreciation), and
x accumulate, record, process and summarise information for the preparation of the financial statements.
This component further encompasses communication of significant matters in the information system and
other components of the system of internal control:
• between those within the entity
• between management and those charged with governance, and
• with external parties (e.g., regulatory authorities).
Communication, which can either be written (e.g., through policy manuals or memoranda), oral, electron-
ic, or through management's actions, involves providing an understanding of the individual roles and
responsibilities relating to the entity’s internal control system. Communication related to the financial
reporting roles and responsibilities and of significant matters relating to financial reporting may include
providing individuals with an understanding of how their activities relate to others, and how exceptions are
reported to a higher level in the entity.
The accounting system is part of the information system and is relevant to successful financial reporting.
The quality of information affects the ability of management to make appropriate decisions related to
managing and controlling the entity's activities and to prepare reliable financial reports.
The objective of the information system and its sub-part, the accounting system, is to produce infor-
mation that is valid (the transactions and events underlying the information actually occurred and were
authorised), accurate and complete, and timeously produced. No doubt these objectives can be expressed
differently, but what the business wants its accounting system to do, whether manually or computerised, is
to produce information that displays these characteristics and is produced promptly enough to be useful.
For example, when the sales director of Gamede Ltd looks at the sales figures for the month, he wants to
be reasonably sure that the sales included in the total have actually been made and that the figure does not
include fictitious sales. He also expects the sales to have been at the correct selling price, discounts given to
have been authorised, and all casts, extensions and VAT calculations to be correct. He will probably also
assume that the sales were made only after the customer's creditworthiness had been checked. Lastly, the
sales director requires the information promptly, not three weeks later when it is too late for him to react to
the information and take any remedial action.
5/10 Auditing Notes for South African Students

So, is the information system with its machines, people, documents and data, a sufficient response on its
own to the risk that the financial information it produces may not be valid, accurate and complete? The
answer is no, the fourth component of internal control, termed the control activities component, must be
added.
(a) The information system will need to define and provide the machines, documents, ledgers and proced-
ures which will guide the entity’s transactions through the system. This will include:
• initiation of the transaction, for example, receipt of a customer’s order over the phone or through
the post
• recording the transaction, for example, entering the details of the customer’s order on an internal
sales order
• processing the transaction, for example, picking the goods ordered from the warehouse and dispatch-
ing them to the customer and raising the sale by preparing a sales invoice, and
• posting (transferring) the transaction to the general ledger, for example, this will usually involve
entering the invoice in the sales journal and posting (transferring) amounts and totals to the general
ledger accounts (sales and accounts receivable) and the debtors ledger.
Within this process, there will be procedures to correct errors that may occur, such as correction of
invoices made out using incorrect prices.
As pointed out above, the activities may take place in a manual or computerised environment. The
vast majority of systems will be a combination of the two.
(b) Books and documents
All of the actions described above will be supported by ledgers, journals, records and documents spe-
cific to the type of transaction, for example a sale should be supported by a customer order, an internal
sales order, a picking slip used to select goods, a dispatch (delivery ) note and an invoice. There should
be a sales journal and a debtors ledger as well as the general ledger. (Documents used in all the major
cycles are described in the subsequent “cycle chapters” of this text.)
(c) Document design
Properly designed documents can assist in promoting the accuracy and completeness of recording
transactions:
• preprinted, in a format that leaves the minimum amount of information to be filled in manually
• prenumbered – consecutive prenumbering facilitates identification of any missing documents either
at the recording stage or subsequently for example, a clerk listing goods received notes at the end of
a week may discover that certain GRNs are missing
• multicopied, carbonised and designed for multiple use; for example a salesclerk taking an order
from a customer over the phone should complete only the top copy of the sales order; stores could
then use the first carbon copy of the sales order as a “picking slip” to select the goods picked, and
the second carbon copy sent to accounting. In addition, each copy should be a different colour for
easy identification
• designed in a manner that is logical and simple to complete, for example key pieces of information
required to execute the transaction should have a prominent position on the document. An essential
piece of information on a sales order would be the customer’s account number, hence the sales
order should display quite clearly the necessary space into which the account number can be
entered. Further good design may be to break the account number space into a series of small blocks
totalling the number of digits in the account number. This enhances the chances of the complete
account number being recorded, and
• contain blank blocks or grids which can be used for authorising or approving the document; for
example, a blank block for the preparer of the document to sign, plus a second blank block for the
person who checked the document to sign. This characteristic facilitates isolation of responsibility.
Obviously, these characteristics relate primarily to manual systems, but remember that some compu-
terised systems still make use of hardcopy documents. The computer may produce the document itself,
but the principles remain the same. As you will see when you study computerised controls, pro-
grammed controls (automated controls) can enhance accuracy and completeness considerably.
Chapter 5: General principles of auditing 5/11

(d) Events and conditions other than transactions


The vast majority of an entity’s activities are reflected in transactions; for example selling goods,
purchasing goods, paying salaries and wages and incurring capital expenditures. There are, however,
other events and conditions which must ultimately be reflected in the financial statements either within
account headings such as depreciation, impairment, bad debt allowances, inventory obsolescence allow-
ances or as disclosure in the notes to the financial statements; for example, the inclusion of a contingent
liability which may have arisen. Generally, these types of events will need to be separately considered
and authorised by senior management and will frequently be recorded by journal entry. It will be the
responsibility of senior financial personnel to ensure that these matters are identified. A checklist of
month- or year-end “matters to consider” may be used, or specific meetings with a standardised agen-
da to deal with these matters may be scheduled.

(e) Journal entries


Many journal entries are routine and simply facilitate the recording of monthly totals in the general
ledger, or adjustments that management wishes to make, for example, write off a bad debt. The point
of the matter is that journal entries alter the balances in the general ledger and thus can be used to
manipulate financial information and conceal irregular or fraudulent activities. This risk should be
addressed by the information systems and particularly by the control activities related thereto. The
emphasis should be on authorisation of the journal entry by a “more senior” level employee.

5.1.4.5 Control activities (primarily direct controls)


These are the actions, supported by policies and procedures, that are carried out to manage or reduce the
risks that the organisation's objectives will not be met.
For example:
The policy of Mokwena Cash-and-Carry (Pty) Ltd is that credit exceeding R50 000 will not be extended
to any customer. Every new customer must submit a credit application with sufficient information for the
entity to establish the applicant’s creditworthiness by following up on the information provided (proced-
ure). Before a sale is made to a customer, the salesperson checks the status of the customer’s account to
ensure that the sale will not push the customer beyond the R50 000 credit limit (action). This “package” of
action, policy and procedure is a control activity designed to address the risk that the entity’s objective of
limiting losses from debtors who may not pay.
Control activities are closely linked to the information system and meeting the objectives of processing
accurately and completely only transactions which have occurred and have been authorised. To illustrate the
point, consider the following:
An accounting system is a series or collection of tasks and records by which transactions are processed to
create financial records. An accounting system identifies, assembles, analyses, calculates, classifies, records,
summarises and reports transactions and other events. The major elements of the accounting system are
people who carry out procedures for example, write out a credit sales invoice, calculate a price, enter the
invoice in a sales journal, etc., and paper such as order forms, ledgers, lists, invoices, etc., which facilitate
the initiation, execution and recording of the transaction. (Of course, even at this early stage, you should
realise that computers can be used to replace people and paper and perform procedures, but that will be
dealt with in later chapters.)
Management must now add control activities (actions) to the accounting system to produce financial infor-
mation that is representative of transactions that have occurred and were authorised and which is accurate
and complete and timeously produced. The paragraph above indicated that an employee writes out an
invoice, calculates a price, enters the invoice in a sales journal, etc. This is the accounting system. Manage-
ment now adds control activities; before the invoice is written out, the salesperson checks that the customer is
a valid account holder and that the customer is not behind on his payments and will not be exceeding his
credit limits; a second salesperson may check the invoice to ensure that pricing, discounts and VAT calcu-
lations are correct. Later, an accounts clerk may confirm that all invoices for the week have been entered
into the sales journal.
There are numerous control activities with different objectives, which are applied at different organ-
isational levels and functions. Control activities can also be described as follows:
Description A: type of control activity
Description B: preventive, detective or corrective control activities
Description C: general and application control activities
5/12 Auditing Notes for South African Students

(a) Description A: type of control activity


Approval, authorisation
Management authorises employees to perform certain tasks within certain parameters.
For example: Making a sale on credit requires the approval of the credit controller of Amanzi (Pty) Ltd.
Management gives the credit controller the authority to authorise the sale but only after the creditworthi-
ness of the customer has been checked. The level of authorisation varies for different transactions and may
be more onerous for some than for others, for instance:
• payments over R250 000 paid by electronic funds transfer (EFT) may only be authorised by the finan-
cial director and the most senior accountant
• a loan to a director must be authorised by the shareholders in terms of the Companies Act, and
• the acquisition of an expensive piece of equipment first requires budget approval (if it is not in the
budget, it cannot be purchased), followed by approval of the production manager.
Authorisation of a transaction is not just a matter of signing a document. Before the approval/authorisation
is given, supporting documentation and/or other evidence must be checked to ensure that the transaction is
valid. A foreman who is authorizing overtime hours worked, by signing a clock card or schedule of over-
time, must satisfy himself that the hours recorded as overtime were genuinely worked. This principle of
“checking before authorising” is simple and logical but often does not happen. The employee whose duty it
is to authorise may be too busy, too trusting or too lazy!

Segregation (division) of duties


Segregation of duties is essential for effective internal control as it plays a major role in reducing the risk of
errors and illegal or inappropriate actions occurring. The principle is that the various actions or procedures
carried out in respect of a transaction should be divided amongst the employees and that the custodian of
the entity’s assets, should not be responsible for the records relating to the asset. Segregation of duties also
facilitates the checking of one employee’s work by another employee.
If we broadly categorise the functions surrounding a transaction, we come up with the following (the
example has been simplified for illustrative purposes):

Function Example
Initiation and approval A purchase order is authorised
Executing The order is placed with a supplier
Custody The goods are delivered and placed in the warehouse
Recording The purchase is entered into the accounting records and the
perpetual inventory records are updated

Let us assume, for example, that Clarence Carter is responsible for all of the functions above. He could
very easily purchase goods for himself which will be paid for by the company. He will have access to an
official company order so he can order the goods he wants and, as he is also placing the order, he can
choose whichever supplier he likes (the supplier could even be his own business run by his wife). As Clar-
ence is also responsible for taking delivery of the goods, he will make out the necessary document (goods
received note) when the goods are delivered. He now has the goods in his possession and can take them
home. If he also updates the perpetual inventory records, he can ensure that the records agree with the
physical inventory (in case anyone checks) by not recording the goods purchased or by writing up a ficti-
tious goods issue. It will be even easier if there are no perpetual inventory records. Concerning paying for
the goods, the necessary documents will be there to support the payment, for example, a signed purchase
order, a supplier delivery note, a goods received note, and a supplier invoice. So even if Clarence is not
involved in the actual payment of the supplier, there is no reason that the goods will not be paid for. Obvi-
ously, if Clarence is really devious, he will restrict his fraudulent purchases to items that the company
normally purchases in order not to draw attention to the purchase. For example, if he works for a garden
tool wholesaler and orders himself a big screen TV, it will be difficult for the transaction not to be noticed.
However, if he buys garden tools for his use or which he intends to sell to make some extra cash, the
transaction will not appear out of the ordinary.
Chapter 5: General principles of auditing 5/13

The idea behind the segregation of duties is that other employees are introduced into the functions sur-
rounding the transaction. In a large organisation with the necessary resources, the purchase transaction
would be divided up as follows:

This example of good segregation of duties illustrates that Clarence Carter would not be able to purchase
goods for himself and have the company pay. His biggest problem would probably be getting his hands on
the goods he has ordered. Even if he could get hold of a purchase order and place an order with the sup-
plier, he still has to obtain the physical goods. Remember that once the goods have been delivered, the
receiving clerk and the storeman can be held accountable, so they are going to make sure they carry out
their duties properly. On top of that, the accounting section is keeping an independent record of what inven-
tory should be on hand. The storeman will want to make sure that his physical inventory agrees with these
records and management will be carrying out reviews to see if the physical inventory and the inventory
records agree. In effect, each step in making a purchase has been allocated to a different employee and the
next employee in the process is checking on the previous employee.
In a perfect situation, all of the functions above would be segregated, but due to cost and insufficient em-
ployees, it is frequently impossible. So which of the divisions are most important? Generally speaking,
“custody” and “recording” are the most incompatible. The reason for this is that if an individual has control
of the asset and keeps the records pertaining to the asset, the record of the asset can be made to agree with the
physical assets on hand.
For example, a storeman who has access to the inventory and the perpetual inventory records can steal
inventory and alter the records to ensure that the theoretical inventory on hand agrees with the physical
inventory. The same logic can be applied to other physical assets such as equipment. The employee in
charge could steal equipment and manipulate the fixed asset register. What about the company’s bank
account? The custodian of the bank account is the employee who has the power to effect EFTs. If this
individual also writes up the cash journals, he can make whatever payments he likes and describe them in
the cash payments journal as valid business payments. If the credit controller (who is the custodian of the
company’s debtors), can make adjusting entries to the debtors ledger, he will be able to invalidly write off
the debt of a friend or customer so that they do not have to pay. If custody and recording are not segregat-
ed, the effectiveness of “review” is diminished as the physical and theoretical will be easily reconciled.
Segregation of duties is not aimed solely at safeguarding the assets of the business. It is a very effective
technique to ensure that transactions are recorded and processed accurately and completely and that only
transactions that actually occurred and were authorised are recorded and processed. In effect, segregation
of duties provides a series of independent checks on whether employees are doing their jobs properly.
The biggest enemy of segregation of duties is collusion. As we discussed under the limitations of internal
control, segregation of duties (and other control activities) can be circumvented if management or employ-
ees collude (work together) intentionally with other individuals inside or outside the company.
For example, if the storeman and the keeper of the perpetual inventory records collude, they will be able
to cover up inventory theft. Essentially if one employee in the process agrees, for whatever reason, not to
check the action of another employee who he is supposed to check, segregation of duties breaks down.
Collusion will frequently be with parties outside the organisation, a buyer colludes with a supplier to charge
the company a higher price and later they share the proceeds, or as described earlier, a receiving clerk
5/14 Auditing Notes for South African Students

colludes with a supplier’s driver and the storeman to accept a short delivery as a full delivery. The driver
will then sell the goods which should have been delivered, and share the proceeds with the receiving clerk
and the storeman. This will be even easier if a person who has access to the perpetual inventory records is
included in the scam.
Good segregation of duties starts by dividing the company’s cycles, for example, acquisitions and
payments, payroll, into functions and then further segregating the duties within the function. (See chap-
ters 10–14.)

Isolation of responsibility
For any internal control system to work effectively, the people involved in the system must be fully aware
of their responsibilities and must be accountable for their performance. It is equally important that the
employees acknowledge in writing, that they have performed the task or control procedures necessary to
fulfil their responsibility. This is usually done by signing. Once a document is signed it isolates the
employee who was responsible for carrying out some control activity. A signature also isolates a transfer of
responsibility from one person to another.
For example:
When a supplier delivers goods to Mbali (Pty) Ltd, the company’s receiving clerk counts the goods re-
ceived and signs the supplier’s delivery note, a copy of which is kept by the company. This signature fulfils
two important functions. Firstly, if there is a subsequent problem with the delivery, management can isolate
who was responsible for receiving the delivery. Secondly, the signature acknowledges the physical transfer of
the goods and responsibility therefore from the supplier to the purchaser. Other examples will be the fore-
man signing a schedule of overtime to approve it, or the chief buyer signing an order to acknowledge that
the detail of the order has been checked, it is supported by a signed requisition and the supplier to whom
the order will be sent is approved by the company.

Physical or logical controls


Control activities will include actions, policies and procedures which protect the company’s assets. Again,
assets must be thought of in the wider context, not just physical assets such as inventory and plant and
equipment. The company will also have cash in the bank, perhaps investments and certainly debtors, for all
of which there is no physical asset but simply “entries in the books”. The company will also have important
documents and confidential information which must be safeguarded. Access/custody controls are designed
to:
• prevent damage to, and deterioration of, physical assets, for example, by proper storage and treatment
of such assets
• prevent deterioration of certain “non-physical” book assets, for example, controls to ensure that debtors
do not get behind in their payments
• prevent unauthorised use, theft or loss of physical assets, for example, by proper security measures, and
• prevent unauthorised use, theft or loss of “non-physical” book assets, for example, by limiting the
number of personnel who have signing powers to transfer cash or sell investments and protecting the
debtors ledger from being altered or destroyed.

Reconciliation
A reconciliation compares two different sets of recorded information (data elements) or of recorded infor-
mation and a physical asset.
For example:
• the cash journal to the bank statement
• the individual creditor’s accounts to creditors statements
• subsidiary ledgers to the general ledger, for example the debtors ledger to the general ledger
• physical inventory and plant and equipment to the perpetual inventory and asset register respectively, or
• the wage expense from one wage period to the next.
There are any number of reconciliations that can take place, but the object of comparison and reconcilia-
tion is to identify, investigate and resolve differences where necessary. There is no point simply performing the
mechanical reconciliation of quantities or amounts without investigating and resolving the reconciling
items.
Chapter 5: General principles of auditing 5/15

Verification
Verification compares two or more items with each other, or comparing an item to, for example, a policy.
Unexpected results or unusual conditions will then be followed up. In practice, verification as a control will
usually be carried out by employees in management or supervisory positions and may include a review of:
• performance against budgets, forecasts, departmental targets, etc.
• key performance indicators, ratios, etc., and
• current to prior period, financial or operating information.
For example, a review of the key performance indicators may reveal that the gross profit percentage has
declined sharply. The follow-up may reveal that breakdowns in the custody controls for inventory have
occurred, resulting in the theft of inventory.

Performance reviews
As a control activity, reviews of performance provide a basis for identifying problems. When carrying out a
review, the reviewer is looking for consistency and reasonableness in the data being reviewed. Unexpected
results or unusual conditions will then be followed up. Review as a control will usually be carried out by
employees in management or supervisory positions and may include review of:
• performance against budgets, forecasts, departmental targets, etc.
• key performance indicators, ratios, etc., and
• current to prior period, financial or operating information.
For example, a review of the key performance indicators may reveal that the gross profit percentage has
declined sharply. The follow up may reveal that breakdowns in the custody controls for inventory have
occurred, resulting in the theft of inventory.

(b) Description B: preventive, detective or corrective control activities


Preventive controls are put in place to prevent or minimise errors or illegal events from occurring. They can
be regarded as proactive actions or procedures designed to prevent a loss. Types of preventive control
activities are physical controls over assets (custody controls), approval and authorisation, and segregation
of duties. Examples of specific preventive controls are EFT payments that can only be effected from certain
terminals and require additional unique passwords to be entered, the chief buyer signing a purchase order
before the order is placed, valuable inventory items being stored in a locked enclosure within the ware-
house, and keeping blank (unused) company documentation under lock and key, for example, credit notes,
etc.

Detective controls
As discussed earlier in this chapter, internal control activities are not foolproof and not all errors will be
prevented. There may be collusion, or employees may be careless or want to take shortcuts. Detective
controls are like a “second line of defence” and are designed and implemented to identify the errors, thefts,
omissions, etc., which got through the “first line of defence”. Reconciliations and reviews are common
types of detective control activities, but segregation of duties (e.g., one employee checking another), as well
as custody controls, have a detective element to them.

Corrective controls
These are controls that are implemented to resolve errors and problems which have been identified by
detective controls. For example, if the accounting department “detects” an invalid charge from a supplier
(an invoice for goods which were not actually received), what procedures must be followed to rectify the
situation and ensure that the invoice is not paid and that the same problem does not keep happening?
Although control activities can be classified in this manner in manual accounting systems, the classifica-
tion into descriptions is more relevant and defined in computerised accounting systems. Because computers
can process vast quantities of transactions at lightning speed and invisibly, preventing unauthorised or
erroneous transactions from entering the system is very important, and because the consequences of not
doing so can be extreme, detective controls are also very important as the problem causing the errors, etc.,
must be corrected very quickly. In addition, the capabilities of the computer and its software allow a wide
range of preventive and detective controls to be implemented. These are discussed in chapter 8.
5/16 Auditing Notes for South African Students

(c) Description C: General and application control activities


ISA 315 (revised) lists, under control activities, policies and procedures that pertain, among other things, to
“information processing”. It then states that two broad groupings of information systems control activities
are automated application controls and general controls. The classification of controls into general and auto-
mated application controls emerged originally from computerised environments and these terms are not
generally used in manual accounting systems. Strictly speaking, general and automated application con-
trols go beyond the “control activities” component. They touch to an extent, all of the other components.
This will become clear to you when you study general and automated application controls. These controls
are dealt with in chapter 8, but a simple distinction between the two would be that general controls are
those which establish an overall framework of control for a computerised environment at large. These are
controls that should be in place before any initiating recording, processing, or reporting of transactions
occurs. Automated application controls are controls that are specific to a particular task, for example prepar-
ing the payroll. Controls such as restricting access to the computer centre would be general control, whilst a
programmed (automated) control that prevents an incorrect employee number from being included on the
payroll would be an application control. Automated application controls can be directly linked to the
control activity component.

5.1.5 The system of internal control in more/less complex entities (scalability)


The system of internal control may be less or more formal, depending on the size and complexity of the
entity. Some systems of internal control will suit more complex companies far better than less complex
entities (remember – as previously noted, although the size of an entity may be an indication of the complexity thereof,
smaller does not always mean less complex). ISA 315 (revised 2019) – identifying and assessing the risk of
material misstatement – is designed to be applicable to all entities, regardless of their size or complexity.
The ISA refers to the concept of “scalability”, which requires the auditor’s professional judgement regard-
ing the nature and extent of the system of internal control. Factors that the auditor would consider in this
regard may include (ISA 315 (revised 2019) A52.):
• the size and complexity of the entity, including its IT environment
• the auditor’s previous experience with the entity
• the nature of the entity’s systems and processes and whether they are formalised, and
• the nature and form of the entity’s documentation.
What follows is an explanation of how the system of internal control might differ in an entity that may be
smaller or less complex in relation to its larger or more complex counterparts.

5.1.5.1 Control environment


• The nature of the control environment in a less complex entity may depend virtually entirely on man-
agement's tone and control consciousness.
• In a less complex entity, management and the lower level employees may be working closely together
so employees will frequently be exposed to how managers behave and conduct themselves. The positive
side of this is that managers can have a strong and direct influence on the employees with whom they
work, and play a far more direct role in control activities.
• There is no reason for a less complex entity not being committed to competence, but putting it into
practice may not be as easy. Firstly, in (for example) a small entity, due to lack of staff numbers,
employees may find themselves responsible for activities for which they do not have the necessary skills
and knowledge and which they are not quite competent to perform. Secondly, there may not be the
necessary resources to attract and retain the best staff. Frequently, there will not be a separate human
resource manager in smaller entities, so the implementation and management of comprehensive human
resource policies and practices is difficult, and activities such as recruiting, training, counselling, etc.,
will suffer.
• Organisational structures and the assignment of authority and responsibility will be negatively affected
by the lack of employees at different levels of authority. This is partially countered by the more direct
involvement of management in the day to day operation of the entity.
Chapter 5: General principles of auditing 5/17

• The size of the organisation is not necessarily a factor when the IT environment is assessed. What
matters is the sophistication of the IT environment. Even small organisations can have well-controlled
IT systems that might be considered for IT control and automated application control testing and reli-
ance by the auditor.
Generally in smaller, less complex entities, there is far less distinction between the board of directors and
management – frequently they are the same individuals. There will probably be no non-executive directors
and as a result, independent oversight “check” on management is not possible. If there is no oversight of
management by those charged with governance, the control environment will be weakened.

5.1.5.2 The entity’s risk assessment process


• It is most unlikely that there will be risk committees, risk officers or formal risk assessments in less
complex enterprises. Managers and staff in less complex entities may not have the time for this (perhaps
they should make time!) and the entity may not have the resources. The assessment of risk in a small
entity is far more likely to be an informal process carried out by managers and others as they go about
their daily duties.

5.1.5.3 The entity’s process for monitoring the system of internal control
• Monitoring the internal control process in a less complex entity will again be left up to management and
carried out informally. It is unlikely that there will be an independent internal audit department, reviews
by external bodies or customer hotlines! Furthermore, as the directors are probably involved in the day
to day operations, there will be little independent monitoring of facts, figures and performance. On the
positive side, this direct involvement should give management a good idea of whether the process is
working successfully.
Do not get the impression that all less complex entities have weak internal control as this is simply not
the case. There are many smaller entities with outstanding internal control systems. Sound systems
design, competent and dedicated employees, combined with ethical and “hands on” management, can
far outweigh the disadvantages of being a smaller or less complex entity.

5.1.5.4 The information system and communication


• A less complex entity is more likely to have a simple accounting system under the charge of an account-
ant and a small number of assistants who run the entire system and produce basic financial information.
This does not mean that the financial information will be poor, but there are likely to be far fewer con-
trol activities in place to reduce the risk of unauthorised transactions, inaccurate or incomplete record-
ing, etc. On the positive side, there is no reason that a less complex entity should not use good, well-
designed documentation and reputable accounting packages that produce reliable information to meet
the financial reporting needs of the entity.

5.1.5.5 Control activities


• Implementing control activities can be expensive and smaller entities may not have the necessary
resources to put in more effective but costly security controls or employ that extra individual to improve
segregation of duties.
• Smaller entities carry out fewer transactions (fewer sales, fewer purchases), and consequently, some
employees may be involved in more than one cycle and invariably will carry out incompatible functions
within a cycle. For example, the storeman may act as the receiving clerk, the custodian of inventory and
the dispatch clerk, and may even maintain the inventory records.
• Segregation of duties is a fundamental control activity, and without it other control activities will be
weakened or impossible. The simple control of one employee checking the work of another becomes
very difficult to implement in a small entity. Usually, there will not be multiple levels of employees
within a cycle or even within the entity. There will be no junior purchase officer, senior purchase officer
and chief purchasing officer, just a purchase officer who may even be responsible for initiating, approv-
ing and executing a purchase order.
5/18 Auditing Notes for South African Students

5.1.6 The external auditor’s interest in the entity’s system of internal control
The external auditor is primarily interested in the fair presentation of the entity’s annual financial state-
ments. The financial statements are a product of the entity’s information systems, which include the
accounting system. Therefore, it stands to reason that the better the system of internal control, the more
likely it is that the financial statement will be fairly presented.
ISA 315 (revised 2019) – Identifying and assessing the risks of material misstatement, requires that the
auditor obtain an understanding of the entity and its environment, the applicable financial reporting
framework, as well as the entity’s system of internal control. The ISA suggests that a good way of doing the
latter may be to evaluate the five components of the system of internal control.
For example, ISA 315 states that the auditor should identify and assess the risk of material misstatement
occurring in the financial statements so where the entity itself has a risk assessment process, it makes sense
for the auditor to understand the entity’s process and benefit from it in obtaining knowledge about the risks
faced by the entity.
Similarly, an assessment of the entity’s control environment will significantly influence the auditor’s
assessment of the risk of material misstatement in general and will in turn directly affect how the audit is
conducted (here it is important to note that the risk assessment process provides the foundation for identifying and
assessing the risks of material misstatement and for designing further audit procedures). An understanding of the
information systems, communication and control activities is equally important for the auditor as, without
understanding these, the auditor is unable to properly assess the risk that management’s objective of pro-
ducing valid, accurate and complete financial information will be achieved. Finally, suppose the system of
internal control process is properly monitored. In that case, the auditor may be in a position to work with
the monitoring bodies such as internal audit and will, at the very least, be able to derive benefit from the
results of the monitoring and how and whether issues in which the auditor is interested, have been
addressed.

5.2 Audit evidence


5.2.1 Introduction
Audit evidence is fundamental to the audit function. As was explained in chapter 1, the auditor has a duty to
gather evidence to support his opinion on whether the assertions of the directors, embodied in the annual
financial statements, are fairly presented. ISA 500 – Audit evidence, states that “the objective of the auditor is
to design and perform audit procedures in such a way as to enable the auditor to obtain sufficient, appropriate
audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion.” The key to
this standard is the phrase “sufficient, appropriate evidence”.

5.2.2 Sufficient appropriate audit evidence


5.2.2.1 Sufficient evidence
The sufficiency of audit evidence relates to the quantity of audit evidence gathered. The auditor must evalu-
ate whether enough evidence has been obtained to support an opinion. This is a particularly important
decision as auditors do not examine every transaction but rather perform procedures on samples of popula-
tions; for example, if an auditor is performing tests of controls on the acquisitions cycle to establish whether
all purchases were authorised, how many purchase requisitions or purchase orders should be inspected for
an authorising signature, to enable the auditor to conclude whether the authorisation control operates?
Similarly, when testing the existence of debtors, how extensive should the positive debtors circularisation
or subsequent receipts testing be for the auditor to be in a position to conclude the existence assertion for
debtors?
The question of sufficiency is further complicated because evidence about an assertion is not gathered by
performing a single procedure, but by performing several procedures, each of which contributes some
evidence. Evidence is cumulative in nature.
For example, evidence relating to the existence of debtors can be gathered by performing a debtors circu-
larisation and by testing subsequent receipts from debtors (this procedure involves tying payments received
from debtors after the reporting date to amounts owed by those debtors at the reporting date and is based on
the premise that if a debtor pays, it is strong evidence that the debtor existed). The auditor has to balance
the extent of each procedure performed.
Chapter 5: General principles of auditing 5/19

There is no hard and fast way in which the quantity of audit evidence needed can be precisely calculated.
It is a very subjective decision requiring a strong dose of professional judgement. Certainly, there are
statistical models which can assist in determining sample sizes, but even these models require the auditor to
make some subjective decisions. The quantity of audit evidence relates to the “extent of testing” compo-
nent of the audit plan (the other two being the nature and timing of tests). The audit plan is only decided
upon once the full exercise of devising the overall audit strategy has taken place. The planning process also
includes making subjective decisions, for example, evaluating risk, so the auditor is really left with using his
professional expertise to determine whether enough evidence has been gathered in light of the prevailing
circumstances surrounding the audit.

5.2.2.2 Appropriate evidence


The appropriateness of audit evidence relates to the quality of audit evidence. This can be further broken
down into the reliability (source and nature) of the evidence and the relevance of the evidence to the assertion
which is being audited.

• Reliability
Some evidence is simply more reliable than other evidence. The hierarchy of reliability for audit evi-
dence can be expressed as follows:
– evidence developed by the auditor is the most reliable source, for example, the auditor inspects inventory to
obtain evidence of its existence
– evidence provided directly by a third party to the auditor (as opposed to the client) is reasonably reliable
evidence, provided that the third party is independent of the client, reputable and competent, for example,
information obtained from the client’s attorneys
– evidence obtained from a third party but which was passed through the client is less reliable as the client may
have had the opportunity to tamper with the evidence, for example, a bank statement or certificate of
balance which is not sent directly to the auditor
– evidence generated through the client’s system will be more reliable when related internal controls are
effective
– evidence provided by the client is the least reliable as it lacks “independence”, that is, it is provided by the
persons who are responsible for the assertion for which the evidence is required
– written evidence (whether paper or electronic) is considered more reliable than oral evidence as oral evidence
is easily denied or misinterpreted, and
– evidence provided by original documents is more reliable than evidence provided by photocopies or
facsimiles.
Clearly, the auditor will have to rely on evidence from all of the above sources, (e.g., developed by the
auditor, provided by the entity, provided by a third party) and would therefore not reject evidence solely
on the grounds of its source. Indeed, even evidence provided by the client may be very reliable, particu-
larly if the accounting systems and internal controls are strong and the directors and employees are
competent, reliable and trustworthy. It follows that the hierarchy should be regarded as a guideline.

• Relevance
The relevance of audit evidence means its relevance to the assertion which is being audited. It is very
important that the auditor understands exactly to which assertion the evidence being gathered, relates.
If this is not understood, incorrect conclusions will be drawn.
For example, when the auditor of Meadows Ltd selects a sample of inventory items from the invent-
ory records to count and inspect at the annual inventory count, he obtains evidence of the existence of
that inventory and (possibly) some evidence of the physical condition of the inventory. The physical
condition is relevant to the valuation assertion as it provides evidence relating to the reasonableness of
the allowance for obsolete inventory. However, the inspection of inventory does not provide evidence to
support the rights assertion applicable to that inventory – simply because the auditor has counted and
inspected the inventory in the client’s warehouse does not mean that the client has the rights (owner-
ship) to that inventory. It may be inventory held on consignment on behalf of another company or it
may be inventory which has been sold, but not yet collected by, or delivered to, the purchaser.
5/20 Auditing Notes for South African Students

Similarly, this test will not provide any evidence relevant to the completeness of inventory. The test for
completeness requires that the items be selected from the physical inventory and traced to the records to
determine whether they have been included in the records.
When performing tests of controls, the auditor attempts to determine whether the major objective of the
accounting system and related internal control, to produce valid, accurate and complete information, is being
achieved. In doing this, the auditor obtains evidence relating to the occurrence, accuracy, cut-off, classification,
and completeness assertions relating to transactions processed through that accounting system. Again, the
auditor must be quite sure which assertion the procedure being performed (and the evidence gathered from
the procedure) is relevant. For example, the auditor may deduce from the tests of controls, that the con-
trols for the recording of sales at the proper amount (accuracy) are sound, however, this does not provide
evidence that all sales actually made, were recorded (completeness) or that all sales recorded, were genuine
sales (i.e., not fictitious) (occurrence).
Finally, a single procedure will not necessarily be relevant to only one assertion, it may provide evi-
dence relevant to a number of assertions.

5.2.2.3 Influencing factors in determining whether sufficient, appropriate evidence


has been obtained
Whilst the decision as to whether sufficient, appropriate evidence has been gathered, cannot be precisely
measured (it remains a matter of professional judgement), the following factors will influence the auditor in
making the decision:
• The significance of the potential misstatement in the assertion and the likelihood of the misstatement having
a material effect on the financial statements. It stands to reason that if there is a high risk of material
misstatement relating to a particular assertion, more evidence from the most reliable source available
would be required by the auditor.
• The materiality of the account heading being examined. For example, suppose inventory is a very material
figure in the financial statements. In that case, the auditor will be more concerned about obtaining suffi-
cient, appropriate evidence for the assertions relating to inventory, than those relating to a far less
material account heading. Simplistically, this is because material misstatement in a material account
heading will have a material effect on the financial statements. The auditor is likely to seek more evi-
dence of the most reliable evidence available.
• Experience gained during previous audits. As the auditor develops a relationship with his client, know-
ledge of potential problem areas will help to guide the auditor in where to focus the audit.
• Results of audit procedures already conducted. For example, if the auditor’s initial positive circularisation
tests on the existence of debtors prove successful, he may decide to perform less additional subsequent
receipts testing on debtors than planned. The opposite situation may also arise.
• Source and reliability of information available. Clearly, the auditor will want to use the best evidence
available; however, if reliable evidence is not available, the auditor may be forced to gather more cor-
roborative evidence from a number of less reliable sources to be in a position to form an opinion on a
particular assertion. Bear in mind, however, that simply gathering more unreliable evidence is not very
helpful.
• The persuasiveness of the audit evidence. For example, evidence gathered on one section of the audit
supported or corroborated by evidence from another section of the audit will be more persuasive than
had the evidence contradicted itself or if there had been no corroborating evidence.

5.2.2.4 Audit procedures for obtaining audit evidence


Audit evidence to draw reasonable conclusions on which to base the auditor’s opinion is obtained by
performing:
• risk assessment procedures, and
• “further” audit procedures, which comprise:
– tests of controls, and
– substantive procedures, including tests of detail and substantive analytical procedures.
These are discussed further later in this chapter and in chapter 6.
Chapter 5: General principles of auditing 5/21

5.2.3 Financial statement assertions


In chapter 1 the importance of financial statement assertions was discussed. This chapter revisits the topic
in an attempt to confirm the link between the assertions and sufficient, appropriate evidence. The objective
of an audit is for the auditor to express an opinion on whether the financial statements are fairly presented.
Simplistically the financial statements are nothing more than an embodiment, in a prescribed format for
example IFRS, of the assertions of the directors to the shareholders concerning the financial position and
results of operations of the company they are managing on behalf of those shareholders.
As described in ISA 315 (revised), management implicitly or explicitly makes assertions regarding recog-
nition, measurement and presentation of classes of transactions and events, account balances and disclo-
sures. The auditor may use the assertions as a “framework” to consider the different types of potential
misstatement that might occur in an account balance and its related disclosures, or in a class of transactions
and its related disclosures. ISA 315 (revised) presents the assertions in two categories as follows (see note
below):
• assertions about classes of transactions and events, and related disclosures for the period under audit
• assertions about account balances and related disclosures at the period end.

5.2.3.1 Assertions about classes of transactions and events and related disclosures:
(i) Occurrence – transactions about events that have been recorded or disclosed, have occurred, and such
transactions and events pertain to the entity.
(ii) Completeness – all transactions and events that should have been recorded have been recorded, and all
related disclosures which should have been included in the financial statements, have been included.
(iii) Accuracy – amounts and other data relating to recorded transactions and events have been recorded
appropriately, and related disclosures have been appropriately measured and described.
(iv) Cut-off – transactions and events have been recorded in the correct accounting period.
(v) Classification – transactions and events have been recorded in the proper accounts.
(vi) Presentation – transactions and events are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of the requirements
of the applicable financial reporting framework.

5.2.3.2 Assertions about account balances, and related disclosures, at the period end:
(i) Existence – assets, liabilities and equity interests exist.
(ii) Rights and obligations – the entity holds or controls the rights to assets, and liabilities are the obliga-
tions of the entity.
(iii) Completeness – all assets, liabilities and equity interests that should have been recorded, and all related
disclosures that should have been included in the financial statements, have been included.
(iv) Accuracy, valuation and allocation – assets, liabilities and equity interests have been included in the
financial statements at appropriate amounts and any resulting valuation or allocation adjustments
have been appropriately recorded, and related disclosures have been appropriately measured and
described.
(v) Classification – assets, liabilities and equity interests have been recorded in the proper accounts.
(vi) Presentation – assets, liabilities and equity interests are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable in the context of the
requirements of the applicable financial reporting framework.
5/22 Auditing Notes for South African Students

The following diagram illustrates the breakdown of the assertions and to which categories they apply:
Assertion Transactions, Balances, assets, liabilities, equity
events and related disclosures interests and related disclosures
Occurrence —
Completeness — —
Accuracy —
Cut off —
Classification — —
Existence —
Accuracy, rights and obligations —
Valuation and allocation —
Presentation — —

The auditor’s duty is to gather sufficient, appropriate evidence to support the assertion being audited.
Whilst every assertion should be considered for audit, the auditor will obviously direct his attention to
those assertions which present a risk of material misstatement, which, if not detected, could lead the audit-
or to express an inappropriate opinion on the financial statements (see chapter 7 for a discussion on audit
risk). When the auditor carries out risk assessment procedures for the various account headings, he will
consider the risk of material misstatement in terms of the assertions applicable to the account heading.
For example, the auditor of Skosana-Smit Ltd may look at all of the information that she has gathered
about the company’s inventory and then work through the assertions applicable to the inventory account
balance and related disclosures and assess the impact of the information on her assessment of the risk of
material misstatement in the inventory account heading and its related disclosures. It will be necessary for
the auditor to identify the assertions for which evidence should be gathered and then design an audit plan
that will provide enough relevant and reliable evidence to base an opinion on.
Consider the diagram above in conjunction with the following examples:

Example 1
When the auditor gathers evidence about sales transactions, he will be seeking evidence to support the fol-
lowing assertions:
• occurrence – all sales included are genuine sales (not fictitious) of the entity (a genuine sale of the com-
pany’s goods/services has occurred)
• completeness – all sales which were made, have been included in the total of sales made for the year
• accuracy – all sales have been recorded appropriately: this implies prices are correct and that the correct
discount and VAT rates have been used and correctly calculated
• cut-off – all sales recorded, occurred in the accounting period being audited
• classification – all sales have been posted to (recorded in) the proper account: this implies that a credit
sale has been posted to the correct debtor’s account and that VAT has also been correctly posted, and
• presentation – the sales transactions have been presented in terms of the disclosure requirements of the
relevant financial reporting standard.
Take note that the auditor will also ensure that related disclosures pertaining to “sales” are complete, accu-
rate, relevant and understandable.
The assertions which do not apply to sales are existence (accuracy), valuation and allocation and rights and
obligation. Why is this? It is because these three assertions apply to balances in the statement of financial
position, which are carried forward to the following period, and not to transactions. To explain it slightly
differently, the auditor does not try to establish that a sale existed at the reporting date, he seeks evidence
that the sale, which is included in total sales, actually occurred; furthermore, the auditor does not seek to
value the sale at year-end, he seeks to establish that the amount of the sale was correctly recorded at the
time it was made during the year.
Chapter 5: General principles of auditing 5/23

Example 2
When the auditor gathers evidence about plant and equipment, he will be seeking evidence to support the
following assertions:
• existence – all plant and equipment included in the balance, existed at reporting date
• completeness – all plant and equipment owned by the company, is included in the balance reflected in the
financial statements
• accuracy valuation and allocation – the plant and equipment has been reflected in the statement of finan-
cial position at appropriate amounts; and that reasonable adjustments have been made for depreciation,
impairment and/or obsolescence
• rights – the company has (holds or controls) the right of ownership to the plant and equipment reflected
in the statement of financial position (any encumbrances on that ownership must be disclosed), and
• presentation – plant and equipment has been appropriately aggregated/disaggregated and clearly
described; for example, plant and equipment has been presented in the statement of financial position
aggregated with land and buildings as a separate line item under non-current assets as property, plant
and equipment and has been disaggregated in the property, plant and equipment disclosure notes into
plant and machinery, fixtures and fittings and tools and equipment.
Disclosure is far more comprehensive and complex for plant and equipment than for sales (Example 1) and
obviously presents more risk that there will be material misstatement in the disclosures. The auditor must
satisfy himself that the related disclosures are accurately measured and described, complete, relevant and
understandable in terms of the applicable financial reporting framework.
The assertions which do not apply to the plant and equipment account heading are occurrence and cut-off.
Why is this? These two assertions apply only to transactions/events and not to balances contained in the
statement of financial position. The auditor seeks to establish that plant and equipment appearing in the
statement of financial position actually existed at reporting date; auditing the purchase of the plant and
equipment (a transaction) will provide evidence that the purchase occurred but it will not provide evidence
that the item of plant and equipment was in existence at year-end, (it may have been stolen, sold or
destroyed since being purchased), or that it was fairly valued at year-end, (it may have been severely dam-
aged since it was purchased).
In conclusion, once the auditor has gathered sufficient, appropriate evidence relating to the assertions, he
will be in a position to evaluate the evidence and express an opinion on the fair presentation of the financial
statements.

5.3 The auditor’s toolbox


5.3.1 Introduction
As indicated by ISA 500 – Audit Evidence, audit evidence is obtained by performing:
• risk assessment procedures, and
• further audit procedures which comprise:
– tests of controls, and
– substantive tests, both tests of detail and analytical procedures.
So what are the procedures for carrying out risk assessment, tests of controls and substantive tests? Are
there procedures that apply only to risk assessment? Are tests of controls specific, and can any procedure be
used as a substantive procedure? The answer is that the seven procedures listed below are the “tools” that
the auditor uses to gather evidence and use it as he deems fit. Provided the procedure is appropriate to the
auditor’s objective, it can be used.
For example, risk assessment procedures might include observing the client’s manufacturing process to understand
the client’s operations. Observation may also be used as a test of controls.
For example, when employees in the warehouse of Toy-Box (Pty) Ltd receive goods from suppliers, they
check the details of the delivery before they sign the supplier’s delivery note to acknowledge receipt of the
goods. The auditor of the company observes this control activity to determine whether they do actually carry
it out.
5/24 Auditing Notes for South African Students

Analytical procedures could be part of risk assessment, for example, the auditor performs an analysis of the
company’s sales by month, product, branch etc., to gain an understanding of the entity. Analytical procedures
are also used when carrying out substantive procedures.
For example, when considering the valuation of debtors at Energy-Bars Ltd, the company’s auditor per-
forms a comprehensive comparative analysis of the debtors balance to satisfy herself that the allowance for
bad debts is “fair”.
Note that analytical procedures are not used as tests of controls, as they do not provide evidence that a
control activity is being carried out as it should be.
• Inspection: involves examining records or documents, whether internal or external, in paper form,
electronic form or other medium, for example inspecting a purchase order for an authorising signature
or a physical examination of an asset, for example inspecting a piece of equipment for evidence of its
existence and condition.
• Observation: consists of looking at a process or procedure being performed by others, or of observing the
performance of control activities, for example observing an inventory count performed by the client’s
employees.
• External confirmation: involves obtaining a direct written response from a third party to a request/query
from the auditor to that third party in paper form or by electronic or other medium, for example the au-
ditor requests a client’s debtors to confirm the amounts owed to the client at reporting date.
• Recalculation: consists of checking manually or electronically, the mathematical accuracy of documents
or records.
• Re-performance: involves the auditor’s independent execution of procedures or controls that were origi-
nally performed as part of the entity’s internal control.
• Analytical procedures: involves evaluating financial information through analysis of plausible relation-
ships among both financial and non-financial information.
• Inquiry: consists of seeking information, both financial and non-financial from knowledgeable persons
within the entity or outside the entity.
As discussed above, it is not possible to categorise each of the above procedures as simply a risk assessment
procedure, a test of controls procedure or a substantive procedure. Any of the above procedures (other than
analytical procedures as a test of controls), or a combination thereof, can be used when assessing risk or
carrying out tests of controls or substantive tests. The procedure will be categorised in terms of what the
auditor is trying to achieve.

Example 1
• Inquiry – risk assessment
The auditor inquires of the head of internal audit as to his assessment of the likelihood of material
misstatement of inventory.
• Inquiry – substantive test
The auditor makes inquiries of the factory manager as to the impairment write-downs for a particular
machine.

Example 2
• Re-performance – tests of controls
The auditor re-performs the monthly bank reconciliation to confirm that the control activity of recon-
ciling the balance per the cash book and the balance per the bank statement has been properly carried
out. If the reconciliation is incorrect, the control is not working.
• Re-performance – substantive test
The auditor re-performs the year-end bank reconciliation as part of the verification of the bank balance
reflected in the year-end financial statements (same procedure, different objective!).

Example 3
• Inspection – risk assessment
The auditor examines the minutes of directors' meetings to identify important decisions that have been
taken that may affect the financial statements.
Chapter 5: General principles of auditing 5/25

• Inspection – tests of controls


The auditor inspects a sample of purchase orders over R500 000 for the authorising signature of the
senior purchase officer to confirm that the control over authorising purchases over this amount, is being
exercised. The senior purchase officer must authorise all purchases over R500 000.
• Inspection – substantive test
The auditor inspects a letter from a financial institution confirming the amount, and terms of a loan
made to the client company.

Example 4
• Observation – risk assessment
The auditor observes the operation of the production line in a manufacturing company as part of
assessing the risk of material misstatement in the valuation of work in progress (possibly to decide
whether it will be necessary to engage an expert).
• Observation – tests of controls
The auditor observes the procedures actually conducted by warehouse personnel when receiving goods
ordered.

5.3.2 Why perform tests of controls?


5.3.2.1 Flow of transactions
The diagram below is a simple representation of the flow of transactions through an accounting system:

Balances
Accounting system and
Transactions
related control activities

Totals

For example, when credit purchase transactions are processed through the accounting system the trade
creditors balance is increased as is the total on the purchases account. When creditors are paid, the pay-
ment transactions are processed through the accounting system and the trade creditors balance is
decreased. The total of purchases remains unaffected, but the cash (bank) account balance is reduced.
When wage transactions are processed through the accounting system, the cash (bank) account balance is
reduced, and the wage expense total increased. Remember, as the transactions are recorded on source
documents and passed through the accounting system, they will be subjected to a range of control activ-
ities. The conclusion that can be drawn is that if the accounting system and related control activities are
sound, the balances and totals produced will be sound. The auditor interested in the fair presentation of
balances and totals could test the accounting system and related control activities to determine whether
they produce reliable balances and totals. These tests are known as tests of controls.

5.3.2.2 The system of internal control


ISA 315 (revised) requires that the auditor, as part of his identifying and assessing risk, obtains an under-
standing of the entity’s system of internal control. An understanding of the system of internal control assists
the auditor in identifying types of potential misstatements and factors that affect the risks of material mis-
statement. If the auditor concludes that the internal control system, based on his understanding, is sound,
he will build tests of controls into his audit plan to satisfy himself of the operating effectiveness of the controls.
In other words, his understanding of the internal control system created an expectation that the controls are
operating effectively and now, as a further audit procedure he must test the controls to see if they are
actually working.
If the tests of controls provide sufficient appropriate evidence that the controls are operating effectively,
the auditor will be more confident that the balances and totals produced by the system are valid, accurate
and complete, and hence he will need to spend less time on conducting substantive tests.
5/26 Auditing Notes for South African Students

5.3.2.3 Test of controls


Is it acceptable for the “further audit procedures” to consist only of tests of controls? The answer is no!
Even if the auditor finds that the accounting system and related control activities are excellent and operat-
ing effectively, he must realise that:
• all internal control systems have inherent limitations which make them less than 100% efficient
• the internal control system may have been operating effectively at the time the auditor performed his
tests but this does not mean it did so throughout the year
• there will still be inherent risk at both financial statement level and at assertion level to consider (see
chapter 7), and
• there is a large amount of information in a set of financial statements, which is not generated through
the internal control system and which the auditor will still need to substantiate.
Successful tests of controls will reduce the extent, and possibly change the nature of substantive tests, but
cannot eliminate the need to perform substantive tests.

5.3.3 Why perform substantive procedures?


5.3.3.1 Auditor’s objective
The auditor’s objective is to be in a position to express an opinion on whether fair presentation has been
achieved in the annual financial statements. Financial statements consist of a collection of balances (in the
statement of financial position) and a summary of totals (the statement of comprehensive income), and
accompanying notes. As discussed above, tests of controls on their own cannot provide the auditor with
sufficient, appropriate evidence pertaining to these balances, totals and disclosures and it will therefore be
necessary for the auditor to perform procedures of a substantive nature.

5.3.3.2 Substantive procedures: Tests of detail or analytical procedures


Substantive procedures may be performed on balances and totals themselves or on the individual transac-
tions making up the balance or total and on disclosures. They may be broadly distinguished as tests of detail
or analytical procedures. When conducting tests of detail, the auditor carries out procedures on the specific
detail of a transaction, account balance or disclosure.
He may inspect the date on a sample of purchase invoices to confirm that the purchase was recorded in
the correct accounting period or confirm the cost at which a specific item of equipment was raised in the
accounting records against the purchase invoice and payment records for that item, or he may confirm the
details of a contingent liability disclosed in the notes by inquiry of the financial director and inspection of
correspondence from the client’s attorneys.
When conducting analytical procedures, the auditor does not look at the detail of specific transactions,
balances or disclosures but rather attempts to evaluate financial information through analysis of plausible
relationships among both financial and non-financial data, for example, comparison of sales, month to
month, year to year, by product, by region, to determine whether sales for the current period are “plausi-
ble” or as expected when compared to other periods. If there are fluctuations or inconsistencies, the auditor
will attempt to establish the reason. These analytical procedures might provide the auditor with a general
idea as to whether sales have been overstated (occurrence assertion) and whether accounts receivable have
been overstated (existence assertion).

5.3.3.3 Evidence to support the financial statement assertions


Substantive procedures seek to provide evidence to support the financial statement assertions. When per-
forming substantive tests the auditor is interested in the following assertions:
• balances – completeness, existence, valuation, rights and obligation, presentation and disclosure
• transactions – completeness (totals), occurrence, accuracy, cut-off, classification and, presentation and
disclosure, and
• disclosures – occurrence and rights and obligations, completeness, classification and understandability,
accuracy and valuation.
Chapter 5: General principles of auditing 5/27

5.3.4 Vouching and verifying


Vouching and verifying are terms commonly used by auditors; vouching relates to the audit of transactions,
and verifying relates to balances. Both terms signify a “collection” of different substantive procedures. For
example, to vouch a sales transaction the auditor will, inter alia, inspect documentation, may enquire about
discounts and may check the arithmetical accuracy of the invoice by recalculation. To verify the debtors
balance the auditor may, among other things, obtain written confirmation from the debtors and may make
enquiries as to how the allowance for bad debts was calculated and then re-perform the aging of debtors.

5.4 Audit sampling


5.4.1 Principles of sampling
An auditor can seldom examine every item in a population, for example, all sales invoices or every inven-
tory item, and although this is a limitation of the audit function, it is generally understood that it is a limita-
tion that will always remain. There are populations where all “items” in that population are audited – for
example, all loans to directors will normally be subject to audit, and all minutes of shareholders meetings
will be inspected, but in general, populations are far too large to audit every item. To do so would not be
time or resource efficient.
ISA 530 – Audit Sampling requires that when designing audit procedures, the auditor should determine
appropriate means for selecting items for testing to gather sufficient appropriate audit evidence to draw
reasonable conclusions on which to base the auditor’s opinion. The statement deals with the auditor’s use
of statistical and non-statistical sampling when designing and selecting the audit sample, performing tests of
controls and tests of detail, and evaluating the results from the sample.
It must also be born in mind that the results obtained from auditing a sample of items, will not be the
only evidence gathered about the population being audited. Evidence gained from other audit procedures,
such as analytical procedures, will corroborate the evidence gained from the sampling procedures. The
audit is much like a jigsaw puzzle with numerous pieces of evidence combining to provide the complete
picture.
An important aspect of sampling is that the results of the tests on the sample must be extrapolated over
the population as a whole. The auditor must form an opinion on the population; therefore, it is of little use
to conclude that “we only found three errors in the sample, so there is no problem”. The question to ask is
“how many errors are there in the entire population?” The methods of extrapolating the sample results over
the population will vary depending on whether statistical or non-statistical sampling has been carried out.
Where statistical sampling has been used, the extrapolation will be more defendable than where the auditor
has used some judgmental process to extrapolate.

5.4.2 Definitions
ISA 530 –Audit Sampling provides the following definitions:
• Audit sampling – involves applying audit procedures to less than 100% of the items within a population
of audit relevance such that all sampling units have a chance of selection to provide the auditor with a
reasonable basis on which to draw conclusions about the entire population.
• Anomaly – a misstatement or deviation that is demonstrably not representative of misstatements or
deviations in the population.
• Population – means the entire set of data from which a sample is selected and about which the auditor
wishes to draw conclusions. For example, all items included in an account balance or a class of trans-
actions are populations. A population may be divided into strata, or sub-populations, with each stratum
being examined separately.
• Sampling risk – the risk that the auditor’s conclusion based on a sample may be different from the
conclusion that would be reached if the entire population were subjected to the same audit procedure.
There are two types of sampling risk:
– the risk is that the auditor will conclude, in the case of a test of controls, that controls are more
effective than they are, or in the case of tests of detail, that a material misstatement does not exist
when in fact it does. The auditor is primarily concerned with this type of erroneous conclusion
because it affects audit effectiveness and is more likely to lead to an inappropriate audit opinion, and
5/28 Auditing Notes for South African Students

– the risk is that the auditor will conclude, in the case of a test of controls, that controls are less effect-
ive than they actually are, or in the case of tests of detail, that a material misstatement exists when in
fact is does not. This erroneous conclusion affects audit efficiency because it will usually lead to addi-
tional audit work being carried out to establish that the initial conclusion was incorrect.
• Non-sampling risk – is the risk that the auditor arrives at, an erroneous conclusion for any reason not
related to sampling risk, for example, because he has applied his sampling plan incorrectly, adopted an
inappropriate procedure or misunderstood the results of his sampling exercise.
• Sampling unit – means the individual items constituting a population, for example, credit entries on
bank statements, sales invoices listed in the sales journal, inventory line items, or individual debtors
balances in the debtors ledger.
• Statistical sampling – means any approach to sampling that has the following characteristics:
– random selection of a sample, and
– use of probability theory to evaluate sample results, including measurement of sampling risk.
A sampling approach that does not have these characteristics is considered non-statistical sampling.
• Stratification – is the process of dividing a population into subpopulations, each of which is a group of
sampling units that have similar characteristics (often monetary value) for example, debtors balance
from R1 to R10 000, R10 001 to R25 000, R25 001 to R50 000.
• Tolerable rate of deviation – a number or percentage of deviations from prescribed internal control pro-
cedures set by the auditor. The auditor seeks to obtain an appropriate level of assurance that actual
deviations do not exceed the number/percentage set by the auditor in the population.
• Tolerable misstatement – a monetary amount set by the auditor in respect of which the auditor seeks to
obtain an appropriate level of assurance that the monetary amount set by the auditor is not exceeded by
the actual misstatement in the population.

5.4.3 Tests of controls and sampling


Having obtained an understanding of the accounting and internal control systems, the auditor will be able
to identify the characteristics or attributes that indicate the performance of a control procedure, for example,
the signature of the credit controller on a customer order indicating credit approval. Once the indicators
have been identified, the auditor can test the control by extracting a sample from the entire population of
customer orders and inspecting the authorising signature.
The auditor should be quite clear about what evidence is provided by the test. For example, this test will
only provide evidence of orders which did not contain the credit controller’s signature and therefore may
have been processed without the approval of the credit controller. The test will, however, not indicate
whether the credit controller actually considered the creditworthiness of the customer before approving the
order. Whether the credit controller is actually performing the control procedure will probably be best
established by investigating whether the customer subsequently paid, and that payment was made on time.

5.4.4 Substantive procedures and sampling


Substantive procedures are concerned with balances and amounts. Sampling may be used to gather evi-
dence about one or more assertions relating to the balance or amount, or to make an independent estimate
(projection) of some amount. For example, a sample of debtors may be selected for positive verification to
obtain evidence about the existence of debtors, or, using an appropriate sampling plan, the total value of
inventory, based upon a sample selected, may be projected for comparison with the value represented by
the directors in the financial statements.

5.4.5 Statistical versus non-statistical approaches


The decision as to whether to use statistical or non-statistical sampling is a matter of professional judge-
ment. Statistical sampling and non-statistical sampling are not mutually exclusive; certain aspects of statis-
tical sampling may be used when performing a non-statistical sample. For example, the sample size may be
decided upon on a judgemental basis (non-statistical) but the items to be selected may be chosen using
computer-generated random numbers (statistical approach). The important point is that valid statistically
based evaluation of the sampling results can only take place where all the characteristics of statistical
sampling have been adopted; for example, sample size, selection of items, extrapolation, and evaluation,
are properly applied in terms of probability theory.
Chapter 5: General principles of auditing 5/29

5.4.6 Steps in the sampling exercise


An important consideration in undertaking a sampling exercise is whether it will be statistically or non-
statistically based. The decision will be one of professional judgement but will be based on the level of
assurance required by the auditor, the skills and time available, and the “defensibility” of the results which
the auditor might require. Regardless of this decision the steps to be taken remain broadly the same.

5.4.6.1 Determine the objectives of the procedure


For example, the auditor may wish to establish:
• that for every entry in the purchase journal, there is a signed goods received note (test of controls), or
• that the individual debtor’s balances in the debtors ledger pertain to debtors who exist (substantive).

5.4.6.2 Determine the procedure to be performed


• This includes specifying clearly the error (deviation or misstatement) condition. So in the first example given
in 5.4.6.1 above, the procedure will be to select a sample of entries in the purchase journal (note direc-
tion of test) and trace to the purchase invoice and see whether it has a signed GRN attached. The devia-
tion is the absence of a GRN (usually the presence of a GRN without a signature will be tested
separately).
• In the second example in 5.4.6.1 above, the procedure may be to select debtors’ balances for positive
circularisation. The misstatement will be the inclusion in the client’s debtors ledger of any debtor who
does not exist.

5.4.6.3 Confirm that the population is appropriate and complete


• This is the population from which the sample is to be selected and the population upon which an audit
conclusion is to be made.
• In the examples in 5.4.6.1, the population will be all purchase journal entries and all debtors’ balances as
per the debtors ledger.
• A very important consideration is that all units in the population must be available for selection. In the
examples used thus far, ensuring that all units in the population are considered for selection will be rela-
tively easy. The problem that arises concerning completeness of the population usually occurs where the
unit of sample is a document. Here extensive checks on sequence and stationery control are necessary to
be sure that all sequences of documents used during the year, are included.

5.4.6.4 Define the units of the population


In the examples in 6.1, the units would be entries in the purchase journal (a numbering system identifying
each entry would have to be developed to implement the sampling plan), and each debtor in the general
ledger. Note that the units of the population selected for the sample become the units of the sample.

5.4.6.5 Determine the sample size


The overriding requirement for determining the sample size is whether the sampling risk will be reduced to
an acceptably low level.
For example, if you have a population of 10 000 items and you select a sample of only 15 items, sam-
pling risk would be very high – so the question of “How many of the items should be selected for the
sample to reduce sampling risk to an acceptable level?” arises.
Whether statistical or non-statistical approaches are to be used, professional judgement will still play a
large role. With non-statistical approaches, the sample size is virtually entirely based on professional judg-
ment. With statistical approaches, the auditor is forced to make judgements about specific matters that are
then applied to a formula or table that will give the sample size. These specific judgments are described as
follows:
• Confidence level: Confidence indicates, as a percentage, how often a sample will correctly represent the
population. The auditor must decide how “confident” he wants to be about his conclusions. The more
confident he wishes to be, the larger the sample needs to be. Remember that the auditor must draw his
conclusion (form an opinion) on the population and therefore wants the sample to be representative of
the population.
5/30 Auditing Notes for South African Students

In the first example from 5.4.6.1, a 90% confidence level would mean statistically that if 100 random
samples were selected, 90 of them would be expected to give a reliable representation of the extent to
which purchase journal entries are supported by GRNs, and 10 may not.
• Tolerable misstatement/tolerable rate of deviation: This is the maximum extent of “error” that the auditor
is willing to accept and still feel that the objective of the sampling procedure has been achieved. The
converse of this is the extent of misstatement or rate of deviation which the auditor decides is unac-
ceptable (which will lead to more extensive or alternative procedures). In the first 5.4.6.1 example, if the
auditor wishes to rely on a GRN supporting purchase journal entries (i.e., goods were received) he or
she must be sure that it happens in, say, 97% of cases. The tolerable deviation will then be 3%. In the
debtors example, the tolerable misstatement would be expressed in rand for example R10 000 of the
balance pertains perhaps to debtors for which the auditor cannot prove existence using the positive cir-
cularisation procedure. The less deviation or misstatement the auditor is prepared to tolerate, the larger
the sample size.
• Expected misstatement/rate of deviation: Most sampling plans require an estimate of the expected “error
rate” to be made because the greater the anticipated misstatement/rate of deviation, the larger the sam-
ple size will be in order to achieve sufficient assurance. The estimate is based either on past experience,
knowledge of the business or a pilot sample.
• The population size (the number of sampling units): Some sampling plans require that the population size
be known to arrive at the sample size, and other sampling plans do not. In our example, the population
will be every entry in the purchase journal, or every debtor in the debtors ledger. For very large popula-
tions, variation in the size of the population has little, if any, effect on sample size.

5.4.6.6 Select the sample


Having calculated the sample size as above, the decision has to be made on how to select these items. The
following methods are suggested:

Data analytics, which are discussed in chapter 8, can assist with sampling.
Chapter 5: General principles of auditing 5/31

5.4.6.7 Perform the audit procedures


As determined (in 5.4.6.2) above.

5.4.6.8 Analyse the nature and cause of deviations and misstatements


The auditor should analyse the sample results and consider the nature and cause of deviations and mis-
statements identified. This is done to provide the auditor with more insight into the “errors” which may
provide evidence that further procedures are necessary or that risk should be reassessed.
Two examples will illustrate the importance of this procedure.
Example 1: When performing tests of controls, the analysis of deviations discovered in the sample indicates
the presence of management override. This may suggest to the auditor that fraudulent activity is taking
place. In turn, this may lead to a reassessment of all information supplied by management and the extension
of testing to other areas of the audit.
Example 2: On analysis the auditor establishes that certain “errors” in the sample arose out of an isolated or
unique event. (This is defined as an anomaly.) This could occur, for example, where the errors can be tied
back to a temporary staff member who had made the “errors” whilst standing in for the permanent staff
member for a short period during the year. If this unique situation is projected over the population, the
result will be very misleading and may result in the performance of unnecessary procedures. (The extrapo-
lation of the sample results must be conducted once the anomalies have been removed from the sample
results.)

5.4.6.9 Project the sample results across the population


At this point the auditor will calculate the actual number of misstatement/deviations (as defined) in the
sample. Where statistical sampling is used, the auditor will arrive at the misstatement/deviation rate for the
population by applying the various determinants to the relevant formula or table.
Where a non-statistical approach is used, some other method of projecting the sample over the popula-
tion must be applied, for example proportion. Although many firms do this, its validity is questionable.

5.4.6.10 Evaluate
Once the sample result is projected over the population, it is compared to the tolerable deviation/mis-
statement. The auditor then concludes on the sample in terms of his confidence level and precision if these
have been set. Should the results of a sampling exercise be unsatisfactory, the auditor may:
• request management to investigate the deviations/misstatements and the potential for further devia-
tions/misstatements, and to make any necessary adjustments, and/or
• modify planned audit procedures, for example in the case of a test of controls, the auditor might extend
the sample size, test an alternative control or modify related substantive procedures.

5.4.7 Conclusion
Sampling is an integral part of auditing. Although it has its limitations in the audit context, it is used exten-
sively on virtually every audit. Both statistical and non-statistical approaches are used, and both have their
place. Evidence obtained from sampling is not in itself complete and is persuasive rather than conclusive.
However, it is an important component in the process of gathering sufficient, appropriate evidence.
CHAPTER

6
An overview of the audit process

CONTENTS
Page

6.1 Introduction ...................................................................................................................... 6/3

6.2 Quality management for an audit of financial statements – ISA 220 (revised) .................... 6/3
6.2.1 Leadership responsibilities for managing and achieving quality on audits .................. 6/3
6.2.2 Ethical requirements, including those related to independence .................................. 6/4
6.2.3 Acceptance and continuance of client relationships and audit engagements ............... 6/4
6.2.4 Engagement resources............................................................................................. 6/5
6.2.5 Engagement performance........................................................................................ 6/5
6.2.6 Consultation and differences of opinion ................................................................... 6/6
6.2.7 Engagement quality control review .......................................................................... 6/6
6.2.8 Monitoring ............................................................................................................. 6/7

6.3 The audit process .............................................................................................................. 6/8


6.3.1 Diagrammatic representation of the audit process and supporting narrative
description .............................................................................................................. 6/8
6.3.2 The role of the International Standards on Auditing (ISAs) in the audit process ........ 6/10

6.4 Preliminary engagement activities..................................................................................... 6/10


6.4.1 Preconditions for an audit ....................................................................................... 6/10
6.4.2 Prospective clients and continuance with an existing client ...................................... 6/11
6.4.3 Compliance with Standards ..................................................................................... 6/11
6.4.4 Procedures to gather “preliminary engagement” information .................................... 6/12
6.4.5 Establishing an understanding of the terms of the engagement .................................. 6/12

6.5 Planning ............................................................................................................................ 6/15


6.5.1 Introduction ........................................................................................................... 6/15
6.5.2 The overall audit strategy ........................................................................................ 6/15
6.5.3 The audit plan itself ................................................................................................ 6/17
6.5.4 Materiality.............................................................................................................. 6/17
6.5.5 Planning and conducting risk assessment procedures ................................................ 6/18
6.5.6 Planning “further” audit procedures based on the risk assessment ............................. 6/19

6/1
6/2 Auditing Notes for South African Students

Page
6.6 Responding to assessed risk .............................................................................................. 6/21
6.6.1 Overall response at financial statement level ............................................................ 6/21
6.6.2 Audit procedures to respond to the assessed risk of material misstatement
at the assertion level (further procedures) ................................................................. 6/22
6.6.3 Audit procedures carried out to satisfy the requirements of the ISAs
(other procedures) ................................................................................................... 6/23

6.7 Evaluating, concluding and reporting................................................................................. 6/23


6.7.1 Sufficient, appropriate evidence ............................................................................... 6/23
6.7.2 Uncorrected misstatements ..................................................................................... 6/23
6.7.3 Applicable financial reporting standards .................................................................. 6/25
6.7.4 Events occurring after the reporting date .................................................................. 6/25
Chapter 6: An overview of the audit process 6/3

6.1 Introduction
This chapter and chapter 7 – Important elements of the audit process, are interrelated and should be
studied in conjunction with each other to obtain a solid understanding of the audit process.
Chapter 6 provides an overview of the audit process, and includes a reasonably comprehensive coverage
of some stages (or aspects of a stage) of the process, for example, preliminary engagement activities, whilst
chapter 7 provides a detailed discussion on the important elements of the audit process, for example,
materiality. This is not to suggest that those aspects covered in chapter 6 are not important, but rather that
the elements covered in chapter 7 require more detailed explanation.
Once you have an idea of what is involved overall, you will better understand how the detail fits in.
Remember that the auditor’s objective is to be in a position to form an opinion on whether the financial
statements fairly present, in all material respects, the financial position of the company at a particular point
in time, and the results of its operations for a period that ended at that point in time. The auditor goes
through a process to achieve this objective.
However, before considering the overview of the audit process it is necessary to gain an understanding of
ISA 220 that deals with quality management for an audit of financial statements. It is of utmost importance
that all stages of the process are carried out with a high level of competence and compliance with the
standards that are expected of a “professional” accountant. To ensure that this happens, audit firms are
required to put in place policies and procedures to ensure that the desired quality standards are achieved for
all aspects of the audit. Quality management is not only motivated by a need and desire to offer a highly
professional and meaningful service but the most effective safeguard for the auditor against the risk of being
sued for negligence by a client is to perform quality audits. Two statements are relevant here ISA 220, and
ISQM1 – Quality management for firms that perform audits or reviews of financial statements, or other
assurance or related services engagements.
ISA 220 is summarised below; reference can be made to ISQM1 for expanded explanations. ISA 220
seeks to provide guidance on the specific responsibilities of firm personnel regarding quality control proced-
ures for audits. In effect the statement places a responsibility on the engagement partner and a collective
responsibility on the engagement team to conduct a quality audit within the context of the firm’s system of
quality management. Every team needs a captain to take charge, and in terms of ISA 220 the engagement
partner fulfils this role.

6.2 Quality management for an audit of financial statements – ISA 220 (revised)
6.2.1 Leadership responsibilities for managing and achieving quality on audits
The engagement partner (designated auditor – Auditing Profession Act of 2005 (APA) is required to take
overall responsibility for managing and achieving quality on the audit engagement. The engagement
partner should also take responsibility for creating an environment that emphasises the firm’s culture (that
demonstrates a commitment to quality) and expected behaviour of engagement team members (by com-
municating directly with the team members and by leading through example). It is expected of the engage-
ment partner to be sufficiently and appropriately involved from the planning phase to the concluding phase
of the audit to assure that he/she can determine the appropriateness of significant judgements made and
conclusions reached, as it relates to the nature and circumstances of the audit (this can be achieved by
taking responsibility for, and varying, the nature, timing and extent of the direction and supervision of the
team and the review of their work).
In creating an environment as described above, the engagement partner should take responsibility for
actions being taken that reflect the firm’s commitment to quality. The engagement partner should also take
responsibility for setting the expectations for the engagement team’s behaviour and communicating the
expected behaviour. In doing this, the engagement partner should emphasise:
• that all engagement team members are responsible for contributing to the management and achieve-
ment of quality
• the importance of professional ethics, values and attitudes
• the importance of open and robust communication within the engagement team, and supporting the
ability of engagement team members to raise concerns without fear of reprisal, and
• the importance of each engagement team member exercising professional scepticism throughout the
audit engagement.
6/4 Auditing Notes for South African Students

Even when assigning certain aspects of the audit, such as the design or performance of procedures, to other
members of the engagement team, the engagement partner remains ultimately responsible for managing
and achieving quality on the audit through direction and supervision and review of their work.

6.2.2 Ethical requirements, including those related to independence


An essential requirement for achieving quality on the audit is that the engagement team apply the highest
level of professional ethics, the fundamental principles of which include:
• integrity (self-honesty)
• objectivity (independent thought, freedom from bias)
• professional competence and due care
• confidentiality, and
• professional behaviour.
The engagement partner should have an understanding of relevant ethical requirements, and although it is
the responsibility of the firm to recruit employees who display and believe in these fundamental principles,
it is the responsibility of the engagement partner to ensure the engagement team’s awareness of relevant
ethical requirements as well as the firm’s polices/procedures. These requirements, policies and procedures
also include those related to:
• threats to compliance with relevant ethical requirements, including those related to independence
• circumstances that may cause a breach of relevant ethical requirements, including those related to
independence
• the responsibilities of members of the engagement team when they become aware of such breaches, and
• the responsibilities of members of the engagement team when they become aware of an instance of non-
compliance with laws and regulations by the entity.
Equally important is the engagement partner’s duty to be alert to evidence of non-compliance by the
engagement team. If any such evidence is obtained, the engagement partner should follow the firm’s
policies and procedures, including communicating and consulting with the relevant parties (e.g., appro-
priate individuals, those charged with governance, regulatory authorities or professional bodies).
A clear duty is placed on the engagement partner to:
• obtain relevant information from the firm to identify and evaluate circumstances and relationships that
create threats to independence (e.g., if the proposed manager of the audit team is married to the client’s
financial controller)
• evaluate any potential breaches to determine whether they present a threat to the firm’s independence
that is not clearly insignificant. In the example in the first point above, the threat would be significant
• take appropriate action to eliminate or reduce the threat to an acceptable level. (In the example in the
first point above, the appropriate action would be to leave the proposed manager off the engagement
team), and
• document conclusions on the independence of the audit team.
Lastly, before dating the audit report, the engagement partner should take responsibility for ensuring that
all ethical requirements have been fulfilled, including those that relate to independence.

6.2.3 Acceptance and continuance of client relationships and audit engagements


It is the duty of the audit firm to have policies and procedures in place regarding the acceptance and
retention of clients, for example, there should be procedures to determine whether the directors of a poten-
tial audit client have integrity. This duty is extended to the engagement partner who is responsible for
determining that these policies and procedures are followed, and that adequate conclusions are reached.
The engagement partner should, among other things, consider information relating to:
• the integrity and ethical values of the principal owners, key management and those charged with
governance of the entity
• whether sufficient and appropriate resources are available to perform the engagement
• whether management and those charged with governance have acknowledged their responsibilities in
relation to the engagement
Chapter 6: An overview of the audit process 6/5

• whether the engagement team has the competence and capabilities, including sufficient time, to perform
the engagement, and
• whether significant matters that have arisen during the current or previous engagement have implica-
tions for continuing the engagement.
If the engagement partner obtains information that would have caused the firm to decline the audit engage-
ment had it had access to the information prior to accepting the engagement, the engagement partner
should convey the information to the firm so that appropriate action can be taken. The firm may have been
seriously misled by the directors as to the activities/operations of the company, a situation that is only
discovered once the audit is underway. For example, the company is involved in frequent and regular
illegal acts ranging from foreign exchange contraventions and illegal import of counterfeit goods. In this
instance the auditor would be required to meet its section 45 of the APA (Reportable Irregularities) duty,
and would ultimately withdraw from the engagement.

6.2.4 Engagement resources


The engagement partner should be satisfied that sufficient and appropriate engagement resources are made
available in a timely manner in order to perform an audit of the appropriate quality. Such resources may
include human resources (e.g., the engagement team, experts, etc.), technological resources (e.g., IT
applications) and intellectual resources (e.g., audit methodology). The engagement partner should deter-
mine whether the engagement team has the required competence and capabilities, and in doing so, will
consider the team’s:
• understanding of, and practical experience with, audit engagements of a similar nature and complexity
through appropriate training and participation
• understanding of professional standards and applicable legal and regulatory requirements
• expertise in specialised areas of accounting or auditing
• expertise in IT used by the entity or automated tools or techniques that are to be used by the engage-
ment team in planning and performing the audit engagement
• knowledge of relevant industries in which the entity being audited operates
• ability to exercise professional scepticism and professional judgement, and
• understanding of the firm’s policies or procedures.

6.2.5 Engagement performance


The engagement partner is required to take responsibility for the direction, supervision and performance of
the audit and a review of their work. His/her objective is to ensure that the audit has been carried out in
compliance with professional standards, regulatory and legal requirements, and that sufficient appropriate
audit evidence has been obtained to support the conclusions reached and the audit opinion to be given, i.e.,
the auditor’s report being appropriate in the circumstances.

6.2.5.1 Direction
The engagement partner directs the audit engagement by informing the members of the engagement team
of:
• their responsibilities (e.g., achieving quality, maintaining objectivity, adopting a suitable level of profes-
sional scepticism, ethics, supervision etc.)
• the nature of the entity’s business
• the objectives of the work to be performed
• risk-related issues and potential problems, and
• the detailed audit strategy and audit plan.

6.2.5.2 Supervision
This includes the following:
• monitoring progress on the audit
• considering the capabilities and competence of the individual members of the team, whether they have
the necessary time, whether they understand their instructions and are carrying them out in accordance
with the audit strategy and plan
6/6 Auditing Notes for South African Students

• addressing significant issues that arise on audit, and modifying the audit strategy and audit plan
appropriately
• identifying matters for consultation or consideration by more experienced members of the engagement
team
• providing coaching and on-the-job training to help engagement team members develop skills or com-
petencies, and
• creating an environment where engagement team members raise concerns without fear of reprisals.

6.2.5.3 Review
Review procedures are conducted on the basis that more experienced team members, including the engage-
ment partner, review the work performed by less experienced team members. A reviewer will consider
whether:
• the work has been performed in accordance with professional standards and regulatory and legal
requirements
• significant matters have been raised for further consideration
• appropriate consultations have taken place (and recommendations implemented and documented)
• there is a need to revise the nature, timing and extent of audit work
• the work performed supports the conclusions reached and is adequately documented
• the evidence obtained is sufficient and appropriate to support the auditor’s report, and
• the objectives of the audit procedures have been achieved.
Note: The engagement partner, in addition to his overall responsibility for the review process, must also
carry out timely reviews of specific matters such as:
• critical areas of judgement applied on the audit, and
• significant risks and responses thereto.

6.2.6 Consultation and differences of opinion


Difficult or contentious issues frequently arise on audit. It is the responsibility of the engagement partner to
ensure that where such issues arise, they are resolved by consultation with appropriate persons either
within the firm or external to it. The engagement partner should ensure that the nature, scope and conclu-
sions resulting from consultations are documented, confirmed with the consultant and implemented.
Where differences of opinion arise out of difficult or contentious issues, the firm’s policies and proced-
ures for settling the difference should be followed, for example, engagement of additional experts,
arbitration by a senior partner from another office of the firm.

6.2.7 Engagement quality review


An important requirement of ISA 220 (revised) is that for engagements that require a quality review (as in
the case of the audit of a listed entity or in terms of the specified responses to the risks identified as part of
the firm’s risk assessment process, or by law or regulation), the firm should appoint an engagement quality
reviewer to conduct a quality review of the engagement before dating the auditor’s report. The engagement
quality reviewer can be an individual or partner in the firm or an external individual employed by the firm.
ISQM 1 (as introduced in chapter 1) requires an engagement quality review for certain engagements and
ISQM 2 deals with the quality reviewer’s responsibilities, as well as the appointment and eligibility of such
a reviewer.

6.2.7.1 Responsibilities of the engagement quality reviewer


The engagement quality review entails that the engagement quality reviewer must objectively review:
• the significant judgements made by the engagement team, and
• the conclusions reached in formulating the auditor’s report.
In performing the engagement quality review as described above, the engagement quality reviewer must:
• obtain an understanding of the information communicated by the engagement team regarding the
nature and circumstances of the engagement and the entity
Chapter 6: An overview of the audit process 6/7

• obtain an understanding of the information communicated by the firm related to the firm’s monitoring
and remediation process, especially information related to deficiencies that may affect areas involving
significant judgements made by the engagement team
• discuss, with the engagement partner and members of the engagement team, significant matters and
significant judgements made in planning, performing and reporting on the engagement
• based on the information obtained, review selected engagement documentation relating to significant
judgements made and evaluate the basis for making those significant judgements, including the type of
engagement, the exercise of professional scepticism and whether the conclusions reached are
appropriate and supported by the documentation
• evaluate the engagement partner’s basis for concluding that relevant ethical requirements relating to
independence have been fulfilled
• evaluate whether appropriate consultation has taken place on difficult or contentious matters or matters
involving differences of opinion and the conclusions arising from those consultations
• evaluate the engagement partner’s basis for conceding that his/her involvement has been sufficient and
appropriate throughout the audit to allow for the engagement partner to be satisfied that the significant
judgements made and the conclusions reached are appropriate, given the nature and circumstances of
the engagement
• review, for audits of financial statements, the financial statements and the auditor’s report thereon,
including the description of key audit matters, and
• for review engagements, review the financial statements or financial information and the engagement
report thereon, or for other assurance and related services engagements, the engagement report, and
when applicable, the subject matter information.

6.2.7.2 Appointment and eligibility of the engagement quality reviewer


An audit firm must have policies and procedures that, firstly, assign responsibility to an individual for the
appointment of an engagement quality reviewer, and secondly, include detail of the criteria for eligibility
for a person/s to be appointed to the role of engagement quality reviewer. The person responsible for the
appointment of the engagement quality reviewer must understand the responsibilities of an engagement
quality reviewer and must have sufficient knowledge to establish the criteria for eligibility for appointment
as engagement quality reviewer. Such a person must further have sufficient knowledge about the engage-
ment requiring an engagement quality review, as well as the composition of the engagement team. The
criteria for eligibility to be appointed to the role of engagement quality reviewer must include that the
engagement quality reviewer:
• may not be a member of the engagement team (if the firm is very small, an outside person would then
typically be appointed)
• must have the competence and capabilities (e.g., technical skills, professional skills, ethics, etc.),
including sufficient time, and the appropriate authority to perform the engagement quality review
• must comply with relevant ethical requirements, (including those in relation to objectivity and
independence) of the engagement quality reviewer, and
• must comply with any applicable provisions of law and regulation.

6.2.8 Monitoring
Audit firms are required to put in place a process for monitoring and remediating their system of quality
management in order to provide information about the design, implementation and operation of the system
and to take appropriate actions to respond to identified deficiencies.
6/8 Auditing Notes for South African Students

6.3 The audit process


6.3.1 Diagrammatic representation of the audit process supporting narrative description

Note: This diagram should only be used to obtain an overview of the audit process. The stages of the audit
are not “stand alone units” and the activities within each stage do not always fit neatly into the
order presented. The different aspects or activities within planning are far more interrelated and
dependent on each other, than is reflected in the diagram and the order in which they occur is not as
clear cut.
For example, the audit strategy may change once risk assessment procedures have been carried out. Risk
assessment procedures cannot be planned until a materiality level has been set but the materiality level may
also change once the risk assessment procedures have been carried out, or even as they are being carried
out.
Even when carrying out planned procedures, the auditor might decide to change the plan to respond to
new information. Neither the audit strategy nor the audit plan is static; they will change as the audit
unfolds.
The above chart and brief narrative for each stage below should provide you with a basic understanding
of the audit process; the more detailed discussions that follow in the rest of chapter 6 and in chapter 7 will
then be placed in context.

6.3.1.1 Preliminary stage


This stage consists of what are termed preliminary engagement activities that take place before an audit
engagement is accepted. This includes:
• establishing whether the pre-conditions for an audit are present
• performing procedures to determine whether the audit firm wishes to establish (in the case of a pro-
spective client), or continue (in the case of an existing client) the client relationship
• establishing whether the client can be appropriately serviced (i.e., can the auditor do the audit
properly?)
Chapter 6: An overview of the audit process 6/9

• evaluating whether the firm is able to comply with the ethical requirements relating to the engagement,
(e.g., is there a threat to independence?), and
• establishing an understanding of the terms of the engagement including confirming that there is a
common understanding between the auditor and management, and those charged with governance, of
the terms of the audit engagement.

6.3.1.2 Planning stage


As you can see from the diagram, this stage has a number of activities within the stage itself. They are:
• establishing the audit strategy – this will be a preliminary idea of what the scope, timing and direction
(focus) of the audit will be and what resources (skills, number of staff, etc.) will be needed on the audit
• considering materiality – this entails the auditor making a judgement about the size of misstatements
that will be considered material
• planning risk assessment procedures – this entails planning the procedures that will be conducted to
obtain an understanding of the entity and its environment so that the identification and assessment of
the risk of material misstatement can take place
• conducting risk assessment procedures – this entails carrying out the planned risk assessment proced-
ures and identifying and assessing the risk of material misstatement as they progress, and
• planning “further” and “other” audit procedures – this amounts to planning the “further” procedures
that will be conducted to address the identified risks, in such a manner that audit risk (the risk of giving
an inappropriate opinion) is reduced to an acceptable level, and planning “other” procedures necessary
to satisfy the requirements of the ISAs (this is explained below).
Note (a): The auditor in effect develops two audit plans, or perhaps, to be more correct, one audit plan
with two sections. Either way:
• Plan 1 will describe the nature, timing and extent of procedures to identify and assess risk.
• Plan 2 will describe the nature, timing and extent of further audit procedures that are needed to
respond to the risks identified at assertion level.
• Plan 2 will also describe other audit procedures that must be carried out to ensure that the audit
complies with the ISAs. To illustrate, if part of our audit strategy is to make use of internal
auditors, we must plan procedures to comply with ISA 610 (Revised) – Using the work of
Internal Auditors. For example, we must carry out procedures to evaluate the internal
auditors before we can rely on them. These will not be “further procedures” directly related to
the risk assessment but rather procedures arising from our duty to comply with the ISAs.
Note (b): Making the distinction between “further” and “other” procedures is not particularly important,
getting the overall response right and conducting the procedures properly is far more important.
Note (c): The audit strategy will be affected by the identification and assessment of risk. As indicated
earlier, the audit strategy is initially based on preliminary knowledge about the audit and the
client. When identifying and assessing risk, the audit team will discover information that may
change the audit strategy. Neither the strategy nor the plan is static; they will change as the audit
unfolds.
Note (d): Obviously it is impossible to develop an effective audit plan for further audit procedures and other
procedures before the risk assessment procedures have been carried out, so for purposes of sim-
plifying the audit process, we will regard the identification and assessment of the risk of material
misstatement as part of the planning stage.
Note (e): The setting of materiality guidelines, that are the auditor’s judgements about the size of mis-
statements that will be considered material, must be carried out before risk assessment proced-
ures take place but may also change as the audit unfolds.

6.3.1.3 Responding to assessed risk stage


ISA 330 – The auditor’s responses to assessed risk, states that the auditor should obtain sufficient,
appropriate audit evidence regarding the assessed risks of material misstatement through designing and
implementing appropriate responses to those risks. The auditor’s first “response” to assessed risk is to plan
“further” and “other” audit procedures (so this response has been linked to planning in the diagram) and
thereafter to:
• respond in a general sense to assessed risk at financial statement level, for example, assigning appro-
priately experienced and skilled individuals to the audit team to execute the plan
6/10 Auditing Notes for South African Students

• respond specifically to assessed risk at assertion level by carrying out tests of controls and substantive tests
so as to gather sufficient, appropriate evidence that material misstatement has not gone undetected, and
• carry out those “other” procedures that are required to comply with the ISAs. Again these are not clearly
defined “stand alone” steps; they combine with and influence each other.

6.3.1.4 Concluding stage


This stage of the process consists of:
• evaluating and concluding on the audit evidence gathered – this means evaluating all the audit evidence
gathered to determine whether it is sufficient (enough) and appropriate (relevant and reliable) to draw a
conclusion of fair presentation, and
• formulating the audit opinion and drafting the audit report that conveys that opinion.

6.3.2 The role of the International Standards on Auditing (ISAs) in the audit process
South Africa has adopted the IFAC auditing standards (ISAs). The standards provide guidance on how the
audit process is to be conducted. The statements in which the standards are documented do not contain
detailed lists of procedures. They stipulate an objective and provide explanatory comment on how the
standard should be achieved. There are standards that are directly applicable to each stage of the audit, for
example, (this list is by no means exhaustive):
Preliminary stage ISA 210 – Agreeing the terms of audit engagements
ISA 220 – Quality management for an audit of financial statements
Planning stage ISA 300 – Planning an audit of financial statements
ISA 315 – Identifying and assessing the risks of material misstatement
(revised)
ISA 320 – Materiality in planning and performing an audit
Responding to risk stage ISA 330 – The auditors responses to assessed risks
ISA 500 – Audit Evidence
ISA 530 – Audit Sampling
Concluding stage ISA 450 – Evaluation of misstatements identified during the audit
ISA 700 – Forming an opinion and reporting on financial statements
ISA 705 – Modifications to the opinion in the independent auditor’s report
The important thing to remember about the ISAs is that they set the standards to which the auditor must
adhere. If an auditor is accused of being negligent in the performance of his duties, his best defence is to be
able to prove that he complied with the standards in an appropriate manner.

6.4 Preliminary engagement activities


6.4.1 Preconditions for an audit
In terms of ISA 210 – Agreeing the Terms of Audit Engagements, the objective of the auditor is to accept
or continue an audit engagement only when the basis upon which it is to be performed has been agreed,
through:
• establishing whether the pre-conditions for an audit are present, and
• confirming that there is a common understanding between the auditor and management and those
charged with governance of the terms of the audit engagement.
Obviously if these two requirements cannot be established or confirmed, the auditor need go no further in
considering accepting the engagement.
The preconditions for an audit are that:
• the financial reporting framework to be applied in the preparation of the financial statements to be
audited is acceptable. In South Africa the framework (suitable criteria) will normally be IFRS or IFRS
for SMEs, and
Chapter 6: An overview of the audit process 6/11

• the auditor obtains the agreement of management, that management acknowledges and understands its
responsibility:
– for the preparation and fair presentation of the financial statements in accordance with IFRS or IFRS
for SMEs, whichever is appropriate for the company
– for such internal control as management determines is necessary to enable the preparation of finan-
cial statements that are free from material misstatement whether due to fraud or error, and
– for providing the auditor with access to all information of which management is aware that is
relevant to the preparation of the financial statements such as records, documentation and other
matters, including additional information that the auditor may request from management for the
purposes of the audit, and unrestricted access to individuals within the company from whom the
auditor determines it necessary to obtain audit evidence.

6.4.2 Prospective clients and continuance with an existing client


Once it is satisfied that the pre-conditions for the audit have been met, the audit firm should determine
whether it wishes to establish or continue a relationship with the prospective client. Remember that an
audit firm is itself a business, and therefore will not want to enter into a relationship if negative conse-
quences are likely to flow. There are reasons that an audit firm may not wish to enter into a relationship
with a prospective client:
• the client’s management may appear to be unethical or lacking in integrity
• the audit firm may not wish to be associated with the “industry” or line of business in which the client
operates, for example, tobacco, pornographic materials, businesses that pollute the environment
• the client may have a reputation for poor relationships with its auditors and there may be a high risk of
the auditor being sued for negligent performance
• it may be a sound business decision not to take on the client, (e.g., the client does not pay the audit fee!),
and
• the firm may not have the competence and resources to service the client properly.
Both the decisions about the pre-conditions for an audit and about the desirability of the relationship will
be far easier to answer where the decision is about continuing a relationship. However, the auditor will still
give consideration to the above questions before continuing the engagement.

6.4.3 Compliance with Standards


Whether it be for a prospective or existing client, ISA 220 – Quality management for an audit of financial
statements, requires that the engagement partner be satisfied that appropriate procedures regarding the
acceptance and continuance of client relationships and audit engagements have been followed, and that
conclusions drawn in this regard, are appropriated (see ISA 220 par A49 - A57). The engagement partner
(firm) must:
• consider the integrity of the client’s principal owners, key management and those charged with
governance of the entity. This would include evaluating:
– the business reputation of individuals described above, for example, principal owners
– the client’s business practices, including whether it could be involved in any criminal activities such
as money laundering
– the attitude of the individuals described above, for example, principal owners, to applying the
“fairest” accounting standards as opposed to aggressively applying those that present the “most
favourable picture”
– the client’s attitude to paying audit fees, for example, its willingness to pay fair fees, its aggressiveness
in keeping fees low
– the possibility that the client will attempt to impose limitations on the audit, for example, restrict
access to certain information or individuals
– the identity and business reputation of related parties, for example, subsidiary companies
– in the case of a prospective client, the reasons for the change of auditors, and
– management’s attitude to sound corporate governance requirements, for example, King IV
6/12 Auditing Notes for South African Students

• determine whether the firm is competent to perform the engagement. This will require an assessment of
whether the audit firm has:
– personnel who have knowledge of the client’s industry and the necessary experience of relevant
regulatory and reporting requirements
– the necessary technical skills and competence within the firm, or the necessary access to other
auditors or experts who do have the skills
– the necessary resources. For example, taking on a new client may mean that the audit firm has to
employ more staff, particularly at busy periods such as year-end. Computer resources may also be an
important consideration. Does the audit firm have sufficient hardware and software, as well as the
technical computer skills, to offer the service?
– the personnel necessary to perform quality control reviews, and
– the combined resources to meet the engagement reporting deadline, and
• determine whether the firm can comply with ethical requirements. This will require that the firm eval-
uate whether:
– there are any (potential) conflicts of interest between the firm and the client, for example, a prospect-
ive client and the audit firm offer the same services to the same market, for example, IT consulting,
software distribution
– there are any threats to the independence of the firm, the engagement partner and the audit team
(including external experts) and if adequate safeguards can be put in place to address any threats, and
– any other situations that might lead to contraventions of the Code of Professional Conduct by any
member of the audit team, for example, possible confidentiality threats where a prospective client is
in direct competition with an existing client.

6.4.4 Procedures to gather “preliminary engagement” information


Obviously in the case of an existing client, gathering information about the preconditions for an audit and
whether to continue the relationship is far easier as the information is far more readily available. Generally
speaking, this process is underway from the moment the initial engagement with the client commenced. As
time passes, the firm gains a better understanding of the integrity of client, management’s attitude to
financial reporting and corporate governance, and whether the audit firm itself has been able to satisfy the
competence and resource requirements. Equally, it is obvious that where the evaluation is being conducted
on a prospective client, it is far more difficult to obtain the necessary information. However, the following
procedures should provide sufficient information to make the decision:
• communication with the previous auditor (in compliance with the Code of Professional Conduct)
• discussion with the client’s directors, senior financial personnel, audit committee, etc.
• inquiry of the firm’s bankers, legal counsel, etc. (permission would have to be sought)
• background searches of relevant databases, for example, on the Internet
• review of any documentation, either public or made available by the prospective client, for example,
group reports, management reports, and
• with regard to independence, enquiry and analysis of the status of the firm and its employees in relation
to the potential client (firms should regularly request written information from their staff as to, e.g., any
family or personal relationships with, or investments in the firm’s clients).
Note: Where the client has an audit committee (e.g., a listed company), the audit committee will also be
looking at the suitability of the audit firm, so there is likely to be a lot of co-operation between the
committee and the firm.

6.4.5 Establishing an understanding of the terms of the engagement


This is the formalising of the terms of the engagement into the engagement letter that, in turn is a reflection
of the presence of the preconditions for the audit. It is not a matter of simply drafting the letter and having
it signed. Important aspects of the engagement are spelled out in the letter and it is important that the client
(often represented by the audit committee), understands the terms. Whenever an auditor enters into an
agreement to render services to a client, there is the possibility that the client (or the auditor) will
misunderstand the nature of the engagement and the responsibilities of the parties involved. A client may
Chapter 6: An overview of the audit process 6/13

not be entirely sure of what type of engagement is being undertaken. For example, the client may believe
that an audit engagement that will result in an opinion given in a positive form, is being carried out, when
in fact a review is being undertaken where a conclusion, expressed in a negative form, and not an opinion
will be given. Clients may believe that the objective of an audit is to detect fraud, whilst others may be
confused by terminology, for example, independent review, compilation engagement, agreed upon
procedure engagements and so on! This issue has in prior years been referred to as the “Expectation Gap”;
very simplistically this means that clients often do not understand what the audit, or other services being
rendered, are about and therefore expect certain assurances that they will not receive.
With the introduction of the “public interest score” concept there is likely to be more confusion on the
part of some private company and close corporation clients who don’t understand why they should have to
be audited or, in the case of a private company, whether they are being audited or independently reviewed.
ISA 210 – Agreeing the terms of audit engagements, establishes and provides guidance on the “engage-
ment letter standard” stating that “the auditor shall agree the terms of the audit engagement with management or
those charged with governance”. Note that this does not mean that the client negotiates with the auditor on
what to do or how to do it. It is the right and duty of the auditor to decide on how the audit will be
conducted. The ISA also states that the agreed terms of the audit engagement shall be recorded in an audit
engagement letter.
The engagement letter is not a case of “one document fits all”; audits differ in extent and complexity,
and have different terms and conditions. ISA 210 paragraphs 10, A23, A23a and A24 provide guidance on
what should be included in an engagement letter as well as additional matters that could be included
depending on the circumstances of the audit. The following matters (points (a) to (e)) as a minimum should
be included in the engagement letter:
(a) The objectives of the audit should be clearly stated, namely, to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement whether due to error
or fraud and to issue an auditor’s report that includes our opinion.
(b) The scope of the audit should be conveyed by identifying the financial statements on which the opinion
will be expressed and what they comprise, for example, statement of financial position, statement of
cash flows, etc. Reference may also be made to any legislation or regulations that may influence the
scope of the audit, for example, the Companies Act 2008 or the JSE requirements for the audit of
listed companies.
(c) The responsibilities of the auditor, including:
• a statement that the audit will be carried out in terms of the ISAs and that the ISAs require that the
auditor comply with ethical requirements and that professional judgement will be exercised and
professional scepticism will be maintained throughout the audit
• a statement that the audit is planned and performed to provide reasonable assurance about whether
the financial statements are free from material misstatement
• a broad description of the procedures conducted on an audit:
– identify and assess the risks of material misstatement (due to fraud or error)
– design and perform audit procedures responsive to those risks
– obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion
– obtain an understanding of the system of internal control relevant to the audit
– evaluate the appropriateness of accounting policies used and the reasonableness of accounting
estimates and related disclosures
– conclude on the appropriateness of management’s use of the going concern basis of accounting,
and
– evaluate the overall presentation structure and content of the financial statements including the
disclosures and whether the financial statements represent the underlying transactions and events
in a manner that achieves fair presentation
• an explanation that because of the inherent limitations of an audit together with the limitations of
internal control, there is an unavoidable risk that some material misstatements may remain undetected,
even though the audit is properly planned and performed in accordance with the ISAs
6/14 Auditing Notes for South African Students

• a clear statement that whilst the auditor considers internal control in order to design audit proced-
ures, no opinion on the effectiveness of internal control is expressed but that weaknesses (significant
deficiencies) identified in internal control relevant to the audit will be communicated to manage-
ment, and
• in the case of the audit of a listed company, the auditor’s responsibility to communicate key audit
matters in the auditor’s report in accordance with ISA 701.
(d) The responsibilities of management, including a statement that the audit will be conducted on the basis
that management and those charged with governance acknowledge and understand that they are respon-
sible for:
• the preparation and fair presentation of the financial statements in terms of IFRS or IFRS for SMEs
• such internal control as they deem necessary to enable the preparation of financial statements that
are free from material misstatement
• providing the auditor with access to records, documents and other matters including additional
information the auditor might request as well as unrestricted access to individuals within the entity
from whom the auditors deem it necessary to obtain audit evidence
• providing access to all information of which management is aware that is relevant to the prepara-
tion of the FS including information relevant to disclosures, and
• making available to the auditor draft financial statements including all information relevant to their
preparation, including all information relevant to the preparation of disclosures in time for the
auditor to complete the audit on schedule.
(e) Reference to the expected form and content of any reports to be issued by the auditor, for example, we
expect that the report to be issued will state that in our opinion the financial statements, present fairly,
in all material respects the financial position of the company at reporting date, and its financial
performance and cash flows for the year then ended in accordance with IFRS and the Companies Act
of South Africa. The report will be addressed to the shareholders and will contain an introductory
paragraph, a paragraph dealing with the directors’ responsibility for the financial statements and a
paragraph dealing with the auditor’s responsibility.
However, this reference must include a statement that there may be circumstances in which the form
and content of the report may need to be amended in the light of the audit findings.
The following matters may also be raised in the engagement letter (parts (f) to (j)):
(f) the auditor’s expectation of written confirmation of oral representations.
(g) arrangements regarding the planning and performance of the audit, including:
• the name of the designated auditor (s 44(1) of the APA) and the composition of the team for the audit
engagement
• important dates for meetings with key personnel
• inventory counts, and
• audit deadlines.
(h) acknowledgement by management that they will inform the auditor of facts that may affect the finan-
cial statements, of which management may become aware during the course of the audit and during
the period from the date of the auditor’s report to the date the financial statements are issued.
(i) when relevant, arrangements concerning the involvement of other parties in the audit, namely:
• other auditors
• experts
• internal auditors, and
• predecessor auditor.
(j) the basis of fee computation and any invoicing arrangements, for example, fees to be charged monthly.
The letter should conclude with a request to the client to sign and return an attached copy of the engage-
ment letter as an acknowledgement of, and agreement with, the arrangements for the audit and the respect-
ive responsibilities of the auditor and management.
Chapter 6: An overview of the audit process 6/15

6.5 Planning
6.5.1 Introduction
ISA300 – Planning an audit of financial statements, states that the objective of the auditor is to: “plan the
audit so that it will be performed in an effective manner”. This entails developing an audit strategy, supported by
an appropriate audit plan.
ISA 300 also requires that the engagement partner and other key members of the audit team be involved
in planning the audit, as their experience and insight will enhance the effectiveness and efficiency of the
planning process.
The importance of planning cannot be overemphasised:
• proper planning helps to ensure that appropriate attention is devoted to important areas of the audit, for
example, significant risks are identified and addressed
• potential problems are identified and resolved on a timely basis, for example, the client is implementing
new financial reporting systems that may disrupt the current audit
• a competent and capable audit team, including other parties, for example, experts, other auditors, who
may be required on the audit, is assembled
• work can be properly assigned to audit team members, so that:
– the audit is effectively and efficiently performed, and
– audit deadlines are met, and
• proper procedures for direction, supervision and review can be set up to meet quality control standards,
including to the extent they are applicable to component (other) auditors and experts.
As explained earlier in the discussion of the audit process, planning should not be seen as a “stand alone” stage of
the audit; neither the overall audit strategy nor the audit plan is static. As circumstances change on the audit, so
may the overall strategy and audit plan change. For example, unexpected problems encountered on the audit of
work-in-progress may necessitate engaging an expert, something that was not considered when the overall audit
strategy was formulated. This in turn may lead to more intensive audit procedures of a different nature being
carried out. In addition, as the current audit unfolds, planning for the following year’s audit should be underway
as a natural “by-product” of the audit being conducted.

6.5.2 The overall audit strategy


(a) The overall audit strategy sets the scope, timing and direction of the audit and guides the development of
the audit plan. To establish the overall audit strategy, the key engagement team members must:
• determine the characteristics of the client company that will define the scope of the engagement, for
example, where the client is a listed company, JSE listing requirements and the King IV Report
requirements may affect the scope of the engagement (see also (c) below)
• determine the reporting objectives of the engagement that will influence the timing of the audit, for
example, reporting deadlines, scheduled meetings with the audit committee (see also (d) below)
• consider the important factors that will determine the focus or direction of the audit, for example,
results of previous audits, account headings that attach higher risk of misstatement (see also (e)
below)
• consider any aspects of the preliminary engagement activities that may affect the audit strategy, for
example, concerns over the competence/experience of senior accounting personnel (see also (e)
below), and
• ascertain the resources necessary to perform the engagement:
– the resources to be allocated to specific audit areas, for example, level of staff experience
required, use of experts
– the amount of resources to be allocated, for example, the number of staff to be allocated to the
inventory count
– the timing of the allocation of resources, for example, at an interim stage, and
– how the resources are to be managed, directed and supervised, for example, meetings, evalua-
tions, quality control reviews.
6/16 Auditing Notes for South African Students

(b) In formulating the audit strategy, key engagement team members should consider matters such as
those listed in 2.3 to 2.5 below (this list is not exhaustive and is for illustrative purposes; reference
should be made to ISA 300).
(c) Characteristics of the engagement that define its scope:
• the financial reporting standards on which the financial information to be audited, has been
prepared
• the expected audit coverage, including the number and locations of components to be included, for
example, divisions, inventory storage locations
• the involvement of other auditors, for example, holding company auditors and their requirements
• the need for specialised knowledge of the client’s industry or reporting
• the availability of the work of internal auditors and the extent of the auditor’s potential reliance on
such work
• the effect of information technology on the audit procedures, including the availability of data and
the expected use of computer-assisted audit techniques, and
• whether the engagement includes the audit of consolidated financial statements.
(d) Matters that will affect the reporting objectives, timing of the audit and nature of communications:
• the company’s timetable for reporting, for example, interim and year-end financial reporting dead-
lines
• the schedule of meetings with management and those charged with governance including the audit
committee, where applicable, to discuss the nature, extent and timing of the audit work
• the expected type and timing of reports to be issued, including the auditor’s report, management
letters and communications to those charged with governance
• communication with component (other) auditors, experts, internal audit, regarding the expected
types and timing of reports to be issued as a result of their work on the audit
• the size, complexity (e.g., complex manufacturing facilities) and number of locations of the client.
This will affect the timing of visits to the client, and
• the extent and complexity of computerisation at the client for example, availability of data and
personnel for assistance with CAATs may also affect the timing of visits to the client.
(e) Matters that determine the focus of the engagement team’s effort and direction of the audit:
• materiality levels, stricter levels result in more audit work
• preliminary identification of areas where there may be a higher risk of material misstatement
• the presence of significant risks
• the impact of the assessed risk of material misstatement at the overall financial statement level on direction,
supervision and review, for example, high risk at financial statement level may require more
experienced staff to be assigned to the audit, and more intense supervision and reviews to be
conducted
• evidence of management’s commitment to the design and operation of sound internal control, for
example, strong commitment may equal more reliance by the auditor on internal controls
• the volume of transactions, that may determine whether it is more efficient for the auditor to rely on
internal control, and that may dictate the use of CAATs
• significant business developments affecting the entity that have recently occurred, including changes
in information technology, in key management, in industry regulations and in applicable
accounting standards
• changes in the accounting standards applicable to the company, and
• the process management uses to identify and prepare disclosures, including disclosures containing
information that is obtained from sources outside the general and subsidiary ledgers.
The initial audit strategy will be set by considering the points above, but do not forget that this
“preliminary” strategy will be influenced by the identification and assessment of the risk of material
misstatement at assertion level as well. This is because the auditor will learn much more about the
client when carrying out these identification and assessment procedures that in turn will enable him to
refine the audit strategy.
Chapter 6: An overview of the audit process 6/17

6.5.3 The audit plan itself


The audit strategy and the audit plan (that we must think of as two plans, see 6.3.1.2 on page 6/9), are
closely interlinked, but the audit plan is far more detailed than the overall strategy. Many of the factors that
will influence the audit strategy, will also influence the audit plan. For example, Tonnes Ltd holds large
quantities of inventory in a number of locations. Part of the overall audit strategy is to make use of other
firms of auditors to, among others, attend the year-end inventory counts at the various warehouses. The
audit plan will now need to address this decision by defining the nature, timing and extent of procedures
that will have to be carried out by the other auditors, for example, attend inventory counts, and on the
work conducted by them, for example, how the audit team communicates with the other auditors and how
their work is reviewed and problems resolved.
In terms of ISA 300, the audit plan must contain:
• a description of the nature, timing and extent of planned risk assessment procedures, sufficient to assess the
risks of material misstatement (plan 1) (see note (a) below)
• a description of the nature, timing and extent of planned further audit procedures at the assertion level for
each material class of transactions, account balance and disclosure (plan 2) (see note (a) below), and
• any other audit procedures that may be required to comply with the ISAs (plan 2).
Note (a): Determining the nature, timing and extent of both risk assessment and further audit procedures
applies to disclosures as well. Disclosures are vital to fair presentation and as a result of the finan-
cial reporting standards, are often extensive, detailed and wide ranging. An opinion of fair
presentation can simply not be formed without “auditing” disclosures appropriately. Thus the
nature, timing and extent of procedures must be carefully considered and planned accordingly.
Carrying this out early in the audit will assist the auditor to determine the effects on the audit of:
• significant new or revised disclosures required arising from changes in the company’s activ-
ities
• significant new or revised disclosures required arising from changes in the applicable
financial reporting framework
• the need to engage an auditor’s expert to assist with the “audit” of difficult disclosures (e.g.,
disclosures related to pension and/or retirement benefit obligations), and
• matters relating to disclosure that the auditor may wish to discuss with management/ those
charged with governance.
In addition, a plan must also be compiled regarding the nature, timing and extent of the direction
and supervision of the audit team, and the review of their work.
It should be obvious to you that before the audit strategy, and particularly the audit plan, can be effectively
developed, a great deal of information about the client company is required. We cannot plan the audit if we
have not obtained an understanding of the entity and its environment.
Simplistically, modern auditing is about identifying the risks of material misstatement and responding to
those risks in such a manner that audit risk is reduced to an acceptable level. To extend our example above:
having performed the risk assessment, the audit team believes that Tonnes Ltd may attempt to overstate the
inventory on hand so as to manipulate reported profits. The audit plan must respond to this by detailing
procedures that will identify instances where fictitious (non-existent) inventory, or inventory not owned by
Tonnes Ltd, has been included in the year-end inventory figures. The other auditors attending the
inventory counts on our behalf must be made aware of the risk (of overstatement) and instructed on the
nature, timing and extent of the tests that must be carried out. These may include extending the number of
items counted, and performing extensive year-end cut-off tests, at the warehouses. Of course we may assess
that the directors’ desire to manipulate profits is a risk at overall financial statement level and that other
account headings are also directly at risk. An appropriately competent and experienced audit team must be
put in place and the audit plan must include further audit procedures to respond to the risk at assertion
level.

6.5.4 Materiality
As indicated above, the audit is geared towards identifying the risk of material misstatement. It follows
therefore, that before the audit strategy and particularly the audit plan can be developed, the auditor will
need to give some attention to determining “what is material” for the audit. For example, the audit team
cannot effectively plan procedures to identify and assess risk of material misstatement if they do not have
an idea about what is material. This is discussed in detail in chapter 7.
6/18 Auditing Notes for South African Students

6.5.5 Planning and conducting risk assessment procedures


A point that has been made a number of times is that the auditor must have a thorough understanding of
the client company and the environment in which it operates. This is especially important for the purposes
of identifying and assessing risk. If the auditor does not understand the client and its business, he will be
unable to adequately identify and assess the risk of material misstatement. Understanding the entity and its
environment is covered in detail in chapter 7. The auditor must assess:

6.5.5.1 Risk at financial statement level


ISA 315 (revised) requires that the risk of material misstatement be identified and assessed at financial
statement level and at assertion level. Risk at the financial statement level is the risk that affects the
financial statements as a whole, and that filters down into the account balances and totals that make up the
financial statements. It is the risk that pervades the financial statements. For example, if the client’s
management lacks integrity, the audit as a whole is inherently more risky than for the audit of a client
whose management has a proven record of integrity. The effect of managements’ lack of integrity may filter
down into the financial statements as they attempt to manipulate the account balances and totals to suit
their own purposes. Risks of this nature often relate to the client’s control environment and are not neces-
sarily identifiable with specific assertions at transaction, account balance or disclosure level. However, the
auditor needs to consider carefully how high risk at financial statement level may affect risk at assertion
level.
Although chapter 7 deals with the information the auditor will seek to gain an understanding of the
client, the following list illustrates the kind of information that might have an effect on the identification
and assessment of risk at the financial statement level:
• the integrity of management
• management’s experience and knowledge, for example, the financial reporting inexperience of manage-
ment may affect the preparation of the financial statements of the entity
• unusual pressures on management, for example, circumstances that might predispose management to
misstate the financial statements, such as the company facing going concern problems or management
bonuses being linked to financial performance, and
• the nature of the entity's business, for example, the significance of related parties, and the influence its
shareholders (such as a holding company) may have on its financial reporting.

6.5.5.2 Risk at assertion level


This relates to the risk of misstatement at the assertion level for classes of transactions, account balances
and disclosures. It is therefore essential that the auditor gather information that will enable him to identify
and assess risk for each of the assertions applicable to the transactions, account balances and disclosures
that are included in the financial statements. Again, chapter 7 deals with the information the auditor will
seek to be in a position to identify and assess risk of material misstatement at the assertion level, but the
following examples have been included to illustrate the point:
• information about the products the company sells, whether it sells to related parties, how sales are
initiated, recorded and processed, what documentation there is relating to the sale that will assist the
auditor in identifying and assessing the risk of material misstatement arising from the inclusion of sales
that have not actually occurred or that do not pertain to the entity (i.e., the occurrence assertion relating to a
class of transaction)
• information about the type of inventory held, the locations at which it is held, the physical and other
controls and the nature, extent and reliability of the records detailing the movement of inventory will
assist the auditor in identifying and assessing the risk of material misstatement arising from the
inclusion of inventory that does not exist in the inventory account balance (i.e., the existence assertion
relating to an asset account balance), and
• information about related parties, director’s interests in contracts, pending litigation, share options and
incentive schemes for directors (among others), will assist the auditor in identifying and assessing the
risk of material misstatement arising from the omission of disclosures that should have been included in
the financial statements (i.e., the completeness assertion relating to presentation and disclosure).
Chapter 6: An overview of the audit process 6/19

Of course information gathered will frequently relate to more than one assertion and part of the skill of a
good auditor will be the ability to link the information to the risk of material misstatement for all assertions
that may be affected. Also remember that information pertaining to the assessment of material risk at the
financial statement level may influence the assessment at assertion level. For example, if information
gathered suggests that management may be predisposed to manipulate the financial statements, the risk of
material misstatement relating to the occurrence of sales will increase because management could manipulate
the financial statements by including fictitious sales.

6.5.6 Planning “further” audit procedures based on the risk assessment


As indicated earlier, the auditor’s first response to assessed risk is to plan further audit procedures. This will
entail developing a plan that describes the nature, timing and extent of further audit procedures, both tests
of controls and substantive tests that will be conducted to reduce the risk of material misstatement relating
to the assertions remaining undetected.

6.5.6.1 Some general observations relating to the nature, timing and extent of further audit
procedures
• The nature of an audit procedure relates to its purpose, i.e., test of controls or substantive, and its type,
(i.e., inspection, observation, inquiry, recalculation, re-performance, analytical procedure or external
confirmation).
• Tests of controls can only be carried out where the system is “worthy” of being tested, for example, if
the system by virtue of weaknesses in its design or implementation is not effective, there is little point in
testing it. There must be an expectation that controls are operating effectively before testing them.
• A single test of controls is virtually never sufficient. For example, observing a receiving clerk count goods
received and comparing the quantity to the supplier delivery note, only tells you that the control was
carried out on the occasions that you observed him. Once you leave the receiving bay, he may not carry
out the control procedure. Inquiry conducted in isolation will also provide insufficient evidence. Further
evidence that supports the response to the inquiry is required.
• If the auditor is trying to gain evidence about the effective functioning of controls over a period of time
(this is normally the case), tests of controls will have to be conducted at various times during the period.
It cannot be assumed that because controls were working effectively in April, they will be working
effectively in August. There are of course factors that may reduce the risk that controls are not working
effectively over time, for example:
– where there is a strong ongoing control environment
– extensive monitoring of controls has taken place during the period
– strong general controls, particularly in computerised systems, or
– minimal changes in the business have occurred.
• Irrespective of the assessed risk of material misstatement, the auditor must design and perform substan-
tive tests for each material class of transactions, account balance and disclosure. Tests of controls cannot
in themselves, provide sufficient, appropriate evidence.
• Where significant risks (these are risks that require special audit consideration) are identified, the auditor
must perform substantive tests that specifically address the risk. These tests must include tests of detail
and cannot be purely analytical procedures.
• The auditor’s substantive procedures must include the following in respect of the financial statement
closing process:
– agreeing or reconciling the financial statements with the underlying accounting records, and
– examining material journal entries and other adjustments made during the course of preparing the
financial statements.
• The timing of tests is frequently dictated by key dates at the client and the objective of the test, for
example:
– a tight audit deadline may result in a comprehensive interim audit, supplemented by “roll forward”
tests
– the attendance at an inventory count is obviously determined by the date the client conducts the year-
end inventory count
6/20 Auditing Notes for South African Students

– subsequent events can only be audited in the post-balance sheet period, andd
– the availability of client IT staff may affect the timing of using computer assisted audit techniques
(CAATs).
• In general terms, a greater risk of material misstatement will result in more testing:
– where internal controls prove to be ineffective, the extent (and possibly the nature) of substantive
testing will increase
– the extent of testing is usually expressed in terms of sample size. Sample size can be determined by
professional judgement or more sophisticated statistical sampling plans, and
– the use of CAATs will usually enable the auditor to test far more extensively as a result of the power,
versatility and speed of computers and audit software.
• An effective audit plan will be a combination of tests of controls and substantive tests, as well as a mix
of the different types of test, for example, inspection, analytical review, etc.
• The chart that follows is an attempt to illustrate what the auditor might consider when deciding on the
nature, timing and extent of “further” audit procedures. Do not forget that many of the points raised in
paragraphs (a) to (e) under the overall audit strategy (par 6.5.2) on pages 6/15 and 6/16 will also have a
bearing on the nature, timing and extent of further audit procedures.
Developing an audit plan is not always straightforward, and the larger and more complex the client, the
harder it is. Professional judgement and experience will play a large part in blending tests of controls,
substantive testing and other ISA procedures into a plan that meets the standard, that is, “a plan which will
ensure the audit is performed in an effective manner so as to reduce audit risk to an acceptable level.”

Characteristic Matters to consider


Nature of tests – What tests will • the suitability of a particular procedure to provide the piece of
be conducted? evidence required
– re-performance, inspection, inquiry, observation, and
– recalculation, analytical procedures, external confirmation
• the need to perform tests of detail (e.g., significant risks)
• the possibility of performing analytical procedures exclusively (for
certain aspects of the audit)
• the hierarchy of evidence – how can the most relevant and reliable
evidence be gathered?
• statistically based or non-statically based sampling
• the use of other parties
– experts, other (component) auditors, internal auditors
• the use of CAATs
– system or data orientated CAATs
• special client requests, for example, the client has asked you to
perform special cash counts, and
• do the tests selected, address the risk adequately?
continued
Chapter 6: An overview of the audit process 6/21

Characteristic Matters to consider


Timing of tests – When will the tests • the need for and desirability of:
be conducted? – interim audits, and
– early verification of year end balances combined with “roll
forward tests”, for example, debtors circularisation carried out two
months prior to year end, supplemented by tests of controls, tests
of detail and analytical procedures for the subsequent period of
two months up to reporting date
• preparatory work on third-party confirmations and supporting
schedules
• non-negotiable dates set by client:
– inventory count
– reporting deadlines
– availability of key personnel, and
– audit committee meetings
• availability of information, for example, fixed asset schedules for
audit, including final information for analytical procedures
• timeous preparation where other parties will be used, for example, an
auditor cannot contact an expert the week before the year-end
inventory count to assist in the valuation of say, work-in-progress, and
• special client requests, for example, the client may request that you
visit each branch to attend inventory cycle counts at least once a year.
Extent of tests – How much testing • level of assessed risk
is to be done? • prior year experience
• the planning and performance materiality limits that have been set –
as the level of misstatement that the auditor believes would influence
a user reduces, so the extent of testing increases
• what sample sizes are required to achieve meaningful results
(particularly when non statistically based sampling is used)
• possible reduction of testing when internal audit is used
• third parties to understand “how much” they should do
• special client requests, for example, positively confirm all debtors, and
• the extent of testing deemed necessary should not be restricted by
deadlines.

6.6 Responding to assessed risk


Having responded initially to the risk assessment by planning further audit procedures, the auditor will
proceed by implementing an overall response and by carrying out the planned “further” and “other”
procedures.

6.6.1 Overall response at financial statement level


In terms of ISA 330 – The auditor’s responses to assessed risks, the auditor shall design and implement
overall responses to assessed risks of material misstatement at financial statement level, and should design and
perform further audit procedures to respond to assessed risks relating to the assertions (at account balance/
transaction and disclosure level).
Overall responses – these are not really procedures but rather general actions to deal with risk at financial
statement level. For example, if the auditor is concerned with management’s integrity, the overall response
may be to meet with the audit team to emphasise the need to maintain a high level of professional
scepticism, and to assign experienced and strong willed staff to the audit. Obviously it does not end there.
The potential effect of management’s lack of integrity on the assertions at account balance/class of trans-
action/disclosure level will need to be evaluated, and the appropriate procedures implemented (nature,
timing and extent). For example, the auditor’s concern may be that management will manipulate the
financial statements by overstating the value of inventory on hand at year-end and by including fictitious
sales. The auditor would respond by conducting extensive procedures on the existence, rights and valuation
of inventory and the occurrence of sales/existence of debtors.
6/22 Auditing Notes for South African Students

Overall responses may be summarised as follows:


• emphasise professional scepticism
• assign more experienced staff with special skills or use experts
• provide more supervision
• incorporate elements of unpredictability into the audit procedures adopted (do things in a manner that
the client may not expect), for example, surprise visits to client, and
• make general changes to the nature, timing and extent of audit procedures conducted in the past.

6.6.2 Audit procedures to respond to the assessed risks of material misstatement at the
assertion level (further procedures)
Generally, these procedures will form the major part of any audit although some practitioners might argue
that planning takes up the major portion! They are the procedures to be carried out to respond to the risk of
material misstatement pertaining to the assertions. Remember that the assertions are the representations
applicable to the various account headings, classes of transaction and disclosures that underlie the financial
statements, for example, the valuation of inventory, plant and equipment, the existence of debtors, the
completeness of sales, the presentation of a contingent liability disclosure, etc. The auditor must respond to the
risks by getting the nature, timing and extent of tests of controls and substantive tests correct so as to reduce
the risk of material misstatement going undetected to an acceptable level, and ultimately reducing the risk
of expressing an inappropriate opinion. In other words, the auditor carries out further audit procedures
with the intention of reducing audit risk to an acceptable level.
This is the stage at which the auditor uses the major tools in his toolbox – tests of controls and substan-
tive tests, and it is perhaps useful to recall what these tests entail:
• Inspection: consists of examining records, documents (physical files or electronic storage media), or
tangible assets, for example, inspecting the minutes of directors’ meetings for evidence of the approval
of a major investment transaction, inspecting the client’s machinery for damage (impairment) or
existence.
• Observation: consists of looking at a process or procedure being performed by others, for example, the
observation by the auditor of the counting of inventories by the entity’s personnel or observing the
receiving clerk counting and checking goods being delivered to the company by a supplier.
• Inquiry: consists of seeking information from knowledgeable persons inside or outside the entity:
– inquiries may range from formal written enquiries addressed to third parties, to informal oral
enquiries addressed to persons inside the entity, for example, a receiving clerk may be asked what
controls are exercised when goods are received from a supplier.
• External confirmation: amounts to the obtaining of a direct written response to an enquiry to corroborate
(confirm) information contained in the accounting records, for example, the auditor may seek direct
confirmation of amounts owed, by communication with debtors.
• Recalculation: consists of checking the mathematical accuracy of documents or records or of performing
independent calculations, for example, checking that discounts have been correctly calculated on sales
invoices, or recalculating interest accrued.
• Analytical procedures: consist of the analysis of significant ratios and trends, including the resulting
investigation of fluctuations and relationships that are inconsistent with other relevant information or
that deviate from predicted amounts, for example, comparing the current ratio for the year under audit,
to the prior year current ratio, and seeking an explanation if there is a difference
• Re-performance: is the auditor’s independent execution of procedures or controls that were originally
performed as part of the entity’s internal control, for example, re-performing the year-end bank recon-
ciliation.
In addition to ISA 500 – Audit Evidence, that describes the types of procedures available to gather evidence,
there are numerous statements that give guidance on the audit of specific matters; for example, how to
audit accounting estimates (ISA 540), and how to conduct analytical procedures (ISA 520). Remember the
objective is to gather sufficient (enough) appropriate (relevant and reliable) evidence to reduce the risk of
material misstatement remaining undetected in the account balances, classes of transactions and dis-
closures that make up the financial statements, to an acceptable level. Combinations of procedures are car-
ried out and are often referred to by a collective name, for example, carrying out a debtors circularisation
Chapter 6: An overview of the audit process 6/23

to assist in verifying the existence of debtors, or conducting cut-off procedures on sales at year-end, to test
the assertions of occurrence and completeness.
Also bear in mind that the auditor must conduct substantive procedures related to the financial statement
closing process. The auditor will:
• agree or reconcile the financial statements with the underlying accounting records, and
• examine material journal entries and other adjustments made during the course of preparing the finan-
cial statements.

6.6.3 Audit procedures carried out to satisfy the requirements of the ISAs (other
procedures)
You will recall that in terms of ISA 300, the audit plan must include (the nature, timing and extent of)
procedures that the auditor is required to carry out arising from the important need to comply with the
standards. These procedures do not arise directly from the risk assessment but may be linked to it. For
example, risk assessment procedures may reflect that there is no risk surrounding the going concern ability of
the company. This does not mean that the auditor can ignore ISA 570 – Going concern, and simply accept
that there is no going concern problem based on the risk assessment. The statement requires that the
auditor gather sufficient, appropriate evidence to support management’s decision to use the going concern
assumption in the preparation of the financial statements. Other standards that must be complied with are,
for example, ISA 260 and ISA 265, which deal with communicating with those charged with governance
and communicating deficiencies in internal control to the client.

6.7 Evaluating, concluding and reporting


Something has to be done with the audit evidence gathered. ISA 700 – Forming an opinion and reporting
on financial statements, states that the auditor should form an opinion on the financial statements based on
an evaluation of the conclusions drawn from the audit evidence obtained. This is carried out in this stage of
the audit process. The evaluation sets out to determine whether:

6.7.1 Sufficient, appropriate evidence


Sufficient, appropriate evidence has been obtained to reduce audit risk to an acceptable level.
ISA330 – The auditor’s responses to assessed risks, requires that the auditor conclude on whether suffi-
cient, appropriate audit evidence has been obtained to reduce audit risk to an acceptably low level. The
auditor is required to consider all evidence, not just that which corroborates the assertions. If evidence
contradicts say, the existence assertion relating to debtors (i.e., the evidence suggests there may be fictitious
debtors included in the balance) the auditor must consider this evidence and respond by seeking further
evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, a qualified opinion or a
disclaimer of opinion will have to be issued. Bear in mind that audit risk is the risk that the auditor
expresses an inappropriate audit opinion when the financial statements are materially misstated, for
example, the auditor’s opinion is that the financial statements “present” fairly when in fact they are
materially misstated.

6.7.2 Uncorrected misstatements


Uncorrected misstatements identified during the audit, result either individually or in aggregate, in a material
misstatement of the financial information.
• In terms of ISA 450 – Evaluation of misstatements identified during the audit, a misstatement is a
difference between the reported amount, classification, presentation or disclosure of a financial state-
ment item and the amount, classification, presentation or disclosure that is required for that item in
terms of the applicable accounting framework, for example, IFRS. Simplistically expressed, a misstate-
ment is a difference in what has been reported (by the directors) in the financial statements, and what
should have been reported in terms of the reporting framework, for example, a particular lease has been
reported as a finance lease when in fact it does not meet the criteria for classification as a finance lease,
or inventory has been valued and reported at replacement cost and not at the lower of cost or net
releasable value, or a material contingent liability has not been disclosed. Misstatements may arise out
of fraud or error.
6/24 Auditing Notes for South African Students

• In terms of ISA 450, the auditor must document all misstatements in the work papers (audit documen-
tation) and must indicate whether they have been corrected. The auditor must also conclude on whether
uncorrected misstatements are material, individually or in aggregate. Misstatements that are clearly
trivial may be ignored.
• This work paper is often referred to as an “overs and unders” schedule. The figures on the schedule
should be supported by sufficient evidence for the manager or engagement partner to evaluate. Where
necessary, discussions with members or the audit team will be conducted.
• An important distinction has to be made between misstatements that have been specifically identified
and about which there is no doubt (factual misstatements), for example, the total cost of certain inventory
items has been incorrectly calculated, and those that, in the auditor's judgement, are likely to exist
(judgemental misstatements), for example, where estimation is involved such as allowances for inventory
obsolescence. Judgemental misstatements are differences that arise between management’s accounting
estimates and what the auditor considers a reasonable estimate to be, for example, management may
consider that an inventory obsolescence allowance of R500 000 is appropriate but the auditor thinks
that a reasonable allowance would be R750 000. The judgemental misstatement would be R250 000.
Similarly a judgemental misstatement will arise where the auditor thinks that the selection or applica-
tion of a particular accounting policy by management is unreasonable or inappropriate. This only
applies where the accounting policy and its application are open to interpretation. Judgemental
misstatements include differences arising from the judgements of management in respect of presentation
and disclosure.
The differences between the amounts (and disclosures) that the auditor thinks would be reflected in the
financial statements if the appropriate policy was selected and applied, and the amounts and disclosures
that have been reflected will be the judgemental difference(s). If the selection or application is just plainly
wrong, it will be factual misstatement.
The third type of misstatement is termed projected misstatement. A projected misstatement is the auditor’s
best estimate of the amount of misstatement in a population based on the projection of the misstatement
found in a sample taken from that population.
It is important to distinguish between the different types of misstatement because the type of misstate-
ment will affect how the auditor will react:
• Where there is a factual misstatement, the auditor is on solid ground when requesting the client to make
adjustments to the financial statements and, if the adjustments are not made, when modifying the audit
report (qualifying the audit opinion).
• Where there is a judgemental misstatement, the auditor is on far less solid ground. The misstatement
has only arisen because there is an element of interpretation in the facts. The auditor cannot state
categorically that the directors are wrong! As a result the auditor may have to accept a measure of
compromise when requesting adjustment and will have to think very carefully about whether and how
to modify the report.
• Where there is a projected misstatement, the auditor may be in for an even harder time when requesting
amendments or qualifying the audit report. Projecting misstatement over a population based on a
sample can be a very subjective matter. If a proper statistical sampling method has been properly
applied it is less subjective, but there is still plenty of subjectivity in setting the parameters for the
sampling plan. A client is not going to be too happy with an auditor who says “we think, based on a
projection of our sample, that the inventory balance is overstated by R500 000”. The client is going to
want more hard evidence than that! So again the auditor will need to accept a measure of compromise
and think carefully about modifying the audit report.
• The materiality of the audit difference is a very important part of this evaluation. If an audit difference
is regarded as not material (leaving the misstatement uncorrected will not influence a user’s decision),
the auditor will not insist on adjustment being made but will still bring it to the attention of the client
who, of course, may choose to correct it.
Chapter 6: An overview of the audit process 6/25

6.7.3 Applicable financial reporting standards


The financial statements have been prepared in all material respects in accordance with the applicable financial
reporting standards.
In particular the auditor will evaluate whether:
• the financial statements adequately disclose the significant accounting policies selected and applied
• the accounting policies selected and applied are consistent with the financial reporting standards/
accounting framework and appropriate for the company’s business
• the accounting estimates made by management are reasonable
• the information presented in the financial statements is relevant, reliable, comparable and understand-
able
• the financial statements provide adequate disclosures to enable users to understand the effect of material
transactions and events on the entity’s financial position, financial performance and cash flows
(information conveyed in the financial statements)
• the terminology used in the financial statements is appropriate
• the company has complied with the applicable statutory requirements and regulations, for example, JSE
regulations for listed companies and King IV corporate governance requirements, and
• the financial statements achieve fair presentation.

6.7.4 Events occurring after the reporting date


All material events occurring after the reporting date and up to the date of the audit report that may indicate the
need for adjustment to, or disclosure in, the financial information on which the auditor is reporting, have
been identified, and appropriately dealt with.
The evaluation, as described above, will be carried out by a senior member of the audit team, probably
the manager or engagement partner. During the course of the audit, evaluation and review will have taken
place at various levels so that, in effect, this final evaluation will be of evidence (contained in the working
papers) that has already been subject to scrutiny. Based on the evaluation, the manager/partner will
conclude on whether an unmodified audit opinion is appropriate. If not, further decisions must be made as
to whether an "except for" qualification, an adverse opinion or a disclaimer of opinion should be given.
This is dealt with in the chapter on reporting (see chapter 18). The engagement partner will also consider
whether any other modifications such as the inclusion of an emphasis of matter paragraph, or a paragraph
that reports on other legal and regulatory duties of the auditor, for example, section 45 of the APA
(reportable irregularities), are required.
CHAPTER

7
Important elements of the audit process

CONTENTS
Page
7.1 Understanding audit risk ................................................................................................... 7/2
7.1.1 Introduction ........................................................................................................... 7/2
7.1.2 The inherent limitations of an audit ......................................................................... 7/2
7.1.3 The link between audit risk and the audit process ..................................................... 7/2
7.1.4 The components of audit risk .................................................................................. 7/3

7.2 Understanding the entity and its environment .................................................................. 7/5


7.2.1 Introduction ........................................................................................................... 7/5
7.2.2 Conditions and events that may indicate risks of material misstatement .................... 7/6
7.2.3 Risk assessment procedures and related activities ..................................................... 7/6
7.2.4 The entity and its environment and the applicable financial reporting framework ...... 7/9
7.2.5 The entity’s system of internal control...................................................................... 7/13
7.2.6 Significant risks (ISA 315 (revised 2019) para 12) ..................................................... 7/18
7.2.7 “Stand-back” provision (ISA 315 (revised 2019) para 36) .......................................... 7/19

7.3 The concept of materiality................................................................................................. 7/20


7.3.1 Introduction ........................................................................................................... 7/20
7.3.2 The nature of materiality ......................................................................................... 7/21
7.3.3 Planning materiality and performance materiality .................................................... 7/23
7.3.4 Materiality at the evaluating stage (final materiality) ................................................ 7/26
7.3.5 Conclusion ............................................................................................................. 7/30

7.4 The auditor’s responsibilities relating to fraud in an audit of financial statements ............. 7/30
7.4.1 Introduction ........................................................................................................... 7/30
7.4.2 Auditor’s objective .................................................................................................. 7/30
7.4.3 Terminology – Definitions (compiled from various sources in ISA 240) .................... 7/30
7.4.4 Responsibility of management and those charged with governance ........................... 7/32
7.4.5 Responsibilities of the auditor.................................................................................. 7/32
7.4.6 Responses to the risk of material misstatement due to fraud ...................................... 7/34
7.4.7 Fraud risk factors .................................................................................................... 7/37
7.4.8 Communication with management, those charged with governance and others ......... 7/40
7.4.9 Fraud and retention of clients .................................................................................. 7/41

7.5 Consideration of laws and regulations in an audit of financial statements – ISA 250 .......... 7/42
7.5.1 Introduction ........................................................................................................... 7/42
7.5.2 Important considerations ........................................................................................ 7/42
7.5.3 Auditor’s duties, responsibilities and procedures ...................................................... 7/42
7.5.4 Reporting of non-compliance .................................................................................. 7/43

7/1
7/2 Auditing Notes for South African Students

7.1 Understanding audit risk


7.1.1 Introduction
Before going into the detail of some aspects of the audit process, we need to remind ourselves about the
role the auditor plays and what is expected of him/her. The auditor’s role is to provide reasonable
assurance about the fair presentation of the company’s financial statements. Users want to be satisfied that
the audited financial statements on which they are relying are free of material misstatement and their
reliance is an implied acceptance that the auditor has performed his function properly. However, there is
always the risk that the auditor will “get it wrong” and give an incorrect opinion. This is audit risk. To
define it more precisely, we can look to ISA 200 – Overall objectives of the independent auditor and the
conduct of an audit per the International Standards on Auditing, that defines audit risk as the risk that the
auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. In simpler
terms, it is the risk that the auditor will give an unqualified opinion when in fact, a qualified, adverse, or
disclaimer of opinion should have been given. Note that the opposite does not constitute audit risk
(expressing a qualified audit opinion when in fact the financial statements are free from material
misstatement) as the risk of this occurring is usually insignificant.

7.1.2 The inherent limitations of an audit


A valid question might be, “If the auditor does his job properly, won’t he eliminate the risk of expressing
an inappropriate opinion, or in other words, reduce audit risk to zero?” The answer is that audit risk can
never be completely eliminated due to the inherent limitations of an audit. These can be summarised as
follows:
• The nature of financial reporting itself
• The auditor is forming an opinion on financial statements that include a great deal of information based
on judgement, subjective decisions, and assessments.
• The nature of audit procedures
• There is always the possibility that management or others may not provide the auditor with complete
information relating to the financial statements. Accordingly, the auditor can perform procedures
related to the completeness of information but can never be 100% certain that all information has been
recorded or conveyed to him
• Fraud, including collusion and falsification of documents, may be so sophisticated and expertly hidden
that conventional audit procedures will be ineffective in detecting misstatement.
• An audit is not an official investigation into wrongdoing, and accordingly, the auditor does not have the
legal powers necessary to pursue certain evidence.
• Most audit procedures are conducted on samples so there is always the risk that material misstatement
will go undetected.
• Time constraints
If the auditor had unlimited time to conduct the audit, audit risk could probably be significantly
reduced. However, the relevance and value of information diminish (rapidly) over time, so the audit
must be completed within a reasonable period after the financial year-end. Time available should not be
used as an excuse for not doing the audit properly and can be addressed, to a large extent, by proper
planning, but it does remain a limiting factor.
• Cost/benefit
• The same logic will apply to cost. It is too costly (and would take too long) to address all information
and pursue every matter exhaustively, just to obtain that little extra bit of evidence when it produces no
real benefit.
However, despite its limitations, the audit remains a very important function.

7.1.3 The link between audit risk and the audit process
The audit process is a combination of stages that the auditor goes through to be in a position to report on
whether the financial statements are fairly presented. As it is today, the audit process has been developed
over time by the profession in such a manner that if the process is followed, audit risk will be kept to an
acceptable level. The International Standards on Auditing (ISAs) direct the audit process so it follows that
compliance with the standards will result in audit risk being kept to an acceptable level. A clearer under-
standing of audit risk will help to put the audit process into context.
Chapter 7: Important elements of the audit process 7/3

7.1.4 The components of audit risk


To better understand audit risk, we need to understand its components. There are three “components” of
audit risk, and in addition to defining these, we must consider the relationship between audit risk and its
components and the components themselves. ISA 200 provides the necessary guidance. It is important to
note that, although the ISAs refer to “risk of material misstatement”, ISA 315 (revised 2019) requires a
separate assessment of inherent and control risk to provide a basis for designing and performing further
audit procedures to respond to the assessed risks of material misstatement.

7.1.4.1 Inherent risk


Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure, to a
misstatement that could be material, either individually or when aggregated with other misstatements, before
consideration of any related controls. For example, transactions that require complex calculations, such as
complex lease agreements, are inherently more likely to be misstated than simple transactions, such as
purchasing goods.
Of course, as auditors, we would expect the client to put controls in place to ensure that the complex
transaction is correctly recorded, but the transaction remains “inherently risky”. Another way of looking at
it may be to describe inherent risk, as the "built-in" risk that an account balance, class of transaction or
disclosure might have.
For example, there is more inherent risk relating to the valuation assertion for an inventory of diamonds
in a jewellery business than to the valuation assertion of an inventory of cricket bats at a sporting goods
wholesaler. A cricket bat is, and looks like, a cricket bat, but a diamond has inherent characteristics that
make it difficult to identify (is it glass or zirconia?) and value (what number of carats it is, is it flawed, what
colour is it?). The important thing is that the auditor must identify the inherent risk and respond to it. In
this example, an expert may be called in to assist the auditor in the valuation of the diamonds. Expressed
another way, the risk of material misstatement is greater for an inventory of diamonds than it is for an
inventory of cricket bats because of the inherent characteristics of diamonds compared to cricket bats. The
auditor’s response to the risk of material misstatement will vary accordingly.
ISA 200 explains that the inherent risk is higher for certain assertions and related classes of transactions,
account balances, and disclosures than others. This variation is referred to as the “spectrum of inherent
risk” (ISA 315 (revised 2019)). The degree of likelihood and magnitude (or combinations of likelihood and
magnitude) will determine the assessment of the risk within the spectrum of inherent risk.

7.1.4.2 Control risk


The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or
disclosure that could be material, individually or when aggregated with other misstatements, will not be prevented
or detected and corrected on a timely basis, by the entity’s system of internal control. Control risk is perhaps
easier to understand than inherent risk. Simply stated, if the system of internal control does not do its job,
there is a strong possibility that misstatement of which the auditor may not be aware will occur.
Control risk is a function of the effectiveness of the design and operation of the system of internal control
in achieving its objectives but because of the limitations of internal control itself, it is improbable that a
client’s system will be perfect. Hence some control risk will exist. ISA 315 (revised 2019) states that “the
entity’s system of internal control, no matter how effective, can provide an entity with only reasonable
assurance about achieving the entity’s financial reporting objectives”. The likelihood of achievement is
affected by limitations inherent to internal control.
These limitations may be described as follows:
• Management's usual requirement that the cost of internal control does not exceed the expected benefits
to be derived (cost/benefit). Control may be sacrificed due to the cost of implementing the control, thus
increasing the risk that misstatement goes undetected. This is particularly so for smaller companies.
• Judgement errors on the nature and extent of the controls implemented and the risk assumed.
• Most internal controls tend to be directed at routine transactions rather than non-routine transactions
(non-routine transactions may bypass controls, resulting in misstatement).
• The potential for human error due to carelessness, distraction, mistakes of judgement and the misunder-
standing of instructions.
7/4 Auditing Notes for South African Students

• The possibility of circumvention of internal controls through the collusion of a member of management
or an employee, with parties inside or outside the entity.
• The possibility that a person responsible for exercising an internal control could abuse that responsi-
bility, for example, a member of management overriding an internal control.
• The possibility that procedures may become inadequate due to changes in conditions, and compliance
with control procedures may deteriorate (e.g., internal controls cannot handle a huge increase in sales).
It is not sufficient for the auditor simply to identify the presence of weaknesses in a client's system of
internal control; the important exercise is evaluating the effect that the identified weaknesses may have on
the financial statement assertions. To illustrate – your client, a wholesaler, routinely sells its products to
retailers on credit. The internal controls for credit sales are sound. However, over time, the practice of
selling to staff members and street hawkers for cash has crept in without adequate internal control activities
being formalised.
For example, at Gupta (Pty) Ltd, no specific cash sale documentation has been developed, cash is not
adequately recorded and regularly banked, and there is no segregation of duties between recording sales
and banking of cash. What assertions may be affected? The obvious ones are completeness of sales (are all
sales being accounted for?) and completeness of bank/cash on hand (is all the cash received being accounted
for?). Perhaps a less obvious assertion at risk is the completeness assertion for liabilities. If sales are not being
accounted for, profits will be misstated, and hence the liability to SARS for taxation will be understated.

7.1.4.3 Detection risk


The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect
a misstatement that exists and that could be material, individually or when aggregated with other misstatements.
Detection risk relates to the nature, timing and extent of the auditor’s procedures to respond to the risk of
material misstatement and reduce audit risk to an acceptable level. Detection risk is a function of the
effectiveness of an audit procedure and its application by the auditor, and may arise because the auditor:
• selects an inappropriate audit procedure, and/or
• misapplies an appropriate procedure, and/or
• misinterprets the results of the test.
Reducing detection risk is best achieved by complying with the relevant ISAs, particularly by:
• sound planning
• proper assignment of personnel to the engagement team
• the application of an appropriate level of professional scepticism, and
• proper supervision and review of the audit work performed.

7.1.4.4 Relationships between audit risk, inherent risk, control and detection risk and material
misstatement
• Audit risk and the risk of material misstatement are not the same thing. Diagrammatically we can illustrate
the difference as follows:
Chapter 7: Important elements of the audit process 7/5

• The risk of material misstatement is made up of inherent risk and control risk, for example, the risk of
material misstatement will be highest where there is a high level of inherent risk relating to the assertion
and controls are weak. If controls are very strong (i.e., low control risk) and there is low inherent risk
relating to the assertion, then the risk of material misstatement relating to that assertion will be low.
Here it is important to note that when the auditor does not intend to test the operating effectiveness of
an entity’s controls, the risk of material misstatement will be equal to the assessment of the inherent
risk.
• Audit risk is a function of the risk of material misstatement and detection risk, for example, if there is a high
risk of material misstatement and the auditor does not respond with effective selection and application
of audit procedures, the risk of expressing an inappropriate audit opinion (audit risk) will be very high.
In other words, to keep audit risk to an acceptable level, the auditor must ensure that detection risk is
kept to a low level by sound planning, proper assignment of personnel to the audit team, proper super-
vision, etc.
Think of it another way. If you evaluate inherent risk and control risk at your client as high, it means
that there is a strong possibility of material misstatement being present in the financial statements. As the
auditor, you must minimise the chance of expressing an inappropriate opinion on the financial statements,
in other words, you must reduce this risk (audit risk) to an acceptable level. How do you do that? The
answer is by adopting an appropriate audit strategy and plan and assigning the right staff to the audit team
(experienced and competent), having the audit team exercise professional scepticism and putting in place
proper supervision and review procedures – by doing these things you will be reducing the risk of failing to detect
the misstatements that you expect (due to the high inherent and control risk) to an acceptable level. As the
auditor, you have no control over inherent risk or control risk, inherent risk is “built-in” risk and internal
control is the responsibility of management. All you can do is to respond to these risks by reducing detec-
tion risk. Unlike inherent and control risk, detection risk is controllable by the auditor.

7.2 Understanding the entity and its environment


7.2.1 Introduction
As you will know by now, the objective of the auditor is to identify and assess the risks of material misstate-
ment, whether due to fraud or error at the financial statement and assertion levels, through understanding the
entity and its environment, including the applicable financial reporting framework, as well as the entity’s system of
internal control, thereby providing a basis for designing and implementing responses to the assessed risks of
material misstatement. The key to this is that unless the auditor has a thorough understanding of his
client’s business and the environment in which it operates, proper identification and assessment of the risk
of material misstatement is not possible. Simple examples illustrate this. If we don’t understand how a
company’s manufacturing process works, what raw materials or components make up its products and
how it identifies and records production overheads, how can we as auditors, identify and assess the risks
relating to such account headings as finished goods inventory, work-in-progress, etc.? How will we know if
overheads are being appropriately included in the cost of inventory? If we are not familiar with the
company’s leasing policies, how will we determine whether leases should be treated as finance or operating
leases? The examples are endless, and the message should be clear – without a thorough understanding of
the client, a substandard audit will be conducted.
Although “understanding the entity” is a clearly defined activity within the audit process, it is not a
“once-off, stand-alone” activity. Knowledge about a client is acquired as the relationship with the client
evolves. Each audit provides a better understanding of what we already know and new information about
changes and developments in the business is added. Understanding the entity is dynamic, not static. It is
not an exact science and there is no hard and fast set of procedures to be followed.
According to ISA 315 (revised 2019) – Identifying and assessing the risks of material misstatement, an
understanding of the entity establishes a frame of reference within which the auditor plans the audit and
exercises professional judgement, for example, when:
• assessing risks of material misstatement of the financial statements
• determining materiality
• considering the appropriateness of the selection and application of accounting policies and the adequacy
of disclosures
• identifying areas where special audit consideration may be necessary, for example, the audit of related
party transactions
• developing expectations for use when performing analytical procedures
7/6 Auditing Notes for South African Students

• responding to the assessed risk of material misstatement, including performing further audit procedures,
to obtain sufficient, appropriate evidence, and
• evaluating the sufficiency and appropriateness of audit evidence obtained.
All of the above are fundamental to performing the audit but cannot be achieved without the auditor
having a thorough understanding of the entity.

7.2.2 Conditions and events that may indicate risks of material misstatement
The following list provides examples of conditions or events that may suggest to the auditor that there is a
risk of material misstatement in the financial statements under audit. Of course, such conditions or events
do not mean that there is a material misstatement, but instead there is a possibility of material misstate-
ment, that the auditor should consider. The list is not exhaustive.
1. The company’s operations are exposed to volatile markets and/or are subject to a higher degree of
complex regulation, for example, trading in futures.
2. Going concern and liquidity problems with the corresponding difficulty in raising finance.
3. Changes in the company such as a significant merger or reorganisation or retrenchments.
4. The existence of complex business arrangements such as joint ventures and other related party struc-
tures.
5. Complex financing arrangements, for example, use of off-balance sheet finance and the formation of
special purpose entities.
6. Lack of appropriate accounting and financial reporting skills in the company.
7. Changes in key personnel, including the departure of key executives, for example, the financial
director.
8. Deficiencies in internal control.
9. Incentives for management and employees to engage in fraudulent financial reporting include unfair
remuneration structures, poor working conditions, and an autocratic environment.
10. Changes in the IT environment, including installations of significant IT systems related to financial
reporting, or a weakening of the IT control environment, particularly regarding security.
11. A significant number of non-routine or non-systematic transactions at year-end, for example, inter-
company transactions.
12. The introduction of new accounting pronouncements relevant to the company, for example, IFRS 15.
13. Accounting measurements that involve complex processes, events and transactions that involve
significant measurement uncertainty.
14. The omission or obscuring of significant information in disclosures as presented to the auditor.
15. Pending litigation and contingent liabilities, for example, sales warranties and financial guarantees.

7.2.3 Risk assessment procedures and related activities


Risk assessment procedures are those procedures carried out by the auditor to gather information about the
client so that the identification and assessment of risks of material misstatement at the financial statement
and assertions level can occur. Once this has been done, the auditor will have a basis for designing and
implementing responses to the assessed risks of material misstatement.
Useful information about a client can come from any number of sources but will generally flow from the
following:

7.2.3.1 Client acceptance of continuance procedures


Remember that by the time risk assessment procedures take place, the audit engagement will have been
accepted and that prior to acceptance, a fair amount of information about the client would have been
obtained. For example, information about the integrity of the directors would have been sought, discus-
sions with the audit committee (if there was one) would have been held, and information about the size
and complexity of the entity would have been gathered. In the case of an existing client, any major changes
or developments would have been considered in deciding whether to retain the client. The point is that
some of the information gathered will be useful in identifying and assessing the risk of material misstate-
ment.
Chapter 7: Important elements of the audit process 7/7

7.2.3.2 Previous experience with the entity


Where the entity has engaged the audit firm before, there will already be a “store” of information about the
entity. The extent of this information will depend on the previous engagements. If the firm has conducted
the audit for several years, there is likely to be a good base of information. If the previous experience with
the entity was providing tax advice, then information relevant to an audit is likely to be far less. Clearly, the
auditor would need to determine whether information obtained in a prior period remains relevant.

7.2.3.3 Inquiries of management and others


Discussion with the client’s personnel will perhaps provide the most information and the following
examples serve to illustrate the diversity of employees and others who may be consulted:
• Production personnel can provide information about the company’s raw materials, finished goods, manu-
facturing process, etc.
• Marketing and sales personnel can provide information about the company’s marketing strategies, pro-
ducts, competitors, etc.
• Human resource personnel can provide information about organisational structures, remuneration pol-
icies, labour disputes, etc.
• Internal audit personnel can provide information on investigations and assessments they have done as
well as their evaluation of the company’s own risk assessment procedures, etc.
• Financial and accounting personnel will be a major source of financial reporting information, including
the accounting policies used, related parties, procedures for setting estimates, making provisions, estab-
lishing fair values, taxation, etc.
• The company secretary, or the company’s legal counsel, will supply information about litigation, laws and
regulations relevant to the company, important contractual obligations, etc.
• The board of directors (those charged with governance) will provide information on the company’s overall
strategies. etc., and will give the auditor a sense of the control environment at the company.
• IT personnel will be able to provide important information about the company’s computer system, etc.
• An audit committee and risk committee will also provide information relating to accounting policies, inter-
nal control, financial reporting objectives (audit committee) and the company’s own risk assessment
procedures and policies regarding risk (risk committee).
• Where applicable, the previous auditor may provide information about the previous audits, including
audit problems and their resolution, dealings with the audit committee and board members, the com-
petence of senior financial personnel and the control environment, etc. (Note: Much of this information
may have been obtained when the pre-acceptance procedures were carried out, but there is nothing to
stop further contact with the previous auditor, provided the client gives permission.)

7.2.3.4 Observation
The observation of “what’s going on” can provide a useful backdrop for understanding the client’s oper-
ations.
For example:
• A guided tour of a company’s manufacturing plant will give the auditor a basic understanding of the
production process. This understanding will put the audit of plant and equipment, work in progress, the
allocation of production overheads, etc., into context.
• A tour of the company’s business premises, IT centre, warehousing facilities, will also contribute to a
better understanding of the client.

7.2.3.5 Inspection
Along with enquiry, inspection will be a major provider of information in understanding the entity. At this
stage of the audit, we are not carrying out a detailed inspection of “everyday” documents such as sales
invoices or purchase orders on which we may conduct further audit procedures (substantive tests of detail).
This is more likely to be a detailed review of the following kinds of documents:
• business plans and strategies
• internal control procedure manuals, flow charts, organisational charts
• management reports, minutes of board meetings and board committee meetings
7/8 Auditing Notes for South African Students

• the company’s integrated report and prior year financial statements


• relevant trade and financial journals and internet sites, and
• important contracts.

7.2.3.6 Analytical procedures


Analytical procedures carried out at this stage of the audit process may be useful in providing an overall
indication of whether the company’s financial performance is as expected, but may produce results that are
unexpected and that need to be explained. Ratio and trend analysis, including comparisons to prior
periods, industry averages or between similar sections or divisions, may reveal unusual or unexpected
relationships, and the explanation may indicate the presence of material misstatement.
For example (there are any number of examples):
• there may be an increase in sales but a decline in gross profit
• debtors’ ratios may have declined without credit policies having been changed, or
• sales commissions paid may have increased but sales may have declined.

7.2.3.7 Discussion among the audit team


This amounts to the “two heads are better than one” principle. The discussion is an opportunity for:
• the experienced members of the audit team to share their insights and knowledge of the entity, and
• explain how and where the financial statements may be susceptible to material misstatement, and
• for the new team members to inject fresh insight and question conventional thinking about the audit.

7.2.3.8 Gaining the required understanding of the entity and its environment, including the
applicable financial reporting framework and the entity’s system of internal control
In terms of ISA 315 (revised 2019) the auditor must obtain an understanding of:

• the entity and its environment and the applicable financial reporting framework
ISA 315 (revised 2019) provides a basic framework as to what information should be gathered. This has
been used as a basis for the charts and narratives that follow:
• organisational structure, ownership and governance and business model, including the extent to which
the business model integrates the use of IT
• relevant industry, regulatory and other external factors
• measures used internally and externally to assess the entity’s financial performance
• the applicable financial reporting framework and the entity’s accounting policies and reasons for
changes thereto, and
• how, and to what degree, inherent risk factors affect exposure of assertions to misstatements.

• the entity’s internal control


Again, ISA 315 (revised 2019) provides a useful framework for the auditor to obtain this understanding.
It suggests that the auditor should obtain an understanding of each of the following components of the
system of internal control:
• the control environment
• the entity’s risk assessment process
• the entity’s process to monitor the internal control system
• the information system, including communication, and
• control activities.
Remember that the auditor is putting together a body of information that will enable the audit team to
identify and assess the risk of material misstatement at the financial statement level and at the assertion
level.
Chapter 7: Important elements of the audit process 7/9

7.2.4 The entity and its environment and the applicable financial reporting framework
7.2.4.1 Organisational structure, ownership, governance, and business model
Understanding an entity's organisational structure and ownership may enable the auditor to understand the
complexity and relationships within the structure and ownership. The auditor may use automated tools
and techniques to assist in the understanding of transaction flow and processing. As such, the auditor may
obtain information about the organisational structure of the entity or its vendors, customers or related
parties. The auditor should also obtain an understanding of an entity’s objectives, strategy and business
model. A business sets itself objectives and then puts strategies in place to achieve these objectives.
“Business risk” is the term used to describe those conditions, events, circumstances, actions or inactions
that threaten the company’s achievement of the objectives it has set and its ability to achieve them.
Business risk is broader than the risk of material misstatement of the financial statements; in other words,
business risk includes risks other than the risk of material misstatement. Many of the business risks may
increase the risk of material misstatement in the financial statements. Therefore, the auditor must be
familiar with the client’s objectives and strategies and evaluate whether they will increase the risk of
material misstatement. Consider the following (simplified) examples:

Example 1
Objective: Wearit (Pty) Ltd wishes to increase its market share.
Strategy: Increase sales by making the terms and conditions for granting credit to
customers much less strict.
Business risk: Making sales on credit to customers who will not pay.
Potential material misstatement: Understatement of the allowance for bad debts, resulting in an over-
statement of accounts receivable.

Example 2
Objective: Pills (Pty) Ltd wants to expand its health products business into the
sports market.
Strategy: Import top quality, patented muscle growth and related products and
advertise extensively.
Business risk: Increased product liability, over-estimation of demand, import regu-
lation contraventions, for example, on foodstuffs.
Potential material misstatement: Under-provision for legal claims, over-statement of inventory value (no
demand, or goods cannot be legally sold).
There are any number of business risks – the key is to have experienced audit team members who can
identify them and evaluate whether they will give rise to material misstatement. Some examples of matters
to be considered by the auditor concerning an entity’s organisational structure, ownership and governance,
and business model appear below.

Factor Matters to consider


Organisational structure and ownership • structures:
– corporate, for example, subsidiaries, divisions
– organisational, for example, head office, regional offices
– joint ventures or special-purpose entities, and
– structure and complexity of IT environment
• ownership:
– relationships between owners and other persons/entities
– related parties, and
– distinction between owners, those charged with governance and
management.
continued
7/10 Auditing Notes for South African Students

Factor Matters to consider


Governance • involvement of those charged with governance in management
• existence of non-executive board
• separation of non-executive board from executive management
• positions held by those charged with governance
• sub-groups such as audit committee and its responsibilities
• responsibility for oversight of financial reporting, and
• responsibility of the approval of financial statements.
Business model • industry developments
• new products and services
• expansion of the entity’s business
• new accounting requirements
• regulatory requirements and legal exposure
• current and prospective financing requirements
• use of IT
– implementation of a new IT system, for example, and
• effects of implementing a strategy (e.g., new accounting
requirements).
Other factors specific to public sector • ability of entity to make unilateral decisions
entities • other public sector entities ability to influence/control entity’s
mandate and strategic directions
• relevant government activities/related programmes, and
• program objectives and strategies (e.g., policy elements).

7.2.4.2 Industry, regulatory and other external factors


The industry in which an entity operates and the relevant degree of regulation, plus certain external factors,
may give rise to specific risks of material misstatements. Some examples of matters to be considered by the
auditor follow.

Factor Matters to consider


Industry • cyclical or seasonal
• risk profile:
– high risk, for example, fashion, technology
– competition (demand, capacity and price)
– labour volatility
– size and market share within the industry, and
– boom or recession, and
• technology relating to products.
Regulatory • accounting principles and industry-specific practices
• legal and regulatory framework:
– taxation, for example, farming company
– foreign transactions operations, for example, health regulations,
consumer protection
– environmental, for example, pollution control
– safety and security, for example, in the workplace, and
– disclosure requirements, and
• government policy:
– industry specific financial incentives
– trade restrictions and tariffs, and
– foreign exchange.
continued
Chapter 7: Important elements of the audit process 7/11

Factor Matters to consider


Other external factors • general economic conditions
• interest rates and available financing, and
• inflation or currency revaluation.
Other factors specific to public sector • particular laws or regulations affecting the entity’s operations.
entities

7.2.4.3 Measures used internally and externally to assess financial performance


The auditor should obtain an understanding of how the performance of the entity and its management are
measured. Measuring performance creates pressure on individuals, and failure to perform can have serious
consequences. Professional scepticism suggests that one way of avoiding negative consequences may be for
management to manipulate the financial statements to present a better position than actually exists.
For example, the directors of a subsidiary may stand to lose their jobs if the subsidiary does not meet
certain turnover or profit targets for the financial year. This gives the directors the incentive (creates pres-
sure) to manipulate the financial statements. This could be done by manipulating sales cut-off (including
post-year-end sales in the year-end sales figure), introducing fictitious sales with related parties, and
manipulating costs to increase profits.
In effect, the auditor needs to consider how much the entity’s measurement and review system is likely
to increase the risk of material misstatement of the financial statements.
A further example may confirm your understanding of this. A series of performance measures are built
into the directors’ and managements’ employment contracts that directly affect their personal remuner-
ation. Many of the measures are based on the entity's financial performance and thus present a real incen-
tive for manipulating the financial statements and other financial information. The auditor must under-
stand the performance measurement exercise and carefully consider which account headings (and related
assertions) are susceptible to manipulation. Some examples of matters to be considered by the auditor
appear below.
Factor Matters to consider
Measures used by management • key performance indicators (financial and non-financial)
• period on period rations, trends and operating statistics
• budgets, forecasts, variance analyses
• segment information
• divisional, departmental or other performance reports
• employee performance measures
• incentive compensation polices, and
• comparisons with competitors.
External parties • analysis of credit agencies
• news and other media, including social media
• taxation authorities
• regulations
• trade unions, and
• finance providers.
Other factors specific to public sector • for example, achievement of public benefit outcomes.
entities

7.2.4.4 The applicable financial reporting framework, and accounting policies and reasons for
changes thereto
Obtaining an understanding of the applicable financial reporting framework may assist the auditor to
identify inherent risk factors that affect the susceptibility of assertions about classes of transactions, account
balances or disclosures, to misstatement.
The auditor will need to consider whether the accounting policies selected by the client are:
• appropriate for the business, and
• consistent with the financial reporting standards relevant to the industry.
7/12 Auditing Notes for South African Students

If the policies adopted do not satisfy the above, the risk of material misstatement is increased. Some
examples of matters to be considered by the auditor follow.

Factor Matters to consider


Financial reporting practices • accounting principles and industry-specific practices, including
significant transactions
• revenue recognition
• accounting for financial instruments, including related credit losses
• foreign currency assets, liabilities and transactions, and
• unusual or complex transactions.
Selection and application of accounting • methods used to recognise, measure, present and disclose significant
policies or unusual transactions
• significant accounting policies for which there may be a lack of
guidance or consensus
• changes in the environment that necessitate a change in accounting
policy, and
• new financial reporting standards and laws and regulations.
Other factors specific to public sector • for example, entity’s application of applicable financial reporting
entities requirements.

7.2.4.5 How, and to what degree, inherent risk factors affect the exposure of assertions to
misstatement
As discussed earlier, inherent risk factors (on their own or as a combination) increase the inherent risk to
varying degrees. Inherent risk may be higher or lower for different assertions. This is referred to as the
“spectrum of inherent risk” (ISA 315 (revised 2019)). Obtaining an understanding of the entity, its environ-
ment, and its applicable financial reporting framework may assist the auditor in identifying inherent risk
factors that affect the susceptibility of assertions about classers of transactions, account balances or dis-
closures, to misstatement. This understanding may enable the auditor to form a preliminary understanding
of the probability or extent of misstatements. Inherent risk arising due to complexity or subjectivity (often
linked to change or uncertainty) requires a greater need for the auditor to apply professional scepticism.
Some examples of matters to be considered by the auditor follow. Furthermore, these risk factors may
create an opportunity for intentional or unintentional management bias. Some examples of matters to be
considered by the auditor appear below.
Factor Matters to consider
Complexity • operations that are subject to a high degree of complex regulation
• the existence of complex alliances and joint ventures
• accounting measurements that involve complex processes, and
• use of off-balance-sheet finance, special purpose entities, and other
complex financing arrangements.
Subjectivity • applicable financial reporting framework
• a wide range of possible measurement criteria of an accounting
estimate, (e.g., management’s recognition of depreciation or
construction income and expenses), and
• management’s selection of a valuation technique or model for a non-
current asset, such as investment properties.
continued
Chapter 7: Important elements of the audit process 7/13

Factor Matters to consider


Change • economic conditions, (e.g., operating in economically unstable
countries)
• markets: volatile markets, (e.g., futures trading)
• customer loss (can lead to going concern/liquidity problems)
• change in industry
• change in supply chain
• new products/services/lines of business
• expanding into new locations
• change in structure, (e.g., acquisitions/reorganisations)
• selling of business segment/entity
• change in key personnel or executives
• change in IT environment
• new accounting pronouncements
• constraints on availability of capital/credit, and
• new legislation
Uncertainty • measurement uncertainty, (e.g., accounting estimates)
• pending litigation, and
• contingent liabilities (e.g., warranties/guarantees)
Susceptibility to misstatement due to • opportunities to engage in fraudulent reporting
management bias or other fraud risk • significant transactions with related parties
factors insofar as they affect inherent risk • non-routine or non-systematic transactions including inter-company
• debt refinancing
• assets to be sold, and
• classification of marketable securities
Other • lack of skilled personnel
• control deficiencies not addressed, and
• past misstatements/errors

7.2.5 The entity’s internal control system


In chapter 5 we discussed internal control systems in some depth and noted that a good way of gaining an
understanding of an entity’s system is to consider its five components separately and collectively. As
indicated earlier, ISA 315 (revised 2019) in fact recommends that this is how the auditor should go about
obtaining the necessary knowledge of the system. Remember that an understanding of a client’s system of
internal control assists the auditor in identifying types of potential misstatement and factors that affect the risks of
material misstatement and designing the nature, timing, and extent of further audit procedures.
Some aspects of internal control covered in chapter 5 have been repeated here, but as the client’s internal
control system is so important to the auditor, the repetition is acceptable. Computerised systems, that
contain a mix of manual and automated (programmed) controls, are the norm and therefore very common
in business. The degree, complexity and sophistication of computerised systems vary considerably, but in
most cases, the auditor will need to obtain a sound understanding of the role played by computerisation in
the company’s internal control system, particularly in relation to the information system and control
activity components of the internal control process.

7.2.5.1 Component: The control environment


The control environment sets the tone of the organisation and influences the control consciousness of its
staff. It concerns the attitude and awareness of the directors and managers to internal control and its
importance to the entity. The directors and managers should promote an environment in which adherence
to controls is regarded as very important by their actions and behaviour. If managers set a bad example,
ignoring controls and generally projecting a “slack” attitude, employees will soon adopt the same attitude.
7/14 Auditing Notes for South African Students

For example, a creditors clerk whose function is to reconcile the creditors ledger accounts to the creditors
statements, and then take the reconciliation to the financial accountant to be checked before payment is
made, will soon not bother to reconcile properly, if at all, if he knows that the financial accountant does not
check the reconciliation before authorising the payment.
A good control environment will be characterised by:
• communication and enforcement of integrity and ethical values throughout the organisation
• a commitment by management to competent performance throughout the organisation
• a positive influence generated by those charged with governance of the entity, for example, non-execu-
tive directors, the chairperson (i.e., do these individuals display integrity and ethical commitment, are
they independent, and are their actions and decisions appropriate?)
• a management philosophy and operating style that encompasses leadership, sound judgement, ethical
behaviour, etc.
• an organisational structure that provides a clear framework within which proper planning, execution,
control and review can take place
• policies, procedures and an organisational structure that clearly define authority, responsibility and
reporting relationships throughout the entity, and
• sound human resource policies and practices that result in the employment of competent, ethical staff,
provide training and development, fair compensation and benefits, promotion opportunities, etc.
Gathering of evidence relating to the control environment can be achieved by observation of management and
employees “in action”, including how they interact, inquiry of management and employees, for example,
union officials, and inspection of documents, for example, codes of conduct, organograms, staff communica-
tions, records of dismissals, minutes of disciplinary hearings, etc. Obviously, as the client/auditor relation-
ship develops over time, it will become easier to understand and evaluate the control environment.
Generally, a strong control environment will be a positive factor when the auditor assesses the risk of
material misstatements. For example, the risk of fraud may be significantly reduced. A poor control envi-
ronment, or elements of the control environment that are poor, will have the opposite effect, for example,
the company may have excellent human resource policies, but may lack leadership and organisational
skills. Employees may be competent but management may have a “slack” attitude towards controls.

7.2.5.2 Component: The entity’s risk assessment process


This is the process that the company has in place for, among others:
• identifying business risks relevant to financial reporting objectives
• estimating the significance of each risk
• assessing the likelihood of its occurrence, and
• responding to the risk (taking action to address the risk).
This process of risk assessment may be formal or informal. More complex organisations are more likely to
have a formal plan, for example, specific committees who hold regular meetings, the appointment of a
chief risk officer and/or a compliance officer, but generally risk assessment is part of “managing”. In doing
their jobs, managers will identify and respond to risk.
Information about the client’s risk assessment process will be gathered mainly by inquiry, for example,
risk officer, compliance officer, chief executive officer, and inspection of documentation where it is avail-
able, for example, minutes of designated committee meetings, inter-office memos on rectifying problems
(responding to risk). An effective risk assessment process is advantageous for the auditor because the results
produced by the in-house process provide the auditor with a platform to work from in assessing risk.
In terms of King IV internal audit should primarily be risk-based, which means that the internal audit
section is expected to conduct assessments and evaluations of the company’s risk process and the com-
pany’s response to risk. Therefore, internal audits will be a good source of information for the external
auditor when evaluating the client’s risk assessment process.

7.2.5.3 Component: Monitoring of the system of internal control


You will recall that, at the outset, management identifies the objectives that the company’s internal control
process should achieve, both overall and right down to the transactions level. Monitoring of the system tells
management how well the internal control process is doing over time. Management (and the board) wish to
know if controls are operating as intended and monitoring assists in providing this information. Some
Chapter 7: Important elements of the audit process 7/15

procedures that are described and carried out as control activities are a form of monitoring. For example, a
senior accountant inspects the monthly bank reconciliation carried out by his assistant to ensure that it has
been done, and done correctly. Monitoring as a component of the internal control process looks at all of the
components of the process, not only at the control activity component. For example, management’s
monitoring of disciplinary actions and warnings to employees relating to breaches of the company’s “code
of conduct” may indicate a decline in the control environment, and the ongoing monitoring of the com-
pany’s poor performance on contracts may reveal that the risk assessment component is not effective.
In larger or more complex companies, internal audit departments usually contribute to the effective
monitoring of control activities, and the external auditor will frequently rely on work carried out by the
internal auditor. Monitoring will often take place at a subsequent stage.
For example, they may play back recorded sales transactions to confirm that telesales operators are
“following the rules”, or the IT manager might scrutinise the activity logs/exception reports on a weekly
basis. Information from outside the company can also provide meaningful insights into whether the
“system is working”, for example, monitoring complaints from customers will often give a good indication
of aspects of the business that are not functioning as required. Monitoring the number of bad debts over
time indicates whether creditworthiness checks are effective.
The auditor can obtain information about monitoring by inquiry of management and staff, working with
internal audit and inspecting documentation relating to a monitoring process or performance reviews.

7.2.5.4 Component: The information system and communication


The auditor is required to obtain an understanding of the information system relevant to financial reporting
and communication. The accounting system is part of the information system. Bear in mind that the
client’s information system will produce information that is not relevant to financial reporting.
For example, the information system of a motor manufacturer may produce extensive information about
sales, for example, such as the most popular colours, sales by dealer, month, geographical location, age of
purchaser, etc. to assist the marketing department. While this may be interesting to the auditor (and
sometimes helpful, as it may provide some evidence of the saleability of inventory), it is not directly related
to financial reporting.
The auditor must obtain a thorough understanding of:
• the classes of transactions in the client’s operations that are significant to the financial statements, for
example, sales, wages
• the procedures within both IT and manual systems, by which those transactions are initiated, recorded,
processed, corrected as necessary, transferred to the general ledger and reported in the financial
statements
• the related accounting records, supporting information and specific accounts in the financial statements
in respect of initiating, recording, processing and reporting transactions
• how the information system captures events and conditions, other than transactions that are significant
to the financial statements, for example, contingent liabilities
• the financial reporting process used to prepare the entity’s financial statements, including significant
accounting estimates and disclosures
• controls over the passing of non-standard journal entries used to record non-recurring, unusual trans-
actions or adjustments, and
• how financial information is conveyed to management, the Board, the audit committee and external
bodies, for example, the JSE in the case of a listed company.
This understanding of the information system relevant to financial reporting should include relevant
aspects of that system relating to information disclosed in the financial statements obtained from within or
outside the general and subsidiary ledgers.
Examples of such information may include:
• information obtained from lease agreements disclosed in the financial statements, for example, renewal
options
• fair value information disclosed in the financial statements
• information used to develop estimates recognised or disclosed in the financial statements, for example,
assumptions applicable to the useful life of an asset
7/16 Auditing Notes for South African Students

• information to support management’s assessment of going concern, and


• information that has been recognised or disclosed in the financial statements that has been obtained
from the company’s tax returns/SARS correspondence.
The following chart provides a breakdown of matters the auditor might consider when obtaining informa-
tion about a computerised information system.
Factor Matters to consider
Computerised applications • which applications are computerised, for example:
– payroll – not computerised, or
– acquisitions and payments – computerised
• computer environment:
– micro, network, centralised, or
– use of bureau
(see chapter 8 for a discussion on computer environments)
• the application software:
– purchased or in-house software
– key processing functions
– nature and source of inputs
– output produced
– important master files and tables
– interface between applications, and
– new or established.
Hardware • makes and capacities of CPUs, drives, printers, servers, terminals
(important for establishing compatibility with the auditors
hardware and software and for understanding the system), and
• physical location (branches, factory, etc.).
Software • details of all software that is used for managing the functions of
the hardware and data:
– operating systems
– database management systems
– utilities
– access control software, and
– programme change control software.
Organisation and control • general and automated application controls (chapter 8)
• communication and reporting lines
• IT personnel and their job descriptions
• steering committee details, and
• internal audit involvement in IT.
Complexities of the system • the presence of:
– networks (LANS, WANS)
– electronic data interchange (EDI)
– electronic funds transfer (EFT)
– real time systems
– the Internet
– high levels of system integration, and
– complex databases, communication networks.
Note: Refer to chapter 9 for more discussions about networks and
databases.
The level of dependence • degree of disruption that would occur if the system was not
(of the client on its normal system) functional for a lengthy period, and
• the dependence of a particular functional area on timely, accurate
computing, for example, wages in a large labour-intensive industry
Chapter 7: Important elements of the audit process 7/17

The auditor should be mindful that computerised (IT) systems pose specific risks to an entity’s internal
control. Examples of such risks may include the following:
• A computer will process what is input and will do so in the manner in which it is programmed. For
example, if there is an error in programming, that error will be repeated every time the relevant trans-
action is processed – for example, if a programming error results in the VAT on sales being calculated
on the selling price plus VAT, for example, 14% of 114%, and 5 000 invoices are processed, the com-
puter will make the mistake 5 000 times.
• Unauthorised access to data can result in an instant and huge destruction or contamination of data, for
example, deletion of the debtors master file.
• IT personnel gaining access privileges they should not have, resulting in a breakdown of segregation of
duties, for example, a systems analysts gains access to the salaries master file and alter his salary.
• Unauthorised changes to data in master files, systems or programmes.
• Instantaneous processing of fraudulent transactions such as unauthorised EFTs that instantly move
money out of the company’s bank account.
• Potential denial of access to electronic data, for example, employees/customers cannot get into the
database because of system failure.
The auditor should also be mindful that the information system as a whole, or elements of it, can be placed
at risk, by any of the following (among others):
• New employees who have a different understanding of, or attitude to internal control, for example, a
newly appointed IT manager has a less strict attitude to access controls than his predecessor.
• Rapid growth in the company that places severe strain on the controls, for example, a significant
increase in the demand for the company’s products has resulted in the company letting its credit-
worthiness checks lapse (so as not to lose sales) due to a lack of time and staff to carry out the checks.
Automated (programmed) controls relating to creditworthiness may be overridden permanently or
disabled.
• New technology that can lead to disruption of internal controls – introducing a network system may
result in data being lost or corrupted, or existing controls becoming inappropriate.
• Introducing new business models that may result in the existing internal controls being rendered
inadequate, for example, introducing sales over the Internet to along-established (physical) retail busi-
ness may introduce problems in controls over banking, receipt and dispatch of goods, etc.
• Corporate restructuring may result in staff reductions, new lines of authority, etc., thereby jeopardizing
for example, division of duties and authorisation controls.
The auditor will have to carefully assess whether and how the changes affect the internal control objectives
and the potential for material misstatement.
Details of the information system (including the accounting system) can be gathered by:
• inspection (or creation) of flowcharts of the system, user manuals, etc.
• observation of the system in action, for example, what happens when a supplier delivers goods, what
documents are called up on-screen, what access controls are in place
• inquiry of client staff and the completion of internal control questionnaires
• discussions with prior year audit staff, management and possibly outsiders, for example, application soft-
ware suppliers
• discussions with internal audit staff and review of internal audit work papers
• inspection of exception reports, error reports, activity reports produced by the system, and
• tracing transactions through the information system, sometimes called “walkthrough” tests.

7.2.5.5 Component: Control activities


This component was covered extensively in chapter 5, and is also covered in chapter 8.
Control activities are the policies and procedures that are implemented to ensure that management’s
objectives are carried out. Not all control activities relate to financial reporting and the auditor will concern
himself only with those that relate to areas where material misstatement is more likely to occur. Control
activities essentially include such things as:
• authorisation of transactions (that is a form of isolating responsibility)
• segregation of duties, for example, separating custody of inventory from keeping of inventory records
7/18 Auditing Notes for South African Students

• physical control over assets, for example, restricting access to the warehouse
• comparison and reconciliation, for example, reconciling the bank account monthly
• access controls, for example, access tables, user profiles, IDs and passwords in a computerised environ-
ment
• custody controls over blank/unused documents, for example, order forms, credit notes
• good document design (to achieve accuracy and completeness of information), and
• sound general and automated application controls in IT systems (see chapters 8 and 9).
Information about control activities will usually be gathered in the same way as information about the
information system as a whole is gathered, for example, inspection of control procedure manuals, observation
of controls in action, inquiry of employees as to the procedures they carry out and the completion of
internal control questionnaires.

7.2.6 Significant risks (ISA 315 (revised 2019) para 12)


1. ISA 315 (revised 2019) defines significant risk as identified risk of material misstatement for which the
assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the
combination of the likelihood and the magnitude of the potential misstatement (or risks that are
significant in accordance with other ISAs). You may remember that the concept of “the spectrum of
inherent risk” was referred to earlier.
Significant risks require specific audit responses and identifying risks as significant allows the auditor to
focus more attention on those risks. In terms of ISA 315 (revised 2019), the auditor is required to carry
out procedures to identify and assess the risk of material misstatement at financial statement and at
assertion level, and as part of the assessment process, inherent risks may be assessed towards the upper
end of the spectrum of inherent risk (due to their likelihood or magnitude). This is a matter of profes-
sional judgement. These risks (at the higher end of the spectrum) may then be classified as significant.
This may differ from entity to entity and also from period to period for a specific entity. However,
certain risks are to be treated as significant following another ISA (as stated above), such as ISA 240,
that deals with the auditor’s responsibility to consider fraud.
Wherever a risk is assessed on the spectrum, the auditor must respond appropriately. This is the key.
For example, the risk relating to the valuation of a jewellery business inventory of diamonds will
probably be regarded as high or significant. As discussed earlier, auditors will probably not know one
diamond from the next and will not be able to judge its clarity, cut or carats to determine whether it has
been fairly valued. Whether the auditor calls it a high risk or significant risk, he has assessed the risk of
material misstatement in the inventory account heading as very likely and his response, in this case, is
likely to involve making use of an expert. The further audit procedures (response to risk) will involve
making use of an independent expert. Essentially, what is important is that the auditor identifies the risk
of material misstatement comprehensively and responds accordingly, not whether the classification of
the risk is “correct”.
2. As stated above, assessing the severity (likelihood and magnitude) of a risk is a matter of professional
judgement. Risk of material misstatement with higher inherent risk, that may therefore be determined
as a significant risk, may arise due to (ISA 315 (revised 2019)):
• transactions for which there are multiple acceptable accounting treatments such that subjectivity is
involved
• accounting estimates that have high estimation uncertainty or complex models
• complexity in data collection and processing to support account balances
• account balances or quantitative disclosures that involve complex calculations
• accounting principles that may be subject to differing interpretations
• changes in the entity’s business involve changes in accounting, such as mergers and acquisitions,
and
• risks that may be deemed as significant in accordance with another ISA.
Below are some further explanations/examples of matters relating to the above that may be identified as
significant risks:
• Risk of fraud, namely, if the auditor considers a risk of fraudulent manipulation of the financial
statements, it would be a significant risk.
Chapter 7: Important elements of the audit process 7/19

• Risk related to recent significant economic, accounting or other developments/changes, (the sugges-
tion here is that where there are new conditions at a client that the auditor considers may give rise to
a risk of material misstatement, the risk should be regarded as significant because the condition is
new). For example, a company finds itself in severe financial problems for the first time in its
history, to the extent that its going concern activity is seriously threatened.
• The complexity of the transactions (giving rise to the identified risk). For example, the audit client
commences trading in derivatives and the auditor considers that there is a risk of material misstate-
ment arising from the inappropriate application of the financial reporting standards relating to
derivatives. Due to the complexity of derivative transactions and the fact that trading in derivatives is
new to the company, this may be regarded as a significant risk.
• Risk that involves significant transactions with related parties. Because of the potential for non-
arm’s-length transactions occurring between the company and related parties, there may be a risk of
material misstatement of related party transactions, and where such transactions are material and
frequent, the risk should be regarded as significant.
• The degree of subjectivity in the measurement of the financial information related to the risk. The
greater the subjectivity, the more likely the risk will be significant. For example, the valuation of
plant and equipment for a large manufacturing company that has to account for numerous and
varied impairments of its plant and equipment at year-end, will probably present a significant risk.
• Risk that involves significant transactions that are outside the normal course of the business, or
otherwise appear unusual due to their size or nature. These transactions are unlikely to be subject to
the normal, everyday routine control activities associated with the company’s transactions and,
therefore may well result in a material misstatement. Material loans to directors or sale of some of
the company’s manufacturing equipment might be regarded as significant.
Remember that the reason for identifying and assessing the risk is so that the auditor can determine the
nature, timing and extent of further audit procedures. Grading the risks as higher or lower helps fine
tune the audit plan and respond appropriately. Before the actual determination of the response, the
auditor will obtain an understanding of the company’s controls relevant to the risk identified, as the
company’s controls will affect the auditor’s response. For example, suppose management recognises the
risk of material misstatement arising from related party transactions. In that case, they may have
already implemented strict control activities over these transactions, such as additional authorisation
requirements, monthly reports to the board on all such transactions, and sound procedures for identi-
fying related parties. From an audit perspective this is likely to reduce the “significance” of the risk
associated with related party transactions, but of course, will not eliminate it.
3. There is no unique set of procedures that the auditor carries out to respond to significant risks. By
definition, a significant risk is important and if it is inadequately addressed, could lead to material mis-
statement going undetected. It is logical, therefore, that the engagement partner would concentrate on:
• getting the composition of the audit team right concerning knowledge, experience and attitude (good
level of professional scepticism)
• carefully evaluating the full effect of the significant risk and how it may manifest itself. For example,
if the audit manager thinks that there is a significant risk that management may manipulate the
financial statements, he should consider very thoroughly how this could be done. Fictitious sales,
overstating inventory, making use of related parties, etc., are all methods of manipulating financial
information, and the audit team will need to respond to all these methods, and
• all assertions affected should be identified and the best quality evidence should be sought by the audit
team using normal audit procedures, such as inspection, confirmation, and enquiry.

7.2.7 “Stand-back” provision (ISA 315 (revised 2019) para 36)


ISA 315 (revised 2019) introduces a provision that is generally referred to as the “stand-back” provision.
The purpose of this provision is to ensure that there is no risk of material misstatement relating to material
classes of transactions, account balances and disclosures being left unidentified, thus confirming that the
risks identified are, complete. Therefore, after the auditor has identified and assessed the risk of material
misstatement and subsequently identified all significant classes of transactions, account balances and
transactions, the auditor will have to consider the classes of transactions, account balances and disclosures
that have not been classified as significant, but are material. The ISA states that “classes of transactions,
7/20 Auditing Notes for South African Students

account balances or disclosures are material if omitting, misstating or obscuring information about them
could reasonably be expected to influence the economic decisions of users taken on the basis of the finan-
cial statements as a whole”.

7.3 The concept of materiality


7.3.1 Introduction
Materiality is a fundamental concept in auditing. The objective of the audit is to express an opinion on
whether the financial statements are fairly presented in all material respects. The audit report is a statement
by the auditor that, in his opinion, the financial statements do not contain material misstatement. It is
generally understood and accepted by users of financial statements that the amounts reflected in the
financial statements are not 100% accurate and may contain a margin of error or uncertainty. However,
this margin of uncertainty must be acceptable to users otherwise, the financial statements are of little value.
Once the misstatement falls outside the acceptable margin, it becomes material and is likely to affect the
users’ decisions.
Two ISAs relate to “materiality” in the context of the audit of financial statements:
• ISA 320 – Materiality in planning and performing an audit, and
• ISA 450 – Evaluation of misstatements identified during the audit.
ISA 320, as its title suggests, is concerned with materiality at the planning and performing stage of the
audit, (i.e., setting materiality levels to assist in the planning and performance of the audit), while ISA 450
is concerned with materiality as part of evaluating the effect of misstatements identified in the audit, and of
uncorrected misstatements on the financial statements, to form an opinion on fair presentation.
ISA 320 is a very general statement and is not particularly prescriptive. This is mainly because while an
understanding of materiality in auditing is essential, how firms implement the concept varies considerably.
Essentially the statement presents the principles and leaves the rest up to the auditor.
In its discussion on materiality, ISA 320 explains that:
• misstatements, including omissions, are considered to be material if they, individually or in aggregate
could reasonably be expected to influence the economic decisions of users taken based on the financial
statements
• judgements about materiality are made in the light of surrounding circumstances and are affected by the
size or nature of a misstatement, or a combination of both, and
• judgements made by users of the financial statements about material matters are based on a considera-
tion of the common financial information needs of users, not specific individual users.
A less formal explanation might be that a matter will be material if a user of financial statements should
know about it when making a decision based on the financial statements.
The difficulty for the auditor is that he is required to decide what users of the financial statements as a
group will regard as material in the context of fair presentation. Judgements about what is material to users
of the financial statements are based on considering the common financial information needs of users and
not the needs of specific individuals. In making these judgements, the auditor is entitled to assume the
following:
• users have a reasonable knowledge of business and economic activities and accounting and a willing-
ness to study the information in the financial statements with reasonable diligence
• users understand that financial statements are prepared, presented and audited to levels of materiality
(i.e., users know financial statements are not 100% correct)
• users recognise the uncertainty in the measurement of amounts based on the use of estimates, judge-
ments and the consideration of future events, and
• users make reasonable economic decisions based on the information in the financial statements.
In terms of the IASB “Framework for the Preparation and Presentation of Financial Statements”, financial
statements that meet the needs of providers of risk capital to a company will also meet the needs of most
other users of the financial statements. This essentially means that in deciding on what is material to users,
the auditor can assume that what is material to investors in the company will be material to other users.
Chapter 7: Important elements of the audit process 7/21

7.3.2 The nature of materiality


7.3.2.1 Materiality is subjective
Ten auditors would probably come up with ten different decisions when setting a materiality level (i.e., the
level of acceptable misstatement) at the planning stage, at the performance stage or deciding on whether a
particular matter is material to fair presentation at the evaluating stage. It is not a defined concept, and
professional judgement will play a large part in the decision.
For example, if accounts receivable is reflected in the annual financial statements at R500 000, would an
overstatement of R5 000 be material? R10 000? R20 000? R50 000? There is no definite answer. Of course,
the auditor does not decide on a materiality level by just choosing a nice round figure. Other factors will
also have to be considered, such as the size of the accounts receivable balance in relation to the current
assets and total assets, as well as the profit or loss that has been made for the period. The auditor may be
able to accept an overstatement of R50 000 in the accounts receivable balance itself, but if the over-
statement is due to an understatement of the allowance for bad debts, then it will be necessary for the
auditor to consider the misstatement in relation to the profit or loss made by the company as well.
Remember that the auditor has to make judgements about what users will consider being an acceptable
level of misstatement.

7.3.2.2 Materiality is relative


What is “material” will vary from user to user and from audit client to audit client. What is regarded as
material for the financial statements of a medium-sized company, may be totally insignificant to an inter-
national conglomerate, and a matter that is material to a private investor may be insignificant to a “unit
trust” investor.
Because materiality is relative, it is necessary to establish bases against which it can be measured.
For example, a misstatement of R50 000 is material relative to net income of R500 000, but not material
relative to net income of R5 000 000. We cannot say that R1 000 000 is material just because it is a large
amount (to us!) because it is simply not material in the case of a large company. If a listed company’s net
profit is misstated by R1 000 000, users’ decisions are unlikely to be influenced.
Instead of just using a convenient pre-established amount, audit firms may use percentages of account
headings or account groupings as a starting point or benchmark for setting the level.
For example:
Account heading/grouping %
Net profit before tax : 5%
Current assets : 5%
Current liabilities : 3%
Total assets : 3%
Turnover : 1%

Note: This is only an illustrative example – other account headings/grouping may be used. Percentages
may also vary and may be presented as a range, for example, Turnover ½ to 1%. Benchmarks may also
vary considerably from industry to industry. For example, benchmarks that may be appropriate for an audit
at a supermarket company may not be appropriate for a company that runs hospitals, as the relationships
between account balances within the financial statements differ from industry to industry – a supermarket
company will have very high turnover and low profit margins, while hospital companies may have lower
turnover but higher profit margins.
Perhaps the most important point to make here is that the vast majority of misstatements affect the
comprehensive statement of income and the statement of financial position but can be material to one and
not to the other.
For example, a company has total assets of R3 000 000 and net income before tax of R250 000. An error
in the calculation of depreciation has resulted in an overstatement of fixed assets of R40 000. If the above
percentages are used, this misstatement would not be material relative to the guideline for total assets (3% of
R3m) but would be material relative to the guidelines for net profit before tax (5% of R250 000).
For this reason, most auditing firms will use net income before tax as the base to measure the materiality
of the misstatement, particularly because net income before tax is an important figure for most users.
7/22 Auditing Notes for South African Students

It is interesting to note that ISA 320 recognises the use of benchmarks but does not prescribe any percent-
ages to be used in setting materiality levels. This serves to emphasise the subjectivity surrounding the
concept and the need to use professional judgement.

7.3.2.3 Materiality can be both quantitative and qualitative


An amount that is quantitatively material will exceed the amount that the auditor determines is material,
(i.e., the amount of misstatement that could influence a users’ decision).
For example, an overstatement in inventory of R100 000 may exceed the preset materiality level of
R80 000. If this is the basis on which materiality is determined, it follows that an overstatement of R79 999
would not be material.
A matter that is qualitatively material will be one that is regarded as material when judged against a factor
other than an amount.
For example, important disclosures may be omitted from the financial statements. If this omission
influences a user, it becomes qualitatively material. Disclosure is not the only qualitative factor to be
considered.
The auditor should consider both the quantitative and qualitative aspects of materiality as a matter may
be material in respect of one and not the other.
For example, assume that the amount of misstatement the auditor can accept in the accounts receivable
balance is R100 000. If the auditor discovers errors of R90 000 in the balance arising from genuine mistakes
such as receipts from debtors inadvertently not accounted for or credit notes not passed, even if the errors
were not corrected, the auditor would accept that the errors that were not corrected were quantitatively
immaterial. If, however, the auditor identified a misstatement of R90 000 arising from the deliberate
inclusion of fictitious debtors in the account balance, the auditor would regard this as qualitatively material
and would not accept it, despite the amount being below the R100 000 limit.
Another example might be that the auditor discovers R75 000 included in the accounts receivable
balance, which is a loan to a director. Loans to a director attract disclosure requirements, and if these have
not been met (which is likely in this situation), the misstatement of accounts receivable would be
qualitatively material, although not quantitatively material.
A comparative example of quantitative vs. qualitative information is provided below:

Qualitative
Refers to the nature of a trans-
action or amount and includes
Subjective many financial and non-
Conclusions financial items that, inde-
Unstructured data pendent of the amount, may
influence the decisions of a
user of the financial state-
ments.

Quantitative Numeric materiality


Refers to the type of data that is Measurements & ratios
considered “measurable informa- Statistical analysis
tion”. This means that its value or Structured data
state can be numerically express- Objective
ed. All data that is quantifiable,
Conclusive
verifiable, and amenable to stat-
istical manipulation classifies as
quantitative.
Chapter 7: Important elements of the audit process 7/23

7.3.3 Planning materiality and performance materiality


In terms of ISA 320, the concept of materiality is applied at the planning stage of the audit, (planning
materiality) during the performance of the audit (performance materiality), and at the evaluating stage of the
audit (final materiality). Final materiality is dealt with later in the chapter.

7.3.3.1 Planning materiality


When planning the audit, the auditor makes judgements about misstatements that will be considered
material. Having an idea about the size of misstatement he is looking for assists the auditor in:
• determining the nature, timing and extent of risk assessment procedures
• identifying and assessing the risks of material misstatement, and
• determining the nature, timing and extent of further audit procedures.
Note: Considering the nature of potential misstatements in disclosures is relevant to the design of audit
procedures to address the risk of material misstatement. For example, the auditor may anticipate
that contingent liabilities may be omitted or inadequately described. A response to this risk will be
built into the audit plan.
Planning materiality is in a sense, an overall guideline to the audit and is the auditor’s judgement as to the
amount of misstatement a user can “live with”.

(a) Setting planning materiality levels


In terms of ISA 320, when establishing the overall audit strategy, the auditor is required to determine
“materiality for the financial statements as a whole” and may also establish materiality levels to be applied
to classes of transactions, account balances or disclosures. This means that in principle (and in practice)
there will be a planning materiality level set for the financial statements as a whole and planning mater-
iality levels (of lesser amounts) to be applied to classes of transactions, account balances and disclosures.
Setting planning materiality levels for the financial statements involves quantifying the amount of
misstatement that the auditor believes could be present in the financial statements without affecting fair
presentation. In the introduction to this chapter, we pointed out that financial statements are not 100%
accurate and users understand that; but what is acceptable? 95% correct, 80% correct? Setting a materiality
level is an attempt to quantify the level of misstatement that is acceptable. This is done so that the audit can
be planned to make provision for a reasonable chance of identifying misstatements that would exceed the
acceptable level of misstatement. As a result, we might say that as an overall “guide”, the financial
statements could be out by R1 000 000 and still be fairly presented.
However, setting a planning materiality level at the overall financial statements level does not really mean a
great deal. This is because the audit is carried out on individual account balances and classes of transaction
and disclosure, and this is the level at which the audit must be planned. Therefore, the next step will be to
consider the amount of misstatement that could be tolerated within an account heading before fair
presentation of that account heading is lost. Setting planning materiality for classes of transactions and
account headings is very subjective and requires significant professional judgement. Audit firms have
different ways of approaching this, but the principles remain the same (i.e., the auditor should consider
what amount of misstatement each account heading can contain before it is no longer fairly presented).
This decision will directly bear on the extent of testing and may change the nature and timing of testing as
well.

(b) Factors may be considered when quantifying planning materiality


Remember that the auditor uses his judgement to decide how much misstatement users of the financial
statements would be prepared to accept, knowing that the financial statements are a fair presentation and
not a “100% correct” certification. The following factors may influence the auditor’s thinking:
• The use of benchmarks is probably the most common starting point and was discussed under the nature
of materiality at 7.3.2.2.
• whether the applicable financial reporting framework may affect the users’ expectations regarding the
measurement or disclosure of certain items, such as directors’ remuneration, and related party trans-
actions. Such matters are of general but often significant interest to users and should be presented as
fairly as possible.
7/24 Auditing Notes for South African Students

• Importance of specific information to users


For example, a bank has provided a long-term loan to the client. One of the terms/conditions of the
loan is that the client must maintain a preset current ratio. If this is not achieved, the loan must be
repaid within six months. The auditor would regard current assets and current liabilities as having
increased importance, as a user (the bank) will be specifically relying on the fair presentation of the
amounts reflected under these account headings. The auditor would plan the audit to ensure that
current assets and current liabilities are fairly presented.
• The key disclosures in relation to the industry in which the entity operates, such as For example, research
and development costs and disclosures in the pharmaceutical industry, or bonuses paid in the banking
industry, particularly to directors. The auditor will want to be sure that these amounts and disclosures
are as fairly presented as possible.
• Legal requirements – the same logic will apply where legal or regulatory requirements govern financial
information, for example, an amount or fact that must be specifically disclosed in terms of the Com-
panies Act or an accounting standard or JSE regulations should be carefully and thoroughly audited to
ensure that misstatement (quantitative or qualitative) is kept at an acceptable level. Users expect fair
presentation of these amounts and disclosures as they are of specific interest.
• The opinions, views and expectations on materiality of those charged with governance and the audit
committee.

7.3.3.2 Performance materiality


Performance materiality levels will be set when the auditor performs tests on specific account balances or
classes of transactions. (Ignore disclosure for the moment.)
For example, let us say that the auditor sets planning materiality for the audit of inventory at R100 000.
Simplistically, this means that the auditor is satisfied that fair presentation of inventory will still be
achieved even if material misstatement of up to R100 000 in the inventory balance is not detected. So does
this mean that when the auditor carries out the audit of inventory, his objective will be solely to detect
errors that are individually over R100 000? The answer is no, for the following reason: The R100 000
planning materiality limit is the maximum or total amount of misstatement that the auditor considers
acceptable for inventory. If the auditor only looks for individual errors of R100 000, he will be overlooking
the fact that the inventory balance could still be overstated by individual errors of less than R100 000 but
that in aggregate (total) exceed R100 000, errors of (say) R45 000, R70 000 and R13 000. Performance
materiality is again a matter of professional judgement and is not a simple mechanical exercise. Because
performance materiality levels are lower (stricter) than planning materiality levels, larger samples (extent of
testing) will be tested. This is logical. In this example, the auditor is not looking for individual errors
exceeding R100 000 but rather for smaller errors that, when added together, exceed R100 000.
In terms of ISA 320, the auditor must determine performance materiality for the purposes of:
• assessing the risks of material misstatement (in the class of transactions, or account balance), and
• determining the nature, timing and extent of further audit procedures.
Again, this is logical. If the auditor does not quantify what a material misstatement is, he will not know
what he is looking for or how to find it!
For example, if you were told by your audit senior to identify and assess the risk of material statement
occurring in the accounts receivable balance of R2 000 000, you would need to know, among other things,
what amount would be considered to be material. Are you considering the risk of misstatement of R5 000
or R500 000? The risk that the accounts receivable balance is “misstated” by R5 000 is probably very high,
but the risk that it is misstated by R500 000 is probably very low. Similarly, when you carry out the audit
plan to respond to your risk assessment, the procedures that you would conduct to ensure that the
probability that the aggregate of uncorrected and undetected misstatements does not exceed R5 000 is
reduced to an appropriately low level will be very different to those you would conduct if the materiality
level were R500 000. Misstatements of R500 000 in a balance of R2 000 000 should not be too difficult to
find, but misstatements of R5 000 (in aggregate) could require far more audit work. The materiality levels
given in this example are somewhat ridiculous, but they illustrate the point!
As you will have gathered, the performance materiality level set will directly affect the nature, timing and
extent of testing. Consider the following hypothetical example: The statement of financial position (balance
sheet) of The Zed Company Ltd, a listed company, reflects an inventory balance of R81 463 000. Let us
assume a range of four possible planning materiality levels for the audit of inventory.
Chapter 7: Important elements of the audit process 7/25

If users of The Zed Company Ltd’s financial statements insisted that no amount of misstatement was
acceptable in the inventory balance, we would have a materiality level of 0 (zero). To satisfy the users that
there were no misstatements in inventory, we would have to count and price every single inventory item
and ensure that every item was saleable at above cost, and in perfect condition. We would also have to
ensure that every single item of inventory purchased or sold has been accounted for, and so on. Of course,
this is a highly theoretical situation, but it illustrates the point that the extent of audit work would be huge
(extent), every kind of audit procedure would have to be used (nature) and we would take all year to do the
audit (timing)! The cost of the audit would be astronomical. It is an impossible situation.
If the users had decided that they would accept R250 000 of misstatement, it follows that we could test
less extensively. This is because even if R250 000 of misstatement is present but is not identified, users will
not be concerned, as misstatement of up to R250 000 will not influence their decisions. Based on this
premise, if users had decided that R2 500 000 or R5 000 000 of misstatement was acceptable, we could test
even less. The difficulty is that users do not conveniently inform the auditors of what amount of mis-
statement is acceptable – that is left to professional judgement!
Also, just a reminder – performance materiality levels take into account the fact that we test for misstate-
ment that in aggregate might exceed the planning materiality level. Performance materiality will be a lower
amount than planning materiality.
It does not end there – we must also remember that an error in inventory is not going to be confined to
one account balance only and could result in material misstatement elsewhere in the financial statements.
Takenet profit before tax as an example. To illustrate the point very clearly, The Zed Company Ltd
made a net profit before tax of only R2 604 000 in the year 0002 (and a loss in year 0001), so a misstate-
ment in inventory of R2 500 000 or R5 000 000 would have a significant effect on net profit before tax and
the financial statements as a whole, even though the misstatement is a small percentage of current and total
assets. Expressed another way, a misstatement of R2 500 000, that affects both inventory and net profit
before tax could not be regarded as immaterial as it has a significant effect on the company’s profit despite
being “not material” to the inventory balance.

7.3.3.3 Planning for qualitative misstatement


Qualitative misstatement essentially deals with disclosure. Having obtained a thorough understanding of
the entity and its environment before considering planning materiality, the auditor should have a good idea
about disclosures that, if omitted or inadequately presented, could influence the user's decision.
For example:
• inadequate or improper descriptions of accounting policies that could mislead the user
• related party transactions
• directors’ remuneration
• litigation in which the client is involved, or
• failure to disclose the possible cancellation of a manufacturing licence or the loss of a substantial
market.
Alerted to the possibility of these qualitative misstatements, the auditor formulates the audit plan to address
them. Some of the tools in the auditor’s toolbox will be used to identify qualitative matters, for example,
inquiry and inspection. Experienced staff may be used to determine whether the qualitative misstatements
have been appropriately dealt with.
7/26 Auditing Notes for South African Students

7.3.3.4 Revision of planning and performance materiality levels


Once a planning materiality level has been set, can it be changed as the audit progresses? The answer is yes.
Planning materiality levels (whether for the financial statements as a whole or for a class of transactions or
account balances) are based upon the auditor’s initial understanding of the entity. If, after setting planning
materiality, the auditor obtains further information that would have affected his thinking about planning
materiality, he can change the planning materiality levels. Remember that planning materiality is the
auditor’s “estimate” of what users of the financial statements would regard as the acceptable level of
misstatement that could be present in the financial statements without influencing their decisions. If the
auditor discovers something that would have affected his initial “estimate”, he should change it.
For example, when setting planning materiality, the auditor may not have known that strict debt
covenants, that require the company to satisfy a range of financial ratios if it wishes to retain the loan, had
been added to the agreements with loan providers. This would warrant a change in the planning materiality
levels initially set as the needs and expectations of (some) users (loan providers) will probably have
changed. The margin of misstatement they are prepared to accept in the account balances that affect the
debt covenant ratios will have been reduced. Another example is as follows. During the audit, long after
having set planning materiality, the auditor discovers that the financial statements will be submitted to the
Department of Trade and Industry (DTI) from whom the audit client wishes to borrow money. Before they
advance a loan the DTI requires, among other things, that the company’s AFS reflect certain profit,
turnover and asset “levels”. As the auditor now knows a user's reliance on specific balances in the financial
statements, his estimate of planning materiality is likely to change. There is greater risk of misstatement in
these balances because the client may be tempted to manipulate them to satisfy the “levels” required by the
DTI.
Performance materiality directly influences the extent (and nature and timing) of the further audit pro-
cedures that are conducted by the audit team on a particular class of transactions or account balances. The
auditor sets performance materiality to match his assessment of the risk of material misstatement in the
class of transaction or account balance. If the information that comes to the auditor changes his initial assess-
ment of the risk of material misstatement, performance materiality may need to change. This will, in turn,
change the “further audit procedures” that must be performed to reduce audit risk to an acceptable level.
Finally, in practice, preliminary judgements about materiality may be based upon preliminary or draft
figures. If this is the case, the auditor will need to consider whether planning materiality will be adjusted if
the client's final figures differ substantially from the draft figures.

7.3.4 Materiality at the evaluating stage (final materiality)


7.3.4.1 Introduction
ISA 450 – Evaluation of misstatements identified during the audit, guides how the auditor should proceed
with regard to misstatements identified on the audit. The statement says that the auditor must
• evaluate the effect of identified misstatements on the audit, and
• evaluate the effect of uncorrected misstatements if any, on the financial statements.
Final materiality is the materiality level or guideline against which the auditor measures the effect of
uncorrected misstatements on the financial statements.

7.3.4.2 Misstatements
• ISA 450 defines a misstatement as “a difference between the reported amount, classification, presenta-
tion or disclosure of a financial statement item and the amount, classification, presentation or disclosure
that is required for the item to be in accordance with the applicable accounting framework”.
• Misstatements (errors) may arise from:
– an inaccuracy in gathering or processing data
– an omission of an amount or disclosure (including inadequate or incomplete disclosure)
– an incorrect accounting estimate arising from overlooking, or clear misrepresentation of, facts
– judgements of management concerning accounting estimates that the auditor considers unreasonable
or the selection of accounting policies that the auditor considers inappropriate
– an inappropriate classification, aggregation or disaggregation of information, or
Chapter 7: Important elements of the audit process 7/27

– an omission of a disclosure that is necessary for the financial statements to achieve fair presentation
but that is not specifically required by the accounting framework adopted for the presentation of the
financial statements.
• Misstatements can arise from error (as described above) or from fraud, that is dealt with later in this
chapter.
• ISA 450 requires that the auditor accumulate (record) all misstatements identified on the audit unless
they are clearly trivial. Clearly trivial should be taken to mean that the misstatement is very small,
insignificant and inconsequential. “Clearly trivial” is not another phrase for not material; because a
misstatement falls below the materiality level it does not mean it is automatically regarded as trivial and
therefore not part of the accumulation of misstatements.
• Uncorrected misstatements that the auditor has accumulated during the audit but have not been
corrected by the client.

7.3.4.3 Consideration of identified misstatements as the audit progresses


Essentially this requirement is about the auditor monitoring how the audit is going in respect of what the
auditor expected and what is reflected by the materiality levels and audit strategy and plan that were put in
place. If misstatements identified on the audit suggest that things are not going as expected or planned, the
auditor may need to revise the audit strategy and plan.
For example, the auditor conducts further audit procedures on the existence of inventory. Suppose the
number of instances where the existence of the inventory items is in question is beyond what is expected by
the auditor, and the value of the (non-existent) items identified is material or may be approaching
materiality. In that case, the auditor will need to consider whether the audit plan needs to be revised. The
instances of non-existence identified may suggest to the auditor that fraud has taken place or internal
controls have broken down and that a revised plan to respond to these "new” risks must be implemented.
The auditor may choose to extend his testing (and/or change the nature of testing) or request management
to conduct the necessary tests to identify missing (non-existent) inventory.

7.3.4.4 Evaluating the effect of uncorrected misstatements on the financial statements


This is about making the final materiality decision – in other words, the auditor now has to decide what to
do about any uncorrected misstatements. The auditor needs to judge whether the uncorrected misstate-
ments are likely to influence the decision of a user. To understand final materiality, we perhaps need to
remind ourselves of what has happened so far on the audit. Having gained an understanding of the client,
identified and assessed risk, formulated an audit plan, the auditor is in a position to carry out further audit
procedures. These procedures are usually performed on samples of populations, for example, sales, debtors,
and creditors. Audit conclusions, however, must be drawn about the populations from which the samples
came; therefore, if there are errors in the sample, the auditor must do the following:

(a) Analyse and project the errors in the sample over the population sampled
If a statistical basis has been used for selecting the sample, the appropriate statistical method for projecting
the error in the sample over the population, will be used. Most often however, auditing firms use a propor-
tional projection method, for example:
error value in sample
× total value of population
total value of sample
to obtain an idea of the extent to which the population is misstated.
7/28 Auditing Notes for South African Students

Whatever method of projection is used, if the projected misstatement for the population is unacceptable,
the auditor must:

(b) Decide whether the audit team should carry out further tests, or whether the client should be
asked to check the population in detail for other errors
After this process has been completed, the auditor must:

(c) Discuss all misstatements with management in an attempt to have them rectified
If management refuses to correct misstatements, the auditor is left with what are termed, uncorrected mis-
statements (commonly referred to as unresolved audit differences), and it is at this point that final mater-
iality comes into play. The auditor must now decide whether the uncorrected misstatements are immater-
ial, (i.e., their presence will not influence a user's decision), or whether they are material. If they are
material, failure to correct them will result in financial statements that contain more misstatement than is
acceptable, (i.e., some aspects of the financial statements are not “presented fairly”), and the auditor will
have to modify the audit opinion. Making this decision is not just a matter of deciding that final materiality
will be equal to planning materiality and that any errors over the planning materiality level will be material.
There are several factors to be considered at the evaluation stage. These are discussed in (d) below. At this
point you may be asking yourself why management might not want to correct all misstatement. Most often,
they will, but sometimes they will not. The reasons for this are that management may:
• disagree that there is a misstatement; for example, the client genuinely believes that its estimation of
inventory obsolescence is fair but the auditor thinks it is too low
• not regard the misstatement as material; that is, management does not believe that leaving the misstate-
ment uncorrected will influence a user’s decision
• have ulterior motives; for example, the directors wish to achieve particular ratios based on figures in the
financial statements. If corrections that the auditor requests are made, the ratios that management
wishes to achieve, will not be reflected
• regard it as “too much hassle” to make the changes; for example, the adjustment would mean changing the
income statement, statement of financial position, consolidation, supporting schedules, etc., or
• be unconcerned about receiving a qualified audit opinion.

(d) Factors to be considered in evaluating uncorrected misstatements


At the planning stage, the auditor used his professional judgement to set a level of misstatement that could
be present in the financial statements without influencing users' decisions. Suppose the audit goes as
expected and the auditor has no reason to change this planning materiality level. In that case, it is logical
that any uncorrected misstatement should be measured against this planning materiality amount to
determine whether it is material for final materiality evaluation purposes. However, as we indicated earlier,
evaluating uncorrected misstatements is not just a matter of comparing the misstatement to a quantified
amount and disregarding those below the amount as immaterial. As ISA 450 says,
“the circumstances related to some misstatements may cause the auditor to evaluate them as material, individually or when
considered together with other misstatements, even if they are lower than materiality for the financial statements as a whole.”
• Factual misstatements, judgemental and projected misstatements
– A “factual misstatement” is a misstatement that the auditor (and therefore the client) can clearly
identify and substantiate with supporting evidence, for example, sales invoices that have been
included in the wrong period. They are misstatements about which there is no doubt.
A “judgemental misstatement” is a difference arising from management judgements, including those
concerning recognition, measurement, presentation and disclosure in the financial statements
(including the selection or application of accounting policies) that the auditor considers unreasonable
or inappropriate.
– A projected misstatement is the auditor’s best estimate of misstatements in populations, involving the
projection of misstatements identified in audit samples over the entire population from which the
sample was drawn.
The auditor makes this distinction as it will affect the attitude or stance that is adopted when dealing
with the treatment of the uncorrected misstatements. If the error is a factual misstatement, the auditor
may be more forceful in requesting that the error be corrected, and if the client refuses, the auditor is on
Chapter 7: Important elements of the audit process 7/29

strong ground if he decides to qualify the audit opinion. Where it is a judgemental or projected misstate-
ment, the auditor will have to be less forceful and open to further discussion and negotiation with
regard to insisting on correction and qualifying the report, because of the error’s subjective nature.
• When evaluating the effect of uncorrected misstatement ISA 450 requires that:
– each individual misstatement of an amount be considered to evaluate its effect on the relevant classes
of transactions, account balances or disclosures, including whether the materiality level for that
particular class of transactions, account balance or disclosure, if any, has been exceeded.
– each individual misstatement of a qualitative disclosure is considered to evaluate its effect on the rele-
vant disclosures, and on the financial statements as a whole. The evaluation of the effect of a
qualitative disclosure misstatement is a matter of professional judgement.
• Offsetting uncorrected misstatements against each other – it is theoretically unsound to offset uncorrected
misstatements against each other to reduce the “effect” of misstatements.
For example, a material misstatement that results in an overstatement of say, R100 000 in inventory
should not be offset against an understatement of say, R120 000 in accounts receivable (or an
overstatement of accounts payable) to reduce the “misstatements” to a net of R20 000. Likewise, as
indicated in ISA 450, if revenue has been materially overstated, the financial statements as a whole will
be materially misstated, even if the effect of the misstatement on earnings has been completely offset by
an equivalent overstatement of expenses.
• Circumstances related to some misstatements may cause the auditor to evaluate them as material even if
they are lower than materiality for the financial statements as a whole. Circumstances that may affect
the evaluation include the extent to which the misstatement:
– affects compliance with regulatory requirements, for example, the misstatement or omission of amounts
relating to directors remuneration may be regarded as material even though the amounts are below
the materiality level
– affects compliance with debt covenants or other contractual requirements, for example, an uncorrected
misstatement in inventory may not be material in terms of the materiality level but may affect
compliance with a requirement (covenant) in a loan contract that inventory does not exceed a certain
amount or percentage of current assets
– impacts on ratios or trends that are “popular” with users of the financial statements in evaluating the
entity’s financial position, results of operations or cash flows, for example, earnings per share
– has the effect of increasing management earnings, for example, a company may pay its management a
bonus based on net profit, before taxation. Therefore, all misstatements that affect net profit before
tax that remain uncorrected will also affect management’s bonuses. Even though management may
be reluctant to correct such misstatements, the audit may “insist” upon the correction of such
misstatements even though they are not quantitatively material. Bonuses paid to management should
be as accurate as possible
– relates to items involving particular parties, for example, contracts entered into by the company in
which a director has a financial interest, should be disclosed. If the company omits this disclosure,
the auditor cannot disregard this misstatement because the value of the contract is below the
materiality level, and
– reflects a level of dishonesty by the directors, for example, if the materiality level is R100 000 for the
accounts receivable balance and the auditor discovers that an unauthorised loan of R75 000 to a
director has been “hidden” in the accounts receivable balance, the auditor cannot regard this as an
immaterial misstatement because it is below the materiality level of R100 000.
The list of circumstances given above is not exhaustive. However, it is sufficient to illustrate that
when evaluating the effect of uncorrected misstatements on the financial statements, both quan-
titative and qualitative factors must be considered by the auditor.
• Misstatements should not be considered in isolation – although each individual misstatement is considered
to evaluate its effect on the relevant classes of transactions, account balances or disclosures, misstate-
ments must be aggregated (added together) for evaluation purposes. Remember that an individual
misstatement in say, inventory may be below the materiality level but when added to other individual
misstatements that are also below the materiality level, the aggregate misstatement may be above the
7/30 Auditing Notes for South African Students

materiality level. Similarly, if misstatements are being measured against a materiality level for total
assets, then the aggregate (total) of uncorrected misstatements relating to account balances making up
total assets must be used for evaluation purposes.

(e) Should final materiality equal planning materiality?


The answer is that the final materiality the auditor uses to evaluate uncorrected misstatements should be
equal to the planning materiality eventually used on the audit. This of course, may not be the auditor’s
initial planning materiality because, as we have seen, the initial planning materiality can change as the
audit progresses. However, if you think about it, the planning materiality the auditor eventually uses is his
best estimate of the amount of misstatement users will accept in the financial statements, so uncorrected
misstatements must be evaluated against this amount.

7.3.5 Conclusion
No magic formula tells the auditor what the planning and performance materiality levels should be or how
uncorrected misstatement should be evaluated. It is a matter of judging the circumstances of each client
separately. You will undoubtedly feel uneasy with this topic, but this is not surprising – understanding the
concept is straightforward, its application less so. The entire question of “what is material” and “how
should it be addressed” causes most practitioners some concern, and it is only years of experience that
build confidence and improve professional judgement.

7.4 The auditor’s responsibilities relating to fraud in an audit of financial statements


7.4.1 Introduction
As a result of the increase in fraud worldwide, particularly the now notorious frauds at Enron, Parmalat,
LeisureNet, Steinhoff and VBS Bank to name just a few, a lot of attention has been focused on the
accounting profession. Such questions as “where were the auditors?”, and why didn’t the auditors pick up
the fraud?, have been asked repeatedly. While these questions may be very simplistic and naïve, the
profession moved quickly to address the issue by, among others, substantially increasing reference to fraud
in its auditing pronouncements. ISA 240 – The auditor’s responsibilities relating to fraud in an audit of
financial statements deals with this topic in depth.

7.4.2 Auditor’s objective


In terms of ISA 240 – The objectives of the auditor are to:
• identify and assess the risk of material misstatement of the financial statements due to fraud
• obtain sufficient, appropriate audit evidence regarding the assessed risk of material misstatement
through designing and implementing appropriate responses
• respond appropriately to fraud or suspected fraud identified during the audit.

7.4.3 Terminology – Definitions (compiled from various sources in ISA 240)


• Error. This term refers to an unintentional act that results in a misstatement in the financial statements
and may include:
– a mistake in gathering or processing data from which financial statements are prepared, for example:
o mathematical or clerical mistakes (e.g., incorrect depreciation calculations)
o omission of a transaction (e.g., failure to record a sale)
– oversight or misinterpretation of facts (e.g., charging incorrect rates of interest as a result of failing to
understand the terms of the loan agreement)
– misapplication of accounting policies (e.g., capitalising an operating lease through ignorance of the
financial reporting standards).
• Fraud. This term refers to an intentional act by one or more individuals among management, those
charged with governance, employees or third parties involving the use of deception to obtain an unjust
or illegal advantage.
• Fraud risk factors. This term relates to events or conditions that indicate an incentive or pressure to
commit fraud or provide an opportunity to commit fraud.
Chapter 7: Important elements of the audit process 7/31

• Management fraud. This term relates to fraud involving one or more members of management or those
charged with governance.
• Employee fraud. This term relates to fraud involving only employees not management or those charged
with governance.
• Fraudulent financial reporting. Fraudulent financial reporting involves intentional misstatements,
including omissions, in financial statements to deceive financial statement users, for example, the
directors deliberately understate the liabilities and overstate the assets of their company to secure a loan
from a bank, or they manipulate earnings either to reduce taxation or increase their own performance-
based remuneration. Fraudulent financial reporting, that will normally be perpetrated by management
or those charged with governance, may be accomplished by the following:
– Manipulation, falsification or alteration of the accounting records or supporting documentation underlying the
financial records.
For example:
o changing the balance on a debtors account to reflect a higher value
o inflating the cost price of inventories, or
o including fictitious sales.
– Misrepresentation in, or intentional omission from the financial statements, of events, transactions or other
significant information.
For example:
o omitting a significant contingent liability from the notes
o underproviding or failing to provide at all for known future losses, or
o failing to reflect the sale of material assets.
– Intentional misapplication of accounting principles to amounts, classification, manner of presentation or dis-
closure.
For example:
o failing to capitalise finance leases, or
o intentionally using an inappropriate policy for revenue recognition to inflate profits.
– Management override (particularly where controls appear to be operating effectively). Fraud can be committed
by management overriding controls using techniques such as intentionally:
o recording fictitious journal entries to manipulate operating results or other balances, for example,
raising fictitious sales by journal entry
o inappropriately adjusting assumptions or changing judgements used to estimate account balances,
for example, understating asset impairments
o omitting, advancing or delaying recognition of events and transactions at reporting date, for
example, recognising profits on a long-term contract prematurely
o omitting, obscuring or misstating disclosures required by the applicable financial reporting frame-
work, or disclosures that are necessary to achieve fair presentation
o concealing facts that could affect the amounts recorded in the financial statements, for example,
remaining silent about a major debtor who has been placed in liquidation
o engaging in complex transactions structured to misrepresent the financial performance or position
of the company, for example, manipulating intercompany balances (in a group) to “reallocate”
profits earned by the related companies, and
o altering records and terms relating to significant or unusual transactions.
7/32 Auditing Notes for South African Students

• Misappropriation of assets. This involves the theft of an entity’s assets and may be perpetrated by employ-
ees or management. It is harder for the auditor to detect where management is involved, as it is easy for
management to conceal or disguise the misappropriation. Misappropriation would include:
– Embezzlement
For example:
o stealing cash sales, and
o stealing receipts from debtors (and writing off the debtor as bad).
– Theft of physical assets or intellectual property
For example:
o stealing inventory for personal use or sale, or
o selling the company’s trade secrets to a competitor.
– Causing the entity to pay for goods and services not received
For example:
o paying wages to fictitious (dummy) employees or
o making payments to a (fictitious) company set up by management for goods that are never
received.
– Using the company’s assets for personal use
For example:
o hiring out the company’s equipment at weekends and keeping the fees charged or using the
entity’s assets as collateral (security) for a personal loan.
The distinguishing feature between fraud and error is intention. In a sense, errors are made in "good faith"
while fraud is in “bad faith”, there is an intention to misrepresent and thereby cause prejudice to some
party. Although the distinguishing feature is intention, it is not always easy for the auditor to determine
the intention of the directors. This is particularly true where there is a high level of subjectivity involved
in the financial statement item in which the suspected misrepresentation has taken place, for example,
an estimate, or where there are options, for example, a range of possible accounting policies that could
be adopted and that produce different results. There is no definite or conclusive way of determining
intention, but obviously, the auditor’s assessment of the integrity of management will be an important
consideration.

7.4.4 Responsibility of management and those charged with governance


The responsibility for preventing and detecting fraud and error lies with those charged with governance as
well as with management. This responsibility should be met by the implementation and continued
operation and monitoring of the system of internal control. Management and those charged with govern-
ance need to set the proper tone and create and maintain a culture of honesty and ethics, in other words a
strong control environment. Although the auditor may make recommendations about internal control,
management carries the responsibility for a sound system of internal control. Management is also
responsible for consciously assessing the risk that the financial statements may be materially misstated due
to fraud.

7.4.5 Responsibilities of the auditor


So, where does this leave the auditor? ISA 240 lays down what is required of the auditor in respect of fraud.
The auditor should:
(a) Maintain an attitude of professional scepticism. In the context of the auditor’s responsibility to fraud, this
means that the auditor should not be “led around by the nose” by the client and simply accept what he
is told regardless of who tells him. The auditor should realise that in today’s business environment,
fraud is widespread and therefore, the risk of occurrence is high. In a nutshell, today’s auditor must
not be naive and believe that the client's intentions are always honest and honourable. Even if
management has acted with integrity in the past, the auditor cannot assume that they will continue to
do so. Circumstances change, for example, the client may have become, in the past year, a subsidiary
Chapter 7: Important elements of the audit process 7/33

of a holding company that demands high levels of performance. Your client’s management may be
tempted into adopting dubious business practices and manipulating financial reports in an attempt to
meet performance targets and avoid losing their jobs.
(b) Facilitate the discussion of a client’s susceptibility to material misstatement due to fraud, amongst the
audit team.
Discussing the susceptibility of the entity’s financial statements to material misstatement due to fraud:
• provides an opportunity of more experienced members of the engagement team to provide insight
as to how and where the financial statements may be susceptible to material misstatement due to
fraud
• assists the auditor to consider an appropriate response to points raised by the experienced members
of the team and to decide on which members of the team will conduct the relevant audit
procedures, and
• enables the auditor to determine how the audit team will use the results of such audit procedures
and deal with any allegations of fraud that may come to the auditor’s attention.
The discussions with the audit team may include such matters as:
• an exchange of ideas about how and where the company’s financial statements (including
disclosures) may be susceptible to material misstatement due to fraud
• how management could perpetrate and conceal fraudulent financial reporting and how assets could
be misappropriated
• circumstances that may be indicative of earnings by management and the practices that man-
agement might follow to manage earnings that could lead to fraudulent financial reporting, for
example, manipulating sales cut-off
• the risk that management may attempt to present disclosures in a manner that may obscure a proper
understanding of the matter by, for example, using confusing and over-technical language
• any internal or external factors (known to, or suspected by, members of the team) that may:
– create an incentive or pressure for management to commit fraud
– provide an opportunity for fraud to be perpetrated, or
– indicate a culture or environment that enables management or others to rationalise committing
fraud, for example, a disgruntled management team at odds with the board
• management’s involvement in overseeing employees with access to cash or other assets susceptible
to theft
• any unusual or unexplained changes in behaviour or lifestyle of management or employees that has
come to the notice of the engagement team, for example, formally co-operative members of
management who have become uncooperative
• the need for team members to exercise professional scepticism
• the types of circumstances that, if encountered, might indicate the possibility of fraud, for example,
evasiveness in responding to questions put to employees, domineering management behaviour
• how to incorporate an element of unpredictability into the nature, timing and extent of the audit
procedures to be performed, for example, not carrying out procedures that are expected at a time
that they are not expected, for example, a surprise, random inventory count of selected items
• the most effective audit procedures to conduct in response to the suspicion/susceptibility of fraud
• any allegations of fraud that may have come to the auditor’s attention, and
• the risk of management override of controls.
(c) Conduct risk assessment procedures and related activities.
• When obtaining an understanding of the entity and its environment (ISA 315 (revised)), the auditor
should enquire of management as to:
– its assessment of the risk that the financial statements will be materially misstated due to fraud
– its processes for identifying and responding to the risks of fraud including details of any fraud
already identified (or that management considers likely)
7/34 Auditing Notes for South African Students

– its processes for responding to alleged fraud: for example, a supplier notifies management that
one of the company’s buyers is taking kickbacks from other suppliers, what action is taken
– its communication with those charged with governance regarding the identification of, and
response to, fraud, and
– how management communicates its stance on ethical behaviour to employees.
• The auditor should make enquiries of management, those charged with governance, internal audit
and others in the organisation (e.g., in-house legal counsel, the ethics officer, human resource
manager, operating personnel not directly involved in financial reporting) to determine whether
they know any actual, suspected or alleged fraud.
• The auditor should obtain an understanding of how those charged with governance exercise their
responsibility to oversee management’s processes for identifying and responding to the risk of fraud
by:
– attending meetings at which such matters are addressed
– reading minutes of such meetings, and
– direct enquiry of those charged with governance.
• The auditor should consider unusual or unexpected relationships when performing analytical
procedures to obtain an understanding of the entity and its environment, for example, unexpected
fluctuations in the gross profit percentage ratio may indicate fraudulent misstatements of the figures
used in calculating the ratio, for example, inclusion of fictitious sales, overstatement of closing
inventory, etc.
• The auditor should consider information from other related activities, for example, information
obtained at an interim audit, while conducting preliminary engagement activities.
• The auditor should consider whether the information gained when obtaining an understanding of
the entity and its environment, indicates that one or more fraud risk factors are present, see fraud risk
factors below.
(d) Identify and assess the risk of material misstatement due to fraud at financial statement level and at
assertion (account balance/transaction/disclosure) level.
(e) Determine an overall (audit) response to address the risk of material misstatement due to fraud at
financial statement level and assertion level.

7.4.6 Responses to the risk of material misstatement due to fraud


7.4.6.1 At financial statement level
The auditor should:
• consider the assignment (and supervision) of appropriate staff, who should be:
– competent and technically skilled (experts if necessary)
– experienced
– strongly independent (will not be bullied by client), and
– able to adopt the correct degree of professional scepticism
• consider the accounting policies adopted by management, that could be:
– appropriate and properly applied, or
– indicative of fraudulent financial reporting, chosen to manipulate earnings or to fraudulently
influence the perceptions of users, and
• incorporate an element of unpredictability in determining nature, timing and extent of testing.
Management generally have some idea of what the auditor will do. Changing the nature, timing and
extent of tests may throw management off balance, and upset their attempts to conceal fraud. There
should also be an increase in the need to corroborate management’s explanations/representations
concerning material matters.
Chapter 7: Important elements of the audit process 7/35

7.4.6.2 At assertion level


• The auditor should consider the nature, timing and extent of testing necessary to reduce the risk of
material misstatement due to fraud being present, to an acceptably low level.
• The tests and procedures that the auditor has available in compiling the audit plan to address the risk of
fraud are no different to those that are used to respond to the risk of unintentional material
misstatement. The auditor must still decide on what tests to do (nature), when to do them (timing), and
how much to do (extent). However, when addressing an appropriate response to fraud, the auditor
needs to remember that:
– those who have perpetrated the fraud will attempt to conceal it, making it far more difficult for the
auditor, and
– the most reliable and relevant evidence must be sought. There can be severe consequences arising out
of fraud and the auditor needs to be on firm ground before either deciding there is fraud, or whether
there is no fraud.
• Generally speaking, the nature of testing is likely to become more inclusive, for example, inquiry
supported by inspection and analytical review to provide more corroborative evidence coupled with
more extensive testing. The auditor may also decide that due to management override, the focus should
be on substantive testing; or that external or auditor-generated evidence must be sought, as opposed to
relying on the representations of management or other internally generated evidence. The auditor may
also decide that the use of experts is necessary (e.g., identifying fake goods) or that CAATs be used to
extensively interrogate databases, for example, searching for anomalies such as duplicate ID numbers,
or duplicate bank accounts in an employee master file, when the inclusion of fictitious employees is
suspected. Concerning the timing of tests, the auditor may decide to change “normal” timing by
introducing surprise visits, in an attempt to catch the client (management) off guard, for example,
arriving unannounced to count and reconcile till cash (in a cash retail business), count inventory or
conduct physical verifications of employees.

7.4.6.3 Management override


The auditor should design and perform audit procedures to respond to the risk of management override. To
respond to this risk the auditor should:
• test the appropriateness of journal entries and other adjustments made in the preparation of the financial
statements (remember that even a system that produces valid, accurate and complete data can be
overridden by passing a journal entry to manipulate the balances or totals produced by that system). In
deciding on which entries and other adjustments to select for testing, the auditor should consider:
– the presence of any fraud risk factors that might indicate journal entries related to fraud, for example,
there is an assessed risk that proceeds from debtors are being stolen and concealed by writing off the
debtor as bad
– the effectiveness of the client’s controls over the authorisation and implementation of all journal entries,
and concentrate on those that are inadequately authorised or where implementation has been
abnormal in terms of the internal control system
– whether the characteristics of fraudulent journal entries and other adjustments are present. Such journal
entries and other adjustments often reflect the following characteristics
(i) entries are made to unrelated, unusual or seldom used accounts
(ii) they are passed by individuals who do not normally make journal entries
(iii) they are not supported by adequate reasons, explanations or descriptions
(iv) they are not posted to specific ledger accounts, but rather directly to amounts in the financial
statements at period end, or
(v) they contain round amounts or consistent ending numbers
– the nature and complexity of the accounts used in the entry, for example, fraudulent journal entries may
be made to accounts that contain transactions that are complex or unusual, are not reconciled
regularly, or seem to have no specific purpose, such as “slush funds”, and
– whether the journal entry is outside of the normal course of business (i.e., non-recurring). Because the
internal control system does not normally address non-recurring journal entries, there is a greater
chance that they will be fraudulent
7/36 Auditing Notes for South African Students

• review accounting estimates for biases that could result in material misstatement due to fraud, for
example, deliberate understatement of allowances such as obsolete inventory, bad debts, depreciation/
impairment, to intentionally manipulate earnings figures. Consider with professional scepticism any
changes to assumptions used in estimating account balances
• obtain an understanding of the business reasons of significant transactions outside of the normal course
of the company’s business, or that otherwise appear to be unusual, for example, the company suddenly
purchases another company that manufactures a completely different and unrelated product to that
which the company itself manufactures
• pay careful attention to the completeness, relevance, accuracy and understandability of material
disclosures to identify any omission, obscuring or misstating disclosures required by the financial
reporting framework or that are required to achieve fair presentation.

7.4.6.4 Evaluation of evidence


The auditor should consider whether the assessment of material misstatement at assertion level remains
appropriate once the initial planned audit procedures have been conducted (ISA 330). In actually carrying
out the planned audit procedures, the auditor may be alerted to the possibility of fraud by the existence of
numerous situations or circumstances. ISA 240 provides a lengthy list of these circumstances that,
individually or in combination, indicate the possibility that the financial statements may contain material
misstatement resulting from fraud. Some examples have been listed below to illustrate.

Discrepancies in the accounting records


• Bank and other reconciliations are not conducted timeously
• unauthorised transactions, for example, unauthorised travel expenditure
• evidence of employees’ access to systems and records inconsistent with that necessary to perform their
authorised duties, for example, a factory foreman has access to the employee master file
• tips or complaints to the auditor about alleged fraud, for example, fraud hotlines, and
• last minute adjustments that significantly affect financial results.

Conflicting or missing evidence


• Missing documents or documents that appear to have been altered, for example, purchase transactions
selected for testing are not supported by purchase orders or supplier delivery notes
• unexplained items on reconciliations
• unexplained changes in trends, ratios or relationships, for example, increase in sales commission
expense but no increase in sales
• inconsistent, vague or implausible responses from management or employees arising from inquiries or
analytical procedures
• payments for services (e.g., to lawyers, consultants or agents) that appear excessive concerning the
services provided
• unusual discrepancies between the entity’s records and external confirmation replies
• missing inventory or physical assets, revealed by existence testing, and
• unavailable or missing electronic evidence inconsistent with the company’s retention practices.

Problematic or unusual relationships between the auditor and management


• Denial of access to records, facilities, certain employees, customers, etc.
• undue time pressures imposed by management to resolve complex or contentious issues, or unrealistic
audit deadlines
• management intimidation (or attempted intimidation) of engagement team members
• unusual delays by the entity in providing requested information
• unwillingness to agree to the use of (reasonable) CAATs (particularly where there is no realistic alter-
native method of gathering evidence)
• an unwillingness to address identified weaknesses in internal control on a timely basis, and
• a general lack of co-operation.
Chapter 7: Important elements of the audit process 7/37

Other
• Unwillingness by management to permit the auditor to meet privately with those charged with govern-
ance
• changes in accounting estimates that do not appear to result from changed circumstances, and
• tolerance of violations of the entity’s code of conduct.
Note: The auditor will also consider whether an identified misstatement (not initially thought to be fraud)
is in fact fraud. In effect this will be an assessment of whether the misstatement is intentional. If so,
the auditor should consider the effect of this (fraud) on the rest of the audit, especially other repre-
sentations made by management.

7.4.6.5 Management representations.


The auditor should obtain written representations from management relating to fraud. These representa-
tions should:
• contain management’s acknowledgement that it is responsible for the design, maintenance and imple-
mentation of internal control to prevent and detect fraud
• state that management has disclosed to the auditor, the results of its assessment of the risk that the
financial statements may be materially misstated as a result of fraud
• state that management has disclosed to the auditor its knowledge of fraud or suspected fraud involving:
– management and/or
– employees, and
• state that management has disclosed to the auditor any allegations of fraud or any suspected fraud
affecting the entity’s financial statements communicated by employees, former employees, analysts,
regulators or others.

7.4.7 Fraud risk factors


7.4.7.1 Introduction
When understanding the entity and its environment and assessing the risk of material misstatement due to
fraud, the auditor must consider whether the information obtained, indicates presence of fraud risk factors.
ISA 240 divides these factors into two categories, namely:
• risk factors relating to misstatement resulting from fraudulent financial reporting – these are factors that
indicate to the auditor that the financial statements may be manipulated to achieve fraudulent financial
reporting, and
• risk factors relating to misstatements resulting from misappropriation of assets.
The statement then suggests that each of the above categories should be looked at from the perspective of:
• incentives/pressures, that is, are there incentives for, or pressures on management to report fraudulently
or for management or employees to misappropriate assets?
• opportunities, that is, are there opportunities for fraudulent financial reporting or misappropriation of
assets?
• attitudes/rationalisations, that is, does management’s and employees’ attitude and behavioural manner
suggest an environment conducive to fraudulent reporting or misappropriation of assets?
The following examples are presented to illustrate the above. A more comprehensive list can be found in
ISA 240. Bear in mind that where fraud is being perpetrated, a number of risk factors are likely to be
present.
7/38 Auditing Notes for South African Students

7.4.7.2 Fraudulent financial reporting


(a) Incentives/Pressures
These factors may provide an incentive or place pressure on management to engage in fraudulent financial
reporting or the factors may indicate that management has reported fraudulently.
• Financial stability or profitability is threatened by economic, industry or entity operating conditions:
– a high degree of competition accompanied by declining margins
– a high vulnerability to rapid changes, such as changes in technology, product obsolescence, or
interest rates, for example, electronics companies
– operating losses threatening going concern, and
– new accounting, statutory, or regulatory requirements (e.g., the application of new environmental
legislation relating to certain chemical products will significantly affect the saleability of the com-
pany’s inventory).
• Excessive pressure exists for management to meet the requirements or expectations of third parties due to the
following:
– profitability or trend level expectations of investment analysts, institutional investors, significant
creditors, or other external parties
– the need to obtain additional debt or equity financing to stay competitive, for example, manipulating
financial statements used to support a loan application
– difficulty in meeting debt repayment or other debt covenant requirements, for example, manipulating
the financial statements to maintain prescribed financial ratios specified in a loan agreement, and
– perceived or real adverse effects of reporting poor financial results on significant pending trans-
actions, such as a merger or the awarding of a contract, for example, a construction company
reporting financial losses, having recently tendered for a large contract to construct an office block.
• Information that indicates that the personal financial situation of management is threatened by the entity’s
financial performance arising from the following:
– significant personal financial interests in the entity, for example, management members hold
significant numbers of shares
– significant portions of their compensation (e.g., bonuses, share options are contingent upon achieving
aggressive targets for operating results, financial position or cash flow, for example, the gross amount
of management bonuses is 25% of net profit after tax, and
– personal guarantees of debts of the entity, for example, directors, have given personal guarantees for
the company's debts.
• There is excessive pressure on management to meet financial targets established by those charged with govern-
ance, including sales or profitability incentive goals.

(b) Opportunities
These factors are examples of conditions/situations that provide the opportunity for management to
engage in fraudulent financial reporting:
• The nature of the industry or the entity’s operations
– significant related-party transactions particularly where the same firm does not audit the related party
– a strong financial presence or ability to dominate a certain industry sector that allows the entity to
dictate terms or conditions to suppliers or customers that may result in inappropriate or non-arm’s
length transactions
– assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judge-
ments or uncertainties that are difficult to corroborate, that can be used to manipulate results
– significant, unusual, or highly complex transactions, that can be used to manipulate results, and
– use of business structures or business methods for which there appears to be no clear business
justification, for example, importing goods indirectly through a neighbouring country.
Chapter 7: Important elements of the audit process 7/39

• Ineffective monitoring of management


– domination of management by a single person or small group (in a non-owner-managed business)
without compensating controls, and
– ineffective oversight by those charged with governance over the financial reporting process and
internal control.
• A complex or unstable organisational structures evidenced by the following:
– difficulty in determining the organisations or individuals that have a controlling interest in the entity
– overly complex organisational structure involving unusual legal entities or unusual managerial lines
of authority, and
– high turnover rates of senior management, legal counsel, or those charged with governance.
• Internal control components that are deficient as a result of the following:
– inadequate monitoring of controls
– high turnover rates or employment of ineffective staff in accounting, internal audit, or information
technology, and
– ineffective accounting and information systems.

(c) Attitudes/Rationalisations
These are factors or situations that may indicate that management may be predisposed to fraudulent finan-
cial reporting:
• ineffective enforcement of the entity’s values or ethical standards by management, or the presence of
inappropriate values or ethical standards
• non-financial management’s excessive participation in selecting accounting policies or the determina-
tion of significant estimates (this suggests they have a personal financial interest in reported earnings)
• history of allegations against members of management, etc., for fraud or violations of laws and regula-
tions (e.g., insider trading)
• excessive interest by management in maintaining or increasing the entity’s share price or earnings trend
• an interest by management in employing inappropriate means to minimise reported earnings for tax-
motivated reasons, for example, understating sales
• the owner-manager makes no distinction between personal and business transactions, for example,
takes holidays and charges the cost to the company, and
• the relationship between management and the auditor is strained, for example, domineering or dismis-
sive management attitude towards the audit team.

7.4.7.3 Fraud risk factors relating to misstatements resulting from misappropriation of assets
The presence of the following conditions or factors should alert the auditor to the possibility of misstate-
ment arising from misappropriation of assets:

(a) Incentives/Pressures
These factors provide an incentive for management or employees to misappropriate assets:
• personal financial problems, and
• adverse relationships, between the entity and its employees, including management, for example, dis-
satisfaction with compensation or other conditions of service, or anticipated retrenchments (employee
lay-offs).

(b) Opportunities
These fraud risk factors pertain to the nature of an entity’s assets, the degree to which they are subject to
theft, and the lack of internal control related to it.

Nature
• large amounts of cash on hand
• inventory characteristics, such as small size combined with high value and high demand, for example,
jewellery, iPads
7/40 Auditing Notes for South African Students

• easily convertible assets, for example, bearer bonds or diamonds, and


• fixed asset characteristics, such as small size, marketability and lacking in ownership identification, for
example, hand-held power tools.

Internal control
• inadequate segregation of duties, for example, storeman has “write access” to inventory records
• lack of appropriate management supervision, for example, no supervision and observation of goods
being taken into or despatched from the warehouse
• lack of procedures to screen job applicants for positions where employees have access to assets
susceptible to misappropriation (poor personnel practices)
• inadequate record-keeping for, and reconciliation of assets (theoretical to actual)
• lack of an appropriate system of authorisation and approval of transactions, for example, acquisition of,
and payment for, purchases
• poor physical safeguards over cash, investments, inventory or fixed assets
• lack of timely and appropriate documentation for transactions, for example, allowing customers to take
goods, but doing the paperwork later
• lack of mandatory vacations for employees performing key control functions. Employees who are
involved in fraudulent activities usually do not want to take a holiday, as being absent makes it very
difficult for that person to cover his tracks or conceal her fraudulent activities
• inadequate authorisation and review of senior management expenditures, for example, travel claims,
and
• inadequate management understanding of IT, that enables IT employees, to do “what they like”.

(c) Attitudes/Rationalisations
These are factors that indicate that management/employees have a relaxed, casual or negative attitude
towards controls relating to the prevention of misappropriation of assets, and include:
• poor control environment, for example, ignoring incidents of theft, and overriding controls
• changes in behaviour or lifestyle that may indicate assets have been misappropriated, for example, man-
agement taking expensive holidays, driving expensive cars, etc., and
• behaviour on the part of the employees (including management) that indicates displeasure or dis-
satisfaction with the entity or its treatment of its employees.

7.4.8 Communication with management, those charged with governance and others
7.4.8.1 Introduction
If the auditor identifies misstatement resulting from fraud, appropriate action will need to be taken. Before
proceeding, there are several matters to which the auditor will need to give consideration, to ensure that his
actions are appropriate:
• Confidentiality – the auditor is bound by confidentiality and cannot simply inform all and sundry about
the fraud, for example, it would be inappropriate to make direct contact with SARS, a creditor, a trade
union.
• Management involvement in fraud – fraud is by no means perpetrated only by (non-management)
employees. The majority of large financial frauds are perpetrated by management, often including the
directors. If the auditor believes that management is involved, great care must be taken in deciding to
whom the fraud should be reported.
In principle, fraud should be reported to the level of authority above the level at which it has been
perpetrated or is suspected; for example, if a wage fraud is perpetrated by the paymaster, it should be
reported to the financial accountant. If the financial accountant is also suspected of being involved, it
should be reported to the financial director. If the financial director is also suspected of being involved,
it should be reported to the Chairperson of the Board or the audit committee (those charged with
governance). And of course if none of this proves successful, it may be necessary to report the matter to
the IRBA as a “reportable irregularity.”
Chapter 7: Important elements of the audit process 7/41

• Absolute evidence of fraud? While the auditor does not have to have absolute proof of fraud before taking
action, he should make certain that he has obtained sufficient appropriate evidence to support his
contention and should be careful not to make direct accusations. The entire matter should be docu-
mented.
Note also that for a “reportable irregularity” (which many frauds will be) to become “reportable” in terms
of section 45 of the APA, the auditor needs only to “have reason to believe” that the reportable irregularity
is taking place, not absolute evidence.

7.4.8.2 Parties with whom the auditor might communicate concerning fraud
There are several individuals/parties with whom the auditor may communicate:
• Management (other than the Board of Directors) – as indicated earlier, the general principle is that fraud
should be reported to the level above the level at which the fraud has been perpetrated. The auditor will
need to decide:
– whether the “level above” is sufficiently high in the organisation; for example, a major fraud
conducted by a wage clerk would probably be reported to the financial director, not only the pay-
master, and
– whether the “level above” is in any way involved in the fraud, in which case it should be reported to
a higher level.
• Those charged with governance of the company – while management other than the Board, are responsible
for the day to day implementation and application of practices and procedures that uphold proper
governance, the Board of Directors is ultimately responsible for good governance. In addition, the
Companies Act 2008 requires that public companies appoint audit committees. Audit committees share
the responsibility for good governance. The auditor's decision is whether it is necessary to report the
fraud to the Board and the audit committee. In general terms, the auditor should report the following:
– material weaknesses in internal control (this means management are not meeting their responsibility
and risk of fraud is increased)
– issues regarding management integrity
– fraud involving management, and
– other fraud that results in material misstatement of the financial statements.
• Regulatory and enforcement authorities – once again the auditor’s duty of confidentiality would preclude
reporting fraud to a third party. However, the duty of confidentiality is overridden in certain circum-
stances where:
– a reportable irregularity is reported to the IRBA in terms of section 45 of the APA
– the court or statute requires that such information be disclosed, and
– the client gives permission.
• Proposed successor auditor – the question of whether an auditor who has resigned (or is about to be
replaced) may disclose details of fraud or suspected fraud to the proposed (successor) auditor. The Code
of Professional Conduct requires that the proposed auditor should communicate with the existing
auditor to establish whether it would be appropriate for the proposed auditor to accept the engagement.
The extent to which the existing auditor may discuss the client's affairs will depend on whether the
client has given the existing auditor permission to discuss these affairs with the proposed auditor. If
permission has not been granted, the existing auditor may not discuss the client's affairs with the
proposed auditor, but should convey to the proposed auditor that permission has been refused.

7.4.9 Fraud and retention of clients


• Should an auditor continue to service a client company at which fraud is a frequent occurrence? The
answer is that where there is a high incidence of fraud, there is high audit risk, and ultimately, it is not
in the best interests of an individual firm, or the profession as a whole, to retain such a client,
particularly if management or those charged with governance will not take decisive action to eradicate
fraudulent practices.
• An auditor who resigns because there is too much fraud or suspected fraud at a client company will
have to carefully consider whether the client's fraudulent activities constitute a reportable irregularity. If
so, the auditor must fulfil his obligations in terms of section 45 of the APA before resignation.
7/42 Auditing Notes for South African Students

• The auditor should also consider his overriding duty to act in a professional manner, with honesty and
integrity and to fulfil his duty to conclude the audit. The auditor should make every attempt to fulfil his
reporting obligations – that is precisely why he has been appointed. To resign from an engagement,
especially before the expiry of his term of office, should not be an easy option taken simply to avoid
getting into a time consuming, confrontational or otherwise unpleasant situation, and doing so may
have legal consequences for the audit firm.

7.5 Consideration of laws and regulations in an audit of financial statements –


ISA 250
7.5.1. Introduction
This statement gives guidance on the auditor’s responsibilities concerning non-compliance by the client
with the laws and regulations that govern the client’s business.

7.5.2. Important considerations


• There are often numerous laws and regulations that govern the client’s business, for example, environ-
mental, operating, income tax and health legislation (to mention just some), as well as municipal,
regional council and industry regulations.
• The auditor is not expected to have an in-depth knowledge of all these laws and regulations but should
be aware of those that could have a material effect on the financial statements if not complied with.
Some of these are easy to identify: all auditors should be aware of the consequences of non-compliance
with the Companies Act or the Income Tax Act and very often the effect on the financial statements is
reasonably quantifiable. However, non-compliance with other laws and regulations may not be quite so
obvious to the auditor (but see para 7.5.3 below).
For example, non-compliance with the Road Transportation Act may result in heavy fines or the
suspension of a licence. The latter penalty could seriously affect the going concern ability of the entity.
• The average auditor is not an expert in legal matters and may therefore not be able to determine
whether there has been non-compliance by the client. This does not let the auditor off the hook; the
procedures indicated below should be carried out and if, as is likely, legal opinion is required, the
auditor should seek it.

7.5.3. Auditor’s duties, responsibilities and procedures


• The auditor has no responsibility to prevent non-compliance, that responsibility rests with management
and those charged with governance.
• When complying with ISA 315 (revised) – Identifying and assessing the risk of material misstatement,
the auditor should consider the risk of material misstatement being present in the financial statements
arising from the client’s noncompliance with laws and regulations. The general principle of professional
scepticism should prevail throughout the audit.
• When understanding the entity and its environment, the auditor should obtain a general understanding
of the laws and regulations that govern the client. The auditor will commence by identifying such laws
and regulations.
For example, if the company is listed and involved in foreign transactions (very likely) and road
transportation, the audit team should be appraised of the salient features of the JSE regulations and the
Acts that govern foreign exchange transactions and road transportation, and instructed to be alert to the
possibility of non-compliance with these laws and regulations. This would extend to the performance of
tests specifically to identify non-compliance, for example, enquiries may be made of management and
third parties, and documents may be inspected to confirm that the client is complying with any
regulation or law that is critical to its continued existence and has a bearing on fair presentation if there
has been non-compliance.
• During the performance of the audit, the auditor must be alert to evidence that could indicate that non-
compliance has occurred. Some examples are as follows:
– investigation of the client’s affairs by government or regulatory bodies
– the payment of fines or penalties
Chapter 7: Important elements of the audit process 7/43

– material transactions for which there is inadequate or insufficient supporting documentation, for
example, unsupported payments to government employees, related parties
– unusual transactions, for example, what is the reasoning? Is there an attempt to get around the law?
– large cash payments, for example, paying bribes, laundering money, or buying stolen goods?
– purchase at non-market prices, for example, why would the company pay more than the market
price?
– excessive salesperson or agents’ commissions, for example, why are the commissions higher than the
market?, and
– newspaper articles or news reports that suggest the occurrence of illegal practices in the particular
industry in which the client operates, such as the importation of fake brand-name goods.
As mentioned earlier, the auditor should view the presence of any of the above with professional
scepticism.
• If the auditor becomes aware of a possible instance of noncompliance, the auditor should gather
sufficient evidence to evaluate:
– the potential financial consequences, such as fines, damages, litigation, expropriation of assets
– whether adjustment to, or disclosure in, the financial statements, is required, and
– whether failure to adjust or disclose, the financial consequences of non-compliance will result in a
failure on the part of management, to achieve fair presentation of the financial statements.
• All findings should be documented and discussed with management.

7.5.4 Reporting of non-compliance


As with the reporting of fraud, the auditor reporting non-compliance may need to report to various bodies,
however, the principles are the same as for reporting fraud.

7.5.4.1 To management and those charged with governance


The auditor should report to the audit committee, the board of directors, and senior management as soon
as practicable. The principle of reporting to a higher level than the level perpetrating the non-compliance
still holds. If the auditor believes that management is intentionally failing to comply with laws and
regulations, it will be necessary to consider whether the non-compliance constitutes a reportable material
irregularity in terms of section 45 of the APA.

7.5.4.2 To users of the financial statements


If the auditor concludes that the non-compliance has a material effect on the financial statements and has
not been adequately dealt with in the financial statements, the audit report should be modified accordingly.
The audit report is the appropriate medium to report to users and to communicate in other ways without
client consent would be a breach of confidentiality.

7.5.4.3 Regulatory and enforcement agencies


Usually, the auditor’s duty of confidentiality would preclude him from reporting to third parties. However,
in terms of certain statutes, for example, the APA, or regulatory requirements, this duty may be over-
ridden. If in doubt, the auditor should seek legal council before communicating any information pertaining
to the non-compliance by the client.
CHAPTER

8
Computer audit: The basics*

CONTENTS
Page
8.1 Computer auditing ............................................................................................................ 8/3
8.1.1 Introduction ........................................................................................................... 8/3
8.1.2 The components of internal control and information technology systems .................. 8/4

8.2 IT general controls ............................................................................................................. 8/10


8.2.1 Definition of an IT general control .......................................................................... 8/10
8.2.2 Categories of IT general controls ............................................................................. 8/10
8.2.3 Access controls ....................................................................................................... 8/12
8.2.4 Change management controls (also referred to as program maintenance) .................. 8/20
8.2.5 Continuity of operations ......................................................................................... 8/22
8.2.6 Systems development and implementation controls .................................................. 8/27
8.2.7 Retiring applications ............................................................................................... 8/32
8.2.8 Interface management ............................................................................................. 8/34
8.2.9 System software and operating controls ................................................................... 8/38
8.2.10 End-user computing ................................................................................................ 8/39
8.2.11 Documentation....................................................................................................... 8/40

8.3 Automated application controls ........................................................................................ 8/41


8.3.1 Terminology ........................................................................................................... 8/41
8.3.2 Audit and control procedures .................................................................................. 8/41
8.3.3 Understanding control activities in a computerised accounting application................ 8/42
8.3.4 Control techniques and automated application controls ............................................ 8/47
8.3.5 Masterfile amendments (masterfile maintenance) ..................................................... 8/54

8.4 Automated application controls audit procedures ............................................................. 8/56


8.4.1 Inventory................................................................................................................ 8/57
8.4.2 Debtors .................................................................................................................. 8/58
8.4.3 Revenue ................................................................................................................. 8/59
8.4.4 Fixed assets ............................................................................................................ 8/60
8.4.5 Tax ........................................................................................................................ 8/61
8.4.6 VAT ....................................................................................................................... 8/62

______________
*
For further reading and references on new concepts on internal auditing processes, refer to Internal Auditing: An Introduction
6th ed 2017;Performing Internal Audit Engagements 6th ed 2017, and Assurance: An Audit Perspective 1st ed2018, GP Coetzee, R
du Bruyn, H Fourie, K Plant, A Adams and J Olivier, LexisNexis.

8/1
8/2 Auditing Notes for South African Students

Page
8.4.7 Payroll ................................................................................................................... 8/62
8.4.8 Intercompany ......................................................................................................... 8/63
8.4.9 Creditors ................................................................................................................ 8/63
8.4.10 Statement of profit and loss ..................................................................................... 8/65
8.4.11 Bank and cash ........................................................................................................ 8/65

8.5 Computer assisted audit techniques (CAATs) ..................................................................... 8/65


8.5.1 Introduction ........................................................................................................... 8/65
8.5.2 How CAATs fit into the audit process ..................................................................... 8/66
8.5.3 System-orientated CAATs....................................................................................... 8/67
8.5.4 Data-orientated CAATs .......................................................................................... 8/69
8.5.5 Factors that will influence the decision to use CAATs .............................................. 8/70
8.5.6 Audit functions that can be performed using data-orientated CAATs ........................ 8/71

8.6 Data management ............................................................................................................. 8/72


8.6.1 Introduction ........................................................................................................... 8/72
8.6.2 Terminology ........................................................................................................... 8/73
8.6.3 Big data .................................................................................................................. 8/73
8.6.3 Audit and control procedures .................................................................................. 8/74
8.6.4 Risk implications .................................................................................................... 8/75
Chapter 8: Computer audit: The basics 8/3

8.1 Computer auditing


8.1.1 Introduction
As an auditor, whether internal or external, junior or senior, you will be exposed to computerised financial
reporting systems at your audit clients. You will also make use of laptop computers to assist you in carrying
out your audit work. The vast majority of businesses you will visit to perform audits will use computers to
capture, process and record transactions, produce the accounting records and lots of other information.
However, the extent to which business entities use computers will vary considerably.
For example, a small company (e.g. an independent dentist practice) may have one or two stand-alone
personal computers with basic bookkeeping programs that are used to manage the business.
A large company (e.g. a bank) will have far more complex and sophisticated arrangements, using micro-
computers as servers and workstations. Such companies will have data centres and lots of highly qualified
personnel.
You can therefore conclude that the range of skills required by auditors will be very diverse. The
following two chapters are intended to provide you with a basic knowledge of computers in the context of
auditing. As with most aspects of auditing, you are not expected to be an IT expert, but a basic knowledge
of “computers” will help and is expected. For example, even very small businesses these days pay salaries
and creditors via electronic funds transfer (EFT), so some knowledge of how this is controlled will be
important if you are auditing the payroll or acquisitions and payments cycles. An overview of IT general
controls, automated application controls and other key critical IT trends, such as interface management
and mobile applications, will provide you with a good understanding of how IT impacts the audit.
You also need to get used to the fact that every business has different information needs. Different
programs do a multitude of different things and will be supported by different policies and procedures.
Documents (both on screen and hardcopy) will be designed to meet users’ specific needs and terminology
will vary considerably. When you start auditing, the detail will become second nature to you, but for study
purposes you need to concentrate on the basics.
In this text we have used the term “computer environment” to describe any particular and unique
combination of hardware, software and personnel. As briefly explained above, a small business is going to
have a very different computer environment to a large company, and medium size companies are going to
fit somewhere in between.
In the early days of business computing, had you gone to a large company’s computer department, you
would have been confronted by the central processing unit (a great big “box”) with large storage devices
(tape drives and disk drives) as well as terminals and printers. There would also have been IT personnel
going about their business, for example, capturing data, loading tape drives, monitoring what the computer
was doing, loading the printers with specific stationery necessary for a particular job. Systems analysts,
programmers, operators, technical personnel would also have been about. Generally, the computer centre
would have been a busy, but orderly place. However, with the development of the silicon chip, came the
microcomputer which allowed CPUs and other devices to decrease substantially in size. Microcomputers
have their own CPU and storage capabilities, and this has enabled many businesses to replace mainframe
and minicomputers with microcomputers. The age of end-user computing was born. The result of this was
that many of the functions that were performed in the computer centre are now carried out by users sitting
at their workstations often with a printer nearby. The user is now responsible for entering data, carrying out
checks, printing documents, etc., so the centralisation of computing facilities and operations has
diminished dramatically. However, large companies still have vast amounts of highly technical equipment
on which the computer systems are run and into which users are connected. This equipment, for example,
lots of servers doing different things, routers, modems, etc., is still usually centrally located (but does not
have to be) in a physically protected area called the “data centre”. The data centre will, itself, not be
inhabited by lots of employees.
The important point about all this from an auditor’s perspective is that a client’s computer environment
will directly affect the audit strategy and plan. To illustrate:
• The strategy adopted to audit a bank will call for the inclusion of computer audit experts on the team
due to the complexity and importance of the computerised systems. The fact that banks process millions
of transactions will require that the strategy focus on tests of controls which in turn will affect the audit
plan.
o The software used by a large company is likely to be far more sophisticated, and highly integrated.
Simply stated, this means that applications work together, for example, a credit sale automatically
8/4 Auditing Notes for South African Students

updates the inventory records, the debtors ledger and general ledger, and have many more control
features for input, processing and output.
• The strategy for the audit of a small company with a bookkeeper or two and a number of PCs will not
require specialist computer skills and will probably be focused on substantive testing.
o A small business may use simple software for each application which is not linked to any other
application, for example, a simple computerised perpetual inventory application may require that all
movements of inventory, for example, receipts, issues of inventory items will be entered onto the
system by keying in the information from hard copy goods received notes (GRNs) and delivery
notes.
• As a final illustrative example, the use of audit software (i.e. software which helps the auditor conduct
the audit or carry out what are termed “computer assisted audit techniques”) will be absolutely critical
on some audits, and hardly critical at all on others. For example, the efficient and effective audit of
debtors for a large company with, say, 5 000 debtors, will not be possible without using audit software
to interrogate the debtors masterfile, extract samples from it, re-perform calculations, analyse it, etc. In
a small business with, say, 200 debtors, this may not be necessary or even possible. In this situation it
may be far more efficient to carry out manual audit procedures.
The difference in the capabilities of the software will directly affect the validity, accuracy and completeness
of the information it produces as well as the way in which the information is audited.
Bear in mind that generally the more sophisticated the software is, the more it costs to purchase and run.
These days software has more features than any business could desire, but many of the features do not
provide any great benefit, so companies use cheaper software and/or “enable” only those controls and
features the business needs. In principle, this is no different from how you use your cell phone, iPad, or
laptop.
Regardless of whether the company is small, medium or large, hardly computerised or extensively
computerised, management is still responsible for implementing and maintaining control, and the auditor
still goes through the audit process as described and discussed in chapters 6 and 7.
One of the specific objectives of internal control is to achieve reliable reporting; in computer “speak” this
is often referred to as the production of information by the information system (of which the accounting
system is part) which is valid, accurate and complete. From the auditor’s perspective, if the information
produced is valid, accurate and complete, the risk of material misstatement in the financial statements is
significantly reduced.
Finally, computer environments are sometimes distinguished as personal usage, small business systems
and large business systems. This is a useful way of classifying them and reminding us that different audit
strategies and plans are required for different businesses.

8.1.2 The components of internal control and information technology systems


The system of internal controls can be defined as the system designed, implemented and maintained by
those charged with governance, management and other personnel to provide reasonable assurance about
the achievement of an entity’s objectives with regard to:
• the reliability of the entity’s financial reporting
• the effectiveness and efficiency of its operations, and
• its compliance with applicable laws and regulations.
One of the best ways by which management can achieve these objectives is by embracing the ever-
increasing power and versatility of information technology. For example, a company computerises its
accounting system to improve the reliability of its financial reporting system because computers can process
vast quantities of information very accurately and very quickly, can store information for instant retrieval,
can analyse information extensively and communicate it instantly and widely.
The International Auditing Standards (ISA) require that auditors evaluate controls over each IT
environment when intending to rely on automated application controls and system generated reports to
provide audit evidence and to modify the nature, timing and extent of substantive audit procedures. In
terms of ISA 315 (revised), the auditor is required to gain an understanding of the company’s internal
control system and the statement suggests that this understanding can best be obtained by considering the
five components of internal control.
Chapter 8: Computer audit: The basics 8/5

These components are:


• the control environment
• the entity’s risk assessment process
• the entity’s process for monitoring the system of internal control
• the information and communication system, and
• activity control.
It stands to reason therefore, that when considering each component, the auditor will need to consider the
effect of the company’s IT (computerisation) on that component. For example, when evaluating the
company’s control environment, the auditor will look specifically at the control environment relating to IT
management.

8.1.2.1 Control environment


This is about management’s attitude, awareness and actions regarding the system of internal control.
Because of the potential major consequences of poor control in a computerised system, a strong control
environment is very important. The evaluation of the control environment will be far more intense in a
large, highly computerised company (think bank!) than in a smaller or medium-sized business (although
some smaller entities may also have complex computerised systems). Evaluation of the control environ-
ment is discussed extensively in chapter 5 and later in this chapter. These may also be referred to as entity
level controls specific for IT. These controls are implemented within the IT governance environment and
have a pervasive impact on the IT controls environment including those at the transaction or application
level. Entity level controls assess the overall overarching landscape and may include the following:
• communication and enforcement of integrity and ethical values
• commitment to competence
• participation by those charged with governance
• management’s philosophy and operating style
• organisational structure, assignment of authority and responsibility, and
• human resource policies and practice.
In terms of ISA 315 (revised), the auditor evaluates the control environment as a component of the system
of internal control so you might be wondering why it is part of a general control evaluation. The reason is
that the evaluation of the control environment as a component of the system of internal control covers the
entire organisation (to the extent that it affects the audit), while the evaluation at general control level con-
centrates on the control environment within the IT structures. Of course, the evaluation of the control
environment within the IT structures is part of the overall exercise, but it has some significant and unique
aspects to it.
You should refer to chapter 5 as well.
ISA 315 (revised) refers to risks related to inappropriate reliance on IT applications that are inaccurately
processing data, or processing inaccurate data, or both, such as:
• Unauthorised access to data that may result in destruction of data or improper changes to data,
including the recording of unauthorised or non-existent transactions, or inaccurate recording of trans-
actions. Particular risks may arise where multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their
assigned duties thereby breaking down segregation of duties.
• Unauthorised changes to data in masterfiles.
• Unauthorised changes to IT applications or other aspects of the IT environment.
• Failure to make necessary changes to IT applications or other aspects of the IT environment.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.
Control environments can be complex and may include highly-customised or highly-integrated IT
applications and may therefore require more effort to understand. Financial reporting processes of IT
applications may be very sophisticated and integrated with other IT applications. Such integration may
involve IT applications that are used in the entity’s business operations and that provide information to the
8/6 Auditing Notes for South African Students

IT applications relevant to the flow of transactions and information processing in the entity’s information
system. In such circumstances, certain IT applications used in the entity’s business operations may also be
relevant to the preparation of the financial statements. Complex IT environments may also require
dedicated IT departments that have structured IT processes supported by personnel that have software,
development and IT environment maintenance skills. In other cases, an entity may use internal or external
service providers.
ISA 315 (revised) suggests that the auditor must also understand emerging technologies at clients.
Entities may use emerging technologies (e.g., blockchain, robotics or artificial intelligence) because such
technologies may present specific opportunities to increase operational efficiencies or enhance financial
reporting. When emerging technologies are used in the entity’s information system relevant to the
preparation of the financial statements, the auditor may include such technologies in the identification of
IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT.
While emerging technologies may be seen to be more sophisticated or more complex compared to existing
technologies, the auditor’s responsibilities in relation to IT applications and identified general IT controls
remain unchanged. Refer to chapter 9 for more on new/emerging technologies.

Communication and enforcement of integrity and ethical values


• Ethical IT governance must be cultivated and promoted and should align with the ethical culture of the
organisation.
• A strongly ethical culture is important in an IT department, particularly as IT personnel will have access
to confidential and sensitive information and may also have the opportunity to cause disruption to
operations. This may occur maliciously or unknowingly with the incorrect/ unauthorised access to
data.
• IT management should communicate a code of ethical behaviour and conduct and comply with the
code themselves. The code should enforce strong remedial action, which may include dismissal, where
integrity and ethical behaviour have been lacking. The potential damage (risk) of engaging or retaining
individuals who lack integrity is considerable.

Commitment to competence
• The demands of many of the jobs in an IT department with regard to skills and knowledge as well as the
ability to handle pressure can be considerable.
• IT management should be committed to matching these attributes to an individual’s job description.
Again, the consequences of an individual not being able to do his job could be immense. Performance
reviews and regular discussions with employees as well as ongoing training demonstrate a commitment
to competence.

IT management’s philosophy and operating style


• As with the company’s overall control environment, this comes down to the attitudes, control aware-
ness and actions of the IT management. Their actions set the tone of the department and as they lead,
so will the employees follow. Their management philosophy and management style must demonstrate,
communicate and enforce sound control.
For example, a manager who shares his PIN code to gain access to the data centre, or spends half the
day “surfing the Internet”, can expect employees to start doing the same, and worse, before long!
• Very often IT personnel are seen as technical specialists who are more interested in IT and the excite-
ment of its capabilities, than they are in the “boring” routine of the company’s business. This can lead
to a level of disharmony within management, particularly if IT as a department “does its own thing”.

Organisational structure and assignment of authority and responsibility


• The organisational structure should achieve two major objectives:
– it should establish clear reporting lines/levels of authority, and
– it should lay the foundation for segregation of duties so that, if possible, no staff perform incompatible
functions.
• The organisational structure should address segregation of IT and user departments and segregation of
duties within the IT department.
Chapter 8: Computer audit: The basics 8/7

• The chief executive officer should appoint a chief information officer (CIO) who is suitably qualified
and experienced. This individual should interact regularly with:
– the board
– the steering committee and audit committee, and
– executive management.
• Overall, the functions of supervision, execution and review within the department should be segregated
as far as possible.
• Job descriptions, levels of authority and responsibilities assigned to IT personnel should be documented.
A suggested organisational chart for an IT department appears below. The size and complexity will differ
depending on the organisation

Sound Organisational Structure for an Information Technology Department

Board of Directors
IT risk committee

Steering Committee

Chief Information Officer

Software manager Infrastructure manager

Application development Technical/ Helpdesk


Webmaster Security
and programming administration operations

Note: There are many variations of organisational structure, for example, a director may be designated as
the CIO and the individual who runs the department may be called the IT manager.
Technical/Administration
• Database administrators have the specialised skills to develop, maintain and manage the database (the
store of information).
• Operating system administrators have the specialised skills to implement, maintain and manage the
operating system and hardware.
• Network administrators have the specialised skills to implement, maintain and manage the company’s
LAN/WAN, etc., (refer to chapter 9 for further details on these).

8.1.2.2 The entity’s risk assessment process


In the context of a computerised environment this component is about controlling IT risk. The King IV
report on corporate governance recognises information technology (IT) risk as one of the major risks facing
a company (particularly a large company). While managing IT risk is the responsibility of the board, it is
likely that the board will delegate its responsibility to a risk committee. The structures of the IT section may
include a steering committee and a chief information officer. Part of this internal control component’s
function will be to focus on the assessment of (and response to) the IT risks facing the company, for
example, data security and privacy, business continuity, data recovery and keeping up with technology, etc.

8.1.2.4 The information and communication system


The information system consists of infrastructure (physical and hardware components), software, people,
procedures and data. When the auditor is gathering information about this component, he will need to
familiarise himself with each of the above and how they interact (refer to chapter 7). ISA 315 (revised)
8/8 Auditing Notes for South African Students

explains that the information system (relevant to the financial statements) consists of activities and polices,
and accounting and supporting records designed and established to:
• initiate, record, process and report entity transactions, events and conditions and to maintain account-
ability for the related assets, liabilities and equity
• resolve incorrect processing of transactions
• process and account for system overrides or bypasses to controls, for example, by the creation of audit
trail in the form of a log of overrides
• transfer information from transaction processing systems to the general ledger, for example, where the
revenue application software is not integrated with the general ledger, a journal entry will have to be
passed to get sales and debtors totals into the general ledger
• capture information other than transactions, such as depreciation and allowances for bad debts
• confirm information required for disclosure is accumulated, recorded, processed, summarised and
appropriately reported in the financial statements, and
• authorise and process journal entries.
This knowledge provides the auditor with a basis to evaluate both the manual and automated procedures
and controls that make up the next component of the system of internal control, namely, control activities.

Application development and programming


During the entity level controls review it may be beneficial to meet with the system analysts to ascertain
which automated application controls exist within the organisation’s IT environment and whether those
controls will meet the audit objectives.
• Business/systems analysts are responsible for liaising with users to understand their needs and
documenting functional specifications for new applications and program enhancements.
• Programmers write the program code based on the specifications supplied by the business analysts,
document the technical specification and debug programs.

Webmaster
Many companies now have websites that can be integral to the company’s business, for example, a com-
pany trading on the Internet. A webmaster should be appointed. Responsibilities will be to:
• design, develop and maintain the company’s website
• regulate and manage the access rights of the users of the site
• set up and maintain website navigation
• deal with complaints and other feedback about the site.

8.1.2.5 Control activities


This is the component of the system of internal control that will probably interest the auditor the most
because these control activities (policies and procedures) have a big influence on whether the financial
information system records and processes transactions that are authorised and have already actually
occurred and does so accurately and completely.
It is important to remember that control activities in a computerised system will be a combination of
manual and automated (programmed) controls. Modern software is overloaded with features which
improve control over input, processing and output of data, and it will be the auditor’s duty to establish
what features (automated application controls) are in use at the client and which automated application
controls may be considered for inclusion as part of the audit.
Policies and practices for IT personnel will essentially be the same as for other skilled personnel. The IT
department will work with the entity’s human resource department in respect of these policies and prac-
tices. The point has been made several times that an important part of any control system is “people.” The
characteristics of honesty, competence and trustworthiness are paramount in a computerised environment
and management should institute the following policies and practices:
• proper recruiting policies which include careful checks on an applicant’s background and competence
• immediate exclusion from computer facilities if an employee is dismissed or resigns (passwords and
user privileges should be cancelled)
Chapter 8: Computer audit: The basics 8/9

• compulsory leave – employees who are involved in unauthorised activity will often be exposed when
they are not present to cover their tracks
• training and development to keep staff up to date and able to fulfil their functions efficiently and
effectively –this should be accompanied by ongoing evaluation of personnel suitability and competence
for their jobs and their progress down their career paths
• written formalisation of human resources policies to provide employees with terms of reference or
guidelines
• rotation of duties – moving employees between functions is a useful practice as it helps avoid undue
reliance on any individuals by ensuring that each employee has a backup. It may also relieve boredom
as well as encourage employees to develop new expertise and skills. Rotation of duties should not be
implemented to the extent that segregation of duties is compromised, for example, the computer
operator should not be trained as an application programmer and then be placed temporarily in the
programming section
• strict policies pertaining to the private use of computer facilities by IT personnel (and other employees)
should be in place, for example, Internet use and running private jobs.
It needs to be noted that there may be policies and procedures directly applicable to the IT department and
there may be IT policies that are relevant to the whole organisation and all staff members will have to
adhere to, for example, your device policy, privacy policies and access management policies.

8.1.2.3 The entity’s process for monitoring of the system of internal control
This is the third component of internal control as identified by ISA 315 (revised) and concerns
management’s responsibility to assess whether the internal control system is meeting its objectives over
time. It is not solely about monitoring whether the control activities are taking place; it is also about
assessing whether they are effective. Monitoring is also not only about assessing control activities, it is also
about evaluating the other components of the internal control system, for example, the control environ-
ment and the risk assessment process. In a computerised environment the amount and variety of informa-
tion, which can be quickly and accurately obtained from the system, enhances the ability of management,
those charged with governance as well as various bodies, such as the internal audit department, audit and
risk committees, to conduct effective monitoring over time.

8.1.2.6 Participation by those charged with governance


• In terms of King IV, IT governance is the overall responsibility of the board and it should provide the
required leadership and direction to assist IT that IT achieves, sustains and enhances the company’s
strategic objectivity. IT governance is not an isolated discipline.
• There should be defined mechanisms for the IT department to communicate with the board and report
regularly to the board.
• The board should appoint an IT steering committee to assist is the governance of IT. A steering
committee is a group of people knowledgeable about computers, to whom major issues are referred, for
example, policies, future strategy, IT risk, acquisitions of hardware and software.
• The IT department should not be seen as a “separate entity” answerable only to itself.

8.1.2.7 HelpDesk/Operations
Another good example of monitoring of controls is helpdesk operators.
Helpdesk operators – receive calls from users and log their problems/requests on the HelpDesk System,
resolve “First Tier” problems where possible (i.e. problems that are easy to solve), as well as perform
routine operational duties, for example, checking that backups have been completed successfully and
managing rotation of backup tapes (see 8.2.6.3 for further information on backups).
Note: “Second Tier and “Third Tier” problems would normally be referred by the HelpDesk to the most
appropriate technical administrators/programmers or the vendor concerned.
Also, organisations generally have monitoring reports that manage and report on these controls.
8/10 Auditing Notes for South African Students

8.1.2.8 Security
Security personnel lay down control procedures for access to all computer facilities, monitor security
violations (e.g. logs) and follow these up and issue passwords. The company may appoint an Information
Security Officer to manage and monitor security procedures.

8.2 IT general controls


8.2.1 Definition of an IT general control
Controls in a computerised environment are categorised as either IT general controls or automated application
controls. IT general controls are those which establish an overall framework of control for computer
activities. They are controls which should be in place before any processing of transactions get underway
and they span across all applications. In contrast, automated application controls are controls that are
relevant to a specific task within a cycle of the accounting system.
For example, control procedures and policies to confirm that staff have the correct level of access, would
be regarded as IT general controls, while a control procedure which requires that the foreman authorise all
overtime worked, would be an automated application control (payroll cycle).
General IT controls are implemented to address risks arising from the use of IT. Accordingly, the auditor
uses the understanding obtained about the identified IT applications and other aspects of the IT environ-
ment and the applicable risks arising from the use of IT in determining the general IT controls to identify.
In some cases, a company may use common IT processes across its IT environment or across certain IT
applications, in which case common risks arising from the use of IT and common general IT controls may
be identified.

8.2.2 Categories of IT general controls


Even a quick reference to the relevant literature reveals there are numerous ways of categorising or classify-
ing IT general controls. While this can be confusing, it is not that important. It is, however, important for
you to understand both the distinction between an IT general control and an automated application control
and the kinds of IT general controls you are likely to encounter at a client.
The auditor is required to obtain an understanding of the entity and its environment, and this will
include obtaining an understanding of the IT general controls at the client. It is important to realise that the
amount of knowledge and skill as well as the nature, timing and extent of procedures to obtain the
necessary understanding will vary considerably from client to client.
For example, the IT general controls at Sithole (Pty) Ltd, a small company with a limited number of
computers, that does not employ its own specialised IT personnel, makes use of packaged application
software, and uses an external computer consultancy to “keep its system up and running”, will be very
different to the IT general controls at Motholo Ltd, a large motor vehicle manufacturing company, that is
highly dependent on computerised systems.
The auditor needs to understand that he/she does not need to test a complete set of IT general controls
to rely on automated application controls. Essentially, the access and change management governing a
particular automated application control is all that is actually required to rely on a single automated
application control. If the access to the configuration is controlled and changes to the configuration/
automated application have been governed, then the automated application control IT controls are satis-
factory for reliance in the audit.
It is important to equip audit teams with an understanding of the relationship between applications used
by the organisation and the controls governing those applications, the information it generates and the IT
operations supporting them.
Chapter 8: Computer audit: The basics 8/11

An illustration of the IT general controls roadmap follows:

During your period of training as an auditor you may be required to assist in an evaluation of IT general
controls for an organisation and a basic knowledge of what IT general controls actually are will be
beneficial.
For the purposes of this text we have categorised IT general controls as follows:

• Access controls
– Physical access management controls
– Logical access management controls

• Change management controls

• Continuity of operations/business resilience


– Risk assessments performed by the organisation
– Environmental controls
– Disaster recovery
– Backup strategies
– Social media

• Systems development and implementation controls


– In-house development
– Packaged software
– Retiring applications
– Interface management

• System software and operating controls

• End user computing controls

• Documentation
We have not described IT general controls for a specific size of company (that would be a book in itself!)
but have assumed that the company is large enough to have a separate IT department, a data centre, its
own “technical” IT personnel to undertake systems developments and program maintenance. Obviously, if
a company does not have a data centre, some of the physical controls will not be relevant, or if a company
uses only packaged software, it will not have to worry about certain aspects of system development but will
have to worry about which packaged software to purchase and who will maintain it.
8/12 Auditing Notes for South African Students

8.2.3 Access controls


8.2.3.1 Introduction
There is an old saying that prevention is better than cure, which is very applicable to computerised systems.
An organisation must focus its attention on two very different aspects of access controls:
• physical access management controls
• logical access management controls.
The picture below illustrates the differences:

The consequences of unauthorised access to a system can be disastrous for a company – uncontrolled
physical access to the hardware has resulted in the theft of, or damage to, expensive equipment and the data
that will be stored on the hardware. Unauthorised logical access (which really means gaining unauthorised
access to data and programs electronically stored through a workstation/terminal) can result in the
destruction of data, the manipulation of data or the theft of data and programs. Rather than having to
implement a “cure” for the theft, destruction, etc., it is far better for the company to prevent these very
negative consequences by implementing strict access control policies and procedures. Again, computer
security is a huge and very complex topic which exercises the minds of the best and brightest. Many
companies are permanently under siege from “hackers” trying to break into their systems, sometimes with
very malicious intent and at other times “just for the challenge” (or so they say!) Measures to prevent/
minimise the negative consequences of terror attacks, natural disasters, etc., must also be implemented. All
of these preventative measures must take into account the important fact that authorised employees must
still have access to the hardware, programs and data they require to do their jobs effectively and efficiently.
Access to all aspects of the system must be controlled:
• hardware
• computer functions at system level (accessing the computer system itself), and computer functions at
application level (accessing a specific application or module within an application)
• data files/databases
• utilities
• documentation (electronic or hard copy)
• communication channels.
8.2.3.2 Terminology
• Logical access: Logical access consists of controls used to manage access to applications, data and
systems and can be embedded within applications and systems.
• Physical access: Physical access refers to the management of access to the actual hardware and network
server rooms.
• Segregation of duties: A user should never have access to an application that gives him/her the rights/
access to manage a single process or task.
Chapter 8: Computer audit: The basics 8/13

• Toxic combinations: Toxic combinations arise when a user profile or profiles have been identified to be
unfavourable and may lead to segregation of duty conflicts. Toxic combinations may also be relevant
for two or more user profiles where the risk of collusion or fraud may exist.
• Privileged user/super user: A super user is a user who has full access to make any changes to a system,
such as a system or network administrator.
• Firewalls: A firewall protects an organisation’s computer network and data from unauthorised access,
such as hackers. This can be in the form of hardware or software.
8.2.3.3 Audit and control procedures
The auditor should test the design adequacy and operating effectiveness of logical and physical access
management controls.

Consider the following for physical access management controls:


The IT department itself should be entirely separate from user departments
• No transactions should be authorised or executed by any member of the IT department, for example,
placing a purchase order or authorising a wage rate increase.
• No member of the IT staff should have access to, or custody of, the physical assets of the company, for
example, inventory, or uncontrolled access to the non-physical assets, such as the debtors masterfile.
• IT staff should only be responsible for correcting errors that arise from operating or processing prob-
lems; unless in response to authorised requests from user departments for assistance with corrections.
Within the IT department itself:
• Technical administrators should be segregated from programmers and business analysts. Technical
administrators have high levels of expertise and although they work mainly with operating systems
software, detailed knowledge of the application programs would enable them to make unauthorised
modifications to the application programs or data.
• Security functions should be restricted to the security sections, for example, an operator should not be
asked to follow up on logged access violations.

8.2.3.4 Physical access control


Access control is important to all businesses, but how physical access is controlled will vary considerably.
For example, Logica Ltd, a large retail organisation, has extensive equipment (CPU, servers, secondary
storage devices, etc.), which is housed in a data centre. The company has hundreds of microcomputers,
printers, etc., in user departments on LANs and WANs. By contrast, Green-Me (Pty) Ltd, an independent
vegan grocer, has a small number of microcomputers (which could be “stand-alone” or networked) and a
printer.
Even though the consequences of unauthorised access may be far greater for a large company in absolute
terms, in relative terms unauthorised access may be equally devastating for a smaller company.
A combination of physical controls will be implemented to prevent unauthorised entry to an IT data
centre (which could of course be part of a large IT department).
For example, the IT department of a large pharmaceutical company could be contained in a separate
building or wing of a building. All IT personnel would have their offices in this building. The building
would also have a dedicated room in which all the equipment which runs the system, for example, CPU,
servers, and routers to run the company’s systems, would be housed. This dedicated room would be the
data centre. The data centre would not double up as offices although IT personnel would need to go in to
perform some of their functions. In this type of arrangement, access to the IT building (or wing) may be
controlled and further access to the data centre itself would be far more strictly controlled to only grant
access to authorised staff members. Only a limited number of personnel need access to the data centre
itself, while many more need access to the IT department.
8/14 Auditing Notes for South African Students

A list of physical controls that can be implemented to prevent unauthorised access (as mentioned above
follows:
• Identification of users and computer resources
– Users – some examples:
o user identification, (user IDs) with staff photo
o magnetic card or tag which can be used to swipe in at security doors
o biometric data, for example, thumbprint, facial recognition.
– Terminals – some examples:
o terminal identification (the system recognises terminal ID number or name).
• Visitors from outside the company to the IT building should:
– be required to have an official appointment to visit IT personnel working in the IT department, for
example, external maintenance personnel
– be cleared on arrival at the entrance to the company’s premises, for example, by a phone call to the
IT department acknowledging the fact that they have been expecting the visitors and are potentially
accompanying the visitors
– be given an ID tag and possibly escorted to the department
– not be able to gain access through the locked door (must “buzz”)
– wait in reception for whomever they have come to see (or be met at the door), and
– be escorted out of the department at the conclusion of their business.
• Company personnel other than IT personnel
There should be no need for other personnel to enter the data centre and access to the IT department
should be controlled in a practical manner as there will be contact between the IT department staff and
users on a regular basis. Ideally, the IT data centre should restrict access and have a visitor register by
the secure (fire-proof) door for all visitors to sign before access. Visitors should be escorted at all times,
even if they are there for maintenance.
• Physical entry to the data centre (dedicated room)
– only individuals who need access to the data centre should be able to gain entry
– access points should be limited to one
– access should be through a door which is locked other than when people are entering or exiting, in
other words, not propped open by, for example, a wastepaper basket for people to come and go
– the locking device should be deactivated only by swipe card, entry of a PIN number, and scanning of
biometric data, for example, thumbprint, and
– entry/exit point may be under closed-circuit TV.
Remember, the data centre is the heart of the company’s information system.
• Remote workstations/terminals
In most businesses, workstations/terminals are distributed around the offices, so centralised control
measures are not possible (other than where, say, a group of telesales operators are sitting in a separate
room). Some physical controls will still be implemented:
– terminals can be locked and secured to the desk
– terminals can be placed where they are visible and not near a window, and
– offices should be locked at night and at weekends.
Consider the following for logical access management controls:
If we make a simple comparison between a standalone personal computer used in a small company’s
accounting department and a large linked network of computers, it is easy to see that in the latter there is
significantly more risk, which must be controlled. It is important that controls be implemented to assist in:
• controlling access to computer resources: Remember that where information is transmitted (data com-
munication), there will be numerous computers that are all linked together. It therefore becomes
“physically” possible to access the system from numerous points and to access the system via the
communication line (just like tapping a telephone)
Chapter 8: Computer audit: The basics 8/15

• maintaining the integrity and security of data which is being transmitted: It will be of little use if data
being transmitted is completely or partially lost, is changed during transmission or its confidentiality is
compromised
• managing segregation of duties, and
• toxic combinations.
At the outset you must realise that the more complex and sophisticated data communication systems are
very technical, but that a detailed knowledge of computer science and communications is not required by
the “everyday” auditor. Certainly, the audit profession, and large firms in particular, will have employees
who are technically excellent and right up to date with developments. What is required by an “everyday”
auditor is a general understanding of the risks and controls, and the sense to realise that expert knowledge
may be required.
Remember also that it is the business world at large that faces these risks, and that there are numerous
companies and groupings of companies, such as banks, etc., that are continually seeking ways of improving
access control, integrity and security in data communication. It is obviously necessary for the audit
profession to keep abreast of technological developments, but it is also important that the profession does
not lose sight of the fact that the audit objectives do not change.
(See the description of computerisation at ProRide (Pty) Ltd at the end of this chapter.)

8.2.3.5 Security policy


A security policy addresses the security standards that management need to achieve to maintain the
integrity of the company’s hardware and software. Once management has decided what it wants to
achieve, it can go about implementing the policy. The policy should be documented and should be based
on principles rather than detailed procedures. Important principles include:
• Least privilege – employees should be given access to only those aspects of the system that are necessary
for the proper performance of their duties, for example, a clerk in the wages department should not be
given access to inventory records as he does not “need to know” what is contained in the inventory
records. On a more general level, employees who do not need any access to perform their functions,
should not be given any access, for example, a factory worker needs no access privileges to the
company’s systems.
• Fail safe– this principle requires that wherever possible, if a control “fails”, whatever is being protected by
that control, should remain “safe”, for example, if logical access control software malfunctions, the
system should shut down completely, rather than allow uncontrolled access. The same principle will
apply to physical controls.
• Defence in depth– this means that protection is not left up to one control only, but rather to a combin-
ation of controls, for example, a combination of logical access controls and authentication before an
authorised user can access the company’s financial applications.
• Logging – adherence to this principle requires that the computer’s ability to log (record) activity that
takes place on it, should be extensively incorporated, for example, unsuccessful attempts to access the
system should be logged and followed up. Logging is not an effective control activity unless the logs are
regularly and frequently reviewed and follow-up action is taken where control violations are identified.
Access controls will vary considerably depending on the size of the company, the extent of its computerisa-
tion, and how it is set up. Access controls at a bank or multinational company are going to be different to a
small or medium-sized company but the principles remain the same.
Logical access controls will be primarily preventative, that is, designed to prevent unauthorised access via
terminals, but these will be supported by logs which are detective in nature, for example, logging of
attempted access violations as well as logging access. Logical access control also plays a big part in
controlling access at application level, but is dealt with under general controls because, before any trans-
action processing takes place, access controls must be implemented as part of the general controls frame-
work. Logical control access is also covered in the section on application controls.
Against the overall backdrop of ensuring that only authorised individuals can gain access to the facilities on
a least privilege/need to know basis, in other words, access is given only to those aspects of the system that are
8/16 Auditing Notes for South African Students

necessary for proper performance of their duties, the following controls in various forms can be imple-
mented through the access control software and other programs:
• Authentication of users and computer resources
Authentication of the user is used to verify that the user of an ID is the owner of the ID. Authentication
can be achieved in various ways:
– entering a unique password
– entering a piece of information that an unauthorised individual would not know about the genuine
user, for example, the person’s great-grandmother’s first name. This works on the same principle as a
password. The information, say, 10 different pieces of information, is held on the system (securely) as
provided by the user. When the user ID is entered, the system selects one piece of information and
poses a related question to the user. If the answer keyed in is correct, authentication has been
achieved. It is also possible that a single piece of information is stored but regularly changed.
– connecting a device to the USB port of the terminal:
For example, to authenticate the authorisation and release of an EFT, a leading bank requires that
the authorised employees have a device called a “dongle” that must be inserted before the payment
can proceed. This works in combination with a password and both are unique to the user. The
password and dongle are needed to authenticate the user.
Another bank uses a small random number generator device that produces a number that must
also be used in conjunction with the password. It is really a second unique password. In a company a
“one time” password can be generated on a server and sent to the user by SMS. This works on the
same principle.
A combination of the above techniques is called multifactor authentication and is used where very
strict access control is required. The dongle will only work on a terminal on which the bank’s specific
software has been loaded. This is a form of terminal authentication.
The fact that a user ID can be linked to the individual is a strong isolation of responsibility control.
• Authorisation: This means defining the levels (types) of access to be granted to users and computer
resources:
– Once the system has authenticated the user, access will only be given to those programs and data files
the user is authorised to have access to, and, as pointed out, this should be only to programs and data
the user requires to do his work. Users can be given different levels of authority and may be granted a
“single sign on” to access all the programs they are authorised to access.
– Users – some examples:
o a user may be granted “read only” access (this means a file can only be read)
o users may have “read and write” access (this means a file can be read and written to, for example,
the user can add, create, delete).
Note that although a user may be granted “read only” access, there is still a risk, as users can take
screenshots of sensitive information.
– Terminals – some examples:
o although modern software concentrates access privileges around the user, specific terminals can be
linked to specific applications, for example, a warehouse terminal not linked to the wage applica-
tion, or to the EFT facility
o restricted hours of operation, for example, the terminal shuts down at 4pm and comes on at 7 am.
• Root access/system-wide access/super-user access and privileged-user access
This level of privilege gives the user concerned virtually unlimited powers to access and change, without
trace or audit trail, all programs and data, bypassing normal access controls, and therefore should only
be given to a very limited number of IT personnel. Generally, there should be an audit trail review by
senior management for these profiles on a regular basis to assess activity and determine whether there
was any unjustified activity.
The allocation and authorisation of powerful user IDs need to be controlled and monitored.
Chapter 8: Computer audit: The basics 8/17

• Segregation of duties
As the auditor, you may perform the following tests:
– What is the risk that segregation of duties is not adequate to prevent and/or detect errors or
irregularities? This applies to duties of employees within the IT department and between IT and user
functions.
– Does an organisational access chart exist and is it maintained to depict segregation of duties?
– Does business and IT authorise changes to access profiles and do they consider segregation of duties
when changes are made to profiles?
• Identification of/and access to toxic combinations
During the creation of a segregation of duties matrix or framework for an organisation’s user profiles,
an assessment will be made of toxic combinations. These combinations should be preventative in nature
and documented to confirm that no users will be granted or have their access modified to include
specific access.
For example, large applications that are off-the-shelf provide user profile frameworks that provide
companies with guidance on how to set up user profiles that are segregated. Generally, they also
provide guidance on which account transactions and users are ‘toxic combinations’ and should be
avoided because they create risks. For instance, if the same user can create a purchase order and
authorise it.
In addition, there may be certain role profile combinations that are also toxic. The auditor should:
– determine whether management reviews access regularly to ascertain whether the correct users have
been assigned to the correct profiles and if modifications are correct
– determine whether sensitive and conflicting applications, data and transactions have been identified
and documented in a framework.
• Logging: This means recording access and access violations for later investigation.
An access log records the people who accessed the system and, by comparing it to some other piece of
information, may provide evidence of unauthorised access.
For example:
If Willy Worker is logged as having gained access to the system on 10 June, when he was supposed to
be on holiday.
If Danny Doodles has logged in while on maternity leave.
If Tim Trouble left the company on 31December, but his profile shows he logged on, on 5 January.
Clearly, something strange is going on! Logging and following up is essentially a detective control.
The emphasis on access control will be on preventing unauthorised access but logging and following up
is still an essential control. Refer to exception controls in automated application controls.
As the auditor, you must:
– determine whether management reviews access regularly to ascertain whether the correct users have
been assigned to the correct profiles and, if changes have been made, that the modifications are
correct
– in addition, determine whether users that have been terminated had their access revoked timeously as
and when they left the organisation. This will also reduce the risk of unauthorised access should the
staff member be disgruntled.
• Access tables
The computer cannot perform logical access control unless a large number of details are defined in
tables to which the system can refer. These tables identify all “objects” and “conditions” that the
computer has to “know” to be able to control access. These objects include:
– all authorised PCs (PC IDs)
– all authorised users (user IDs)
– all passwords
– all programs
– all possible modes of access (no access, read-only, read and write), time of day (e.g. a bank teller may
only be able to log in between 8.30 am and 4.00 p.m.), etc.
8/18 Auditing Notes for South African Students

Setting up these tables is not technically difficult for a skilled person but requires meticulous care.
Broadly, it happens as follows: when a new employee joins, say, the payroll department, he will need
access to files, etc., which are required to do his job. This detail is provided by the manager of the
payroll department on a written form which describes the employee’s job exactly.
For example, the employee must be able to read the employee masterfile and only be able to change
some fields; he may need to be able to change an employee’s address but not the wage rate field. This,
and everything else the employee must be able to do, has to be reflected in the employee’s user profile
and is related to the access tables.
It is now possible to compile the necessary tables and the user profile which specifies which
combinations of these objects and conditions should be allowed/authorised and which combinations
should be disallowed (access violations) or potential segregation of duty issues. These profiles should be
determined by the IT manager and senior IT staff working in conjunction with senior user personnel
and system design documentation.
A simple example will illustrate user profiles:
Fred Bloggs, the storeman, is to be given access to the inventory masterfile, but this is to be “read
only” access. He has a user identification and a password. For the sake of simplicity, we will say that
Fred needs no access to any other data programs. Once Fred’s needs have been established, senior IT
staff will create Fred’s “user profile”, which will be stored in a secure file on the system. The computer
now has something to refer to. When Fred activates his PC, he will be prompted to enter his user ID
and password. The computer will check against the access table whether Fred’s PC and his user ID are
listed (identified). The computer will check that Fred has proved who he is by matching Fred’s
password to listed passwords in the access tables (authentication). If Fred has entered his password
correctly, the computer will “fetch/consult” Fred’s user profile and display the inventory application
functions that he has access to. The computer may also check that Fred is at a PC that has authorised
access to the inventory application. Fred may now call up the inventory masterfile, but if he tries to
write to that file, the computer will check against his profile and prevent him from doing so as he has
“read only” access.
Access profiles, like the one described above, are usually set up for “user groups” rather than for
individual users, as this is a more efficient way of controlling access. In other words, management
would determine what access privileges a storeman should have and Fred would then be allocated to
the “storeman user group”. If you imagine that Fred’s company may have 500 stores around the
country, each with one storeman, it is easy to appreciate that it would be more efficient to define one
group profile and allocate all 500 storemen to that group, rather than having to define access separately
for each user.
If Fred attempts to get into an application or module, or exercise a privilege he does not have, the
computer will send him a screen message, and he will not be able to proceed (or the computer may just
fail to respond). The system may also be set up in such a way that what appears on Fred’s screen may
not give him the option to click onto what he wants to do. For example, if he is not allowed to give
approval, there will be no approval field for him to click on.

8.2.3.6 Controls over passwords


The strict control of passwords is fundamental to successful, logical access controls. The following list
shows what is deemed good practice:
• Passwords should be unique to each individual (group passwords should not be used).
• Passwords should consist of at least eight characters, be random, not obvious, and a mix of letters,
numbers, upper/lower case and symbols to reduce the risk of easily “cracking” passwords. Passwords
should not be obvious, for example, birthdays, names, name backwards, common words, and should
not be the same as the user ID.
• Passwords/user IDs for terminated or transferred personnel should be removed/disabled at the time of
termination or transfer to reduce the risk of unauthorised access and therefore changes.
• Passwords should be changed regularly, and users should be forced by the system to change their password.
(The system sends the user a screen message to change his password and allows a limited number of
attempts to enter his existing password. After this, access will not be granted until a new password has been
registered.) The recommendation is to change passwords monthly.
– Passwords should have a history setting to save at least 12 passwords so that they cannot be reused.
Chapter 8: Computer audit: The basics 8/19

– The first time a new employee accesses the system, he should be prompted to change his initial
password.
– Passwords should not be displayed on PCs at any time, be printed on any reports or logged in
transaction logs.
– Password files should be subject to strict access controls to protect them from unauthorised read and
write access. Encryption of password files is essential.
– Personnel should be prohibited from disclosing their passwords to others and subjected to disci-
plinary measures should they do so.
– Passwords should be changed if confidentiality has been violated, or violation is expected.
– Automatic account lock-out must take place in the event of an access violation, for example, an
incorrect password entered more than three times.

8.2.3.7 Other access control considerations


• Data communication
Data communication relates to the transmission of information from a sender to a receiver in electronic
form. Information must be sent down a link which may be a fixed line.
For example, a public telephone network, or a dedicated line linking two computers, or a fibre optic
cable, or by wireless technology, for example, satellite transmission, cellphones or even cordless com-
puter devices, such as a cordless mouse.
All transmission media are used in business and are really the domain of the computer and
telecommunications expert. However, because media do form an integral part of information systems
used in business, the general auditor needs to have a broad understanding of how they work and must
realise that they do present an opportunity for an unauthorised person to access the system. Control is
achieved by:
– the implementation of specialised software which is responsible for:
o controlling access to the network
o network management (i.e. controlling traffic flow, routing data to its destination and logging
network activity)
o data and file transmission (control the transfer of data and files, for example, making sure the
entire message is delivered)
o error detection and control (identifies errors that indicate that the data received is the same as the
data sent)
o data security (which protects the data from unauthorised access during transmission)
– encryption (converting data into a secret code) of data which is being transmitted
– the protection of physical cabling (under the control of the client), for example, channelled within
brickwork, under the floor, etc. The use of fibre optic cable is far more secure than traditional wire
cabling but far more expensive. Wireless communications can be a real threat to a company and
controlling access in this environment has taken on far greater significance.

• Firewalls
Once a company’s network is connected to an external network such as the Internet there is an
increased risk of unauthorised access to the company’s network. A firewall is a combination of hard-
ware and software that operates as access control gateways which restrict the traffic that can flow in and
out. This could be as detailed as the prevention of incoming transmissions from undesirable sites and
will include antivirus software and intrusion detection software (which detects malicious behaviour
such as the presence of “worms”) and alerts the company to it. Firewalls should be tested regularly; use
the “most up to date” software, and warnings, etc., must be logged and followed up.

• Libraries
In a computer environment, libraries may be both in electronic form (on the system) and/ or in physical
form. Either way, access to the information in the library must be protected. This is done in the
conventional way, for example, library software will protect backup copies of programs from
unauthorised changes being made, record (log) any authorised access, audit changes and monitor users.
8/20 Auditing Notes for South African Students

A physical library, which may contain documentation relating to the system and data stored on discs,
tapes or other mobile storage devices, should be:
– physically access controlled
– the information on the storage device could also be password protected
– issue (of items) from the library should be authorised and recorded, and
– externally labelled.

• Utility programs/database access


Access to utility programs and high-level access directly to the database provides the potential to
change/delete data and programs without leaving an audit trail (normally changes/deletions are made
through application programs, which confirm that such activities are subject to all the normal access
controls, including automatic logging).
For example, a debtor’s balance may be altered (reduced) without trace using this type of programme,
whereas a debtor’s balance should normally only be reduced by a payment being processed or an
authorised credit note being passed using the application software.

8.2.3.8 Supplementary access controls


• “Time-out” facilities that automatically log the user out of the system if a period of more than (say)
three minutes expires during which there has been no activity.
• Automatic logging, review and follow up of access and access violations.
• Encryption of confidential and critical information.
• Sensitive functions and facilities can be afforded extra protection by requiring two or more passwords in
order to gain access.
• Additional once-off passwords can be given to supplement an existing user ID and password to protect
sensitive transactions, such as a transfer out of a bank account.
For example, when a user wants to make the transfer, the system automatically generates a unique
password and sends it to the user’s cellphone for that user to enter. The assumption is that somebody
trying to use another person’s user ID and password (which they have obtained by devious means) will
not have the genuine user’s physical cellphone and therefore will not receive the necessary once-off
password. The genuine user will also be alerted to the fact that someone is trying to transfer money out
of his/her account.

8.2.3.9 Risk implications


• Risk of unauthorised access to sensitive data that may be used to commit identify theft, fraud and theft
of data. This could also cause harm to an organisation’s reputation and credibility.
• Unauthorised changes to data, software programs and configurations can be made, and no audit trail,
that is, who made the changes and what the changes were, will exist.
• Loss of productivity due to abuse of hardware resources such as network congestion which causes slow
response times for IT critical applications.
• Unauthorised access to system critical hardware can allow configuration changes to be made which
could result in hardware performance issues.
• Malicious damage to hardware can occur if no physical access management is in place and is very
costly to replace or repair.

8.2.4 Change management controls (also referred to as program maintenance)


8.2.4.1 Introduction
When a new system is developed and subjected to vigorous systems development controls, the result is
usually a well-designed, effective application that produces reliable information in a format which satisfies
the user. However, this is just a starting point. There is virtually always an on-going need to modify appli-
cations to meet changes in user requirements and improve ways of presenting information. These modifica-
tions require changes to the application program and, if such changes are not carefully controlled and
Chapter 8: Computer audit: The basics 8/21

unauthorised, modifications could be made negating the effect of the strong controls that were imple-
mented when developing the system. Program changes of an ongoing nature are usually referred to as
program maintenance.
For example, large financial cloud applications continuously release updates for customers to
implement. This is part of their value-added service offering. These updates need to be reviewed and their
impact assessed by the customer, and prioritised according to their requirements to release. These changes
then need to be tested and implemented on an ad hoc basis by the customer. These changes do not
“classify’” as large strategic changes and are deemed “program maintenance” changes.
Other examples include a change to a reference data table, changes to a user profile, changes to a report,
implementation of an exception report, changes to the ledger, etc.

8.2.4.2 Terminology
Change requests: When a change to an application is required, a change request document should be drafted
as part of the change management process. This document will contain the detail of the required change to
the application. These should be allocated in sequential numbers for ease of an audit trail.
Change management: Change management is the process of implementing a strategy, policy and processes
for managing application changes within the organisation.

8.2.4.3 Audit and control procedures


The auditor should test the design adequacy and operating effectiveness of the change management within
the organisation. The controls which should be in place are the following:
• Program change standards similar to those for systems development must be adhered to.
• Requests for program changes should be documented on prenumbered, preprinted change control forms
and listed in a register. All changes should be logged through a change request application that manages
the changes by tracking status and closing them when complete. All changes should have a unique
number and numbers should be allocated sequentially via the application for audit trail purposes.
• Program change requests should be evaluated and approved by:
– the user department (application changes)
– the IT manager (CIO) (application and systems changes) and
– the steering committee for more major changes.
• Program changes should be affected by programmers – not operators or users. In some systems program
changes can be made by a user from his workstation. This system would have to be carefully controlled,
primarily by written approvals, access controls, logging by the computer and review thereof.
• Any major change should be managed as a mini project (see systems development).
• Changes should be made to a development program (test environment), not the production program
(i.e. to a copy of the live programme).
• Changes should be tested by the programmer and an independent (senior) programmer using standard
debugging techniques.
• Program changes should be tested by business users to perform user acceptance tests and sign off.
• Program changes should be discussed with users and internal audit, and they should sign the change
control form if they approve.
• All documentation affected by the change should be updated and the entire change exercise itself should
also be documented.
• The amended program should be copied to the live environment by an independent technical adminis-
trator, and all program changes should automatically be logged by the computer.
• The IT manager should review the log of program changes and reconcile it to the program change
forms and register.
There should be segregation of duties amongst the IT staff that develops and the IT staff that implements
the changes. Development staff should be prevented from accessing production data and software.

8.2.4.4 Risk implications


• Changes in system applications need to be documented and versioned in order to avoid the risk of not
being able to rollback a system change in an event of a system error.
8/22 Auditing Notes for South African Students

• Unauthorised changes can be made to system applications if no adequate change management exists.
• If no change management exists, there will be no version control to highlight when, what and by whom
the system changes were made.
• Stakeholders need to initiate a system change by documenting the requirements of the change and they
must have the ability to sign off a system change as well. Without a change management process, the
risk exists that stakeholders constantly change the requirements.

8.2.5 Continuity of operations


8.2.5.1 Introduction
These controls are aimed at protecting computer facilities from natural disasters (e.g. flooding or fire), as
well as from acts of destruction, attack or abuse by unauthorised people. Poor controls result in “down
time” and disruption to normal processing. Although South Africa has reasonably stable weather condi-
tions, floods and fires and other natural disasters do still occur. Our high crime rate and general unrest
place businesses at risk of armed robbery and damage from explosion.

8.2.5.2 Terminology
• Backups: This is the process of keeping a copy of your master data and/or physical files in a secondary
location in case of a disaster. You need to recover your applications from these backups.
• Disaster recovery: Disaster recovery refers to the steps that will initiate normal business operations in
an event such as a fire that caused normal business operations to be disrupted.
• Business continuity: It is the capability of an organisation to continue operating the most essential
functions during and after a disaster.
• Environmental controls: Environmental controls refer to controls over air-conditioning systems, smoke
and gas leak detectors. Smoke and gas leak detectors should be tested regularly as they could be harmful
to humans if they do not function correctly. The hardware and equipment that store the entire
organisation’s data may get damaged if these controls do not function optimally.
• Uninterrupted power supply: It is a device that provides temporary secondary power when the primary
power source fails, also referred to as a UPS.
• Social media: Social media allows the sharing of information and ideas on the Internet and can help
your organisation to build your brand but needs to be managed effectively.
• Business resilience: It is the ability to react to disruptions while continuing business operations and
protecting your assets and overall brand equity.

8.2.5.3 Audit and control procedures


Risk assessment performed by the organisation
As part of the entity level controls procedures, the auditor should consider controls over computer oper-
ations and the risk that it may pose to the organisation if not managed. Although the company’s risk
assessment procedures are regarded as a separate component of internal control and will be evaluated by
the auditor as a component, a general control evaluation should consider the company’s risk assessment
procedures to the extent that they relate to IT risk (which, as previously stated, is regarded by King IV as a
major risk facing companies). The dependence by large companies on their IT systems is huge and failure
to assess and address IT risk threatens the continuity of operations. The auditor will evaluate whether:
• assessing IT risk is an integral part of the company’s risk assessment procedures
• there is an appropriate level of experience and knowledge about IT risk on the risk assessment committee
• the risk committee meets regularly but is available to deal with the threat of unexpected IT risk on an
ongoing basis
• the risk assessment committee recognises and assesses all types of threat relating to IT which could dis-
rupt operations including, for example:
– fraud and theft perpetrated through the IT system
– physical and infrastructure damage
– hacking and viruses, and
– non-compliance with IT laws, rules, standards and best practice
Chapter 8: Computer audit: The basics 8/23

• accepted risk assessment protocols (ways of doing things) are followed


• assessments are documented and reported to the board, and
• responses to risks are recorded, implemented and monitored.

Environmental controls
These controls are designed to protect facilities against natural and environmental hazards and attack or
abuse by unauthorised people. The auditor should test the design adequacy and operating effectiveness of
the environmental controls. The following pertain more specifically to the data centre:

Disaster recovery
The auditor needs to assess disaster recovery procedures as part of the organisation’s business resilience
procedures as a complete plan. The most dangerous risks to any business are the ones that are not foreseen.
Preparing for something that is not yet tangible takes a progressive and imaginative management style.
The history of modern business is one filled with highly successful companies without a Plan B. The
attrition rate of blue chips so far this century is staggering.
It therefore makes complete sense that planning for the tough times, whatever they may be, is a real source
of organisational strength and shareholder value, inclusive of:

These are controls implemented to minimise disruption due to some disaster that prevents processing
and/or destroys/corrupts programs and data. The auditor should test the design adequacy and operating
effectiveness of the disaster recovery plan. Consider the following:
• Consider the existence of the following:
– a disaster recovery plan, in other words, a written document that lists the procedures that should be
carried out by each employee in the event of a disaster
– the plan should be widely available so that there is no frantic searching if a disaster occurs –time is
usually precious
– the plan should address priorities, that is, the order in which files or programs should be recon-
structed, with the most important being allocated the highest priority, as well as where backup data,
programs, hardware, etc., may be obtained
– the plan should be tested at least annually
– it should be reviewed by management on a frequent basis
– management should consider simulation sessions to test different scenarios to update the disaster
recovery procedures to make them relevant, and
– the plan should detail alternative processing arrangements which have been agreed upon in the event
of a disaster, for example, using a bureau.

Backup strategies
It is imperative that an organisation performs backups of its systems. Organisations need to consider the
following when creating backup strategies:

Identify and
Determine what Determine how
implement a Test and
often data has
data has to be suitable backup monitor the
to be backed
back up. and recovery backup system.
up.
solution.
8/24 Auditing Notes for South African Students

Organisations often follow the 3-2-1 backup approach:


• At least THREE copies of your data
• Backed-up data on TWO different storage types
• At least ONE copy of the data offsite.
The auditor should test the design adequacy and operating effectiveness of the backup strategy of the
organisation. Consider the following:
• backups are copies of all or parts of files, databases, programs taken to assist in reconstructing systems
or information, should they be lost or damaged
• policies and procedures for the backup strategy
• whether the policy agrees to the application settings
• at least three generations of backups should be maintained (grandfather, father, son), understand the
retention of backups and test accordingly
• backup of all significant accounting and operational data and program files should be carried out fre-
quently and regularly, and determine the frequency of the backup procedures
• the most recently backed up information should be stored off-site
• backups are to commence automatically or manually
• independent verification that the backup completed successfully, and that exceptions are resolved, for
instance the backup may have been disrupted by a break in power supply
• review of the backup logs to confirm successful completion
• all backups should be maintained in fireproof safes and onsite backups should be stored away from the
computer facilities
• backup tapes should be clearly marked
• critical data and programs can be copied to a “mirror site” in real time so that it is possible to switch
processing to the mirror site in the event of a disaster, for example, a large refinery in KZN duplicates
its processing on a second computer installation housed in a separate, very secure (bomb-proof as well)
site on the premises. This is expensive, but the computer system is an integral part of both operations
and record keeping, and a refinery is a potential target for terrorist attack. The economy would suffer if
the refinery could not operate because its computer systems were non-functional0000
• copies of all user and operations documentation should be kept securely off-site, determine the frequency
of backups taken to the off-site facility and test accordingly.
It is important to test whether the backups were tested and restored successfully during the financial period
and whether there have been instances of data loss during the financial period.

Other measures
There are several other control measures that can be taken which will assist in preventing or alleviating
disaster:
• applying the concept of redundancy (simplistically this means having a “spare” as a backup), for
example, the use of dual power supplies, or as explained above, mirroring
• regular maintenance and servicing of equipment to prevent failure
• adequate insurance cover to provide funds to replace equipment
• avoidance of undue reliance on key personnel by maintaining complete and appropriate documentation
and by training of understudy staff, for example, the disaster recovery plan should not revolve around
one staff member
• arrangements for support to be provided by suppliers of equipment and software, who may even
provide alternate processing facilities
• the use of firewalls and antivirus software.

8.2.5.4 Risk implications


• There can be severe financial losses when no adequate business continuity plan is in place because
recovering from a disaster/system failure can take some time and the business functions must resume as
soon as possible.
Chapter 8: Computer audit: The basics 8/25

• Risk that when a disaster causes a system failure or a security breach, and the organisations do not
respond, customers will perceive the company as not trustworthy, which could cause serious reputa-
tional damage.
• If the organisation can’t provide adequate and quick responses to customers, they may seek other
alternatives; therefore there is a risk of losing business.
• A company could lose data in the event of a system failure and it could be very costly to recover this
data, if at all possible.
• Clients won’t know how to respond to either being asked for the content originally generated or being
told that pending content will have to wait while the organisation starts from scratch. Suddenly, the
organisation that worked so hard to keep its reputation will not look so professional, and clients may
begin looking elsewhere for more reliable services.
• Losing critical data can be a violation of federal and state regulations. This will be subject to re-com-
pliance costs and additional fines for the violation. The government also has a justifiable cause to
investigate an organisation for any foul play, causing loss of valuable time and further damage and
brand reputation
• Lack of adequate backups can also lead to compliance breaches with the governing authorities as data
needs to be kept for defined periods and needs to be provided when requested. A risk exists that the
authorities can also impose fines for these regulatory and compliance breaches.
• Lack of environmental controls in the server rooms may lead to damage and loss of data and equip-
ment.
• Lack of environmental controls in the server rooms may lead to injuries or even in severe cases loss of
life.

8.2.5.5 Social media


(a) Introduction
Social media can be both an asset and a liability. What is beyond doubt is that it needs careful, continual
management. Negative content has affected many businesses to date. Although negative reviews may be
distasteful and unwanted, if it receives enough media attention, it may pose the biggest reputational risk a
business will ever face. Shareholders are progressively placing pressure on senior management to govern
social media. Essentially organisations should not just manage all social media platforms that govern their
public opinions, but also manage and monitor all opinions on social media platforms relating to their
organisation.
Social media is imperative to many organisations’ operations, not just from a marketing and branding
perspective but may also act as an early warning system when a crisis occurs. Social media is a force to
reckon with and has proven in many instances to significantly affect organisations and, in severe cases,
social media has affected the going concern of such organisations. “Any publicity is good publicity” is not
applicable considering the world today, and unfavourable feedback needs to be managed. Social media
exposes organisations to more risk than ever imagined. Although some companies choose not to engage on
social media platforms, the majority of their customers have social media and will engage.
Organisations should monitor social media activity relating to their brand and report to management
frequently. Monitoring should relate to text and pixels on all public platforms, not just to monitor which
platform is used and where the most activity is gained but more specifically if any adverse opinions have
been expressed. A common error made by organisations is to only monitor social media platforms that they
subscribe to, but in reality all social platforms should be monitored as dissatisfied customers, for example,
will choose the platform that they subscribe to, to voice their concerns.
For example, in an interesting turn of events, Facebook itself faced a social media incident during July
2018 when it became public knowledge that users’ personal information was not as secure as initially
portrayed by the social media giant. Shares dropped by 20% and Mark Zuckerberg, CEO of Facebook, lost
$660 million, a very classic example of the financial impact social media may have on a business, especially
when trust is lost. Zuckerberg only responded on the third day after the crisis became public knowledge,
forced by his shareholders, with a less than sincere apology.
Taking the above into consideration, it is deemed good practice for an organisation to establish a social
media management process and curation team that will manage and monitor all social media activities
inclusive of adverse comments posted by the public about the organisation. Ideally the organisation should
8/26 Auditing Notes for South African Students

incorporate the social media response management process in the business resilience strategy and plan.
This will provide the organisation with the opportunity to respond appropriately as and when it happens. It
is advisable to proactively manage and report on social media to key stakeholders. It may also be beneficial
to include a summary of the social media management position within the financial statements to provide
an opinion on the social media readiness of the business.
(b) Audit and control procedures
The effect of a casual social media approach can permanently damage, even sink, a brand or a business.
The social media audit approach should include establishing:
• governance processes
• risk management procedures
• response management strategies to various level alerts, and
• management of responses to adverse communication.
The auditor should test the design adequacy and operating effectiveness of the social media strategy of the
organisation. The objective of the social media audit is to provide management with an independent assess-
ment relating to the effectiveness of controls over the organisation’s social media policies and processes.
The audit should incorporate governance, policies, procedures, training and awareness related to social
media. Consider including the following:
• As part of the entity level controls review, determine whether a social media policy, social media
strategy and social media business response management process is in place.
• Review the policies, strategy and processes and determine whether they are frequently reviewed.
• Assess whether the social media business response management process has been incorporated in the
business resilience plan.
• Determine whether all users have been on social media training.
• Ascertain monitoring processes and how social media activities are reported.
• Exception reports relating to social media are reviewed by senior management and remediated.
• Determine whether logical access management controls have been applied throughout the organisa-
tion’s social media platforms, especially when users that have access, resign or change roles.
• Change management controls have been applied throughout the organisation’s social media platforms.
• Defined governance procedures exist for social media.
• Consider compliance and legislation relating to social media and whether policies have included these
aspects.
• Have responsibilities been defined for the social media process, for example, who posts the social media
comments on behalf of the organisation and who authorises the content?
• Assess whether the organisational risk assessment incorporates social media and the impact thereof.
• Assess impact risks identified during the organisation’s risk assessment process and determine whether
the risk ranking is applicable.
• Validate observations with key stakeholders.
• Inspect minutes of board meetings to determine whether social media and social media crises are delib-
erated at that level.
• Assess whether the social media policy incorporates privacy policies and regulation.
The auditor may be required to assess the social media “crisis management” response process.
It is good practice for an organisation to establish a social media management process in the event of a
social media crisis. The organisation should ideally establish a social media curation team that will manage
and monitor all social media activities inclusive of adverse comments posted by the public about the
organisation.
Ideally the organisation should incorporate the social media response management process in the
business resilience strategy and plan. Consider the following good practices in the attempt to prepare for
the social media response process and detect potential social media crises:
• Consider the following detective controls:
– Regular name searches containing the name of the organisation on all social media platforms in
order to report any posts relevant to the organisation.
Chapter 8: Computer audit: The basics 8/27

– Regular company logo searches on all social media platforms where the organisation’s logo is used
via advanced search options of search engines.
• Consider the following preventative controls:
– Set up a social media policy document for company staff highlighting the rules when engaging on
social media.
– Ascertain which social media platform is most frequently used and if there are users that comment
more frequently than others.
– Set up a social media response team to respond to social media statements pertaining to the organisa-
tion.
– Set up response sessions with the social media response team to advise management in preparation of
a real scenario requiring a response in order to familiarise them on how to respond.
– Do a trend analysis to determine the most common social media scenarios that exist in the market.
– Set up simulations to test responses using a sample public population.
• Define what constitutes as a social media crisis and consider the tier level of the incident using the
following metrics:
– A social media crisis has information asymmetry.
– It has a decisive change from the norm.
– It escalates within hours on multiple social media platforms.
– A social media crisis has a potentially material impact on the company overall considering scope and
scale.
• Determine whether any social media events occurred during the year within the organisation that may
affect the organisation. Ascertain whether the organisation performed a post-mortem on the events with
the following audit procedures to consider:
– Where did the crisis originate, when did it occur and how did it spread?
– How did the organisation find out about the crisis?
– Was there an internal alarm system or did the crisis alert derive from an external source, for example,
a news publication?
– Did the organisation suffer any financial losses due to the social media crisis?

(c) Risk implications


Social media exposes organisations to more risk than ever imagined. Although some companies choose not
to engage on social media platforms, the majority of their customers have social media and will engage.
Some of the key risks that need to be taken into consideration:
• Brand and reputation damage that may cause a going concern issue within the organisation in the
medium to long term.
• Uncertain behavior from end-users on social media that post adverse comments damaging the brand of
the organisation.
• Risk of disclosure of confidential information on social media platforms.
• Risk of business impersonation and social engineering as many organisations’ social media platforms
have been hacked.
• If not managed, a fragmented view of the social media landscape may exist, which may result in a lack
of governance and reporting on social media activities.

8.2.6 Systems development and implementation controls


8.2.6.1 Introduction
Systems change because the business world changes, and the need for quicker, different, enhanced, better
quality information and more information increases. Business-related systems are said to have a “life
cycle”; they start, develop, mature and decline. Changes in the company’s information system may arise
because of changes in the company’s business activities, growth, a need to maintain a competitive
advantage or just to improve its all-round performance by having better information.
8/28 Auditing Notes for South African Students

Systems development has to do with significant changes relating to computerised systems. This often
means that most of the following aspects of the system will be new or significantly changed: hardware,
software, communication devices, personnel procedures, documentation, and/or control procedures.
For example:
• A company that has grown considerably and wants to computerise a previously manual payroll system.
• A company that wants to start selling its merchandise over the Internet to remain competitive.
• A company that has been running off an old legacy application and now plans to move to the cloud.
In each case it would probably require new hardware, operating systems, application programs and
procedures to be designed and implemented to achieve these objectives.
It is imperative to have both pre-and post-implementations performed independently when implementing
a new application or making changes to a current application. Also known as program assurance reviews,
these include the management of risks, including the focus on adequate and timeous remediation of risks,
benefits realisation and program management processes. These will include evidence of collaboration
between business and IT, results of user acceptance testing, training and the GO/NO-GO decision proving
the participation of all stakeholders during the process. Changes affect the entire business. Consider the
following:
• legislative compliance
• the impact on business continuity
• the complete decommissioning of the retiring application, and
• the measurement of the benefits that were committed to post the implementation of the project.
8.2.6.2 Terminology
• Aproject is an individual or collaborative initiative that is carefully planned to achieve a particular result.
• Project management – the entire exercise should be run as a project by a team appointed by the steering
committee.
• Project approval – a feasibility study must still be conducted to determine:
– user needs
– specifications (capabilities, functions, controls, ease of use) of packages available in the market
– costs and benefits (costs will include costs of the package itself, running it, appointing and training
staff, purchasing additional hardware, etc.), and
– technical support and reliability of the supplier.
• Approval for the package chosen should be obtained from users, internal audit and the steering com-
mittee, and authorisation for its purchase should be obtained from the CIO and the board.
• Training – all affected IT personnel and users should be trained in the use of the new software.
• Conversion – moving data onto the new system should be controlled as explained under in-house
development.
• Post-implementation review – again IT personnel, users, and internal audit should review the new soft-
ware several months after implementation to determine whether it is operating as intended.
• Documentation – the systems documentation, user manuals, etc., will come from the supplier but the
planning and execution of the project itself should be documented.
• Project team– responsible for the delivery of the program with a combination of IT and business people
ranging from solution architects, business users and testers.
• The project sponsor is the person ultimately responsible for the project or program from a budget and
delivery perspective.
8.2.6.3 Audit and control procedures
The auditor ascertains whether the organisation implemented an off-the-shelf application or completed in-
house development and should test the design adequacy and operating effectiveness of the system
development of an organisation. He/she should consider the overall strategic objectives for the system
development, implementation and the alignment program to confirm that the objectives were met. In addi-
tion, he/she should assess the compliance with project management processes against program delivery,
phases and activities, methods, templates, standards, and roles and responsibilities.
Chapter 8: Computer audit: The basics 8/29

Consider the following life-cycle:


For in-house development and implementation of systems

Standards
• All systems development should be carried out in accordance with predefined standards that have been
set for each of the phases described below, for example, components of the ISO 9000 series of
standards.
• Compliance with these standards should be strictly monitored and any deviations thoroughly followed
up by management.

Project approval
• Projects for systems development may arise out of user requests or as a result of strategic planning.
• A feasibility study should be carried out, culminating in either:
– a system specification for an in-house development proposal
– a proposal that involves the purchase of off-the-shelf software (packaged software), or
– rejection of the project with the decision to continue operations as is or to reconsider the strategic
approach.
The feasibility study should include a cost versus benefit analysis which lists and puts a money value to:
– all requirements for the project, such as personnel, hardware, software and running costs, and
– all benefits arising, for example, increased revenue, reduced costs, improved controls.
• The steering committee should give its approval prior to commencement of the project.

Project management
• A project team should be formed by the steering committee to manage the project and should include
IT and appropriate user personnel, including accounting and internal audit personnel.
• The development project should be planned in stages, each stage detailing the specific tasks to be com-
pleted.
• Responsibility for each specific task must be allocated to appropriate staff members.
• Deadlines should be set for completion of each stage and each specific task.
• Progress should be monitored at regular intervals to identify any problems that may affect achievement
of goals set – critical path analysis may be useful here.
• A project risk register should be maintained throughout the process to manage and report risks as they
arise.
• Regular progress reports should be submitted to the steering committee.
8/30 Auditing Notes for South African Students

User requirements
• Business analysts should carefully determine and document all user requirements relating to the system,
for example, input, procedures, calculations, output, reports, financial reporting requirements and audit
trails.
• Special care should be taken to consult both internal and external auditors as to their requirements and
their recommendations concerning internal controls, for example, access controls and validation checks.
• Management of each user department should sign their approval of the specifications recorded to satisfy
the needs of their individual departments.

Systems specifications and programming


• Program specifications should be clearly documented.
• Programming should take place in accordance with standard programming conventions and
procedures, for example, for coding, flow charting, program routines and job control routines.
• Programmers should carry out all program development in a development environment and should
have no access to the live environment.

Testing
• Program coding of individual programs should be tested by the programmers using standard debugging
procedures like program code checking and running the program with test data (program tests and string
tests).
• The system should also be tested to confirm that all programs are integrating properly – this would
normally be done by business analysts in a test environment (systems tests).
• The system should also be tested on an output level by management, users and auditors to establish
whether the system is satisfying the requirements of its users (user acceptance tests).

Final approval
• Results of the above testing should be reviewed by all involved to confirm that necessary changes have
been made and errors corrected.
• The project team should then obtain final approval from the board, users, internal audit and IT
personnel before going ahead with conversion procedures.
Training
A formal program should be devised setting out in detail all personnel to be trained, dates and times for
their training and allocating responsibility for training to specific, capable staff.
• User procedure manuals are updated, and clearly defined job descriptions should be compiled during
the training.
Conversion
Controls are necessary at this stage to confirm that programs and information taken onto the new system
are complete, accurate and valid:
Conversion project: the conversion should be considered as a project in its own right, applying the
principles explained in project management above.
Data clean-up: data to be converted must be thoroughly reviewed and discrepancies resolved prior
to conversion. For example, if a new inventory application is being introduced,
physical inventory should be counted so that correct quantities can be entered onto
the system.
Conversion method: the conversion method must be selected:
• parallel processing of the old and new systems for a limited period, or
• immediate shut-down of the old system on implementation of the new system,
or
• conversion of the entire system at one time, or
• phasing in of different aspects over a set period.
Chapter 8: Computer audit: The basics 8/31

Preparation and entry: controls over preparation and entry of data onto the new system should include the
use of a data control group to:
• perform file comparisons between old and new files and resolve discrepancies
• reconcile from original to new files using record counts and control totals, for
example, if there were 300 employees on the old payroll, there must be
300 employees on the new payroll
• follow up exception reports of any problems identified through use of program-
med checks, for example, no employee identity number
• obtain user approval for data converted in respect of each user department
• obtain direct confirmation from customers or suppliers of balances reflected on
the new system.
Post-implementation review
Users, IT personnel and auditors should review the system several months after implementation to
determine whether:
• the system is operating as intended (all bugs resolved)
• all risks noted during the development and implementation period have suitably been resolved
• the systems development exercise was effective (for future reference), and
• all aspects of the new system are adequately documented in accordance with predetermined standards
of documentation.
Documentation
• The project itself and all the activities which took place in the planning and execution of the project
should be documented.
• Documentation relating to the system itself must also be prepared, for example, systems analysis, flow-
charts, programming specifications, etc.
• Documentation should be backed up on an ongoing basis and stored off-site.

8.2.6.4 Systems development and implementation based on packaged software


When a company decides that it needs a new system, one of the options it has is to purchase packaged
software as opposed to developing the software itself (in-house). This is not just a matter of purchasing a
package, installing it and away you go – the majority of the system’s development and implementation
controls covered above will apply. The major difference between in-house developed and packaged
software is that for purchased packages, the company will have no control over the specifications and
development, for example, writing the programs, or testing of the software. Purchased packages are
designed to meet the generic requirements for lots of users with similar needs and although current
packages contain hundreds of features and capabilities, the user basically gets what the package offers,
nothing more and nothing less. This means that from the company’s perspective, the emphasis will be
deciding whether the package offers features and capabilities that match with what the company’s users
want.
Of course, there are packages available which are of a lower quality, short on control features and not
particularly reliable, which give rise to plenty of disadvantages, but the project team should endeavour to
avoid these packages.
8/32 Auditing Notes for South African Students

The advantages of packaged software The disadvantages of packaged software


• It has a lower cost. • There are not too many disadvantages. This is
• The entire software development project is com- mainly because the software development indus-
pleted far quicker because development and testing try is highly competitive, which has resulted in an
have been done on the software by the developers explosion of packages on the market covering
of the package. virtually every industry. The packages are of high
• The package can be demonstrated up front, so IT quality, fully debugged and very reliable,
personnel and users can see what the package “can however, the package may not meet the com-
do”. Sample reports can be examined and the pany’s requirements exactly.
computer capabilities required by the software can • Excellent software developed overseas may, for
be determined and tested. example, not satisfy South African tax or
• Technical support (by phone or over the Internet) financial reporting requirements (many of these
is usually available from individuals who are very packages do offer SA versions).
skilled and knowledgeable about the specific • Changes can’t be made by a purchaser of the soft-
package, and comprehensive manuals are supplied. ware.
• Software companies usually upgrade the packages
on an ongoing basis.

8.2.6.5 Risk implications


Unless the entire exercise of designing the system is carefully controlled, the following might occur:
• costs of development may get out of control
• the system design may not suit user requirements properly (e.g. important information which is required
is not available or is hard for the user to find)
• programs within the system may contain errors and bugs
• important financial reporting requirements are not incorporated into the system or are incorrectly
understood by the business analyst/programmer
• poor functional and technical requirements
• the new system may not incorporate enough controls to confirm the integrity of its programs and data,
for example, the design of access privileges may give employees write access to files they should not
have any access to
• inappropriate vendor and/or package selection or decision to build
• the new application may not interface completely and accurately with the existing applications
• new developments may cause the retiring of older applications and the incorrect decommissioning of
applications may result in additional risk exposure for an organisation. A few examples are the
safekeeping of decommissioned application data for tax and financial reference purposes, the cost of the
keeping the data and managing the access to the data
• an excellently designed system may be rendered virtually useless because no one knows how to use it
• inadequate skills and resources
• insufficient documentation to enable successful post-go-live operations, procedures and maintenance
• failure to evaluate and record lessons learnt for future use
• absence of service level agreements and operational level agreements, and
• the information transferred from the old system to the new may be erroneous, invalid or incomplete.
If proper system development and implementation controls are put in place, the risks mentioned above can
be avoided.

8.2.7 Retiring applications


8.2.7.1 Introduction
Throughout an organisations’ existence there will be many changes from fundamental operating model
changes, application updates to infrastructure refreshes. Older organisations find themselves in a particularly
challenging situation as many are supported by an older IT generation and legacy applications that are not
only expensive to maintain but will not have the capability to keep abreast of innovative trends due to
limitations.
Chapter 8: Computer audit: The basics 8/33

Strategically organisations will continuously assess and prioritise applications to retain, replace and retire
(also referred to as decommission) applications.
There are a number of other reasons why organisations will retire applications. Organisations may
decide for strategic reasons to assess and prioritise applications, and therefore retire others.
For example,
• Retiring an old reconciliation application which has become obsolete, as a new financial application
which has been implemented is faster and more efficient for reconciliations
• Retiring an old legacy financial application as the organisation has successfully migrated to the cloud
version of the application which is offered by the same vendor
• A new asset management application has been developed in-house and all info has been migrated and
historic data archived, therefore the application can be retired
Organisations are encouraged to establish a migration path and application retirement plan as part of the
general policies and procedures. Therefore, when an organisation does decide to renew the IT landscape
and invest in new technologies, it requires an effective strategy that will not expose the business to potential
financial losses or reputational risk. Retiring applications need a rigorous process and structure if the
applications are currently in use and support the day-to-day business activities. Applications that are
integrated and form part of an integrated business system will require more planning and will be more
difficult to retire due to the process mapping change that will have to be completed to confirm complete
and accurate data flow with minimal interruptions.

8.2.7.2 Terminology
Retiring/decommissioning of applications is the practice of shutting down redundant or obsolete business
applications while retaining access to the historical data.
Stage gates are when retirement projects are divided into distinct stages or phases, separated by decision
points. At each gate, continuation is decided by management, a steering committee, or the governance
board. The decision is made on progress, risk analysis and any other factors that may impact the successful
retirement of the application.
Retirement of application benefits results in quantitative and qualitative benefits when retiring
applications.
The retirement of applications often results in the following quantitative benefits especially if the
applications have been deemed obsolete:
• cost savings through software licences
• cost savings through maintenance costs, and
• cost savings through increased resource efficiencies.
There will, however, be costs associated with the retiring of assets as historic information will be required
to be safeguarded and stored in a cloud or alternative solution.
Qualitative retirement benefits include the following:
• revamp of the architecture plan to a cloud solution
• rationalise and renew the landscape
• regulatory requirements and compliance to regulation
• integrated business software solution
• organisational structure changes and mergers may require consistency with regard to applications being
used
• growth within the business and the current application/s may not cater for sophistication required
• reduction in power consumption
• old legacy applications may have to be switched off as they are not supported and new enterprise appli-
cation solutions are required to transform the business
• simplification of applications to streamline financial applications and reporting
• old legacy applications increase the risk of control deficiencies, and
• virtual storage, because legacy applications frequently take up loads of space due to the nature and age
of the applications and decades of information they may host.
8/34 Auditing Notes for South African Students

8.2.7.3 Audit and control procedures


The auditor should consider the following:
Planning phase Retiring of application plan Migration plan Execution phase Conclusion phase
• When an application comes to • Identify custodian and project • Cut-off date • As the auditor, you need to test • Review stakeholder sign-off as
the end of its working life, it is manager • Project manager the data migration as per the evidence that the
important to establish and • Expected decommissioning date • Information of legacy and following outline: decommissioning was
adhere to a data transfer that • Identify stakeholders target applications • If the data is not available or completed.
confirms completeness and was not transferred
• Consider involvement of auditors • Requirements traceability
accuracy. successfully to the storage /
• Legislative requirements • What needs to be migrated and
• The auditor needs to confirm archiving solution, the
• Complete assessment of all the who is responsible
that the following has been following should be considered
prevented: processes that are being retired to • Impact on existing interfaces
as it may have an impact on the
confirm that all the processes are • Testing plan financials or hold reputational
* data leakage terminated or replicated, including
* duplication during transfer. • Training risk:
the discovery of unknown data • Migration schedules
• It is deemed good practice to * Consider the maximum
relationships
involve the auditor during the • Resources required – financial impact imposed by
• Complete assessment of all the data hardware, software, people regulatory bodies if financial
retirement of applications and that will either be archived or
to have the auditor review the • Communication data is not available.
migrated
various phases/stage gates as • Issues log to track problems * Consider the reputational
• Data retention requirements risk associated to the
progress is made to confirm during the process and to
successful delivery. During the • Existing interfaces confirm timely remediation unavailability of historical
planning phase the auditor will • Software to archive • Data migration: financial information.
need to perform the following • Hardware disposal * strategy - covered as part of • Refer to program assurance
procedures: • Operational process changes, for target application project when migrating information to
• Assess whether the retiring example job schedules, backups, plans or not a new application.
application and migration plan firewall rules, service accounts, con-
* data preparation, mapping
is complete, and all the tinuity, licences, service level extraction, transfer and
relevant components have been agreements, internal billing. loading
considered: • Testing plan * data quality
• Training of resources * migration controls and
• Schedules and activities reconciliations
• Communication * sign-off
• Backups are up to date prior to • Process migration:
decommissioning and roll-back * strategy
procedures are current
* re-mapping
• Risks documented on a risk register
* update documentation
and mitigation plan
* implementation
• Resources required to execute
* sign-off.
• Resources available post
decommissioning
• Application encompasses processes,
logic, workflow, data that needs to be
migrated.

Risk implications
Decommissioning of applications and databases inherently exposes an organisation to many risks. The
primary risks for an auditor are the migration of data and the cut-off thereof. There are, however, other
risks to consider that are indicative of the company’s policies, procedures and governance when decom-
missioning that will need to be considered when auditing. The following risks may exist when
decommissioning:
• data losses/duplication of data could occur during migration to another application or archiving facility
• incorrect timing of decommissioning
• duplication of data while running parallel with replacement application
• unauthorised access to retired applications
• historical data is not available for regulatory, statutory and auditing purposes
• no governance relating to the retirement of application process
• the retiring of application process impacts on day-to-day business and causes major interruptions
• lack of effective communication and transparency to external stakeholders, and
• decommissioned assets and e-waste are not disposed of in a safe manner in accordance to the Privacy
Act and may cause reputational risk.

8.2.8 Interface management


Multiple applications that are designed to consolidate financial data may exist in an environment. In more
complex environments, where multiple applications operate together, the testing of data flow is crucial.
This type of environment is, as you are aware, all around us. In the workplace computers within depart-
ments and between departments are linked, companies around the country link their various offices and the
world has linked itself through the omnipresent Internet.
Interfaces form a crucial part of the financial-IT landscape. Considering the global trends, these
interfaces will only become more complicated and advanced in the future. It is imperative that you identify
Chapter 8: Computer audit: The basics 8/35

and test all interfaces where data is moved from application to application to verify complete and accurate
transfers. As the auditor, you need to satisfy yourself that controls exist to identify any data loss or
duplication that may occur during application interfaces. If controls do not remediate the risk or exposure
identified, control failure (manual or automated) needs to be reported to management.
Interface examples:
• Online banking user interface, gives customers the platform to link to bank servers and conduct
transactions over the Internet.
• An organisations’ mobile application interfaces with the financial application to enable online sales.
• Sub-ledgers and general ledger interfacing.
These applications all direct financial information, and ultimately the data is consolidated to draft the
financial statements. All interfaces referred to below include mobile applications interfacing with the
organisation. Therefore, it is important to assess the controls that manage the completeness and accuracy of
data interfaces to detect financial data leakage and/or duplication, termed interface management.
Effective testing can prevent:

The transfer of data between applications is termed interfacing. Data will be sent (mostly an automated
process) from one application to another application, requesting information, sending the information and
then updating the information.

8.2.8.1 Terminology
• Interface management: Implementing an interface management process on a project streamlines commu-
nication, identifies critical interfaces, and monitors ongoing work progress while mitigating risks.
• Exception reports: An exception report is a document that states those instances in which actual
performance deviated significantly from expectations, usually in a negative direction. The intent of the
report is to focus management attention on just those areas requiring immediate action.

8.2.8.2 Audit and control procedures


The auditor needs to test the design adequacy and operating effectiveness of the interface controls.
Completeness and accuracy of the data flow between applications may be tested through controls and/or
substantively using computer assisted audit techniques (CAATs).
When auditing, it is imperative to test the transfer of data and not just the financial data per application
to confirm the integrity of the data provided by interfaces.
In addition to the substantive tests, automated application control tests, such as exception reports, may
be relied on, if access and change controls over the exception reports are managed and the differences on
the exception reports are followed up manually and remediated.
Many interfaces may exist within a client’s environment:
• financial application to financial application
• banking application interfaces
• mobile application interfaces
• exchange rate interface providing a daily rate to invoicing with regard to international sales
8/36 Auditing Notes for South African Students

• separate supply chain management applications may be hosted on a different application than the
warehouses are hosted on
• payment gateways, such as mobile payment application interfaces and contactless card point of sales
devices, and
• human resource management applications may be hosted on a different application due to sensitivity.
As part of the entity level controls assessment, the auditor will need to perform the following tests:
• Review the IT landscape to identify and characterise interfaces.
• Identify risks associated with these interfaces within the value chain.
• Identify critical applications that share data within the value chain (consider whether the data is
financial and/or operational).
• Discuss data transfers with key stakeholders to corroborate whether all interfaces have been identified.
• Gain an understanding of the type of interfaces that exist within the landscape batch versus real time.
• Establish whether all interfaces have been documented depicting the process map, the type of interface,
the known risks and mitigating controls, associated exception reports, interdependencies, timing, custo-
dian and security/access rules.
• Determine how management has addressed these risks and identify relevant controls to mitigate the
risks.
• Establish how the risks of duplication, data loss or routing to the incorrect database are addressed.
• Establish if interface process maps are reviewed annually.
• Establish the change procedure to update interface settings, in other words, who is authorised to make
changes and who performs independent reviews.
• Determine if any key man dependencies exist.
• Obtain a comprehensive list of all the interface exception reports.
• Determine whether the exception reports are reviewed manually and whether discrepancies on the
reports are resolved.
Entity level controls are controls implemented within the IT governance environment, which have a
pervasive impact on the IT controls environment including those at the transaction or application level.
The auditor needs to perform a review of the interface design and control environment.
It is important that you, as the auditor, gain an understanding of the data flow through applications
throughout the organisation as well as the time and effectiveness of the data interfaces. Changes in the
business structure during the financial year may also lead to changes in the data flow.
For example:
• A merger or acquisition may result in new or more complex interface.
• A new payroll system will result in a new interface with the financial applications.
Ascertain whether the organisation improves data integrity through effective automated controls and, if
authorised, sources may result in more reliable data. Frequent exception reports to message and display
accuracy throughout various stages will aid in identifying interface errors and correcting them in a timely
manner. Confirm that access and security to application program interface data, processes and parameters
are appropriately restricted. Confirm that changes to interfaces are appropriately managed and reported
through exception reports. Ultimately the auditor should confirm the timely, accurate and complete
processing of data between applications and reliability of data reported to legislative and regulatory bodies.
Automated control tests will determine whether the applications were configured correctly to send and
receive data and whether the transfers are accurate and complete.

Configurations to interface
• Identify the key critical interfaces that fall within the scope of the audit.
• Inspect the validity and completeness parameters and configuration settings.
• Review the access controls to determine who has access to set and amend configurable parameters on
interfaces.
• Have any changes been made to the configuration during the period under review?
• Have the changes been authorised in the application?
Chapter 8: Computer audit: The basics 8/37

Configurations to exception reports


• Review exception reports to determine whether the data interfaces are reported upon and reviewed. In
addition, determine whether exception reports are followed up manually and remediated.
• Test that incidents are logged for failures.
• Review the automated comparison test and confirm that transactions on both applications match.
• Review the access controls to determine who has access to set and amend configurable parameters
relating to the exception reports generated for interfaces.
• Have any changes been made to the exception report configuration during the period under review?
• Select a sample of reconciliations and test that it is reviewed.
• Access to audit trails and/or exception reports is managed and only authorised users have view access.

8.2.8.3 Backup and recovery procedures


• Confirm that data recovery and/or backup processes are used when there is an interface failure.
• Match the results with the results from the job schedule testing included in the IT general control tests.
• Select a sample of job schedule reports and test that (if not done as part of ITGC testing):
– Jobs are scheduled.
– Jobs start automatically.
– Failures are remediated.
– Test for evidence of review.
– Incidents are logged for failures.

8.2.8.4 Substantive procedures


Substantive procedures are manual tests where a sample of records are selected from the transferring
application and matched to the records sent to the receiving application to test whether the transfer was
complete and accurately performed.
Alternatively, a sample of records may be selected from the receiving application and matched to the
transferring application to test whether the transfer was complete and accurately performed.
For both the tests above, refer to the sampling guidance for substantive tests.
Substantive procedures may also be performed through computer assisted audit techniques (CAATs):
CAATs will potentially provide you with the opportunity to test the whole population and compare all the
data that was sent from one application to another application. Alternatively select a large sample, for
example, a quarter may be tested. The following tests may be performed:
• Extract records for the defined audit period from both the transferring and receiving application.
• Perform comparison tests to identify records that exist within the receiving application but do not match
to the transferring application. Extract the list of records and report accordingly.
• Perform comparison tests to identify records that exist within the transferring application but do not
match to the receiving application. Extract the list of records and report accordingly.
• Perform a duplication test to determine whether data was transferred more than once. Extract duplicate
items and report accordingly.
• Inspect and test the sequence of the transferring application and note any missing numbers.
• Inspect and test the sequence of the receiving application and note missing numbers.
It is important to note that interface differences may be considered not significant by the custodians, and
these differences may not always be resolved. The differences may be considered qualitative for reporting
purposes. As the auditor, you need to assess the quantitative impact should small differences occur daily.
With a daily interface, the quantitative difference over the period of 365 days may be considered
significant.
Due to the nature of some organisations, it might not be feasible to test all the existing interfaces;
therefore, consider testing key interfaces on a rotational basis. The interface tests should include IT general
control tests:
8/38 Auditing Notes for South African Students

8.2.8.5 Risk implications


Interface management inherently exposes an organisation to many risks. The primary risks for an auditor is that
the organisation has limited control over interfaces and, where controls exist, they are not governed.
• Risk of data losses could occur during the data transfer.
• Late follow up of exception reports may result in incomplete data sets.
• Incorrect timing of interfaces.
• Lack of effective communication and transparency to stakeholders when interface errors occur.
• Lack of documentation of interfaces across applications supported by the IT environment.
• Access to interface configurations and the ability to change contents.
• Access to interface exception reports and ability to change contents.
• Lack of backup/recovery controls in the event of failures.

8.2.9 System software and operating controls


The evaluation of system software is very much the domain of the computer audit specialist with good
technical knowledge. System software is made up of various kinds of software including, inter alia:
• Operating system software that:
– controls the use of the hardware
– tests critical components of the hardware and software where the computer is started
– controls the input and output of data, and
– schedules the use of resources and programs
Think of it like this: in a business environment, there are hundreds of transactions going on all the time,
from different parts of the business. Transactions are put in queues because they can’t all be dealt with
at once, especially as lots of things may be happening at the same time; input instructions may be
coming from one programme, output from another, and so on. The operating software makes sure that
all this happens in an efficient and orderly manner.
– monitors the activities of the computer and keeps track of each program and the users of the system
– provides the interface with the user, for example, how the user communicates with the computer.
• Network management software which enables computer systems to communicate with each other.
• Database management software which enables the user to create, maintain and use data files in an
efficient and effective manner.
• System development software that is used to develop new software, for example, assemblers, compilers.
• System support programs such as antivirus software, data compression software, etc.
A vitally important part of any IT department is to take responsibility of these programs (software), confirm
that they operate as they should and are monitored. Operating controls are the policies and procedures that
should be in place to work with the system software controls to confirm that the computer system (the
hardware and software) runs like a “well-oiled machine”. Controls include:
• operating policies and procedures that are fully documented, regularly reviewed and updated
• system software that maintains a log of activity on the system detailing all activity which had taken
place, including:
– hardware malfunction, and
– intervention by personnel during processing
• skilled technicians who can resolve operating problems for users
• adherence to international system software control protocols (how things are properly done)
• follow up on access violations, attempted violations
• follow up of potential virus infection
• adherence to manufacturers’ equipment, maintenance and usage guidelines, and
• strict supervision and review of IT employees (IT manager needs to know what his staff is doing).
Chapter 8: Computer audit: The basics 8/39

8.2.10 End-user computing


8.2.10.1 Introduction
End-user computing refers to computer systems that give individuals who are not computer programmers
the means to develop computer applications. It introduces end-users to the world of systems development.
It allows end-users to control their computing environment without the aid of developers.
For example:
• A finance staff member using Microsoft Access to generate reports. Users often extract information
from financial applications and then perform additional procedures called “manual/tactical
workarounds” to reconcile and/or report financial data.
• A start-up that maintains its fixed asset register on Excel.
It is imperative that access and change controls should be implemented to detect unauthorised access and
changes to these numbers.
ISA 315 (revised) provides the following guidance:
Although audit evidence may come in the form of system-generated output that is used in a calculation
performed in an end-user computing tool (e.g., spreadsheet software or simple databases), such tools are
not typically identified as IT applications. Designing and implementing controls around access and change
to end-user computing tools may be challenging, and such controls are rarely equivalent to, or as effective
as, general IT controls. Rather, the auditor may consider a combination of information processing controls,
taking into account the purpose and complexity of the end-user computing involved.
The company’s ability to maintain the integrity of information stored and processed in the information
system depends on the complexity and volume of the related transactions and other information. The
greater the complexity and volume of data that supports a significant class of transactions, account balance
or disclosure, the less likely it may become for the entity to maintain integrity of that information through
information processing controls alone (e.g., input and output controls or review controls). It also becomes
less likely that the auditor will be able to obtain audit evidence about the completeness and accuracy of
such information through substantive testing alone when such information is used as audit evidence. In
some circumstances, when volume and complexity of transactions are lower, management may have an
information processing control that is sufficient to verify the accuracy and completeness of the data (e.g.,
individual sales orders processed and billed may be reconciled to the hard copy originally entered into the
IT application). When the entity relies on general IT controls to maintain the integrity of certain infor-
mation used by IT applications, the auditor may determine that the IT applications that maintain that
information are subject to risks arising from the use of IT.

8.2.10.2 Terminology
• Computer systems: These are several computers that are connected and share central storage and devices,
such as printers and scanners.
• Computer programmer: This is a person who codes, tests and debugs code written to achieve a certain
computing task.
• Computer application: This is a computer program written with the aim to achieve a certain outcome
and where the program can perform one or more tasks.

8.2.10.3 Audit and control procedures


The auditor will need to provide assurance of end-user computing controls:
• Inspect that the end-user computing policies and processes are documented, authorised and regularly
reviewed.
• Inspect that procedures are documented and easily accessible and available to all users.
• Obtain evidence that training is conducted so that more than one person is trained to use the
application.
• Enquire whether the application prompts the user to password protect information.
• Enquire from users whether version control is applied and change management controls are in place to
track changes made to these documents.
• Ascertain whether users are aware that they need to back the documents up and not host documents on
their laptops only. When the laptop is stolen, and no backup is made, the document will be lost.
8/40 Auditing Notes for South African Students

ISA 315 also suggests the following controls:


• Information processing controls over the initiation and processing of the source data, including relevant
automated or interface controls to the point from which the data is extracted (i.e., the data warehouse).
• Controls to check that the logic is functioning as intended, for example, controls which ‘prove’ the
extraction of data, for example, reconciling the report to the data from which it was derived, comparing
the individual data from the report to the source and vice versa, and controls which check the formulas
or macros used for end-user computing.
• Use of validation software tools, which systematically check formulas or macros, namely, spreadsheet
integrity tools.

8.2.10.4 Risk implications


• There is a risk of data entry, logical and formula errors in a spreadsheet, which will generate incorrect
output.
• It is very difficult to manage and enforce version control in end-user-developed applications.
• If the end-user-developed application has not been documented sufficiently and is not applied for
what it was designed, it can lead to errors unintentionally and these errors could also not necessarily be
detected.
• Files that are not password protected can lead to unauthorised users accessing sensitive information.
• End-user computing does not always cater for backup and disaster recovery procedures.
• Very few end-users have their system audited for completeness and accuracy.
• Backups are not made of the documents.

8.2.11 Documentation
8.2.11.1 Introduction
Sound documentation policies are essential, because documentation can be critically important in:
• improving overall operating efficiency
• providing audit evidence in respect of computer-related controls
• improving communication at all levels
• avoiding undue reliance on key personnel, and
• training of users when systems are initially implemented.
There are two major objectives to bear in mind regarding documentation:
• all aspects of the computer system should be clearly documented, and
• access to documentation should be restricted to authorised personnel.

8.2.11.2 Documentation standards


As for all other aspects of the computer environment, predetermined standards should exist for
documentation and adherence thereto should be enforced. These standards should require at least:
• general systems descriptions
• detailed descriptions of program logic
• operator and user instructions including error recovery procedures
• back-up and disaster recovery procedures
• security procedures/policy
• user training, and
• implementation and conversion of new systems.
This documentation should be promptly updated for any changes and responsibility for this task should be
allocated to specific individuals (isolation of responsibility).
Backup copies of all documentation should be stored off-site.
Access to documentation should be restricted to authorised personnel.
Chapter 8: Computer audit: The basics 8/41

8.3 Automated application controls


Depending on the outcome of the general IT control evaluation, the auditor will be in a position to proceed
with automated control testing.
The entity’s information system may include the use of manual and automated elements that also affect
how transactions are initiated, recorded, processed, and reported. In particular, procedures to initiate,
record, process and report transactions may be enforced through the IT applications used by the entity, and
how the entity has configured those applications. In addition, records in the form of digital information
may replace or supplement records in the form of paper documents.
ISA 315 advises that automated controls may be more effective than manual controls in the following
circumstances:
• High volume of recurring transactions, or, in situations where errors that can be anticipated or predicted
can be prevented, or detected and corrected, through automation.
• Controls where the specific ways to perform the control can be adequately designed and automated.

8.3.1 Terminology
• An application is a set of procedures and programs designed to satisfy all users associated with a specific
task, for example, the payroll cycle. Other examples include making sales, placing orders with suppliers
and receiving or paying money. Application controls are very closely linked to the cycles described in
chapters 10 to 14.
• An automated application control therefore is any control within an application which contributes to the
accurate and complete recording and processing of transactions that have actually occurred, and have
been authorised (valid, accurate and complete information).
• The stages through which a transaction flows through the system can be described as input, processing
and output and automated application controls can be described in terms of these activities, for example,
an automated application control relating to input.
• In addition to implementing controls over input, processing and output, controls must be implemented
over masterfiles. A masterfile is a file that is used to store only standing information and balances, for
example, the debtors masterfile will contain the debtors name, address, contact details, credit balance,
and the amount owed by the debtor. The masterfile is a very important part of producing reliable
information and must be strictly controlled.
For example, if a salesperson wants to make out an invoice for a credit sale on the system, the first
thing he will do is enter the customer’s name or account number to see if the customer is a valid
customer. The system checks the account number (or name) against the masterfile and if there is no
match, the salesperson cannot proceed. If the customer is a valid customer, the order can be taken, but
the system will automatically check the total value of the goods bought against the customer’s credit limit
on the masterfile. If the limit has been exceeded, the sale will not be permitted until it has been cleared
(approved) by the credit controller.
This illustrates the importance of protecting the masterfile. If the debtors masterfile is not protected,
unauthorised changes to it could be made, for example, a customer who has not been checked for
creditworthiness could be added, or a credit limit could be changed, resulting in losses from bad debts.
Controls over the masterfile are application controls and are referred to as masterfile maintenance
controls.

8.3.2 Audit and control procedures


The objective of controls in a computerised accounting environment is generally regarded as being centred
around the occurrence, authorisation, accuracy and completeness of data and information processed by
and stored on the computer.

Occurrence and authorisation are concerned with ensuring that transactions and data:
• is not fictitious (this has occurred) or fraudulent in nature, and
• is in accordance with the activities of the business and has been properly authorised by management.
Accuracy is concerned with minimising errors by ensuring that data and transactions are correctly captured,
processed and allocated.
8/42 Auditing Notes for South African Students

Completeness is concerned with ensuring that data and transactions are not omitted or incomplete.
Therefore, application controls can further be classified in terms of input, processing and output, for
example, authorisation controls over input, authorisation controls over processing, completeness controls
over input and the completeness controls over processing. However, this can be confusing and over
analytical particularly because in current computerised applications, input, processing, and output are
merged into one. It is more important to understand what the control does and how it is carried out. If you
understand that, you will understand the objective of the control.
As we noted earlier in this text, preventing errors from entering the system is far better than detecting them
later on. However, systems are not perfect, so, while the main focus of automated application controls will
be on prevention of errors, a good system will also have strong detection controls. If errors are detected,
they must be corrected so there will be correction controls for correcting errors which have been identified by
the detection controls. These are usually manual review controls of exception reports produced by the
application where remediation needs to occur.

8.3.3 Understanding control activities in a computerised accounting application


This section is structured as follows:
8.3.3.1 Introduction
8.3.3.2 Segregation of duties
8.3.3.3 Isolation of responsibilities
8.3.3.4 Approval and authorisation
8.3.3.5 Custody
8.3.3.6 Access controls
8.3.3.7 Comparison and reconciliation
8.3.3.8 Performance reviews.

8.3.3.1 Introduction
Before moving on to discussing specific techniques in the next section of the chapter, we will discuss the
control activities identified in chapter 5 and referred to in ISA 315 (Revised) in the context of a
computerised application. This will give you a better understanding of how control techniques and specific
application controls are implemented.
It is also important to remember that application controls are a combination of manual and automated
(programme) procedures. We can also refer to manual controls as user controls, that include all the controls
which people carry out, for example, authorising a document, performing a reconciliation, checking goods
delivered by a supplier against the delivery note, etc.

8.3.3.2 Segregation of duties


In a manual system, segregation of duties is achieved by assigning incompatible functions to different
individuals. This facilitates the checking of one employee’s work by another employee and prevents an
employee from covering up errors, unauthorised actions and misappropriations, for example, theft. Also
refer to the logical access management section in this chapter for more information around segregation of
duty controls and toxic combinations.
Potentially, computerisation is a danger to segregation of duties as it takes employees out of the
application and enables the control procedures relating to authorising, executing, custody and recording to
be performed by one employee and his computer. In addition, computerisation enables numerous
employees to gain legitimate access to the accounting records, which means that the risk that they may be
performing incompatible functions is increased.
For example, the storeman who has custody over physical inventory may have a PC that links him to the
inventory masterfile so that he can access these records to instantly get information about inventory on
hand. He therefore has custody of the asset and access to the asset records. This is poor internal control
unless he is strictly denied the ability to change the inventory records.
Segregation of duties in a computerised environment is achieved primarily by controlling access which
employees have to the system itself, the applications on it, and the modules or functions within the
application. This is achieved by setting up user profiles on the system for each employee which detail
Chapter 8: Computer audit: The basics 8/43

exactly what that employee must be given access to and what he can do when he has access, for example,
read a file, write to a file, make an enquiry, authorise a transaction, etc.
For example, an order clerk will be allowed access (by his user profile) to the module to create an
onscreen purchase order, but his profile will not allow him to approve the purchase order. This must be
done by his supervisor, whose user profile gives him that ability/privilege. See “approval” (2.4) for an
explanation of how this is achieved.
The access to programs and files granted to an employee is based on the user’s functional responsibility.

8.3.3.3 Isolation of responsibilities


In a manual system, isolation of responsibilities is usually achieved by making a specific employee (or
employees) responsible for each function or procedure and requiring that the employee sign the document
relevant to the procedure he is performing, to acknowledge (take responsibility for) having carried out the
procedure.
A computerised system can enhance isolation of responsibility by programming the computer to produce a
log of who did what and when it was done. If the log is properly followed up, it becomes an effective way
of isolating responsibility.
For example:
• A company that has five receiving clerks recording deliveries of goods from suppliers with only two PCs
available in the receiving bay can, by requiring the use of unique user IDs and passwords, record the
identity of the receiving clerk who actually recorded the delivery, and, in doing so, isolate responsibility
to that person. Of course, access controls also contribute to isolation of responsibility – terminal
identification and authorisation controls as well as user IDs and passwords can restrict (isolate) access
to the goods receiving module to terminals in the receiving bay and receiving clerks respectively.
• Restricting access to the module that facilitates on-screen approval of a credit sale (customer order) to
the credit controller, isolates the responsibility for this function to the credit controller.

8.3.3.4 Approval and authorisation


Approval and authorisation can be a (manual) user procedure, for example, signing a document, or an
automated (programmed) control as discussed below.
In a computerised system the authorisation and approval of a transaction can be carried out far more
effectively and efficiently than in a manual system. The system can be programmed not to proceed if
certain conditions or controls have not been satisfied.
For example:
• An order clerk who wants to place a purchase order with a supplier, and who is not approved by the
company, will be prevented from doing so because the system will not allow an order to be initiated on
the system if the supplier is not on the approved supplier (creditors) masterfile. Approval is given by the
fact that the supplier is on the masterfile.
• The system may be programmed to allow a salesperson to give a discount of up to 20% to a customer to
secure a sale. If the salesperson tries to give a discount above 20%, the system will not allow him to
proceed with generating the invoice (sale not approved).
• Making a payment by EFT will be programmed not to proceed unless, say, two specified employees
each enter a unique password to effect the transaction.
• The program checks against preset parameters, for example, an online loan application is automatically
approved if the income and expenditure of the applicant satisfy preset parameters (only appropriate for
loans of a small amount).
The point is that a computerised system is very effective at preventing unauthorised transactions from taking
place. It is certainly true that these kinds of controls can be overridden, but overrides will be logged
(isolation of responsibility) by the computer and should be followed up. Logging and following up is a
detective manual control.
The system may also be programmed to enable authorisation/approval to be given on screen (on the
system) by the authorising person. This is very common in modern systems as it speeds up authorisation
procedures and is very effective in preventing a transaction from progressing through the system until
approval has been given. In a manual system (or in a computerised system where documents are printed for
approval) it is normally a case of presenting the document to the authorising person who looks at the
8/44 Auditing Notes for South African Students

supporting evidence and signs the document. In a computerised system approval can be given on the
system itself. How this is done may vary (depending on the software) but the principle is as follows:
Employee A prepares the documents on the screen. On completion, Employee A selects the send option
and his terminal transmits a message to Employee B’s terminal (the authorising employee), alerting him to
the fact that the (computer) file containing the documents is ready for authorisation/approval. Employee B
accesses the file, carries out whatever checking procedures are necessary and, if satisfied, selects the approve
option on the screen. Once the approve option has been selected, the file cannot be written to at all. This
prevents Employee A (or anyone else) from adding to the file after it has been approved. A refinement of
on-screen approval is that Employee B should not have write access to the file; any changes should be
referred back to Employee A to make the changes and resubmit the file for approval. This is good division
of duties and isolates responsibility.
Consider the following example:
• Joe Bigg, the order clerk, prepares a batch of purchase orders on the system which must be reviewed/
approved by the chief buyer.
• Once Joe has created the file of all the purchase orders on the screen, he selects the send option and a
message is sent to the chief buyer’s (Chas Chetty) computer alerting him to the fact that the file of
purchase orders is ready for his review and approval. From this point there will be no write access to the
file.
• Joe’s user profile allows him to create a purchase order but not to approve it. This restriction is enforced
by the system not providing an approve option on Joe’s screen. The only thing that Joe can do is send the
file on to Chas. Chas conducts his reviews and if he is satisfied, selects the approve option.
• Because Chas has the power to approve in terms of his user profile, his screen will display an approve
option, but he will not be able to change the file as he has not been granted write access. The computer
will simply not respond if he attempts to alter a figure or detail on the purchase order.
• When Chas selects the approve option, the file is transferred back to Joe, who can then proceed with
distributing the purchase orders to suppliers by printing hard copy, faxing or e-mailing the purchase
orders. As write access to the file of purchase orders is not available, Joe cannot add or change the
purchase orders after they have been approved by Chas.
• If Chas requires changes to the purchase orders, for example, he may want to reduce the quantity
ordered, he will select an option that returns the file to Joe and simultaneously lifts the “no write”
restriction on the file. Joe makes the corrections and repeats the procedures to get the file approved.
• Until the file has been approved, the purchase orders cannot be printed or sent electronically.
In a manual system, Joe would have to write out the purchase orders in multicopy form (lots of potential
mistakes in this procedure!) and physically take them to the chief buyer who would probably sign each
purchase order.
Another advantage of approval on the system is that the parties involved do not have to be
geographically close. Joe could be sitting at a division of the company in Durban and Chas could be sitting
at head office in Johannesburg and the approval could take place on the company’s wide area network.
One potential risk with regard to approval/authorisation in a computerised system is that the initiation
and execution of transactions may be automatic with no visible or actual authorisation of the transaction.
For example, the rate of interest paid on a savings account at a bank, or the rate of interest charged on a
debtor’s account by a company, may automatically increase when the savings balance reaches a specified
amount or the debt has been outstanding for a specified period of time.
These automatic transactions should be logged by the computer and reviewed by a suitable employee, for
example, in the case of the debtors interest charge, by the credit controller.

8.3.3.5 Custody
Application controls play an important role in the custody of the company’s assets, particularly the
company’s cash in the bank and other assets held in electronic form such as the debtor’s masterfile. In
reality, all information on the database should be considered as an “asset” that needs to be strictly
controlled as without its information, a company is in serious trouble. You can see soon enough that if a
company does not have automated application controls (both user and automated) in place to prevent and
detect certain invalid actions, the asset is under serious threat.
Chapter 8: Computer audit: The basics 8/45

For example:
• In the case of cash in the bank, the company does not have physical control over the cash, but must control
unauthorised removals from its bank account. When cheque books were still in use, this was done by
controlling the company cheque book itself, limiting signing powers to senior officials (preventive
controls) and reconciling the company’s cash book with the bank statement (detective controls). In a
computerised payment system, for example, EFT for the payment of creditors and employees, far stricter
application controls must be implemented over access to the EFT facility (the equivalent of the cheque
book) and authorising and releasing the funds (the equivalent of signing a cheque). Reconciliation of the
company records and bank statement will still be an important control but can be done much more timeously
as bank statements can be downloaded from the bank instantly shortly after the EFT payments have been
made, and any problems can be followed up immediately. Failure to adequately protect an “on-line”
bank account would probably have greater consequences than losing a cheque book or having a cheque
signature forged (a cheque could be “stopped” but an EFT cannot), so controls to prevent invalid EFTs
must be comprehensive. There will also be detective controls, but these may be “too little, too late” as
the money will be long gone.
• In the case of protecting debtors it is a matter of protecting the information about the debtor held in the
masterfile, transactions files and supporting documentation. If the electronic information is corrupted or
destroyed, the company is going to find it very difficult to reconstruct its records. In addition, if a debtor
is not sent an up-to-date statement or request to pay (difficult to do if the company doesn’t have
records), a percentage of debtors won’t pay.
In a manual system, protection will come down to keeping the accounting records under lock and key
when they are not in use and filing at least two copies of the sales invoices securely and in different places.
In a computerised system, the electronic data is protected by a combination of general and automated
application controls. While hardcopy documentation such as sales invoices, etc., can be physically
protected, electronic files will be protected by a whole range of controls, including controlling unauthorised
access of the system at systems level and application level (preventing unauthorised people from getting
onto the system and, if they are authorised to be on the system, from gaining access to the debtor’s appli-
cation), as well as adequate continuity of operations controls. These will include physical controls to
protect the system as a whole, as well as disaster recovery controls.
Modern software will also have features that protect the debtor’s information.
For example:
Current software will not permit a person who has access to the debtors masterfile to simply delete a
debtor without trace. The debtors balance would first have to be reduced to nil by valid means, for
example, processing a payment from the debtor or processing a credit note. Removal of the debtor’s record
could then take place but this privilege would be restricted to a minimum number of employees and the
removal would be logged. The most important application controls, however, will probably be those
implemented over masterfile amendments (see 8.3.3.4).
Do not forget that these principles and controls will apply to all the company’s financial information,
both electronic and physical.

8.3.3.6 Access controls


Once a person or terminal is introduced into a system, suitable access controls must be implemented for
that terminal and employee. Access violations can have extremely serious consequences for the business.
These include:
• destruction of data
• “theft” of data
• improper changes to data
• recording of unauthorised or non-existent transactions, and
• access to particular applications can be restricted to particular terminals
For example, the ability to affect an EFT transfer can be restricted to the terminal of the financial manager.
Note: While modern software concentrates on restricting access through personal user profiles, access can
also be limited to certain terminals:
• access is restricted in terms of user profiles/access tables at both systems level and applications level
8/46 Auditing Notes for South African Students

For example:
– at systems level, access to a particular application may be restricted to particular users
– at application level, access to specific program functions may be restricted to particular users on the
“least privilege” basis, for example, sales order entry is limited to telesales operators.
• PC timeout facilities and automatic shutdown in the face of access violation will prevent continued
attempts to access the system, as well as the threat of employees leaving their terminals unattended.
Note (a): Physical access to computer facilities in general and access controls at system level are covered
under general controls. The above access controls relate to controls at the application level.
Note (b): Once a user or personal computer has been granted access to a particular application, the “least
privilege” principle may be implemented in a number of ways to restrict such access to the
minimum possible privileges necessary for proper performance of the duties concerned:
• Restrictions on access to a module or program function, for example, masterfile amend-
ments.
• Restrictions in terms of mode (type) of access, for example, read-only.
• Restrictions in terms of time of day (e.g. working hours – only as in a bank or telesales call
centre – assist in ensuring access is supervised).
• Extent of access to data (e.g. allowing only restricted views of certain data so that sensitive
data fields are hidden to users of lower privilege levels).
Note (c): Access at application level should be logged so that details of the activity carried out are recorded
together with the user ID responsible for that activity (such logs can be selectively set so that only
specific types of activity that have been identified as high risk are monitored). In other words, access
to the configuration settings.
Summary: In effect a user:
• must identify himself to the system with a valid user ID
• must authenticate himself to the system with a valid password, and
• will only be given access to those programs and data files that he is authorised to have access to in terms
of his user profile.
Once the user has logged onto the system, access is usually controlled by what appears or does not appear
on the user’s screen.
For example, only modules of the application to which the user has access will appear on the screen, or,
alternatively, all the modules will be listed but the ones the user has access to will be highlighted in some
way, for example, a different colour. If the user selects (clicks on) a module to which he does not have
access (this is determined by his user profile), nothing will happen and/or a message will appear on the
screen saying something like “access denied”.
In another similar method of controlling access, the screen will not give the user the option to carry out a
particular action – certain sales orders awaiting approval from the credit controller are listed on a suspense
file. Although other users may have access to this file for information purposes, when they access the file
their screens will not show an approve option, or the approve option will be shaded and will not react if the
user clicks on it. Only the credit controller’s screen will have an approve option that can be activated.

8.3.3.7 Comparisons and reconciliation


A reconciliation is a comparison of two different sets of recorded information or of recorded information
and a physical asset. In a manual system this is done by employees laboriously comparing the two sets of
information to identify differences.
For example, an employee reconciles the net wages paid in wage period 2 to the net wages paid in wage
period 1 to establish if, and why, they are different. This can take a long time as changes in the number of
employees, pay rates and deductions could all contribute to the difference. In a computerised system this
reconciliation can be completed accurately, comprehensively and in no time at all. Before authorising the
payment of wages, the paymaster or accountant could review the reconciliation and tie it up to other
sources of information – an amount in the reconciliation that relates to changes in pay rates could be
checked against the original authority for the change.
Chapter 8: Computer audit: The basics 8/47

Along with the ability for a good computerised system to produce any number of reports, including those
that can be printed and used for physical comparisons, its ability to instantly compare any data on the
system makes comparison and reconciliation a valuable and effective control activity.

8.3.3.8 Performance reviews


These control activities include, inter alia, reviews and analysis of actual performance versus budgets, forecasts
and prior period performance as well as relating different sets of data to one another. In principle,
performance reviews in manual systems and a computerised system do not differ. The huge advantage which
a computerised system has is its ability to produce numerous useful reports, including comparisons,
reconciliations and reasons for differences.
For example, provided the necessary data is in the database, sales can be extensively analysed, reports can
be generated to show what quantities of products are selling, which specific models or colours or sizes are
most popular or are not selling, what gross profit is being generated from each sale, the region in which the
products were sold, etc. Debtors can be analysed in terms of what they buy, how much they spend, who
returns goods for credit, why credit notes were issued, how long the debt has been outstanding, etc.
In modern systems, transactions can be tracked on screen through the system as they are carried out.
For example, orders from customers will start out listed on a sales order suspense file. When the time
comes for the goods ordered to be picked, the sales order will be “coded/moved” to a picking slip suspense
file, and once the goods have been picked (physically), the picking slip is “coded/moved” to the invoice
file. All these files are on the system, which means that a manager can access the files at any time and
establish the stage the original sales order has reached. This can be done remotely, so a manager in Port
Elizabeth can find out and review the performance of dispatch staff at the warehouse in Johannesburg.

8.3.4 Control techniques and automated application controls


This section of the chapter is fairly long and detailed, so the following list of contents has been provided to
help you find your way around it.
8.3.4.1 Batching
(a) Batch entry, batch processing/update
(b) On-line entry, batch processing/update
(c) On-line entry, real time processing/input
8.3.4.2 Screen aids and related features
8.3.4.3 Program controls – input and processing
(a) Program checks – input
(b) Program checks – processing
8.3.4.4 Output controls
8.3.4.5 Logs and reports

8.3.4.1 Batching
Batching is a technique that assists in controlling an activity which will be carried out on a batch of
transactions with the intention of making sure that all transactions in the batch were subjected to the
activity, that the activity was carried out accurately and that no invalid transactions were added to the
batch. Batching can be manual (user) or automated, or a combination of both.
In the context of accounting systems, batching can be used at the input stage, processing stage or output
stage. However, modern accounting software is designed around real-time input and processing in terms of
which individual transactions are captured and processed almost instantaneously (real time). As up-to-date
information is required, it is no longer a case of accumulating the day’s sales invoices, entering them onto
the system at 4pm where they are stored on the system, and then processing them over the weekend. If the
company does this, the debtors masterfile, the inventory masterfile and other related information will be
out of date by a week and will not be much use to users of that information. For example, checking an
order from a customer against the customer’s credit limit cannot be done effectively because that
customer’s balance owing may be understated because credit sales made to him during the week, are not
reflected.
8/48 Auditing Notes for South African Students

However, batching does still have a place, for example, in a wage system, where up-to-date information
is only needed at, say, two weekly intervals. The daily hours worked by each employee will be
accumulated and then entered individually as items in a batch and processed in a batch. The batch could be
designed as a convenient numerical number or by some other means, for example, employees in a cost
centre. Batches are processed in order. The following description of batching illustrates the principle of
batching at the input stage.
• Source documents are grouped into separate batches, for example, 50, and the following control totals are
manually computed:
– financial totals: totals of any fields holding monetary amounts
– hash totals: totals of any numeric fields, for example, invoice number (meaningless other than as a
control total)
– record counts: totals of the number of records (documents) in the batch, for example, 50.
• A batch control sheet should be prepared and attached to each batch. The batch control sheet should
contain:
– a unique batch number, for example, batch 3 of 6, week ending 31/7/01
– control totals for the batch
– identification of transaction type, for example, invoices
– spaces for signatures of all people who deal with the batch, for example, prepared by: . . . , checked
by . . . , reviewed by. . .
• A batch register should be used to record physical movement of batches; the register should be signed by the
recipient of the batch after checking what is being signed for, . . . transfer batches of clock cards to the
payroll department.
• The batch control system works as follows:
– The details of the batch (e.g. batch description and control totals) are keyed into the computer to
create a batch header label.
– Information off each record in the batch is keyed in and subjected to relevant automated validation
checks. . . valid account number, limit check.
– When all records have been entered, the computer calculates its own control totals based on what has
been keyed in and compares these totals to the manually computed totals input earlier to create the
header label (off the batch control sheet).
– If the totals agree and no other type of error was detected, the batch is accepted for processing.
– If not, the batch is rejected and sent for correction.
– Once the control totals have been “attached” to a batch, they can follow the batch throughout the
process, for example, if there are 50 clock cards in a batch, the computer will record whether 50 were
keyed in, 50 were processed and output for 50 was created.
Note (a): Batching assists with the following:
• identifying data transcription errors (e.g. incorrect values keyed in due to transposition errors)
• detection of data captured into incorrect field locations, and
• detection of invalid (e.g. duplicate) or omitted transactions or records for a batch, for example, if a clock
card is entered (keyed in) twice, the control totals will not balance.
The following summary should clarify batching in the context of transactions flowing through the system.
Remember that the control hinges around creating totals “before”, and “after”, and then comparing these
to each other.

(a) Batch entry, batch processing/update


• Initially transaction data is captured onto manually prepared source documents, for example, sales
invoices.
• These source documents are then collected into batches usually after manual checks have been per-
formed and entered via the keyboard with control totals in these batches. Relevant program checks take
place as the information is keyed in. The transaction information is converted into machine readable
form and held on a transactions file on the computer system.
Chapter 8: Computer audit: The basics 8/49

• These transactions are then processed as a batch when it is efficient/convenient to do so and the rele-
vant masterfiles are updated to reflect the effect of the entire batch on affected masterfile balances.
Control totals before and after processing are compared.
• Not common, particularly as it is slow and information is not up to date.

(b) On-line entry, batch processing/update (also referred to as an on-line entry with delayed processing)
• Transaction data is entered via a keyboard immediately as each transaction occurs. For example, a sales
order is placed by telephone and the operator keys in the details as the conversation with the customer
takes place. Relevant program checks take place as information is keyed in (for simplicity sake, assume
an invoice is created immediately and not only after goods have been dispatched).
• The transaction information is converted into machine readable form as each transaction occurs and is
held on a transactions file on the computer system.
• Control totals are created by the computer on the batch for the transaction file.
• The transactions are then processed as a batch and the relevant masterfiles are updated to reflect the
effect of each transaction in the batch on affected masterfile balances, for example, they could be
processed at the end of each day (daily batch update).
• Entry of the transaction is efficient, but information is not immediately up to date. The longer the
period that the batch of transactions is not processed, the less up to date the information will be.

(c) On-line entry, real-time processing/update


• Transaction data is entered via a keyboard, immediately as each transaction occurs. Relevant program
checks take place as information is keyed in.
• The relevant masterfiles are also updated immediately to reflect the effect of each individual transaction
on affected masterfile balances. For example, a seat booked on an aircraft will instantly update the
“seats available masterfile”, which is really an inventory masterfile for that particular flight. This could
not be done in batch mode as the same seat could be booked numerous times before the masterfile is
updated.
• Entry of the transaction is efficient (access controls are very important) and information is right up to
date.

8.3.4.2 Screen aids and related features


Screen aids have been classified as all the features, procedures or controls that are built into the application
software and reflected on the screen to assist a user to capture information accurately and completely, and
to link the user’s access privileges to the screen in front of him.
For example, if an employee does not have the power (privilege) to approve an on-screen document,
there may be no “approve” option for the document appearing on the screen. The employee may only have
a send option. Alternatively, the “approve” option may be on the screen but may be shaded and will simply
not react if the user “clicks” on it.
• Minimum keying in of information: The principle is that the less information that has to be keyed in, the less
errors are likely to occur and the less time it takes.
For example:
– In a telesales system, the customer should be required to give only his account number or name,
which, when keyed in, will automatically retrieve all other standing details, provided the account
number is valid. It thus makes it unnecessary for the person taking the order to key in name, delivery
address, etc.
– Techniques, such as “drop-down” lists that simply require the user to “select and click” the option
they require from the options provided on the drop-down list should be used.
• The screen should be formatted in terms of what hardcopy would look like.
For example:
– When entering an order from a customer, the screen should look like the sales order, and should have
easily recognisable fields into which data is entered, such as a box with the letters QTY (quantity) above it.
– Where possible, the number of little boxes within a field box should reflect the number of digits required
for that field, for example, a person’s identity number has 13 digits, so the identity field should consist of
13 little boxes. The screen should be formatted to receive essential data in the order in which it is required,
for example, the debtors account number is at the top.
8/50 Auditing Notes for South African Students

• Extensive use of screen dialogue and prompts. These are messages sent to the user to guide him, for
example, a prompt may appear on the screen reminding the user to confirm and re-enter a field.
• Mandatory fields: Keying in will not continue until a particular field or all fields have been entered. Such
fields may be highlighted in red or identified by a star, or there may even be a prompt if the user misses that
field and moves on to the next field.
• Shading of fields, which will not react if “clicked on”, for example, if an on-screen sales order may have the
customer’s account number and details shaded, the user completing the sales order will not be able to
change these fields.

8.3.4.3 Program controls – input and processing


Program checks are controls built into the application software, with the intention of validating/editing
information/data which is entered or processed. Validation can take place at the input and/or processing stages.
Vast quantities of transactions can be subjected to a range of programmed controls to consistently produce
reliable information. Errors are reduced and information is provided timeously, but remember that a
computer does what it is programmed to do, so although input controls may be very good, an error in
(processing) programming can undo these benefits and the error will be processed over and over again.
Program checks are many and varied. The list below provides a number of common program checks,
sufficient to illustrate the kinds of controls that can be implemented. The list is not exhaustive. Some
checks are very similar to others and the same check is often given a different name by software providers
and users. Not all program checks are relevant to all applications by any means. As an auditor, you need a
general understanding of what the program check does, regardless of its name, so that you can recognise
the different checks when you are working at different clients. Also remember that program checks do slow
things down and take up computer resources.

(a) Program checks – Input


• Existence/validity checks
– Validation tests validate data keyed in against the masterfile.
For example:
A customer’s account number will be verified against the debtors masterfile.
– Matching tests are described in different ways, but, essentially they amount to input being matched
against data that is already in the database. Checking input information against data on a masterfile
is a form of matching.
For example:
Matching a biometric characteristic of an employee (thumbprint) against the employee masterfile.
The computer may also match the details of an invoice received from a supplier to the
corresponding GRN held in a suspense file on the system.
– Data approval/authorisation tests confirm input against a preset condition.
For example:
To make a sale on credit, a liquor store requires that a customer’s identity number be entered on a
computer-generated invoice. If the customer is under 18, (which the identity number will indicate) a
sales invoice cannot be generated. (The sale is not authorised.)
The credit limit on a debtor’s account can only be 30 or 60 days. An attempt to enter 120 days in
the credit terms field would not be approved.
• Reasonableness and limit checks
– Limit checks detect when a field entered does not satisfy a limit that has been set.
For example:
The normal hours worked by an employee in a week cannot be entered at a quantity greater than
40 hours.
– Reasonableness checks: For the data being entered to be accepted, it must fall within reasonable limits
when compared to other data.
Chapter 8: Computer audit: The basics 8/51

For example:
If a normal order from a customer for an inventory item is 100 units, and a clerk enters 1 000, the
screen will display a message querying the entry of 1 000, although there is no limit on the quantity
ordered. (The computer does an “instant” check on the quantity that the client normally orders.)
Of course, this type of check takes processing resources, so will only be used if there is a real
benefit.
• Dependency checks
An entry in a field will only be accepted depending on what has been entered in another field.
For example:
The acceptability of entering a credit limit of R100 000 on a debtors account will depend on the status
allocated to the debtor. If the debtor’s credit status rating is A+ (very good), the credit limit of R100 000
will be acceptable. If the status is only B+, the credit limit will not be acceptable.

• Format checks
– Alpha-numeric checks prevent/detect numeric fields that have been entered as alphabetic, and vice
versa, for example, when entering an employee’s identity number, all digits must be numeric.
– Size checks detect when the field does not conform to pre-set size limits, for example, an identity
number entered must have 13 digits.
– Mandatory field/missing data checks detect blanks where none should exist; if a quantity is not entered
in a quantity field on an internal sales order, data capture cannot continue. (This is also discussed
under screen aids.)
– Valid character and sign check. The letters, digits or signs entered in a field are checked against valid
characters or signs for that field, for example, a minus sign (–) could not be entered in a quantity
order field.

• Check digits
A check digit is a redundant (extra) character added to an account number, part number, etc.
For example:
The character is generated by manipulating the other numerical characters in the account number.
When the account number is keyed in, the computer performs the same manipulation on the numerical
characters in the account number and if it has been entered (keyed in) correctly, the computer will come
up with the same check digit which was added to the account number originally. If it does not match,
the computer sends a screen message to inform the operator that the account number has been
incorrectly entered.
Check digits use up processing resources and therefore are limited to critical fields. They cannot be
used on financial fields.
• Sequence checks
Detect gaps or duplications in a sequence of numbers as they are entered.
For example:
If numbered masterfile amendment forms are being keyed in, a sequence check will alert the user if
there is a gap or duplication in the numerical series.
Note: The controls which follow are not program controls, but where information is entered off a
source document, the source document should be:
– pre-printed, in a format which leaves the minimum amount of information to be filled in manually
– pre-numbered– sequencing facilitates identification of any missing documents
– designed in a manner that is logical and simple to complete and subsequently enter into the
computer, for example, key pieces of information should have a prominent position on the document
– designed to contain blank blocks or grids that can be used for authorising or approving the document.
Unused source documents should be kept under lock and key by an independent person and a register
of receipt and issue of the document should be kept. If the source document is freely available, it is
easier to create fraudulent transactions.
8/52 Auditing Notes for South African Students

(b) Program checks – Processing


Processing controls assist in ensuring that data is processed accurately and completely. Processing is a com-
bination of elements in the system.
For example:
Masterfiles, transaction information that has been input, programs and the hardware itself are all
elements that must be controlled if only authorised transactions, which have actually occurred, are to be
processed accurately and completely. The user cannot “see” processing taking place, but the computer will
be programmed to carry out checks on itself and “report” to the user on what it has done. The user can
then satisfy himself that processing occurred accurately and completely.
Processing will not normally stop if an error is discovered. The error will be written to an exception
report.
• Program edit checks
The computer may carry out any of the following examples of edit checks:
– Sequence test of documents processed is inspected for gaps.
For example, after processing credit notes, the computer may identify missing credit note numbers.
– Arithmetic accuracy test.
For example, reverse multiplication (multiplication is repeated but in reverse and answers matched
3 × 6 = 18; 18 ÷ 6 = 3).
– Reasonableness/consistency/range tests are performed after processing of a transaction has taken place, and
the result is compared by the computer itself to other information for reasonableness
For example, a wage of R5 000 is not reasonable for a grade 3 employee or compared to his prior wage
period’s earnings
– Limit test identifies amounts that fall outside a predetermined limit after processing.
For example, credit sales to a customer have pushed the debtor’s balance owing beyond the customer’s
credit limit.
– Accuracy testis where amounts are allocated to columns and the columns are independently cast
(added up). The totals of the columns can be cross cast (added across) and compared to the total
amount allocated.
For example, net pay + PAYE + medical aid deduction = gross pay.
– Matching in the context of processing is about comparing data that has been processed against data
that is already in the database.
For example, a matching control may match clock cards processed with the employee masterfile to
identify employees for whom there was no clock card information. The reason there is no clock card
may be perfectly valid (perhaps the employee was on holiday for the week) but it could also be a
processing error.
• Program reconciliation checks
The computer will also carry out reconciliations of control and other totals in some or other form, based
on the principle that if pre-processing totals and post-processing totals can be reconciled, one can be
more confident that processing was valid, accurate and complete.
– Control totals
For example, record counts, and hash totals from input are compared to record count and hash totals
after processing.
– Run-to-run totals – a final balance after processing is compared to the opening balance and individual
totals of transactions.
For example, the closing balance on debtors (31 May) is compared to the opening balance on
debtors (30 April) plus the total of May sales (debits) less the total of May receipts (credits).
Note: Reliable and correct processing would be affected if the wrong data files and program files
were used for processing. This occurrence should be prevented by the library software and
database management system, and is well beyond the scope of this text.
Chapter 8: Computer audit: The basics 8/53

Note: The reliability of the hardware itself will also play an important part in processing. Modern
computer equipment is very reliable, and the hardware will have its own range of hardware
controls, such as the following:
– Valid operation code: The processor checks if the instruction it is executing is one of a valid set of
instructions.
For example, bank reconciliations.
– Echo test.
For example, the processor sends an activation signal to an input/output device. That device returns
a signal showing it was activated. Echo tests can also be used to detect corruption of messages in
transit by bouncing the signal back from the recipient of the message to the sender, so that the sender
can compare it against the original message for any errors that may have occurred during trans-
mission.
Evaluating hardware is the domain of the expert, not the general auditor, and will be considered
when conducting risk assessment procedures.
Note: Interruptions in processing, that could lead to errors in processing, will be logged on activity
reports and followed up by operations staff.

8.3.4.4 Output controls


The objective of output controls is to confirm that output (which is the product of processing) is accurate
and complete and that its distribution is strictly controlled, for example, that confidential output does not
go to the wrong individuals. Output does not have to be in hardcopy, it can be on screen. The accuracy and
completeness output controls will be strongly aligned with processing controls, because, if processing has
proved to be accurate and complete, the data, which is turned into reports for users, is far more likely to be
accurate and complete.

• Controls over distribution will include preventive controls such as:


– Clear report identification:
o name of report
o time and production number of report (this prevents confusion if the report is run more than once)
o processing period covered (assists in carrying out checks against input data), and
o sequenced pages and “end of report” messages (prevents undetected removal of pages).
– A distribution matrix of who is to receive which output and when. This should align with the user
profiles and access privileges of employees so that individuals who do not need access to the reports,
etc., cannot access them on the system.
– If output is on hardcopy, printed at a certain point and distributed to users, its movement should be
controlled by the distribution list (who gets what and when), and an entry should be made in a
register which is signed by the authorised recipient on receipt of the output.
– Output that is confidential should be designed to promote confidentiality, for example, salary slips in
sealed envelopes.
– Confidential information emailed to employees (such as payslips again) should stipulate “confiden-
tial” in the email.
– Output that is printed, especially more sensitive information, should be printed only in the depart-
ments that require the output, and, if it is confidential, under the supervision of authorised personnel.
– Output which is not required should be shredded – it should not just be left about or thrown away as
a complete document.

• User controls will include (all detective controls):


– review of output for completeness
For example, numerical sequence check, and
– reconciliation of input to output
For example, the foreman of each cost centre reconciles overtime worked with his factory overtime
records.
8/54 Auditing Notes for South African Students

– review of output for reasonableness


For example, the financial manager reviews period-to-period wage reconciliations (the payroll
manager will conduct detailed tests on the period-to-period wage reconciliation produced by the
system).
– review and follow up of any exception reports produced during processing
For example, individual wage payments that failed the “reasonableness test” during processing to
understand and remediate the exception.

8.3.4.5 Logs and reports


Logs and reports do not have to be printed (but often are). They can be accessed on screen. Access can be
restricted to read only and should be for all logs of computer activity which form part of the audit trail.
The types of logs and reports that may be produced by a computer are virtually unlimited. These may be used
as detective or monitoring controls to provide additional assurance that computer processing is valid, accurate
and complete, and that computer usage is authorised and productive. It is important to be selective about the
use of logs and reports as they can affect computer performance (slower processing and use of storage space).
They also require review and follow up, so unless personnel are allocated to do so, the logs and reports
themselves are worthless. Types of logs and reports used may include:
• audit trails, that provide listings of transactions and summaries and lists of tables or factors used in
processing..
For example, all changes made to purchase orders, by whom, and with the date and time.
• run-to-run balancing reports, that provide evidence that the opening balances that have been updated by a
series of transactions have resulted in correctly calculated closing balances.
For example, sub-ledger to ledger reconciliations.
• override reports, that provide a record of computer controls that have been overridden by employees using
supervisory or management privileges. Abuse of such privileges is a threat to the objective of validity.
For example, an unauthorised change to the client masterfile documenting credit limits.
• exception reports, that provide a summary listing of any activities, conditions or transactions that fall outside
of parameters that have been set for control purposes.
For example, employees whose remuneration for the wage period falls outside the reasonableness
parameters set for employees of that grade.
• activity reports, that provide a record for a particular resource, of all activity concerning that resource.
For example, names of users, usage times and duration of usage.
• access/access violation reports, which are particularly important in relation to sensitive applications.
For example, EFT and payroll reports that both hold sensitive and private information.
These are categories of reports. Hundreds of different reports falling into these categories may be produced
in a reasonably sized business.

8.3.5 Masterfile amendments ( masterfile maintenance)


In a computerised financial accounting system, the masterfile contains very important data, which, if not
protected from unauthorised change, can have very negative results for the company.
For example:
Unauthorised increases to employees’ pay rates in the employee masterfile, or to debtors’ credit limits in the
debtors masterfile or the addition of an unapproved supplier to the creditors masterfile could all result in
losses to the company at a later stage. If the quantity field in the inventory masterfile is not protected from
unauthorised amendment, a theft of inventory could be covered up by reducing the quantity field in the
inventory masterfile.
Therefore, automated application controls over masterfile amendments are very important. The objective
will be that:
• only valid (authorised) amendments are made to masterfiles
• the details of the amendment are captured and processed accurately and completely
• only authorised individuals will have access to the masterfile data, and
• all masterfile amendments are captured and processed.
Chapter 8: Computer audit: The basics 8/55

The controls are based on the principles discussed in this chapter and will be a combination of a user and
program controls, and will include both preventive and detective controls (and correction controls when
applicable). As usual, the focus will be on preventive controls.
An example of the controls over a debtors masterfile amendments follows:

Procedure Application controls and related comments


1. Record all masterfile 1.1 All amendments to be recorded on hardcopy masterfile amendment forms
amendments on a source (MAFs) (no verbal instructions).
document. 1.2 MAFs to be pre-printed, sequenced and designed in terms of sound document
design principles.
2. Authorise MAF. 2.1 The MAFs should be
• signed by two reasonably senior debtors section personnel, for example,
credit controller and senior assistant after they have agreed on the details of
the amendment to the supporting documentation, for example, the
approved credit application document for the addition of a new customer
• cross-referenced to the supporting documentation.
3. Enter only authorised 3.1 Restrict write access to a specific member of the debtors section by the use of
masterfile amendments onto user ID and passwords.
the system accurately and 3.2 All masterfile amendments should be automatically logged by the computer
completely. on sequenced logs and there should be no write access to the logs (this allows
subsequent checking of the MAFs entered for authority).
3.3 To enhance the accuracy and completeness of the keying in of masterfile
amendments and to detect invalid conditions, screen aids and program checks
will be implemented.
Screen aids and related features:
• minimum keying in of information, for example, when amending existing
debtor records, the user will only key in the debtors account number to bring
up all the details of the debtor
• screen formatting, that is, the screen looks like MAF, screen dialogue
• new debtors account number automatically generated by the system.
Program checks:
• verification/matching checks to validate a debtor account number against
the debtors masterfile (invalid account number, no amendment)
• alpha numeric checks
• range and/or limit/data approval checks on terms and credit limit field, for
example, credit limit must be between R5 000 and R75 000 (range) or
cannot exceed R75 000 (limit), and terms can only be 30 days or 60 days
(data approval)
• field size check and mandatory/missing data checks, for example, credit
limit and terms must be entered when adding a new debtor
• sequence check on MAFs entered
• dependency check, for example, the credit limit granted may depend upon
the credit terms granted, for example, a debtor granted payment, terms of 90
days, may only be granted a credit up to a limit of R2 000 (a relatively low
amount).
4. Review masterfile amend- 4.1 The logs should be reviewed regularly by a senior staff member, for example,
ments to confirm they financial manager.
occurred, were authorised 4.2 The sequence of the logs themselves should be checked (for any missing logs).
and were accurately and 4.3 Each logged amendment should be checked to confirm that it is supported by
completely processed. a properly authorised MAF.
4.4 That the detail, for example, debtor account number, amounts, etc., are
correct.
4.5 The MAFs themselves should be sequence checked against the log to confirm
that all MAFs were entered.
8/56 Auditing Notes for South African Students

Note (a): Modern accounting packages do not allow balances in a masterfile to be adjusted other than
through a subroutine (sub-journal), for example, it is not usually possible to go into the
masterfile via the masterfile amendment module and reduce or delete a debtor’s balance. This
would have to be done through a transaction file, for example, credit notes, journal entries or
receipts.
Note (b): Unused MAFs and other important supporting documentation should be subject to stationery
controls as it is more difficult to create an invalid masterfile amendment without the source
document.
Note (c): A masterfile amendment should be carefully checked in all respects before it is authorised, for
example, the validity of credit terms and limits to be entered, so there should not be too many
errors or invalid conditions having to be identified by the program controls. Each company will
decide for itself the extent of program controls they wish to implement.

8.4 Automated application controls audit procedures


Automated application controls apply to the processing of individual applications. They are “automated”
or “automated with manual procedures” that operate at a business process level. They are either
preventative or detective controls and designed to confirm integrity of the accounting records. Automated
controls are controls designed to confirm completeness, accuracy and validity of processed transactions
with a financial impact.
For example:
System configuration/account mapping, input validity tests, reasonability tests, exception or edit reports,
interface and conversion controls and system access.
A good example of an automated control in practice is a pricing masterfile (where access and change
controls over the masterfile exist) and where the financial system auto-generates invoices, using the prices
listed in the pricing masterfile.
Strong controls within key applications confirm reliability of data as well as information used in
management decisions. The audit process is as follows:
• understand the business requirements and strategic fit of applications
• understand the overall application landscape and integration between applications
• understand the business processes related to each application inclusive of the interfaces
• identification of critical business processes
• identification of general application risks
• identification of the risks associated with the key business processes categorising the risks as input,
processing and output components, and
• identification of key controls within each application addressing the risks identified inclusive of inter-
faces.
Depending upon the audit approach adopted (substantive or control based), the approach for automated
application control tests may vary.
For example:
Should the IT general controls environment have limited findings and the control environment is
considered effective, automated controls may be tested.
If the IT general controls environment is considered ineffective, the auditor may still rely on automated
controls but will need to test the access and change management around the automated application control
embedded in the application.
The auditor should report on shortcomings identified in the existing processes as well as weaknesses
identified during the review with recommendations to improve. Automated controls may be considered to
test significant accounts rather than opting for detailed substantive tests. It is imperative to equip the
auditor with the skill to identify and test automated controls and reduce the reliance on manual controls or
substantive procedures. It is also important for the auditor to understand the importance of application
controls and the impact of control failures on both the business and the audit
Chapter 8: Computer audit: The basics 8/57

The following automated controls may be considered per significant account:


• Determine which are key input controls and processing controls in the system.
• Review access to the automated control for the period under review.
• Review changes to the automated control for the period under review.
• Perform a walkthrough of the automated application control (a sample of one can be selected).
• The types of exception reports that are available and its value to those in oversight roles.
• Determine whether there is manual oversight over the automated application control.

8.4.1 Inventory
Inventory formulae
• Determine the cost formulae and whether the rules have been configured in the application.
• Determine whether the inventory formulae/rules align with the policy.
• Determine who has access to the inventory formulae configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the inventory formulae/rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the inventory formulae/rules are accurate.

Master data
• Determine who has access to the inventory masterfile/cost price and whether the access is limited to
authorised personnel only.
• Have changes been made to the masterfile in the application during the period under review?
• Have changes been authorised in the application?
• Perform a comparison test to compare inventory prices year on year and review significant dis-
crepancies.

Inventory aging
• Stratify the age analysis through analytics.
• Review the inventory age analysis for inconsistencies and aged inventory.

Inventory impairment
• Perform analysis of inventory listing and determine inventory that should be classified as “obsolete” or
slow moving.
• Assess whether the application has been configured to perform inventory impairment.
• Determine whether the inventory impairment rules align with the policy.
• Determine who has access to the inventory impairment configuration in the application and whether
the access is limited to authorised personnel only.
• Scrutinise the write-off report to determine whether inventory was written off by authorised individuals
and whether there are inconsistencies with the write-offs.
• Have changes been made to the configured impairment rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether impairment rules are in actual fact working

Impaired inventory
• Determine what the inventory write-off process is. Is there is a possibility that the inventory can be
written off and sold for own profit?

Journals
• Determine who has authorisation to process journals relating to inventory within the application.
8/58 Auditing Notes for South African Students

Foreign inventory
• Foreign/imported inventory has been captured at the correct forex rate, at spot on the first day the
recognition should have occurred.
• Determine whether the application has been configured to receive daily currency exchange rates that
would have been applied to imported inventory.
• Who has access to change the currency exchange rate configuration in the application?
• Have any changes been made to the configuration during the period under review?
• Perform a walkthrough of one inventory item to determine whether the forex calculation is accurate.

Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

8.4.2 Debtors
Debtors age analysis
• Test whether the debtors aging that is documented in the policy aligns with the aging in the system.
• Have changes been made to the debtors age analysis configuration settings embedded in the application
during the period under review?
• Have changes been authorised in the application?
• The aging has remained static during the course of the year and the audit trail does not depict any
changes to the application.
• Determine who has access to the debtors age analysis configuration in the application and whether the
access is limited to authorised personnel only.
• Perform a walkthrough of one to determine whether the aging is accurate.

Debtors’ limit configurations


• Assess whether the system has been configured for debtors’ limits.
• Determine whether the debtors’ limits align with the policy.
• Determine who has access to the debtors’ limit rules configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the debtors’ limits embedded in the system during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the limits are accurate.

Debtors’ impairment
• Assess whether the application has been configured to perform debtors’ impairment.
• Determine whether the debtors’ impairment rules align with the policy.
• Determine who has access to the debtors’ impairment configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the configured impairment rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether impairment rules are accurate.

Interest
• Determine whether the application calculates interest on long overdue debtors.
• Determine whether the debtors’ interest aligns with the policy and terms and conditions.
• Determine who has access to the debtors’ interest configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the interest raised on long overdue debtors configured in the application
during the period under review?
Chapter 8: Computer audit: The basics 8/59

• Have changes been authorised in the application?


• Perform a walkthrough of one to determine whether impairment rules are accurate.

Discounts
• Determine whether the application calculates discounts for early payment or for specific debtors.
• Determine whether the discount rules align with the policy and terms and conditions.
• Determine who has access to the debtors’ discount configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the debtors’ discounts on long overdue debtors configured in the
application during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the discount rules are in actual fact working.

Journals
• Determine who has authorisation to process journals relating to debtors within the application.

Other tests
• Perform analytical analysis on the register to determine large outstanding numbers, debtors that are also
creditors and to determine whether there are any trends.
• Stratify the age analysis through analytics.
• Determine whether the client has configured the transaction trail accurately within the application.

8.4.3 Revenue
Invoice prices vs masterfile prices
• Perform analytics on the revenue data to determine whether prices charged on the invoices align with
the price on the masterfile. Review significant discrepancies.

VAT
• Confirm that the VAT was correctly configured within the application.
• Determine who has access to the VAT configuration in the application and whether the access is limited
to authorised personnel only.
• Have changes been made to the VAT configured in the application during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one determine whether the calculation is accurate.

Credit notes
• Determine who had the rights to authorise credit notes during the period under review.
• Determine who has access to the credit notes configuration in the application and whether the access is
limited to authorised personnel only.
• Have changes been made to authorisation levels configured in the application during the period under
review?
• Have changes been authorised in the application?

Credit note trend


• Obtain a list of approved credit notes for the period under review and through analytics assess whether
there is a trend, in other words, who processed the credit notes, whether there are specific clients that
have recurring credit notes, amounts aligned to original invoice, bank details align to customer data,
etc.
• Determine whether the client has edit and validation checks in the application when processing a credit
note.

Link to debtors ledger


• Determine whether the client has configured an audit trail to link sales to the debtors ledger.
• Perform a walkthrough of one of to determine whether the transaction reflects accurately.
8/60 Auditing Notes for South African Students

Link to cash sales


• Determine whether the client has configured an audit trail to link cash sales.
• Perform a walkthrough of one of to determine whether the transaction reflects accurately.

Master data
• Determine who has access to the masterfile price list and whether the access is limited to authorised
personnel only
• Have changes been made to the masterfile in the application during the period under review?
• Have changes been authorised in the application?
• Through analytics, perform a comparison of prices year on year.
• Assess client master data and determine whether all clients have an indicator for payment terms – either
“IMMEDIATE”/“CASH SALE”/“COD” or “DEBTOR”/“CREDIT SALES”.

Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

8.4.4 Fixed assets


Depreciation
• Test whether the depreciation rates documented in the policy align with the depreciation rates
configured in the system.
• Have changes been made to the fixed asset register configuration settings embedded in the system
during the period under review?
• Have changes been authorised in the application?
• Depreciation rates have remained static during the year and the audit trail does not depict any changes
to the application.
• Access to the fixed asset register configuration settings in the system is limited and only authorised
personnel have access.
• Perform a walkthrough of one of each asset class/category to determine whether the calculation is
accurate.

Componentisation
• Assess whether the system has been configured for componentisation rules for assets.
• Access to the componentisation rules configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the componentisation rules embedded in the system during the period
under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.

Disposals of assets
• Ascertain who had access to dispose of assets during the period under review.
• Ascertain whether there are specific criteria configured in the system to dispose of assets.
• Determine whether the disposal of asset calculation has been configured correctly in the system and
includes the data trails to the capital gains calculation should profit be made.
• Perform a walkthrough of one to determine whether the calculation is accurate.

Authorisation for purchase of assets


• Ascertain who had access to add new assets during the period under review.
• Ascertain whether there are specific criteria configured in the system to add assets.
Chapter 8: Computer audit: The basics 8/61

• Determine whether the depreciation of new assets have been calculated correctly if purchased during
the period.
• Perform a walkthrough of one to determine whether the calculation is accurate.

Impairment
• Ascertain who has access to write off or impair assets.
• Ascertain whether there are specific criteria configured in the system to impair assets at a certain point.

Impaired assets
• Determine what the asset impairment process is. Is there is a possibility that the assets can be written off
and sold for own profit?

Journals
• Determine who has authorisation to process journals relating to asset entries within the application.

Capital gains
• Is the capital gains tax configuration correct in the system?
• Access to the capital gains tax configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the capital gains configuration settings embedded in the system during the
period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.

Wear-and-tear allowances
• Are the wear-and-tear allowance configurations correct in the application?
• Access to the wear-and-tear tax configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the wear and tear configuration settings embedded in the application
during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one of each asset class/category to determine whether the calculation is
accurate.

Foreign exchange
• Foreign/imported assets have been captured at the correct forex rate at spot on the first day the
recognition should have occurred.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied to imported assets.
• Who has access to change the currency exchange rate configuration in the application?
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one asset to determine whether the forex calculation is accurate.

Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

8.4.5 Tax
• Determine whether the tax rules align with national tax laws.
• Determine who has access to the tax configuration settings in the application and whether the access is
limited to authorised personnel only.
8/62 Auditing Notes for South African Students

• Have changes been made to the tax configurations configured in the application during the period under
review (technically changes should only occur annually – also review whether the changes were made
timeously)?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the tax rules are accurate.
• Review whether settings have been enabled to overwrite tax calculations.

Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

8.4.6 VAT
• Determine whether the VAT rules align with national tax laws.
• Determine who has access to the VAT configuration settings in the application and whether the access
is limited to authorised personnel only.
• Have changes been made to the VAT configurations configured in the application during the period
under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the VAT rules are accurate.
• Review whether settings have been enabled to overwrite VAT calculations.

Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

8.4.7 Payroll
Payroll applications
• Determine whether the payroll function is performed on the same financial application where all other
financial functions are performed.
• If payroll is completed on a different application, interface management controls need to be reviewed to
confirm that the payroll data is transferred completely and accurately and not intercepted when
transferred.
• Review exception reports to determine whether the data interfaces are reported upon and reviewed. In
addition, determine whether exception reports are followed up and remediated.

Payroll calculations
• Determine whether the application has been configured accurately for statutory deductions.
• Perform a walkthrough of one to determine whether the payroll calculation is accurate.
• Determine who has access to change the employee tax rules configured in the application.
• Have any changes been made to the configuration during the period under review (technically changes
to the configuration should only occur annually, review whether the changes were made timeously)?
• Have changes been authorised in the application?

New and terminated employees


• Determine who had access to add a new employee and terminate employees that have resigned during
the period under review.
• Obtain a report for all new employees during the year to inspect.
• Obtain report for all terminated employees during the year to inspect.
Chapter 8: Computer audit: The basics 8/63

Time-capturing system
• If the company operates on a time-captured system and employees are paid accordingly, determine the
interfaces with the time management application, and the payroll application and related exception
reports that are produced.
• Review exception reports to determine whether the data interfaces are reported upon and reviewed. In
addition, determine whether exception reports are followed up and remediated.
• Determine who has access to the time-capturing application configurations.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Are validity checks built into the time application system to test limits, namely, maximum hours of
work per week, overtime permitted, public holidays, etc.?

Pay rate
• Determine who has access to change rates within the application or make changes on the master file.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Determine whether these rate changes were approved by the authorised individual.

Other tests
• Determine whether the system has been configured to perform an edit check when a duplicate bank
account is entered; alternatively, perform analytics to test for duplicate bank account details.
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

8.4.8 Intercompany
Foreign exchange
• Determine whether foreign/imported transactions have been captured at the correct forex rate.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied to forex transactions, namely, Reuters rates.
• Determine who has access to change the currency exchange rate configuration in the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?

Intercompany journals
• Determine who has authorisation to process journals relating to intercompany transactions within the
application.

Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

8.4.9 Creditors
Purchasing approval levels
• Determine whether the application has been configured to incorporate specific approval limits and
different authorisation levels when purchasing.
• Determine who has access to change the limits within the application.
• Have any changes been made to the limit configuration during the period under review?
• Have changes been authorised in the application?
8/64 Auditing Notes for South African Students

Unmatched invoices
• Determine whether the application has been configured to match invoices to purchase orders when
purchasing.
• Determine who has access to change the configuration within the application.
• Have any changes been made to the configuration during the period under review”
• Have changes been authorised in the application?
• Review report for unmatched purchase orders for trends and inconsistencies.

Creditors masterfile
• Determine who has access to change the vendor masterfile within the application.
• Have any changes been made to the vendor masterfile during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to assess the authorisation process of adding a new vendor.

Exchange rate
• Determine whether the application has been configured to calculate foreign purchases at spot.
• Determine whether foreign/imported transactions have been captured at the correct forex rate.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied forex transactions, namely, Reuters rates.
• Determine who has access to change the currency exchange rate configuration in the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one transaction to determine whether the forex calculation is accurate.
Preventing duplicate vendors by comparing VAT and bank account number
• Determine whether the application has been configured to only enter a vendor once off and that a
validity check is performed when a new vendor is captured to identify a duplicate VAT and or bank
account number.

Journals
• Determine who has authorisation to process journals relating to creditors within the application.

Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.

Creditors’ age analysis


• Test whether the creditors aging that is documented in the policy aligns with the aging in the system.
• Have changes been made to the creditors age analysis configuration settings embedded in the
application during the period under review?
• Have changes been authorised in the application?
• The aging has remained static during the course of the year and the audit trail does not depict any
changes to the application.
• Determine who has access to the creditors age analysis configuration in the application and whether the
access is limited to authorised personnel only.
• Perform a walkthrough of one to determine whether the aging is accurate.

Provisions
• Determine who has authorisation to process journals relating to provisions.
• Obtain a list of the year-end journals and stratify to determine whether there are any non-routine
journals.
Chapter 8: Computer audit: The basics 8/65

8.4.10 Statement of profit and loss


• Perform analytics on the total income statement to determine year-on-year differences and significant
percentage changes in expenses.
• Determine whether there are similar month-to-month exception reports where changes are reported and
followed up by management.

8.4.11 Bank and cash


• Determine authorisation levels that have been configured in the banking application.
• Determine whether the levels confirm to policy/process documentation in terms of amount and
staff/user profile.
• Determine whether the bank account details interface with the application.

Foreign exchange
• Determine whether foreign payments have been captured at the correct forex rate.
• Determine whether foreign accounts have been captured at the correct rate.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied forex transactions, namely, Reuters rates.
• Determine who has access to change the currency exchange rate configuration in the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one transaction to determine whether the forex calculation is accurate.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
The following IT general controls should be considered when performing audit procedures but not restricted
to the test and reliance of control testing above:
• default account procedures
• there is a formal process in place to validate user accounts on the database
• users are restricted from viewing the text and stored procedures
• privileged user activity is reviewed
• monitoring of user access violations
• terminated employees with active user accounts
• lack of periodic user validation
• generic accounts are not used to access the database
• super user access is restricted
• user activity logs are reviewed on a regular basis
• segregation of duties within the application, and
• toxic combinations have been assessed and restricted.

8.5 Computer assisted audit techniques (CAATs)


8.5.1 Introduction
Computer assisted audit techniques are exactly what the phrase says: making use of a computer to assist in
carrying out the audit. Although there is some extremely powerful and complex software available to assist in
performing audits, the concept is simple: wherever it is economical and efficient to do so, the power, speed and
versatility of the computer should be harnessed to assist with the audit. For many audit clients it would simply
be impossible to perform an audit without using CAATs.
Consider a very simple example:
A branch of a major bank has 22 371 account-holders who have call account deposits with the bank,
which earn interest on daily balances. At the year-end audit, we need to confirm that total interest paid on
8/66 Auditing Notes for South African Students

these call accounts (as well as various other savings accounts, fixed deposits, etc.) has been correctly
calculated, as reflected in the financial statements at R71 587 200.
• Imagine trying to obtain printouts of all 22 371 account holders and each of their daily balances for
365 days and then trying to test enough of these on our calculator, to form a representative sample of
interest calculations – clearly impractical, tedious, inefficient, very expensive and a high probability that
our audit staff would make many mistakes themselves along the way!
• Instead we are able to use audit software, which can re-perform all of these daily balance calculations
and provide an independently calculated total for interest payable by the bank for the year. Powerful
CAATs packages are able to perform a 100% of the population incredibly quickly thus providing huge
benefits to auditors by significantly reducing audit risk (100% testing rather than sample testing),
providing more reliable evidence (no human errors) and increasing audit efficiencies (millions of
calculations can be re-performed in a matter of minutes and hours rather than days and months).

8.5.2 How do CAATs fit into the audit process?


The auditor decides whether or not to use CAATs when considering the audit strategy (scope, timing and
direction) and the audit plan (nature, timing and extent of testing) which is necessary to reduce audit risk to an
acceptable level (refer to chapter 6 to refresh your memory if necessary). The decision made will result in
the auditor taking one or more of the following approaches:
• to audit around the computer
• to audit through the computer
• to audit with the computer.
The auditor is not restricted to selecting just one of these approaches. For further discussion on this, see
paragraph 8.5.2.4 below.

8.5.2.1 Auditing around the computer


• This approach treats the computer system and programs as a black box and relies on review and com-
parison of the input and output documents. The rationale behind this approach is that if the source
documents are valid, accurate and complete, and the output produced by the computer system as a
result of processing these source documents, is correct, then the processing functions of the computer
system are being performed correctly. The manner in which these processing functions are performed is
deemed to be of little consequence. This approach assumes that the computer-generated output can be traced
back, and compared to the input.
• The audit is performed by selecting a sample of transactions that have already been processed and then
tracing these transactions from their point of origin as source documents to the output documents or
records produced by the computer system.
• This approach is only feasible if the computer system under consideration is a simple, batch-oriented
system with no significant controls or automated/integrated functions built into the system.
• Additional requirements for the adoption of this approach are that control is maintained by segregation
of duties, independent checks and management supervision together with the maintenance of a clear audit
trail.
• The main advantages of auditing around the computer may be summarised as follows:
– There is no risk of manipulation of the client’s data by the auditor.
– The auditor requires little or no knowledge of computer technology.
– There is minimal disruption of the client's IT function.
– The costs associated with technology and computer expertise may be reduced.
• The disadvantages of auditing around the computer may be summarised as follows:
– Apart from the more trivial applications, computer systems generally involve volumes of data and
transactions which render manual testing ineffective.
– System controls and potential errors within the system are ignored.
– No use is made of the most powerful and valuable audit tool, namely the computer.
Chapter 8: Computer audit: The basics 8/67

8.5.2.2 Auditing through the computer


• This approach is concerned with testing the computer system and controls which are built into the
system.
– Simplistically this is achieved by the auditor sending transactions (test data), some of which will
contain errors which the system’s program controls should detect, through the system. In this way
the auditor tests whether controls are working as expected.
For example, if a transaction which the auditor knows is incorrect is picked up by the system, the
auditor has some evidence that the system is working (and vice versa). Thus, auditing through the
computer is primarily a “test of controls” approach.
• The main advantage of “auditing through the computer” is that it can be used effectively and efficiently
to audit a highly sophisticated computer system which processes huge volumes of data and relies
extensively on computerised controls, for example, banks.
• The disadvantages of “auditing through the computer” include the following:
– The auditor is required to have a high level of technical computer knowledge.
– Audit costs may increase due to the level of investment in technology and expertise required.
– The auditor is required to take stricter precautions due to the increased risk of corruption of the
client’s data and masterfiles.
– A high level of client co-operation is necessary, which may impinge upon audit independence.

8.5.2.3 Auditing with the computer


There are two aspects to “auditing with the computer”:
• using the computer to assist in the performance of audit procedures (mainly substantive testing)
• using the computer to produce electronic/automated workpapers, audit programs and financial
statements.
Using this approach for substantive testing, involves gaining access to a client’s files and using audit
software (programs which help the auditor to do what he has to do) to read, sort, compare and analyse data
on the file, very quickly and extensively.
The idea behind using the computer to automate the audit is to make it a more effective and efficient
audit by harnessing the power of the computer.
• The main advantage of auditing with the computer is that use is made of the power, speed and versatility
of the computer, which results in a more economical and efficient audit.
• The disadvantages are:
– costs/licence fees of audit hardware and software
– the audit team requires training on how to use the software
– there may be a tendency for the audit team to audit without thinking about what they are testing.

8.5.2.4 Combinations of the above approaches


As indicated in the introduction to CAATs, the auditor is in no way restricted to one of the three
approaches. In probably 99% of reasonably sized audits, where the client has a computerised accounting
system, the audit approach will be a mixture of the above approaches. Auditing is about getting the mix of
tests of controls and substantive testing right, based on the strength of the organisation’s controls and the
ease/efficiency with which substantive testing may be achieved. Also remember that some of the
procedures which the auditor carries out, may be unaffected by whether the client is computerised or not,
for example, scrutiny of minutes, or inspection of non-current assets. The overriding objective is to achieve
the most effective and efficient way of getting the audit done.

8.5.3 System-orientated CAATs


As suggested by their description, these CAATs concentrate on the accounting system and related control
procedures and are used predominantly to perform tests of controls, although some substantive evidence may
also be produced. The use of systems-orientated CAATs is regarded as “auditing through the computer.”
8/68 Auditing Notes for South African Students

8.5.3.1 Test data


This type of CAAT requires the auditor to create a set of transactions.
For example,
Clock cards that are outliers are keyed in and processed. The transactions will include both correct data
and incorrect data, in other words, a clock card with an invalid employee number and another with 55
hours of normal time, will be entered. What the auditor expects is that the invalid employee number will be
identified by the computer and written to an error report, and that the 55 hours normal time will be
identified by the programmed input limit check and the error highlighted immediately for correction.
Obviously, if entry and processing goes ahead as normal, the controls are not working!
• Using the test data, the auditor can design transactions to test any controls which the client claims are in
the system, but designing suitable transactions that contain the error conditions which the auditor wants
to be prevented or detected, can be time consuming.
• For the “test data” approach to be effective, the auditor must be fully aware of the controls that are in
the system and must know what the theoretical output should be in order tocompare it to the actual
output for the transactions that were processed.
• As with manual tests of controls, the test data approach only tells the auditor that the control was
working when tested and not that it worked throughout the whole period under audit.
• The auditor will also need to confirm that the program tested is the one that is used in live runs.
• The test data should be run against a “copy” of the live (production) program to prevent corruption of
the client’s data.

8.5.3.2 Integrated test facility (ITF)


This is really an extension of the “test data” approach. For instance, an artificial (dummy) unit is created
on the client’s system, Company “X” or Cost Centre “Y”. The auditor can then feed test transactions
through the system for processing along with normal transactions. The test transactions will, however, all
be coded for processing to the fictitious Company “X”, which is simply excluded for purposes of the
client’s normal accounting purposes. This type of CAAT therefore reduces the risk of corrupting the client’s
information.
For example:
The auditor could enter two fictitious (dummy) employees on the employee masterfile, in the proper
manner, for example, employee number, cost centre, grade, pay rate. He would then create fictitious clock
cards with error conditions for the dummy employees and would have them processed at the same time
and in the same manner as the client’s genuine clock cards when the “live” payroll run is being performed.
As long as they are coded to a fictitious cost centre (e.g. Cost Centre “Y”), they can easily be excluded
from the client’s normal financial reporting records.
• Again, the auditor will need to have a clear knowledge of the controls in the system and the results
which should be achieved (output).
• Once the “dummy records” have been created in the client’s files, the auditor can visit the client on a
number of occasions during the year under audit to perform the test; this helps to gather evidence that
the controls were working throughout the year.
• The major disadvantage of this technique is that fictitious transactions may be muddled in with the
client’s data if not correctly coded or if the dummy unit is not separated out before reports are sent to
users. For example, the foreman might be a little surprised and confused to see two additional
employees and an extra cost centre in his factory!
• It is also conceivable that client staff could manipulate ITF facilities for fraudulent purposes.

8.5.3.3 Parallel simulation


This type of CAAT involves running the client’s transaction data and masterfile information through a
“trusted” system set up by the auditor, as well as through the client’s normal system. The results of the two
processing runs are then compared and any discrepancies are followed up. These results can provide
evidence relating to controls (e.g. the auditor’s system may make effective use of a limit check which
identifies invalid data while the client’s system may not have such a check in place), as well as evidence of
a substantive nature (e.g. daily transaction totals can be compared to verify accuracy of client figures).
Chapter 8: Computer audit: The basics 8/69

8.5.3.4 Embedded audit facility


For this type of CAAT to operate, the auditor arranges to have an audit module inserted into the client’s
application programme. The module is designed to either identify transactions which might be of particular
interest to the auditor, or to re-perform certain validation controls and report thereon, while the client is
actually running the normal application programs.
For example:
The auditor may wish to identify all payments to creditors exceeding R500 000. The audit module would
identify these and write them to a file. Another example is that the audit module could be programmed to
perform reasonableness tests when salaries are processed and report on any items outside of given
reasonableness ranges. These embedded files would have strict access controls in place and the auditor
could appear at any time to audit/follow up on recorded transactions or exceptions written to the files.

8.5.4 Data-orientated CAATs


These CAATs are concerned mainly with substantive testing, that is, obtaining evidence to support the
assertions relating to balances in the statement of financial position and totals of transactions that underlie
the statement of comprehensive income. Use of these CAATs can be thought of mainly as “auditing with the
computer”.

8.5.4.1 Generalised/Customised audit software


These are programs that are used to extract/analyse/reformat data extracted from client systems.
For example:
The auditor may extract a report of all debtors amounts outstanding over 90 days.
Common features and facilities:
• Versions are generally available for use on a wide range of hardware and systems software.
• They are generally easily programmable to access various file formats and data fields thereby enhancing the
ease of use for the generalist auditor.
• They are menu driven, which adds to their user-friendliness.
• Special security features are generally included, such as restricting certain features of the software to special
classes of users.
Where generalised software (GAS) is not available to suit the needs of a particular set of circumstances,
customised audit software (CAS) may be specially developed.

8.5.4.2 System utilities and report writers


Many clients will have utilities and report writers resident on their computers. Utility programs can be used
to manipulate and analyse data and test whether programs function correctly. Report writing programs
enable users, including the auditor, to design and extract various reports, which may be particularly useful
in performing substantive tests.

• Advantages
– The software has already been loaded on the client's hardware.
– They are relatively simple to use.
– They perform many of the tests which GAS packages offer.
– The cost of using these packages is generally lower than using GAS.

• Disadvantages
– Many utility and report writers are available that may cause time delays seeing that the auditor will
have to assess how unfamiliar clients’ utilities and report writers function.
– These forms of CAAT may not be as well documented as GAS packages, and may not quite meet the
auditor’s requirements.
8/70 Auditing Notes for South African Students

8.5.5 Factors that will influence the decision to use CAATS


The following factors will be taken into account in making the decision as to whether CAATs should be
used:

8.5.5.1 Complexity of the client’s system


For example:
Where a client’s accounting systems are extensively computerised, such as in a financial services
organisation such as a bank, and of a high level of complexity or sophistication, the auditor cannot rely on
manual audit procedures alone.

8.5.5.2 Volume of transactions/output


The size of the business will usually govern the number of transactions that flow through the accounting
system.
For example:
As the volume increases at a bank that issues savings accounts for low income individuals, so do the
sizes of files which result from processing the transactions, making it impractical/impossible to perform
manual extraction, sorting, analysing, summarising of data, etc., due to normal audit time constraints.

8.5.5.3 Data stored in electronic form


For example:
The client will usually store data in electronic form, think debtors masterfile, inventory masterfile. In
such cases –
• it will not be feasible/efficient to audit the data manually, and
• normal audit trails may not exist so alternatives to normal manual procedures have to be sought, for
example, using CAATS.

8.5.5.4 Availability of skills in the audit team


Particular skills, sometimes of a high level, are required when using some types of CAATs (but see note (a)
below).

8.5.5.5 Potential loss of independence


The use of CAATs requires the co-operation of the client and where system-orientated CAATs are used,
the auditor may have to rely quite heavily on client personnel to run the CAAT (see note below).

8.5.5.6 The attitude of the client


Professionally run companies expect professional auditors and hence will expect their auditor to be up to
date with, and capable of, using advanced audit techniques (see note below).

8.5.5.7 Compatibility of the firm’s hardware and software with the client’s hardware
and software
The audit firm’s hardware and software is unlikely to suit every single client’s hardware and software so it
will need some adaptation, for example, additional software may be required (cost) in order to run audit
programs on client systems/files (see note below).

8.5.5.8 The utilities available at the client which can assist


Utilities are programs that can frequently perform tasks which are useful to the auditor, such as sorting/re-
organising files, copying, printing parts of a file, etc. They do many things that generalised audit software
does, so if the auditor has no suitable generalised audit software, he may consider using the client’s utilities.
Note that the completeness of the data set is all the more important in this instance.
Note: 8.5.5.1 to 8.5.5.3 above are factors in favour of the use of CAATs (and really make it obligatory to
do so). 8.5.5.4 to 8.5.5.7 are factors that negatively influence decisions relating to the use of
CAATs, but are often outweighed by the benefits of using CAATs, for example, better quality and
more extensive evidence, resulting in more effective and efficient audits and reduced detection
risk. If the audit firm does not have the necessary skills, it should acquire them, or consider giving
up the audit.
Chapter 8: Computer audit: The basics 8/71

8.5.6 Audit functions that can be performed using data-orientated CAATs


• Sorting and file re-organisation.
• Summarisation, stratification and frequency analysis.
• Extracting samples.
• Exception reporting.
• File comparison, for example, current masterfile to prior year’s masterfile.
• Analytical review, for example, extraction of ratios.
• Casting and recalculation.
• Examining records for inconsistencies, inaccuracies and missing data including sequential numbers and
duplicates (and creating reports thereon).

APPENDIX 1 – ILLUSTRATION OF WHAT A DATA-ORIENTATED CAAT (AUDIT SOFTWARE)


CAN DO
A chart of what the inventory masterfile at 30 June 0002 of an electrical supply company might look like
when printed appears below. Of course this is a tiny part of the file, showing only seven line items or
records. The actual masterfile may have 5 000 line items, which, if printed, would produce a 160-page
printout!
Item no. Description Location Category Quantity Unit Cost Value S Price Last Sale Last Purch
A 123 Fuse Box WH 2 A 20 710.00 14 200.00 690.00 5/0001 3/0002
P 492 Regulator WH 3 B -6 42.50 -255.00 56.50 2/0002 4/0002
L671 Plugs WH 4 A 410 8.00 3 280.00 14.00 11/0001 10/0001
G 893 WH 2 C 91 44.00 4 004.00 52.75 1/0002 2/0002
Connector WH 1 D 18 2.20 396.00 4.20 5/0002 7/0002
Q 456 Junction A 3 618.00 1 854.00 7/0001 8/0001
P 769 Brushes WH 1 B 0 34.20 34.20 36.40 4/0002 6/0002

Things that can be done with audit software:


1. Scan the entire file and produce a report of missing fields or duplicated item numbers, for example,
missing item number, description, location and selling price (see item number Q456).
2. Sort the file by category, and add up value field by category to determine whether the major portion of
the inventory value is of a particular category. This will provide the auditor with a better idea of where
to direct the inventory audit focus.
3. Sort the file by location and add up value and quantity fields to assist in planning attendance at the
inventory count.
4. Extract a list of items with negative quantities, values or unit costs (NB a negative × a negative equals
a positive – see item number P492).
5. Extract a listing of inventory items where the quantity field is zero (0) but the date of last purchase is
after the date of last sale (see item number P769).
6. Re-perform the quantity × unit cost calculation and compare the result to the field to identify any
differences with the client’s file (see connector R2,20 × 18 = R396,00?? and P769, 0 × R34,20 =
R34,20??).
7. Compare unit cost field to selling price field to identify instances where cost exceeds selling price (see
item number A123).
8. Extract a list of items where date of last sale is (say) more than nine months ago, but date of last
purchase is, less than three months ago, and by enquiry establish why the order was placed,for
example, was it because goods in the inventory are damaged? (See item number A123.)
9. Extract a listing of items where date of last sale is (say) more than nine months (and purchase date is
also more than nine months) prior to masterfile date (30 June 0002) to assist in identifying non-
saleable inventory/inventory which should be written down.
8/72 Auditing Notes for South African Students

10. Extract a listing of items where either the date of last sale or date of last purchase falls after the
inventory masterfile date (see connector 7/0002).
11. Extract a random sample of items to be counted at the inventory count (after summarising by location,
quantity and value).
12. Cast the value field to obtain the total value of inventory for comparison to the figure used in the trial
balance.

8.6 Data management


8.6.1 Introduction
One of the lessons of the information age is that data is only as useful as our ability to manage it.
What turns the chaos of massive amounts of data into business opportunity is how you analyse the data.
For example:
• to reveal patterns, trends, and associations especially relating to consumer behaviour, for example,
when online shopping trends are analysed, determining a pattern when consumers are most likely to
purchase, that is, time of day and which day of the week
• to identify and differentiate useful data and its business value, for example, online purchase trends can
be used for future marketing, and
• to understand the rate of change of data sets, for example, determine new online purchase trends, or if
certain products have stopped selling.
Organisations need to understand their data life-cycle and the sequence of stages that a particular unit of
data goes through from its initial generation or capture to its eventual archival and/or deletion at the end of
its useful life. This will ultimately help organisations to create end to end data management processes and
structures.
The image below shows the high-level data life-cycle and key data management areas to consider:

Having mature data and analytics in place requires the translation of business needs into practical steps and
initiatives. At the same time, it requires a solid foundation to support these steps and initiatives. In order to
accomplish this, organisations need to consider organising themselves in the following way and drive the
following structures within data management:
Chapter 8: Computer audit: The basics 8/73

Companies have to define, at a corporate level, a data privacy strategy that meets the requirements of the
countries where the organisation has a footprint. If the company’s operation is only based in South Africa,
then that simplifies the strategy. If, however, the organisation operates across a number of countries, it will
need to consider tailoring the strategy to meet all the privacy laws across all the countries it operates in.
Below are the key focus areas an organisation needs to consider when drafting a data privacy strategy:

8.6.2 Terminology
• Patterns: A pattern is a set of data that follows a recognisable form, which analysts then attempt to find
in the current data.
• Trends: A trend is when a set of data constantly displays similar patterns over a given period of time.
• Data relationship: A data relationship exists between two relational database tables when one table has
a foreign key that references the primary key of the other table. Relationships allow relational databases
to split and store data in different tables, while linking disparate data items.
• Algorithms: An algorithm is the way computers process data. Many computer programs contain algo-
rithms that detail the specific instructions a computer should perform (in a specific order) to carry out a
specified task.
• Data strategy: The vision that supports an organisation’s ability to manage and exploit data. It creates a
direct link between strategic goals and data assets. It also provides an umbrella for all domain-specific
strategies, such as analytics, big data and data governance.
• Driving data value: Unlocking the value within ever-growing volumes of data is key to a competitive
advantage. The value of data is derived from the insight it can provide, enabling organisations to make
better decisions.
• Data asset management: To gain as much value from the data as possible, it should be of high quality
and readily accessible in the right format.
There are various types of Big data – the following explains the key categories:

8.6.3 Big data


Big data is the collection of large data sets within an organisation. The data will need to be analysed to
reveal patterns, trends, and data relationships or else the data will be of no value. The ultimate goal of big
data is to interpret large sets of data in such a way that an organisation can use the analysed data to enable
informed decision-making. Apart from big data projects being disruptive, they are highly versatile and
create a competitive advantage within an organisation. Big data is costly to set up but the benefit of
advanced and mature algorithms of big data will lead to informed decision-making and increased revenue.
Big data and environ (IoT) are closely related due to the interconnectivity of artificial intelligence and data
extracted from IoT devices provide valuable insights from a data content and context perspective.
8/74 Auditing Notes for South African Students

Characteristics of big data:

8.6.4 Audit and control procedures


The following controls and procedures should be considered when testing big data:
• Confirm that management has signed off the big data strategy.
• Determine whether the big data strategy is aligned with the overall business strategy.
• Confirm that the big data policy incorporates data security, privacy, measures, data landscape and
storage.
• Do the documented business and technical requirements align with the current big data projects and do
these objectives align with the strategy?
• Is the analysis done on the data extracted meaningful and is business reviewing and using the measures
and metrics?
• Confirm that the risk management process is adhered to and whether findings are managed through a
risk register.
• Confirm the existence and scrutinise the content of the service level agreements between the organ-
isation and third parties accumulating and analysing big data on their behalf.
• Inspect roles and responsibilities that have been defined for big data as well as overall organisational
data ownership.
• When auditing IT general controls, confirm that the logical access management controls over big data
are included, specifically supporting privacy controls.
• When auditing IT general controls, confirm that change management controls over big data are included.
• Confirm that back-up procedures and disaster recovery controls are in place.
• Determine whether training occurs on the big data monitoring tools.
Chapter 8: Computer audit: The basics 8/75

8.6.5 Risk implications


Big data presents many advantages but there are also many risks that have to be taken into consideration,
such as the impact on our privacy. The following risks need be managed to govern big data carefully:
• Data privacy is a key critical risk because big data generally contains a lot of personal and sensitive
information. A leak of this data can cause serious reputational risk.
• Data privacy legislation is becoming more prevalent and not adhering to this is in breach of compliance
regulations.
• Lack of governance with multiple sources of data and unstructured data plans as this may cause
mayhem within the big data bubble.
• Inadequate validation checks within applications lead to data quality issues that become a dreadful task
to clean.
• Viruses can cause serious data corruption which impacts decision-making.
• Big data can become costly in terms of data storage and archiving costs.
• Due to the volumes of big data, organisations are forced to look at alternative storage solutions, namely,
cloud-based storage solutions that have their own risks, such as data security.
• Misinterpretation of data, data quality issues and incorrect data can lead to incorrect decision-making.
CHAPTER

9
Computer audit: New technology*

CONTENTS
Page

9.1 Introduction ...................................................................................................................... 9/3


9.1.1 General .................................................................................................................. 9/3
9.1.2 Trends in information technology (IT) ..................................................................... 9/3
9.1.3 Mobile applications................................................................................................. 9/3
9.1.4 Going mobile/Bring your own device...................................................................... 9/6
9.1.5 Cryptocurrencies..................................................................................................... 9/8
9.1.6 Cloud computing .................................................................................................... 9/9

9.2 The use of mobile information and communication technology on audits.......................... 9/10
9.2.1 What this technology can do ................................................................................... 9/10
9.2.2 Security implications of using mobile information and communication
technology on audits ............................................................................................... 9/12

9.3 Data storage...................................................................................................................... 9/12


9.3.1 Introduction ........................................................................................................... 9/12
9.3.2 Terminology ........................................................................................................... 9/13
9.3.3 Audit and control implications ................................................................................ 9/14
9.3.4 Risk implications .................................................................................................... 9/14

9.4 Networks .......................................................................................................................... 9/15


9.4.1 Introduction ........................................................................................................... 9/15
9.4.2 Terminology ........................................................................................................... 9/15
9.4.3 Audit and control implications ................................................................................ 9/17
9.4.4 Risk implications .................................................................................................... 9/20

9.5 Databases ......................................................................................................................... 9/20


9.5.1 Introduction ........................................................................................................... 9/20
9.5.2 Terminology ........................................................................................................... 9/20
9.5.3 Audit and control implications ................................................................................ 9/21
9.5.4 Risk implications .................................................................................................... 9/21

______________
*
For further reading and references on new concepts on internal auditing processes, refer to Internal Auditing: An Introduction
6th ed 2017, Performing Internal Audit Engagements 6th ed 2017 and Assurance: An Audit Perspective 1st ed 2018, GP Coetzee,
R du Bruyn, H Fourie, K Plant, A Adams and J Olivier, LexisNexis.

9/1
9/2 Auditing Notes for South African Students

Page

9.6 Electronic messaging systems ............................................................................................ 9/21


9.6.1 Introduction ........................................................................................................... 9/21
9.6.2 An illustration of electronic data interchange ........................................................... 9/22
9.6.3 Audit and control procedures .................................................................................. 9/24
9.6.4 Electronic funds transfer (EFT) ............................................................................... 9/26

9.7 The Internet/e-commerce ................................................................................................. 9/29


9.7.1 Introduction ........................................................................................................... 9/29
9.7.2 Terminology ........................................................................................................... 9/30
9.7.3 Risks and controls: Trading on the Internet .............................................................. 9/30

9.8 Computer bureaux/service management organisation ...................................................... 9/34


9.8.1 Introduction ........................................................................................................... 9/34
9.8.2 Terminology ........................................................................................................... 9/34
9.8.3 Audit and control implications ................................................................................ 9/34
9.8.4 Risk implications .................................................................................................... 9/36

9.9 Viruses .............................................................................................................................. 9/36


9.9.1 What viruses are ..................................................................................................... 9/36
9.9.2 Virus categories ...................................................................................................... 9/36
9.9.3 Audit and control implications ................................................................................ 9/37
9.9.4 Risk implications .................................................................................................... 9/37
Chapter 9: Computer audit: New technology 9/3

9.1 Introduction
9.1.1 General
The previous chapter dealt with the basics relating to computer auditing. This chapter deals with more
complex issues and focuses on new technology that inevitably will have an impact on the audit.
With the rapid speed of technology many organisations have chosen to embrace the technology era and
have in some form adopted IT within their businesses. Large corporates have embarked on extensive
technology journeys, spending millions on transforming the way they work. Although organisations have
made significant investments in IT some have overlooked the detailed risks that IT may pose to their
business.
Ultimately, the auditor will play an integral role having to provide assurance over these new technologies
and assess the potential impact and risk that these technologies expose an organisation to.
This chapter discusses several new technologies you may come across at your audit clients but consider-
ing the rapid speed of technology, they are not limited to.

9.1.2 Trends in information technology (IT)


IT is a constantly evolving technology and if an organisation wants to be one step ahead of its competitors,
it must be aware of the current trends and innovations within the industry.
The current IT trends an organisation should focus on are the following:
• Cloud computing: Cloud computing allows you to store data on a remote shared server instead of using
a local server. This will result in efficiencies, consistency and cost savings.
• Cyber security: The aim of cyber security is to protect the data, applications and hardware of a compa-
ny from unauthorised access. Also refer to chapter 8 for more detail.
• Internet of Things (IoT): This is the ability of devices to communicate with each other via the Internet
without much human intervention, for example, activating machinery via a mobile application remotely.
• Big data: Big data is, by definition, the collection of large data sets within an organisation. The data is
then analysed to reveal patterns, trends, and data relationships. Also refer to chapter 8 for more detail.
• Mobile applications: A mobile application is a software application developed specifically for use on
small, wireless computing devices, such as a smartphone rather than a desktop or laptop computer.
• Artificial intelligence: The development of computer systems able to perform tasks normally requiring
human intelligence.
• Blockchain data: Blockchain is a distributed database existing on multiple computers at the same time.
It is constantly growing as new sets of recordings, or “blocks”, are added to it. Each block contains a
time stamp and a link to the previous block, so they actually form a chain.
These trends can have a significant financial gain for an organisation when incorporated into its IT systems
as it will lead to an increased client base.

9.1.3 Mobile applications


9.1.3.1 Introduction
Mobile applications are relatively inexpensive and are thus becoming an alternative, and very lucrative,
sales channel at an alarming rate. It is expected that by 2024 the total mobile applications downloaded will
be in the region of 853 billion. The growth in downloads can be attributed to major smartphone manufac-
turers’ regular hardware updates and introduction of new features. Many of these applications are core to
global businesses, and companies depend on them financially.
Mobile applications can be used as a strategic asset to support an organisation in multiple ways. Mobile
devices have become more freely available to the man on the street as smartphones have become increas-
ingly more affordable over the last number of years. This has simplified many business functionalities and
effortlessly made the human dependent on its use. For example, mobile devices enable organisations to
engage with their customers on a client centric convenient platform and support quality customer service.
Mobile applications are also useful to use as sales and marketing tools as well as to fulfil compliance
requirements.
9/4 Auditing Notes for South African Students

The innovative way mobile applications are developed will create the need for increased rigor relating to
governance, risk management and transparency within an organisation.
Mobile applications are the future and can have a significant financial benefit and competitive advantage
when implemented and managed appropriately. In addition, to mobile devices, take cognisance of the fact
that smartwatches also support the same applications.
The audit of mobile applications is necessary to confirm the confidentiality of sensitive information that
is handled by both internal and external applications.
These applications are available on two platforms, Google’s Android or Apple’s iOS mobile operating
systems. Therefore, when applications are being developed by an organisation, they need to be compatible
for both Android and Apple iOS development, their respective controls and compliance requirements.
Auditors have to test the implementation of mobile applications, the on-going governance thereof
and the protection of sensitive data (inclusive of interfaces). Mobile application audits are necessary to
confirm the confidentiality of sensitive information that is handled by both internal and external business
applications.
There should be no debate about whether mobile applications should be tested as part of the audit, and
auditors should understand the associated risks to ultimately allow them to test mobile application controls.
In addition, due to the nature of the information and the resources that are accessed, third-party business
mobile application security audits are also required for all applicable platforms.
Several examples of mobile applications that may exist within organisations or where organisations have
been established due to a very successful application follow:
1. Lifestyle mobile applications promoting: fitness, dating, food, music and travel, such as Spotify, Trip-
advisor, Apple Music and Uber.
2. Social media mobile applications: building social networks. Many applications, including Facebook.
Instagram, Pinterest and Snapchat allow you to share photos, products, high scores, or news items with
your social network.
3. Games/entertainment mobile applications: these apps, such as Angry Birds, Clash of Clans and Sub-
way Surfer, are popular among developers because they bring users back multiple times each week,
sometimes multiple times per day.
4. Productivity mobile applications: these applications, such as Docs, Sheets, Wallet/Pay, Evernote and
Wunderlist, help their users accomplish a task quickly and efficiently, making what are sometimes
mundane tasks easier and perhaps a little more fun.
5. News/information mobile applications supply their users with the news and information they’re look-
ing for in a user-friendly layout that efficiently navigates them to the things they care about most. They
include Buzzfeed, Smartnews, Flipboard and Google Weather.

9.1.3.2 Terminology
• Smartphone: A mobile device that performs several of the functions of a computer, generally has a
touchscreen, Internet access, and an operating system capable of running downloaded apps.
• Mobile application: A mobile application (app) is a software application developed specifically for use
on small, wireless computing devices, such as a smartphone, rather than a desktop or laptop computer.
• iOS operating system: iOS is a mobile operating system created and developed by Apple Inc. Apple
iOS is considered a closed source and is solely “subscribed to” by Apple products.
• Android operating system: The Android OS is an open source operating system mainly used in mobile
devices. It is written in Java and based on the Linux operating system. It was initially developed by
Android Inc. and was eventually purchased by Google in 2005.
• Smartwatch: A computing device worn on a person’s wrist that offers functionality and capabilities
similar to those of a smartphone. Smartwatches are designed to, either on their own or when paired
with a smartphone, provide features like connecting to the Internet, running mobile apps, making calls
and more. A number of companies currently have smartwatches on the market, including Google, Sam-
sung and Apple (the iWatch).
Chapter 9: Computer audit: New technology 9/5

9.1.3.3 Audit and control procedures


The auditing of mobile applications is imperative in order to confirm that the controls that have been
embedded in the application functions accurately, and that the mobile application interfaces accurately and
completely with the back office (financial applications and all supporting infrastructure). The auditor will
be required to test new and existing mobile applications as well as the controls governing the mobile appli-
cation data/information that supports the everyday functionality.
As part of the entity level control tests, the auditor needs to identify the existing mobile applications,
their purpose, any development that occurred during the financial period and supporting infrastructure:

(a) Planning phase


Once the entity level control tests have been performed for mobile applications, the auditor will be in a
position to perform mobile application control testing.
• Determine security measures and configurations. For example, detection of code protectors, firewalls,
code jammers, authentication and authorisation mechanisms.
• Determine how the mobile application interfaces with the back-office applications to transfer data. For
example, sales that are made via a mobile application and an interface with a bank.
• Review interface exception reports between mobile applications and back-office applications/data-
bases for evidence of reviewing the reports and the correction of differences.
• Review the information stored on the mobile application and the controls to prevent access to sensitive
data.
• Determine whether the organisation has implemented version control for the mobile application to
track all changes to the source code.
• Determine whether the organisation has implemented data encryption to prevent unauthorised access
to the source code.
• Determine whether the organisation has implemented antivirus and antimalware software.
• Determine whether information/content provided on the mobile application is derived from an
external source. For example, where an organisation offers international sales on its mobile applica-
tion, exchange rates are obtained from the web daily.
• Review the business logic and whether the code pertains to a secure back-end web or application
server on a cloud or in a database.
• Determine whether adequate licenses are available for mobile applications.
• Determine whether the organisation has defined governance procedures to manage mobile applications
and their performance.
• Consider compliance and legislation relating to mobile applications and whether policies have included
these aspects. There are guidelines, requirements and rules from the App Store that also have to be
adhered to.
• Determine whether mobile applications have a custodian/owner.
• Determine if any key man dependencies exist.
• The auditor should consider performing pen testing that incorporates stress testing and hacking into
mobile applications in a real-time environment to ascertain whether confidential information can be re-
trieved from the mobile application.

(b) Auditing of a third-party mobile application service provider


Many mobile applications are not hosted by the organisation itself due to costs, but are instead hosted by a
third party, that poses additional risk and reliance on others (consider obtaining ISAE 3402 reports from
service providers hosting mobile applications).
The auditor should:
• Determine if the organisation has outsourced to a third party to provide mobile application services and
review the service level agreements.
• Determine whether the mobile application impacts privacy relating to customers and controls that have
been implemented to restrict exposure.
9/6 Auditing Notes for South African Students

For IT general controls, consider testing the following:


• Review logical access and change management of masterfile data that is the “source” of the mobile
application information.

9.1.3.4 Risk implications


Successfully managing strategic risk is a product of assessing risk from both a historical and futuristic
perspective. Although managing strategic IT risks within the mobile application process presents its chal-
lenges, if done successfully, the business will not only gain through protecting its intellectual property but
will ultimately gain by improving its competitive advantage.
Some of the key risks and threats that need to be taken into consideration (cybercrime):
• Hackers may try to breach your firewall to obtain sensitive data.
• Lack of complete service level agreements, as many mobile applications are outsourced and managed
by independent tech companies.
• No mobile application custodian or owner within the organisation.
• Lack of IT controls relating to mobile applications.
• Lack of version control for the mobile application source code.
• Lack of interface management around mobile applications.
• A lack of governance and reporting of mobile applications performance.
• An “open” cellphone that has been stolen will expose the mobile device and the authentic software
restrictions may have been compromised. These devices are vulnerable to malware and may pose a risk
to mobile applications.
• Risk of identity theft for mobile application users, should the application be hacked.
• A mobile application is only as secure as the device it is hosted on.
• Multi-platforms pose a risk that the application may not be displayed correctly on different types of
devices.

9.1.4 Going mobile/Bring your own device


9.1.4.1 What does it mean to be “going mobile”/bring your own device?
Until recently, mobile devices were only used for communication purposes. However, in the past few years
a phrase has been coined, namely, “Bring Your Own Device” (BYOD).
Organisations are widely encouraging staff and clients to BYOD as online services are also provided on
mobile devices through either mobile applications or mobile-friendly websites.
This growing trend will continue to increase services, like mobile banking, providing customers with
value-added services or contactless mobile payments. The development of connected objects, also referred
to as the Internet of Things (IoT), will have an impact on the development of mobile applications as users
will have the ability to control sensors and processes through their mobile applications.

9.1.4.2 Mobile devices’ integration in an organisation’s network and security


Organisations supporting BYOD for employees and visiting clients need to confirm that a mobile device
that is not controlled by the organisation does not add new threats once connected to the network. A key
consideration for an organisation is the following:
• Type of access or services that will be allowed for BYOD devices.
• Whether organisational restrictions will apply (e.g., no access to social media) or devices may have
access to intranet, corporate emails or even server files or internal infrastructure. The more unrestricted
the access to company assets, the higher the risks to the company.
• Management of access through third-party applications that will introduce additional security threats.
This option will require alignment of the organisation’s passwords, email requirements to prevent unau-
thorised access and management of access to confirm that access is deactivated, and stored data wiped
when the employee leaves the organisation.
• Encryption applications are imperative in all the instances noted above as stored and transferred data
needs to be encrypted in line with the organisation’s policies.
Chapter 9: Computer audit: New technology 9/7

Organisations should therefore consider the following when mobile devices are integrated to the network
including security aspects:
• a BYOD policy defining the allowed use of mobile devices and the remote wiping of the information on
mobile devices and mobile applications in the event of the device being stolen
• guidelines relating to the respective measures taken by the organisation to secure access to company
assets through BYOD devices
• the sensitivity of data that will be available on the mobile applications and devices, and the impact of
the reputational damage in the event of the data leaking
• the sensitivity of data that will be available on the mobile applications and devices, and the impact of
privacy laws, and
• network architecture caters for mobile devices accessing the organisation.

9.1.4.3 Terminology
• Bring your own device (BYOD), also referred to as bring your own technology (BYOT), bring your own phone
(BYOP) or bring your own personal computer (BYOPC), refers to the policy of permitting employees to
bring personally owned devices (laptops, tablets and smartphones) to their workplace, and to use those
devices to access privileged company information and applications. The phenomenon is commonly
referred to as IT consumerisation.
• IT consumerisation is the proliferation of personally owned IT at the workplace (in addition to, or even
instead of, company-owned IT), that originates in the consumer market, to be used for professional
purposes.

9.1.4.4 Audit and control implications


As part of the audit, you may be required to review the organisations’ BYOD policy. The BYOD policy
will define acceptable business use relating to devices that are not owned or managed by the organisation,
but directly or indirectly support the business. Many employees use their own devices for email and strictly
confidential client information may be easily available on these devices should they be lost, stolen or
compromised. Consider the following to be represented in the BYOD policy:
• The organisation should provide specifics about what devices are allowed, how they are allowed to be
used, and best practices for security.
• Antivirus and/or anti-spyware software. It only takes one mistake or one employee breach for the entire
network to be compromised.
• In order to prevent unauthorised access, devices must be password protected using the features of the
device and a strong password is required to access the organisation’s network (in line with access man-
agement password policy described in chapter 8).
• The device must lock itself with a password or PIN if it is idle for a certain number of minutes to pre-
vent unauthorised access.
• After three failed login attempts, the device will lock. Contact IT to regain access.
• Smartphones and tablets that are not on the organisation’s list of supported devices are/are not allowed
to connect to the network.
• Smartphones and tablets belonging to employees that are for personal use only are/are not allowed to
connect to the network.
• Smartphones and tablets belonging to clients will have to be restricted to only access limited infor-
mation.
• Some applications on devices may be blocked from the network, for instance, Facebook and Instagram.
• Employees’ access to company data is limited based on user profiles defined by IT and is automatically
enforced.
• The company reserves the right to disconnect devices or disable services without notification.
• Lost or stolen devices must be reported to the company within 24 hours. Employees are responsible for
notifying their mobile carrier immediately upon loss of a device.
9/8 Auditing Notes for South African Students

• The employee is expected to use his or her devices in an ethical manner at all times and to adhere to the
company’s acceptable use policy, as outlined above.
• The employee assumes full liability for risks including, but not limited to, the partial or complete loss of
company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or
other software or hardware failures, or programming errors that render the device unusable
The organisation reserves the right to take appropriate disciplinary action up to and including termination
for non-compliance of the BYOD policy. The employee’s device may be remotely wiped if:
• the device is lost
• the employee terminates his or her employment, or
• IT detects a data or policy breach, a virus or similar threat to the security of the company’s data and
technology infrastructure.

9.1.4.5 Risk implications


Going mobile adds to the risks that organisations have to manage, and will most definitely be reason for
concern to the auditor, as integration and security of mobile applications are two key challenges for many
organisations.

9.1.5 Cryptocurrencies
9.1.5.1 Introduction
Cryptocurrencies use very intricate and complex encryption, acting as an exchange medium in order to
conclude financial transactions. Cryptocurrencies rely on decentralised control and the decentralisation is
controlled by synchronised digital data that contains the relevant details for every transaction that has ever
been processed. This is distributed across multiple locations known as a blockchain that acts as a public
financial transactional database. Bitcoin was the first decentralised cryptocurrency.
Examples of cryptocurrencies include:
• Bitcoin – The original fiat cryptocurrency
• Bitcoin Cash – Similar to Bitcoin with some technical differences
• Litecoin – Often referred to as the silver to Bitcoin’s gold
• Monero – A cryptocurrency that provides additional anonymity and security for users

9.1.5.2 Terminology
• Blockchain: Blockchain is a decentralised public digital ledger that is used to capture transactions involv-
ing multiple computers to confirm that records are not updated without the updating of all subsequent
blocks.
• Encryption: Encryption is used to secure data so that only authorised users can access and read the
encrypted data. It uses an algorithm to encrypt and a key to decrypt the data.
• Decentralisation: Decentralisation is a process involving planning and decision-making that is distributed
away from a central location.
• Digital data: Digital data is represented in the form of machine language that can be interpreted by
several technologies. A binary system is the most common example that stores information using a
combination of ones and zeros.

9.1.5.3 Audit and control procedures


• The auditor should confirm that automated controls are in place to enable validation of transactions
before they are executed.
• The auditor must ascertain if there are adequate cyber security controls in place to prevent and detect
phishing attacks as the risk of fraud is prevalent in such a case.
• Confirm that controls are in place to test accuracy and completeness of transactions concluded.
• Confirm adequate controls and procedures exist to comply with Anti-Money Laundering regulations.
• Validate that all transactions are disclosed and accounted for.
Chapter 9: Computer audit: New technology 9/9

9.1.5.4 Risk implications


• Due to the fact that cryptocurrencies are not backed by a financial institution, the value is determined
by the transactions concluded. A loss of confidence can lead to a decrease in trading and a subsequent
collapse and thus a significant decrease in value.
• The risk of fraud is very probable as the cryptocurrency transactions are concluded on the Internet. This
makes it very easy for hackers to intercept transactions and obtain personal information.
• With cryptocurrency, there is no process to reverse a transaction when a mistake is made while conclud-
ing a transaction.
• Regulatory and compliance risks exist because cryptocurrencies are decentralised and also due to the
high number of participants (located in different countries) no single Anti-Money-Laundering (AML)
policy exists.

9.1.6 Cloud computing


9.1.6.1 Introduction
Cloud computing stores and accesses data using remote Internet storage rather than local storage on your
computer network. The cloud computing services are paid for by a cloud customer as and when needed.
These services are classified into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service
(PaaS) and Software-as-a-Service (SaaS).
Cloud computing examples:
• SaaS: Salesforce
• IaaS: DigitalOcean
• PaaS: AWS

9.1.6.2 Terminology
• Storage: Data from applications, databases, data warehouses, archiving and backups are stored via a
process called storage. It is a mechanism that enables computers to keep data.
• Network: A network is two or more connected devices that can communicate with each other. A net-
work comprises several computer systems that can be connected by physical or wireless connections. It
can be a personal computer sharing data to global data centres or even to the world-wide web itself.
Networks have the capability to share information and resources.
9/10 Auditing Notes for South African Students

• Software-as-a-Service (SaaS): This is a software distribution model in which a third-party provider hosts
applications and makes them available to customers over the Internet. SaaS is one of three main categories of
cloud computing, alongside infrastructure as a service (IaaS) and platform as a service (PaaS).
• Infrastructure-as-a-Service (IaaS): This is a form of cloud computing that provides virtualised computing
resources over the Internet.
• Platform-as-a-Service (PaaS): This is a cloud computing model in which a third-party provider delivers
hardware and software tools, usually those needed for application development. A PaaS provider hosts
the hardware and software on its own infrastructure.

9.1.6.3 Audit and control procedures


As the auditor you will be required to do the following:
• Determine what data is hosted on the cloud.
• Verify that only authorised staff has access to the relevant cloud services.
• Confirm that the cloud service provider has adequate data and security policies in place.
• Confirm that a service level agreement (SLA) exists between the cloud service provider and the organi-
sation, and that it is relevant for the period.
• Ascertain whether the SLA is managed and monitored and whether any issues were raised during the
financial period.

9.1.6.4 Risk implications


• Unauthorised access to cloud computing that may result in financial losses.
• The SLA may not be applicable for the period and expose the organisation.
• The IT control environment of the third party may not be sufficient and may expose the organisation.
• As cloud computing uses remote storage, different compliance and regulatory requirements can apply
based on the location of the cloud storage service provider. This may result in significant fines.
• Financial losses could be incurred as the cost of cloud computing is more expensive nowadays than a
few years ago if not implemented as required and then changes need to be re-tested and implemented.

9.2 The use of mobile information and communication technology on audits


It has been common practice for auditors for many years to “audit with the computer”, using laptop com-
puters to perform many of the fundamental tasks they are required to carry out. These laptops have ena-
bling facilities and software that the auditor is able to use to create and store clients’ audit files, download
client trial balances and other financial information, complete work papers and audit programmes, refer to
relevant legislation, standards, complete timesheets, and many other tasks. As computers become more and
more integrated with communication technology, audit management and their teams are evolving towards
being able to communicate to and from remote client locations so that critical audit information is shared
instantly, backups are made to secure central servers and information on the audit firm’s office networks
can be updated wherever audit staff happens to be. This brings some security issues to light just in the same
way as it would have if this information were being manually transferred. Before considering security
issues, this section looks at how portable information and communication technology assists the modern
auditor.

9.2.1 What this technology can do


9.2.1.1 Planning and administration
• Audit files can be maintained, updated and shared by all members of the audit team.
• Soft copies of engagement letters can be reviewed and updated as needed.
• Available financial data can be communicated to the auditor and charted/graphed/analysed, for exam-
ple, to assist with the performance of a preliminary analytical review.
• Spreadsheets can be used to produce risk matrices and to document all the factors considered in the
assessment of the risk of material misstatement by assertion and determination of planning and per-
formance materiality.
Chapter 9: Computer audit: New technology 9/11

• Copies of standard audit programmes/prior year audit programmes can be tailored as and when neces-
sary, for use on the current engagement.
• Spreadsheets can be used for the preparation of detailed time and money budgets so that actual audit
times can be loaded at regular intervals in order to allow audit supervisors to effectively monitor pro-
gress and costs.
• Industry-specific information can be downloaded from the Internet to assist the audit team in gaining an
understanding of the entity.

9.2.1.2 Obtaining an understanding of internal controls


• Graphics and flowcharting packages facilitate documenting and updating of the auditor’s understanding
of client systems.
• Soft copies of standard internal control questionnaires (ICQs) can be used to enable client responses to
be updated directly onto electronic work papers.
• Intelligent software and/or exception reporting facilities can be used to summarise weaknesses identi-
fied by the completion of ICQs to facilitate evaluation of audit risk and planning of the audit.
• Expert systems/databases can be used to assist with risk assessments and identifying appropriate audit
procedures.
• Management letter points on systems and control weaknesses, and drafting of the management letter
can be facilitated by integrating audit software, relevant databases and word-processing functions.

9.2.1.3 Obtaining and documenting audit evidence


• Prior years’ work papers and audit programmes, including comparatives where applicable, can be rolled
forward and updated in respect of the current audit.
• Audit software can be used to assist with selection of random statistical samples, calculation of appro-
priate sample sizes and the evaluation of the results.
• Soft copies of confirmation letters can be prepared/updated by audit staff and passed to clients for
printing without having to return to the auditor’s office.
• Client trial balances can be emailed or downloaded onto multimedia and audit software can then be
used to:
– create electronic work papers, and
– allow for automatic updates to all affected work papers when audit adjustments are processed.

9.2.1.4 Preparation and review of financial statements


• Consolidation modules may be incorporated into audit software to facilitate production of consolidated
financial statements.
• Client tax computations/formulae can be automatically checked by use of appropriate programme
functions, for example, spreadsheet programmes have such functions.
• Soft copies of standard formats for the presentation of financial statements can be:
– amended/tailored to suit each client’s particular requirements, and
– integrated with trial balance functions to allow for automatic generation of financial statements.
• Again, use can be made of spreadsheet-based financial modelling programmes to assist with the perform-
ance of an overall review.

9.2.1.5 Application of generalised audit software


• Client files can be saved to multimedia storage devices to enable the auditor to apply procedures to the
information through audit software (e.g., select a monetary unit sample selection from a debtor’s file).
• The auditor should generally not gain access to the client’s environment to perform tests unless the
client creates a copy of the live environment in a test environment for the auditor to use. The copy will
have to be reconciled.
Refer to computer assisted audit techniques for a full discussion on generalised audit software.
9/12 Auditing Notes for South African Students

9.2.2 Security implications of using mobile information and communication technology


on audits
The use of such technology on audits brings with it the need for adequate security in two main areas:
• security over audit “work papers”, and
• security over client information when being interrogated/manipulated or communicated by the auditor.

9.2.2.1 Security over “work papers” – controls to restrict unauthorised access to the firm’s
computers and storage devices
• All audit staff must be thoroughly briefed on the importance of maintaining the confidentiality of the
data on their computers and storage devices.
• Computers should be switched off when not in use and time-out facilities should be enabled.
• User IDs and passwords should be required to start up the computers and to access applications. Sound
password controls should be adhered to.
• The audit senior should act as a “mobile librarian” and should, for example, be responsible for:
– ensuring all computers/storage devices left on the client’s premises are locked away securely (audit
team members will usually be responsible for their own laptops)
– ensuring backups are taken and kept secure, and separate from computers, especially overnight and
over weekends
– monitoring the use of storage devices by the staff under his/her supervision
– returning all storage devices that are no longer required to the audit firm’s office.
• Sensitive information, such as evaluations of management, should not be taken to the client’s premises
at all.
• There should be a library system at the audit office under the control of a designated librarian or admin-
istration manager. Sound controls should be put in place including control over the movement of (hard
copy) files and multimedia/storage devices.
• Controls over files/storage devices should confirm that they are signed out by the person withdrawing
them for use.
• All backup copies should be equally well protected.

9.2.2.2 Security of client files


Precautions must be taken to prevent destruction of or damage to client files.
• Where possible, copies of the client’s files should be made and only the copies accessed.
• Where it is necessary to access the files themselves (e.g., where there is doubt as to whether the copy is
the same as the original) then:
– only audit software that has been thoroughly tested by a computer audit specialist should be used
– the full procedure should be done in the presence of the client’s IT personnel
– the software should be “read only” software if possible
– access should be restricted to only those files necessary for audit purposes
– the client’s staff should not have access to the audit software, and
– the client should have backed up all information to time of access by the auditor.

9.3 Data storage


9.3.1 Introduction
To the layman it would seem that trends in information technology are geared to speeding up processing, devel-
oping smaller storage devices that can store much more data and making computers more user-friendly. These,
together with developments in communications technology and some other more technical developments,
have helped facilitate the ability of businesses to deal in huge transactional volumes and to communicate
globally in an instant.
Data storage capacity requirements define how much storage is required to run applications.
It would seem that trends in information technology are moving towards speeding up processing and develop-
ing smaller storage devices that can store much more data and make computers more user-friendly.
Chapter 9: Computer audit: New technology 9/13

Developments in technology and other more technical developments have helped facilitate the ability of
businesses to handle huge transactional volumes and to communicate globally in an instant.
Data storage refers both to a user’s data generally and to the integrated hardware and software systems
used to capture and manage data. This includes data in applications, databases, data warehouses, archiv-
ing, backups and cloud storage.

9.3.2 Terminology
• Databases: A database is an organised collection of data, generally stored and accessed electronically
from a computer system. Where databases are more complex, they are often developed using formal de-
sign and modelling techniques.
• Data warehouses: A data warehouse is a system used for reporting and data analysis, and is considered a
core component of business intelligence. They store current and historical data in one single place and
are used for creating analytical reports.
• Archiving: Data archiving is the process of transferring data that is no longer actively used to a separate
storage device for long-term retention. Archive data consists of older data that remains important to the
organisation or must be retained for future reference for a required period of time for regulatory compli-
ance reasons.
• Backup appliance: Backup appliance is a data storage device that accumulates the backup software and
hardware components within a single device. It is a type of turnkey and all-inclusive backup solution
that provides a central interface for backup processes, tools and infrastructure.
• Cloud storage: Cloud storage is a service model in which data is maintained, managed, backed up
remotely and made available to users over a network – normally the Internet. Data is stored in global
data centres with storage data spread across multiple regions or continents.
• The move from mainframes to personal computers: This trend is well established. Improvements in technol-
ogy have brought about huge increases in processing power and data storage capacity. As a result, there is
a move away from centralised data processing units towards “end-user computing”, that has significant
implications for the internal controls of the company and for the extent to which the auditor can rely on
these controls. To be more specific, employees in all sectors of a company have PCs on their desks that
potentially give them access to all the data, programmes, masterfiles, etc., on the system.
Division of duties is placed under threat, and data integrity and confidentiality can be compromised if
the correct control techniques are not put into place. The auditor has also benefited from the reduction
in size of computing devices. It is now common practice for auditors to use a laptop computer to docu-
ment their work in electronic work papers in the field.
• Client/server systems architecture: The term “architecture” refers to the way in which the hardware and
software is configured or set up. The simplest version of client/server architecture is a local area net-
work (LAN) configured to promote the sharing of files, printers and other computer resources.
Machines that use these resources are known as “clients”, and machines that offer these resources are
known as “servers”. Critical computer resources, such as operating systems, application programmes
and databases, are distributed among various processors, that can themselves be scattered throughout
the organisation’s premises. Again, this has significant internal control implications for the company
and the auditor, for example, breakdown in division of duties, integrity and confidentiality of the IT sys-
tem being compromised.
• Open systems: This term refers to a drive to promote interoperability and transportability between soft-
ware and hardware. This aim can only be made possible through the application of common standards
among all manufacturers and developers of hardware and software. Open systems result in greater ease
of access by all who use resources that comply with open system standards. Again, this has internal con-
trol implications for the company and the auditor.
• Image processing: As computers increase their processing and storage capabilities and become more cost
effective, so image processing, for example, scanning, will become more common. Where image pro-
cessing is used, there is increased reliance on the backup of electronic information to prevent the loss of
audit trails – again, this may pose risk to the auditor.
• Multimedia, USB and memory devices: Several small effective data storage media devices have been
developed in recent years. These devices present both an opportunity and a threat. They facilitate the
sharing of information and facilitate the backup of data. For example, auditors can use these devices to
9/14 Auditing Notes for South African Students

obtain large quantities of data from their clients to analyse or to back up their electronic work papers
when in the field. However, these devices also present a security threat as they make it easy for an unau-
thorised individual to copy or steal large quantities of sensitive data if no password protection or
encryption exists on these devices. Organisations should implement policies and processes within the
end-user computing controls environment to manage this risk. Refer to end-user computing (para-
graph 8.2.10 in chapter 8). The auditor should consider which policies, processes and controls the
organisation has in place to manage IT general controls over devices that carry end-user data, namely,
encryption and password protection regarding storage media devices.
• Smartcards: A smartcard contains a micro processing chip, as opposed to the magnetic strip of a normal
swipe card. Smartcards therefore possess storage space as well as intelligence and can be used to en-
hance identification and authentication procedures, for example, through storage of biometric data (like
retina scans). The improvements in access control, that are possible using smartcards, have positive
implications for the auditor, as better controls over access to the system make the system more secure
from both the company’s and the auditor’s perspective.
• Communications technology: The last decade has seen rapid advances in communication technologies.
Electronic funds transfer (EFT), the Internet, electronic data interchange (EDI), all of which are cov-
ered in this chapter, are now common in business. Wireless communication has facilitated mobile busi-
ness people, for example, sales staff, to have access to real-time information and to submit orders while
on the move dealing with customers.
• Web enabled: Many business applications are becoming “web enabled”. This term refers to the ability
for users to interface with the application concerned via their web browser. As a result, these applica-
tions can be accessed from outside the organisation, (i.e., over the Internet).
• Cloud computing: Simplistically, this is the term used to describe the practice of storing a company’s (or
an individual’s) data and programmes on a storage device that is deemed “remote” and that is accessed
via the Internet. Service providers who offer this service have termed this as “cloud computing”. Of
course, this does not mean that the data is stored in a “cloud”, but it does mean that it is stored on giant
servers in some super secure facility somewhere in the world and often hosted by a third-party service
provider.
• Historic data storage: Due to regulatory requirements, such as tax, data storage of historic data is required. As
mentioned in the retiring of application section (refer to chapter 8 para 8.2.7) maintaining old applications
that are deemed obsolete is not cost efficient but, in most scenarios, they are not retired due to the data they
host. It is therefore important to note that it may be more cost efficient to host historic data in a cloud solu-
tion; in addition. It may simplify the architecture solution and limit interfaces. The IT controls over this data
needs to be established to confirm no unauthorised access and changes occur.

9.3.3 Audit and control implications


The auditor must confirm that the following controls/procedures have been implemented and maintained:
• data backup procedures
• recovery procedures in a case of data backup need to be restored
• access control procedures to the data storage devices
• checkpoints to minimise data loss during data transfer
• monitoring of database performance, and
• capacity planning and monitoring of the storage devices.

9.3.4 Risk implications


• Hardware storage failure could occur and with insufficient backups may lead to loss of data.
• Hardware data servers that are not kept in a secure access-controlled environment may lead to unau-
thorised access.
• Natural disasters occur frequently, such as fires and flooding, and could lead to loss of data.
• Cloud storage providers do not provide dedicated servers for each client as server space is shared, there-
fore your data may be at risk.
Chapter 9: Computer audit: New technology 9/15

• When sensitive data is passed to the cloud you could lose control over data privacy as multiple clients
have access to these servers.
• In the cloud you don’t need to manage your data. If your cloud storage provider gets impacted by a
hardware outage, access to your data is impacted and compromised.

9.4 Networks
9.4.1 Introduction
It is thought that networks originated through a desire to share printers among several people in an organi-
sation. Instead of having numerous printers that all cost money, but that lie idle for a lot of the time, it
made sense to think of a way to link the users to one printer that could be more productive for much longer
periods of time. This idea has progressed significantly so that networks are now used to promote the shar-
ing of virtually any resource linked to the network concerned. The term “resource” is used to refer to
hardware (such as printers and processors) as well as software (such as application programmes and data-
base management systems) and data (such as masterfiles and databases).

9.4.2 Terminology
9.4.2.1 LAN
A local area network (LAN) is a data communications system that links several independent resources,
normally by means of a cable, within a small geographic area (e.g., a building). LANs are commonly used
to allow communication and sharing of resources among employees in a department or area of a build-
ing/organisation.
For example:

9.4.2.2 WAN
A wide area network (WAN) is similar in concept to a LAN but extends over a wider geographic area.
Usually, additional hardware and software are required, such as bridges, routers and gateways, to make
links over a wide area possible.
There are additional considerations regarding the communication channels themselves in a WAN,
namely:
• whether to use a leased line (a line dedicated solely for electronic communication), or
• whether to use a switched line (a dial-up facility with more subscribers than lines), or
• whether to use lines that communicate in analogue or digital form.
If in analogue, then modems are necessary for conversion from the digital form used by computers to the
analogue form used by telephone lines. If in digital form, then Diginet connections would be used rather
than telephone lines.
Each of these options have different implications in terms of cost, security and access control.
WANs are commonly used to link an organisation to its remote branches, its service providers (the
banks), or its trading partners (where EDI is used).
9/16 Auditing Notes for South African Students

For example:

9.4.2.3 Storage Area Network (SAN)


Network storage is synonymous with business continuity in an increasingly competitive world. Businesses
that want to stay ahead need to find ways to optimise data access and data storage and ensure that im-
portant backups are done on a regular basis. One way to achieve these aims and more is by using a storage
area network (SAN).
A SAN, or network behind the servers, is a special purpose high-speed computer network that provides
any-to-any access to storage. The main purpose of a SAN is to transfer data between different storage
devices and between the computer network and storage devices.
For example:

9.4.2.4 Value added network (VAN)


Value added networks (VANs) are business entities that offer links to the expensive message transmission
systems referred to in 9.4.2.2. In effect, this service allows numerous companies to share these systems at a
fee, rather than having to buy, install and maintain them. The use of VANs is therefore a necessary and
cost-effective arrangement for many organisations that wish to communicate electronically with remote
sites and independent third parties. A VAN is like a telephone exchange; all telephone subscribers are
linked into the exchange and calls are received and distributed from the exchange. A fee is charged for
being a member and for making use of the service. A VAN works on exactly the same principle.

9.4.2.5 Virtual private network (VPN)


A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as
the Internet, to provide remote offices or individual users with secure access to their organisation’s net-
work. A VPN can be contrasted with an expensive system of owned or leased lines that can only be used by
one organisation. The goal of a VPN is to provide the organisation with the same capabilities, but at a
much lower cost. A VPN maintains privacy by creating a secure “tunnel” in the public infrastructure using
encryption.
Chapter 9: Computer audit: New technology 9/17

For example:

9.4.2.6 Internetworks
This is the term used to signify the linking up of LANs, WANs, etc. Internetworks exist both within and
among organisations. They arise because of links from PCs to mainframes, mainframes to other main-
frames, LANs to LANs, LANs to WANs, WANs to WANs and many other possible combinations of
these linkages. There are many combinations, but the risks remain the same – increased opportunity for
unauthorised access to the system and all the problems which that brings, as well as the potential for data
to be lost or changed during transmission. Hence the validity of the data is also at risk.

9.4.2.7 Server
A server is an important part of the network. It is a powerful microcomputer that controls the usage of a
particular resource available to the users of the network. The print server controls the use of the printer, the
file server controls the use of data files and application programme files so, just as the name suggests, a
server “serves” the network with the resource it controls.

9.4.2.8 Distributed processing


As the phrase suggests, distributed processing is the distribution or decentralisation of computer processing
and storage among devices that share a data communication network. You will realise immediately that in
a distributed system, processing (or storage) is not limited to one easily controlled site; it could take place at
some remote point or points. Therefore, access control becomes even more important, as does the security
of the communication link.

9.4.3 Audit and control implications


The major areas of concern for the auditor when evaluating the accounting system and related internal
controls of a client whose systems are networked will be access and the security of the networks data com-
munication channel. The auditor is interested in the validity, accuracy and completeness of the data that is
produced by the system. The auditor will also be interested in the change control procedures and that the
configurations to the networks are locked down.

9.4.3.1 Access control


Each new user who gains access to the computer system of the company increases the risk of invalid access
and hence the risk that the auditor may not be able to rely on the integrity of the client’s data or program-
mes exists.
Invalid access could result, for example, in:
x obtaining confidential information from files including those stored at remote sites
x intercepting data in transmission
x altering or modifying programmes or data, and
x blocking the flow of data, etc.
9/18 Auditing Notes for South African Students

The effectiveness of security/access controls are therefore of critical importance to the company and the
auditor, and becomes increasingly so, as the client environment:
• becomes more highly networked, and
• tends more towards distributed processing.
Unauthorised access to the network may be gained:
• via a bona fide network PC, or
• via connecting an unauthorised PC to the network (e.g., plugging a laptop into a network socket).
The auditor therefore needs to test access controls in accordance with the IT general controls. Refer to
chapter 8 paragraph 8.2 to confirm that all users have allocated roles and profiles and that these have been
assigned to access authorisation levels. Access management tests include granting access to resources,
authorising modification of access and termination of access when users leave.

9.4.3.2 Access via network PCs


The greater the number of PCs that are linked to the network, the more points of access to the computer
resources there are to be controlled. The way that these are controlled is by the implementation of sound
general controls, for example, control environment, policies and guidelines, trustworthy personnel and,
more specifically, by strict access controls, both physical controls with only authorised resources having
access (e.g., via biometrics) and logical access controls, such as password control.
• Physical controls in networks are more difficult because, by their very nature, networks are spread out.
With PCs being dispersed and some perhaps being at remote sites, it is obviously not a matter of placing
them all in one room and putting access controls at the door! This does not mean that all physical con-
trols can be ignored and a measure of physical control over the PC can still be achieved by having
strong office security. It is not uncommon for PCs, considered to be particularly sensitive, to have addi-
tional physical security, for example, payroll clerks will normally lock their offices when not in them in
order to protect confidential information stored on their computers.
• Logical control becomes very important and will be achieved by the implementation of access controls at
both system and application level based on:
– identification of users
– authentication of users and computer resources
– authorisation by defining the levels of access to be granted to users and computer resources
– encryption, scrambling or encoding data to make it unintelligible to unauthorised users, and
– logging, that is the recording of time and details of access and access violations for later investigation.
It is worth noting that while the threat of security breaches from external “hackers” is a serious business
concern, the auditor is typically more concerned with the controls to prevent internal users (i.e., employees)
from performing unauthorised tasks.
For example:
An organisation has predefined user profiles per role, and these cannot be modified without a review. In
addition, the organisation reviews the user profiles frequently and also perform a segregation of duties
review and toxic combination review on a regular basis to confirm users do not have unauthorised access.
Most of this type of fraud tends to be perpetrated internally by employees! The company’s computer
security personnel will be very concerned about external threats to the company’s information system.

9.4.3.3 Security of network data communication channels


As networks increase in size and geographical distribution, the opportunities for gaining unauthorised access to
the network increases – “hackers” have more communication channels to choose from and longer lines that can
be explored for points of vulnerability. Controls over the security of these communication lines or channels are
therefore additional areas of concern for the auditor when considering the audit of a networked client. Remem-
ber that the communication channel that the company uses will, particularly in the case of WANs, be provided
and controlled by a service provider, not the company. Despite this there are certain controls the company can
implement or insist upon. Specific controls that may be implemented to reduce the risk of unauthorised access to
the network through hacking include the following:
• Restricting access to dial-up lines, for example, a telephone line that links a company’s computer to its
bank’s computer. Physical and logical access controls should be in place to confirm that only authorised
employees gain access to these lines.
Chapter 9: Computer audit: New technology 9/19

• The use of a call-back facility. A call-back facility works as follows: when a valid user dials into a com-
puter system and is identified, the computer cuts the connection and immediately redials the number
that is stored in the computer for that specific user. This protects the system against hackers posing as
authorised PCs, because reconnection will be with the authentic terminal rather than the poser. How-
ever, hackers have found ways around this control.
• Automatic lockout of a user account after more than three unsuccessful attempts to log in. This would
assist in guarding against hackers using password cracking programmes to access the network.
• The application of industry standards that prescribe that the network is developed and controlled the
right way.
• The use of sophisticated user authentication techniques specially designed to cope with the complexities of
controlling access in a networked environment where distributed processing takes place.
• The use of encryption methods to protect sensitive data against access while it is being transmitted, for
example, public key, private key.
• The use of network monitoring devices that are can inspect activity taking place on the network, termin-
ate sessions with vulnerable devices and log unauthorised access.
• a secure network architecture using devices, such as firewalls, that help secure networks from external
threats and can be used to segregate areas within a network to promote a secure environment.
Do not lose sight of the fact that this is a very technical aspect of computing and that the points above
present an overview only.

9.4.3.4 Accuracy and completeness of data communications


Anybody transmitting information along a communication line wants it to arrive at the other end in an
accurate and complete state. Equally obvious is that all the millions of users around the world cannot do
their “own thing”. If they did, communication would simply be chaotic. This is resolved by using commu-
nication protocols that define the requirements, rules and regulations that must be adhered to for the com-
munication of information. The International Standards Organisation, that, among others, develops the
standards by which the international computer community operates, has published a protocol (the Open
System Interconnection) that is widely implemented.
Essentially users are in the hands of the service provider, and clearly the accuracy and completeness of
data transfer, that is, making sure that data is not lost or damaged and arrives at the correct address, must
be of paramount importance to the service provider.
To confirm that information is transmitted successfully between two (or more) computers, software that
carries out specific tasks is installed on both (or all) computers. These tasks can be described as:
• access control, linking the devices that send and receive the data
• network management, that controls data traffic to and from the communication devices, routing mes-
sages to their proper destination and logging all network activity
• data and file transmission, that controls the transfer of data, files and messages between the various
communication devices
• error detection and control, that confirms that the data received is the same as the data sent, and
• data security, that protects the data from unauthorised access during transmission.

9.4.3.5 Change management controls


You will also need to consider the change management controls relating to networks:
• Do only authorised users have access to change network configuration?
• Do only authorised users have access to data flow in networks?
• Have all changes to networks during the period under review been authorised?
A change in the configuration of network devices can have a significant impact on a network’s perform-
ance, uptime and availability, hence the following controls and procedures need to be in place:
• a procedure to alert the network administrator needs be in place to report any configuration changes
and the details of the change, as it can affect the network’s performance and availability
• controls to manage the processes of maintenance including the upgrading of networks
9/20 Auditing Notes for South African Students

• procedures to minimise configuration errors as part of change management


• procedures to document all network configuration changes, and
• network configuration backup procedures.

9.4.4 Risk implications


If inadequate controls and procedures exist, the following risks become prevalent:
• You can compromise your network security and the functioning of your network.
• Changes made to your network can affect all systems within your organisation if the change process is
not managed adequately.
• Rolling back changes when required to a previous network configuration will not be possible if inade-
quate backups exist and will affect the performance thereof.

9.5 Databases
9.5.1 Introduction
A database is a pool of interrelated data, that is managed, structured and stored in such a way that:
• duplication of data is minimised
• it contains all necessary information that is needed to provide for sharing of common data among
different programmes and users
• the data is quickly accessible by all authorised users, and
• many users can access the same data simultaneously and will be provided with the same view of the
data at any one time, despite updates that may be in progress.
A database therefore provides for sharing of common data among different programmes/users, and so is a
prime example of a resource that is particularly suited to a networked environment. Examples include
common databases such as Microsoft SQL and Oracle.

9.5.2 Terminology
• A database administrator (DBA) should be appointed to manage the database. Duties include:
– defining access privileges of database users
– design, definition and maintenance of the database, and
– defining and controlling backup and recovery procedures.
• Database structure may be hierarchical, network or relational. No further details regarding these struc-
tures are considered necessary for a general understanding of audit implications of databases. Most
financial database systems are structured as relational databases.
• Data ownership is a term that relates to the administration of data, rather than the management/admin-
istration of the database. Responsibility for defining access and security rules for specific data elements
within the database is delegated by the DBA to appropriate individuals (e.g., the credit controller may
be data owner of customer credit limits and therefore responsible for advising the DBA as to who
should be granted access privileges to this data). Data ownership therefore promotes the integrity of the
database.
• Data sharing. The ability of users involved in different applications to use the same data for different
purposes, for example, the quantity on-hand information for an item of inventory may be used by the
buyer as a basis for purchasing more inventory, while the inventory controller may use the same infor-
mation to produce a “value of inventory on hand” report.
• Data independence. This means that the data is independent of a specific application. It can be shared by
other applications as described in data sharing above.
• Data warehouse is a term commonly used for a very large database that usually consolidates information
from several different sources (applications) within an organisation and is used to provide management
reports.
Chapter 9: Computer audit: New technology 9/21

9.5.3 Audit and control implications


General controls relating to database systems have a pervasive effect on application processing. It is there-
fore particularly important that the auditor assesses the degree of reliance that can be placed upon these
general controls when auditing database systems:
• The DBA’s functions are critical in terms of control of the database therefore the auditor should review
these functions to confirm that they are being adequately performed. Of particular importance in this
regard are the concepts of data ownership and access control; who has authority to change data, and what
access privileges are granted to users.
• The effectiveness and reliability of the database in controlling access and updates should be analysed by
the auditor by:
– using query language (e.g., SQL) and other utilities, and
– attempting unauthorised access to the database.
Note: This will be carried out by computer audit specialists.
• Definition and implementation of standards for programme development/programme changes are of great
importance since data is shared by so many different users using so many different application pro-
grammes. The auditor should therefore assess the adequacy of, and adherence to, such standards.
• Segregation of duties of those who design, implement, operate and use the database is also necessary to
promote integrity, accuracy and completeness of the database. Programmers who work on database
programmes should, for example, not be involved in updating data on the database. The auditor should
assess controls in this regard by inspecting organisational charts and by observation and enquiry of
appropriate personnel.
Again, if the above is simplified, it becomes apparent that control over the database comes down to the
application of sound general controls with a little added emphasis on programme development/change
controls, segregation of duties and, most importantly, access controls.

9.5.4 Risk implications


If insufficient database controls are in place, the following risks may occur:
• unauthorised activity or misuse by authorised database users, database and network administrators
• hackers may gain unauthorised access to the database (e.g., unauthorised access to sensitive data or
unauthorised changes to the database programs, structures or configurations)
• cyberattacks cause incidents such as unauthorised access, leakage of personal data, corruption of data or
programmes and interference of authorised access to the database
• performance constraints resulting in the inability of authorised users to use data as intended
• physical security of the database may be compromised
• programming bugs in database systems creating various security vulnerabilities, for example, data
loss/corruption, and
• data corruption and/or loss caused by the input of invalid data due to human error.

9.6 Electronic messaging systems


9.6.1 Introduction
Electronic messaging systems involve communicating, transacting and recording electronically rather than in
the traditional paper-based manner. Two forms of electronic messaging commonly used in business are
electronic data interchange (EDI) and electronic funds transfer (EFT). The term “electronic data inter-
change” means the ability of a user to transact or trade electronically with other parties via links between
their computer systems. Electronic data interchange can take place using a direct link with another com-
pany, or by being a member of a value-added network (VAN) or over the Internet. The term “electronic
funds transfer” involves the transfer of money from one account to another on the strength of an electronic
instruction.

9.6.1.1 Benefits
The characteristics of electronic messaging systems are speed, minimal use of paper and less repetition of data
that results in a more efficient business practice (e.g., lower costs, quicker response times, and fewer errors).
9/22 Auditing Notes for South African Students

9.6.1.2 Risks
These include:
• system failure, that could result in the business being brought to a standstill, losing customer confidence,
failure to meet supply deadlines, etc.
• a loss of confidentiality of the data being “interchanged”
• the opportunity to introduce manual controls may be reduced, for example, stopping an invalid pay-
ment that has got through the system. An invalid cheque payment could have been “stopped” from
going through by contacting the bank. An electronic transfer cannot be stopped easily (note: cheques are
no longer an accepted form of payment in South Africa)
• increased reliance on networks and data communications
• loss of audit trail – no paper, and
• difficult legal liability issues, for example, if confidential information about a supplier is obtained illegal-
ly off the system at large, who is responsible? Company A? Company B? The VAN, or the communica-
tion channel provider?
As with all risks, controls can be put into place to address them. These controls are what the auditor will be
interested in.

9.6.2 An illustration of electronic data interchange


Perhaps all of the above is best illustrated by an example. In the example below, Company X wishes to
purchase goods from Company Y. This could be done manually or by using electronic data interchange.

9.6.2.1 Without EDI – manually


• Company X will generate a multicopy order for the goods required, that is then posted to Company Y.
• Company Y, on receipt of the order form from Company X, will recapture the order details onto an
internal sales order, will select the goods ordered, and may even then recapture all these details onto a
delivery note.
• The delivery note is then sent together with the goods to Company X.
• When the goods arrive at the premises of Company X, they are checked, and goods that are received in
a satisfactory condition will be signed for and recorded on a goods received note.
• Company Y will then invoice Company X for goods accepted and post the invoice.
• Company X will then probably wait for Company Y to post a monthly statement before eventually
making a cash deposit (or EFT) to pay for the goods purchased.
• The proof of payment will then be send to Company Y who will have to check on its bank statements
whether the amount has indeed been received, and whether it has cleared.
It is clear in considering the above example that communication of the information relating to each pur-
chase that Company X makes is very slow and that a lot of constant information has to be recaptured at
each different stage of the process.

9.6.2.2 With EDI


(a) Direct links between the companies, that is, not via a VAN
• Company X sends an electronic order via its computer to Company Y’s computer.
• Company Y’s computer receives the order and generates the necessary instructions to fill it.
• Company Y’s computer then adds data, such as delivery details and prices, before retransmitting the
message back to Company X’s computer in the form of an electronic invoice.
• Company X then simply adds the date when the goods are received to this message in order to generate
the equivalent of a goods received note.
• Payment would then also take place electronically, with Company Y’s computer advising Company X’s
computer to pay the relevant amount directly into its bank (Bank B).
• Clearing information for the payment would also be communicated electronically between Bank B and
Bank A.
Chapter 9: Computer audit: New technology 9/23

WITH EDI: DIRECT LINKS

Company X Company Y

Electronic Orders

EDI Invoice/Delivery Note

Bank A Bank B

(b) Companies linked via a value-added network (VAN)


As discussed earlier in the chapter, a VAN is a business entity that offers the service of linking business
partners at a central “depot” where electronic messages can be left by one company to be retrieved by
another. Companies use VANs because it would be impractical and very expensive for a business to link
itself to all its trading partners and its bank. Where a VAN is used, all messages between the EDI partners
would still be sent electronically, but they would be sent to the VAN initially. The services provided by the
VAN would include:
• resolving any compatibility problems due to differing hardware and software requirements that the
different EDI partners may have, and by providing the necessary conversion facilities between systems,
protocols, etc., and
• provision of a mailbox facility that allows for storage, forwarding and retrieval of messages sent
between EDI partners. The computers of the various EDI partners then simply check their mailboxes at
regular intervals to retrieve any messages that have been sent and stored for them.
9/24 Auditing Notes for South African Students

WITH EDI: COMPANIES LINKED BY A VALUE-ADDED NETWORK

Company X

Bank A Bank B
VAN

Company Y
Company Z and
others

9.6.3 Audit and control procedures


• The basic requirements of internal control do not change in an electronic messaging environment. Man-
agement must still confirm that transactions are complete and accurately recorded and that they are
properly authorised (valid).
• Many of the conventional general and application controls remain relevant, as is clear from the table
below (refer to chapter 8 for more detail on these).
• When considering controls in an electronic messaging environment, the suggested approach is still to
identify risks or objectives and then to determine which control procedures are most appropriate, as
illustrated by the table below.
Chapter 9: Computer audit: New technology 9/25

Summary of audit and control implications in an EDI environment

Risk/Objective Appropriate controls


Implementation of a new EDI system • The normal systems development controls apply:
– standards specific to the development of new EDI systems
should be applied, and
– an EDI champion (employee) should be appointed by the
steering committee to specifically oversee all EDI related
matters.
Continuity • The normal general controls apply here, including:
– physical protection
– adequate backups and redundancy, and
– disaster recovery plan, for example, reverts to a manual
system.
Confidentiality/unauthorised access • Normal access control principles apply.
• Access control principles specific to networks should also be
implemented (covered earlier in this chapter).
• Encryption is of importance for sensitive information, for
example, user credentials (user names and passwords for au-
thorising transactions).
Fraud/error • Segregation of duties should be enhanced through physical
and logical access controls.
• Sound personnel practices should be applied to confirm com-
petent, reliable and honest staff.
• Supervisory control should be exercised using supervisory
codes to authorise transactions, for example, after reviewing a
transaction that is about to be sent electronically, a supervisor
adds his personal “code” as evidence of having authorised the
transaction.
Loss of manual controls • Compensating programme controls, for example, use of check
digits on creditors a/c numbers as they are input, reasonable-
ness check on quantities field, missing data checks, etc.
Lack of audit trail • Parameters within the messaging system should be set to
confirm that appropriate use is made of control logs to com-
pensate for any loss of essential audit trails.
• Reports on electronic transactions should be adequate and
timely to allow for identification and treatment of problems
and errors.
Legal liability • Use of standard EDI trading contracts to define respon-
sibilities and penalties (see below).
Use of a VAN Despite the VAN provider’s desire to implement and maintain
A company making use of a VAN lays itself sound controls, users of VANs should insist upon:
open to the risk of unauthorised access to its • a VAN contract that sets out the responsibilities and duties of
“mailbox” located at the VAN. the VAN provider and user, that will specify (among
However, the company offering the VAN others):
service will want to protect its client’s data – message content and format details
otherwise it will have very unhappy clients and – message acknowledgement requirements
will go out of business. – security obligations
Subscribers to the VAN always expect their – details of liability/non-performance, and
data to be protected from unauthorised access, – validation checks for data received, for example, a reason-
damage, loss or breaches of confidentiality. ableness check on quantity ordered.
• independent certification from time to time that there is:
– adequate control over physical access to storage media at
the VAN

continued
9/26 Auditing Notes for South African Students

Risk/Objective Appropriate controls


– strict logical access control
– sound backup and contingency plans
– enough logging of transactions at each stage of the
process, and
– application controls that confirm the completeness and
accuracy of data.

9.6.4 Electronic funds transfer (EFT)


As discussed earlier, EFT is an electronic messaging system that transfers money electronically. Most
companies currently make extensive use of paying creditors and employees by EFT. It is generally regarded
to be a far safer method of paying than cash (wages), but if it is not strictly controlled, the consequences can
be very severe. EFT principles are explained in terms of two examples given below.
The procedures for making EFT payments will vary depending on the bank’s requirements and the needs
of the business. For example, a business that makes a limited number of payments, including once-off
payments, will make EFT payments in a slightly different manner to a large business that pays hundreds of
employees and creditors each month. The principles will be the same. The essence of the difference is that
payments can be made from either a terminal that has been authorised, (i.e., it has certain of the bank’s
EFT software loaded on it) or from a normal terminal that has no bank software loaded on it. The former
will be more suitable for large companies wanting to transfer a file of payments as opposed to a small
company wanting to make a few payments, including once-off payments. The following examples will
illustrate this:

Example 1
Boomtown (Pty) Ltd, a small company, has 30 suppliers that it wants to pay by EFT. It will also need to
make three or four once-off payments for other items purchased. Not all creditors are paid every month.
1. To set up payment by EFT, the financial manager will have to visit the company’s bank and provide
extensive evidence of his identity, the existence of the company, his authorisation to use the service, etc.
The facility will then be activated specifically for the company’s bank account from which EFT pay-
ments will be made. He will also provide the bank with his mobile number.
2. Once the financial manager has set up the facility with the bank, his first task will be to list the 30 sup-
pliers on the system. To do so he will access the bank’s site on the Internet. He will then log into the
website by entering the Boomtown (Pty) Ltd’s bank account number and PIN supplied by the bank. If
this is successful, the screen will request the entering of a confidential password. On successful entry of
the password, the bank’s system will automatically send an SMS to the mobile number provided by the
financial manager. This alerts him to the fact that someone has accessed the bank account and is just a
precautionary control.
3. Following on screen instructions, the financial manager creates a list (profile) of the 30 regular suppliers
that Boomtown (Pty) Ltd intends to pay by EFT. The list will contain the name and full banking details
of the suppliers, for example, bank, branch, account number.
3.1 To enter a supplier onto the list (initially or in the future), the financial manager must select the
“add beneficiary (payee)” option. At this point the bank’s system will send another SMS that con-
tains a one-time password consisting of numeric and alphabetic characters. This password can be
used only once and must be entered by the financial manager for him to be able to add a supplier
onto the list of payees (suppliers). Once the list has been created, it remains on the bank’s system.
4. When the financial manager actually wants to pay suppliers on the list, say at the end of the month, he
accesses the bank account (gets an SMS to alert him that someone has accessed the account), and fol-
lowing the prompts, selects each supplier to be paid, and enters the amount each is to receive (all the
other information, e.g., bank details, etc., is already on the system), and sets the transfer in motion by
selecting the appropriate option, for example, proceed, or next. The transfer will then go through.
5. The procedure for making once-off payments is slightly different. Once-off payments are made to
payees who are not on the profile and to which the company is unlikely to make regular payments. On
accessing the company’s bank account (SMS is received as usual), the financial manager will select the
once-off payment option, and at this point will receive a one-time password via SMS.
Chapter 9: Computer audit: New technology 9/27

5.1 Once this password has been entered, the financial manager will be taken through a series of
screens onto which he enters details of the payee (beneficiary) and the payee’s bank, account num-
ber, branch code, reference and amount to be paid.
5.2 On selecting the proceed option, a second one-time- password will be sent via SMS, which the
financial manager must enter before the transfer will be activated. Note: Two one-time passwords
are required for once-off payments as added security.
6. When payments are made in this manner directly via the terminal by an employee, the procedure is
independent of the company’s financial accounting system in the sense that there is no preparation of a
file of EFT payments created on the company’s computer system and transferred to the bank as a file.
7. It is important to note that the bank’s controls do not prevent the financial manager from adding invalid
payees, such as himself or an associate in an attempt to defraud the company. The bank requires a PIN
and normal password, and also adds protection against unauthorised transfers by sending additional
once-off passwords to a specified mobile number, but it will be the responsibility of Boomtown (Pty) Ltd
to make sure that only valid payees are added to the profile and only valid once-off payments are made.
7.1 The risk in this situation arises because of a lack of segregation of duties. The financial manager
has access to the PIN and password for the company’s bank account and the one-time passwords
come to his mobile phone. This lack of segregation of duties will be made worse if confirmation of
the payment is also sent to the financial manager and even more so if he reconciles the bank state-
ment, which may well be what happens in a small company.
7.2 The nature and extent of controls that a company like Boomtown (Pty) Ltd will be able to imple-
ment to address this risk will depend upon the number of employees it has, as segregation of duties
will be the best preventive control. Controls over EFT payments should focus on prevention but
must be supported by detective controls. Possible controls are:
Preventive
• All EFT payments should be documented on preprinted, sequenced EFT payment vouchers.
• Each EFT payment voucher should be authorised by two employees (preferably independent of
the individual making the EFT payment).
• EFT payment vouchers should be sequenced checked, and verified against supporting docu-
mentation, before being authorised. The banking details of payees receiving once-off payments,
should be verified independently.
• The financial manager should log onto the bank’s website and an SMS should be sent to his
mobile phone, but the password to access the facility to make EFTs should not be known to
him. Another senior employee should have this password and must enter it (note: the financial
manager’s profile should allow him to do other things on the site, e.g., download bank state-
ments).
• The PIN and passwords should be strictly confidential, and the financial manager should not
leave his mobile lying about.
• A limit on the amount that can be transferred in a single 24-hour period or in a single EFT
payment should be agreed with the bank.
• The terminal should shut down after three unsuccessful attempts to access the bank
account/EFT facility.
• The ability to access the Internet should be restricted to the PCs of those employees who need it
to do their jobs to the extent that it is practical to do so.
Detective
• Confirmation of all EFT payments sent by the bank should be printed, matched to the EFT pay-
ment voucher and attached to it.
• From time to time a senior manager (or the person to whom the financial manager reports)
should access the list of payees on the payee file and reconcile it to an audit trail of payees added
and/or removed over the preceding period.
• Security violations should be logged and followed up.
• The cash book reconciliation should be carried out regularly, and by someone independent of
the payment process.
9/28 Auditing Notes for South African Students

Example 2
Marathon Ltd is a wholesale company that pays its creditors by EFT. The company has many creditors.
1. A company that makes a large number of payments would want to prepare a file of payments on its
system that they can transfer to the bank over the Internet to pay creditors (and salaries).
2. To facilitate this, Marathon Ltd’s bank would load its EFT software on a limited number of terminals at
Marathon Ltd so that the access to the bank via the terminals is more secure, and the two systems can
communicate with each other.
3. Access to the bank’s site on the web will be gained in the normal manner via the Internet, but once the
Marathon Ltd employee gets onto the site, an additional PIN and password, unique to that user, will
have to be entered.
4. If this identification and authentication process is accepted, a menu of the functions available will
appear, for example:
• balance enquiry
• download bank statement, and
• make EFT payment.
Access to any of these functions will be directly linked to the employee’s user profile, for example, some
employees will be able to download bank statements, and a (very) limited number will be able to make
EFT payments. Remember that the employee has already identified and authenticated himself to the sys-
tem, so an additional password may not be required. The employee will then click on the function he
requires to exercise his privileges. If the user profile does not allow access to the function “clicked on”,
there will either be no response and/or a screen message “access denied” will be sent.
5. Obviously the function that must be most protected is the EFT payment function, and the bank will
require that additional controls be implemented.
5.1 The first additional control is to require an additional “password” from the user. This is achieved
in different ways by different banks.
Example 1
• A leading bank requires that a (physical) device, called a dongle, be inserted into the USB port of
a PC that has had the bank’s software loaded on it.
• A dongle is given only to those employees of Marathon Ltd who are authorised to make EFT
payments.
• The dongle is unique to that employee and must be kept safe and secure at all times. It is in
effect a “physical” password that communicates with the bank’s software on the terminal.
Example 2
• Another leading bank gives the authorised employees at Marathon Ltd a random number gen-
erator. This is a small device that provides a one-time password.
• Each random number generator is unique to the person whom it is issued to.
• The device has its own unique registration number and, when it is issued, the registration num-
ber is linked to the employee’s user profile on the bank’s software.
• Once the employee has logged onto the site to make an EFT payment, the screen will request
the employee to enter his one-time password. The employee presses a little button on the device
and a random number appears. Remember that the employee has already identified and
authenticated himself to the system, so the system can link the random number to the employee
who entered it
• Of course, the employee must not give his password and number generator to anyone.
5.2 The second additional control is to require two employees to effect (put in motion) an EFT.
• One employee is to authorise the payment file and another to release the payment file.
• The payment file will not go until both authorise and release functions have been activated, and
they must happen in the correct order.
• Once the first employee has selected the authorise option, nobody can write to the file of pay-
ments (including the employee who will release the file).
Chapter 9: Computer audit: New technology 9/29

• If the releasing employee requires changes, he will have to return the file to the authorising
employee who will make the change and start the process again.
• Both parties will need to have their own additional password to carry out their functions, (i.e.,
the release employee will also have a dongle or a unique random number generator).
6. In addition to the controls over actually making the EFT payment, there must be good controls over the
preparation of the file to be transferred. This will be achieved by conventional access controls and care-
ful checking of the content of the file, for example, confirming payments to creditors against supplier
invoices, etc. Of particular importance will be controls over masterfile amendments.
In a large company like Marathon Ltd, control over EFT payments should be very strict. Controls
should include:
Preventive
• Strict controls over the compilation of the payments file to be transferred, for example, authority for
masterfile changes (adding a creditor, changing a bank account number).
• Bank software is to be loaded on the minimum number of terminals necessary to facilitate EFT pay-
ments efficiently and securely.
• Only more senior employees are to be authorised to effect an EFT.
• Only a limited number of employees are to be given privileges to make EFT payments.
• Once access to the bank account has been granted, further access should be given on the “least priv-
ilege” principle, for example, some employees can download bank statements but not make pay-
ments.
• User IDs, PINs, passwords are to be subject to sound password controls (see chapter 8).
• Devices such as random number generators and dongles are to be the responsibility of the authorised
employee at all times, for example, not left with an assistant or left lying about.
• The “two signatories” principles (authorise and release) must be applied.
• The terminals on which the EFT software is loaded should shut down after three unsuccessful at-
tempts to access the bank account.
• An arrangement may be made with the bank to transfer the money from the company’s main bank
account to another clearing account and then to creditors’ (or salary earners’) bank accounts. Limit-
ing the accounts to which transfers from the main bank account can be made, protects the main bank
account, as attempts to transfer electronically to accounts other than the designated clearing accounts
will not be successful.
• The amount that can be transferred within a 24-hour period can be limited.
• Data can be encrypted.
Detective
• A log of authorised access and access violations should be kept and reviewed; problems should be
followed up.
• An audit trail of all EFT payments should be downloaded the following day and checked against the
payments file.
• The audit trail should be independently reviewed by a senior official and payments randomly
checked against source documentation.
• All bank accounts should be regularly reconciled in a timely manner by an employee independent of
the EFT function.

9.7 The Internet/e-commerce

9.7.1 Introduction
The Internet began as a single network (ARPANET) that originated in the United States of America in the
late 1960s as part of a defence research project. It has since been used to connect to hundreds of thousands
of other networks in countries throughout the world. It may therefore be described as a huge network of
networks all connected to make up the largest network in the world. Any company that uses the Internet
9/30 Auditing Notes for South African Students

takes on the risks of any network, namely an increase in the risk of unauthorised access to its own system
and its resulting problems, including loss of confidentiality, corruption of data and programs, and the
introduction of viruses.
Use of the Internet for commercial purposes is growing at a phenomenal rate. This has a direct effect on
the auditor because more and more clients are using the Internet to conduct their normal business activ-
ities.
In the same way as a LAN allows employees in an office to share computer resources in that office, the
Internet allows users throughout the world to share services and resources made available on millions of
computers worldwide.
A wide variety of services are available on the Internet. Different protocols are associated with each ser-
vice and some protocols are recognised as being more reliable and secure than others. A protocol is simply
a standard way of doing things, or to be more precise, a set of procedures, requirements and regulations for
each service. The most important services, for commercial purposes, are explained by the terminology that
follows.

9.7.2 Terminology
• The World Wide Web (WWW): This is the fastest growing aspect of the Internet and offers the greatest
attraction for business. It uses a concept known as hypertext technology to link documents located at
different websites. These documents are known as web pages and may include text, graphics, sound and
video files. It is controlled by a protocol called hypertext transfer protocol (http). There is a more secure
protocol, called https, that should be used when communicating sensitive information (e.g., credit card
details) – the additional security includes encryption.
Web pages can be used:
– to market and advertise products to an audience of millions of people
– to offer customers “24/7” service (i.e., access 24 hours per day, 7 days a week for every day of the
year) to information, products and facilities for placing of orders and/or making payments
– as a valuable source of information for businesses, and
– to facilitate the download of products, for example, music, articles and information.
• Electronic mail: Provides users with the ability to communicate quickly and economically, using text or
graphics, with other Internet users throughout the world. Email is controlled by the simple mail transfer
protocol (SMTP).
• File transfer: This is similar to email, but is used to look for, as well as to transmit, large files as opposed
to short email messages. This is controlled by file transfer protocol (FTP). It is worth noting that there is
a more secure, encrypted version, called SFTP.
• Remote terminal access and command execution: This service allows access to a remote system as if you
were on a terminal/PC that was directly attached to that system. Use of this service could therefore
provide an organisation with access to powerful processors, large databases, useful programmes and
other resources that it may not otherwise be able to access.

9.7.3 Risks and controls: Trading on the Internet


Many organisations have decided to sell their products over the Internet, providing them with a wider
platform to market and sell their products. Broadly speaking, organisations will have to set up a website,
design catalogues through which Internet shoppers can browse to establish whether they wish to make
purchases, provide a quick and easy way for the order to be placed, and, most importantly, have some safe
method of being paid for the goods purchased. Trading on the Internet presents a company with several
different risks that must be controlled. The risks that arise and the control techniques required to address
them are presented below. Remember that, as with all more complex computer issues, a high level of
technical expertise is usually required to understand and implement controls. As a general auditor, you are
not expected to have this specialist knowledge, but you should have a broad understanding of the risks and
how they are controlled.
(a) Risk: Any company selling its products over the Internet must comply with the Electronic Communi-
cations and Transactions Act. Failure to comply with this Act, which is designed to protect consum-
ers, may well result in the company facing liability.
Chapter 9: Computer audit: New technology 9/31

Control: Appointing/consulting personnel with the necessary legal and computer skills to implement
the requirements of the Act and to monitor compliance on an ongoing basis.
(b) Risk: By connecting to the Internet, the company creates a channel or link to the outside world that
could facilitate unauthorised access to the company’s computer system. This could lead to service dis-
ruption, virus contamination, data destruction or corruption, and the loss of confidential information.
Control: A number of controls could apply, including:
• Configuring the company’s own system to restrict the access that the Internet link provides to only
those resources that need to be linked.
• Processing and storing particularly sensitive applications on separate systems (systems not linked to
the Internet), for example, a computer that is not physically connected to the other computers
linked to the Internet.
• Providing a means of restricting traffic to and from the Internet so that it all has to go through a
carefully controlled route. This is achieved by introducing what is termed a firewall – specialised
hardware and software that is configured with sets of rules that dictate the permitted protocols,
source and destination locations. The firewall is placed between the Internet network and the com-
pany’s system.
• Installing Internet and email monitoring software, for example, Web Marshall and Mail Marshall.
These products can:
– log the sites on the WWW that have been accessed by employees (this will dissuade staff from
accessing illegal or unacceptable sites from the office, and wasting time on the Internet)
– prevent users from accessing certain websites
– control the addresses, length and content of emails by monitoring the email protocol (smtp),
thus, emails to or from certain specified addresses or over a certain length or containing attach-
ments (e.g., video footage), may not be allowed to pass
– pass all incoming files through a virus scanner
– encrypt emails that are sent to specific sites, and
– control the delivery of messages to specific PCs.
(c) Risk: Orders may be accepted, and the goods dispatched but payment may not be received from the
customer.
Control: Before the company fills any orders, it needs to be satisfied that it is dealing with a genuine
customer and that there is a very high expectation that the customer will pay. Essentially the customer
needs to be identified and authenticated. This can be achieved as follows:
• The company can obtain personal details about the client (over the Internet) including citizen
identification numbers, or credit card details that can be authenticated. The customer can then be
provided with a password that must be kept secret and used by the customer when placing an order
to identify and authenticate him- or herself.
• If further authentication is required, the customer can be subjected to “challenge-response” where,
before transacting, the user is required to provide answers to questions about details that were pro-
vided when the customer opened his account, for example, what is the name of the family pet? The
computer then compares the answer given by the user to the customer’s file.
• An email address can be requested. This provides an additional way of tracing a transaction and
allows the company to contact the address to confirm the order. It is not foolproof, but may alert a
person whose email address has been used fraudulently to the transaction.
• Restricting the method of payment to credit card only. The system should obtain clearance on the credit
card details supplied by the customer. A direct link with the bank will provide the supplier with confir-
mation that the card is genuine, not reported stolen or expired and that the account contains the neces-
sary funds. Before the goods are despatched, the funds transfer should have been authorised. Of course,
genuine card details do not mean that the owner of the card consented to its use (it may have been sto-
len) but that is the concern of the card owner. Passwords, pins and cards must always be kept secure. An
additional point to remember is that if a person is trying to obtain goods fraudulently over the Internet,
he has to gain physical access to the goods, so a delivery address must be provided. This will leave a trail,
but it will be time consuming and costly to follow this up if the sale proves to be fraudulent. It is far
more efficient to prevent the situation from arising.
9/32 Auditing Notes for South African Students

Note: A company trading over the Internet may accept orders from a customer and charge the sale to
the customer’s account (i.e., like a normal credit sales/debtors transaction). In this case all the normal
controls for extending credit should be adhered to, for example, creditworthiness checks, credit limits,
as well as identification and authorisation of the user prior to accepting the order.
(d) Risk: Information keyed in by the customer may be inaccurate or incomplete, resulting in orders that
cannot be filled, for example, if the customer does not indicate the quantity required, the order can’t be
filled. This will lead to customer dissatisfaction and lost sales.
Control: This risk is reduced (eliminated) with adequate input validation and reasonableness checks,
for example, web pages that:
• are properly designed to display spaces for all information required and are easy to follow, and
• require the customer to key in the absolute minimum.
For example:
instead of keying in the description of the item required, the customer will simply select and click
against a list of goods available that appears on the screen (drop-down lists).
• contain programme checks that enhance accuracy and completeness.
For example:
alphanumeric or number fields and a mandatory field check on the quantity ordered field where an
item has been selected
• all other information.
For example:
The item number pertaining to the item ordered will be linked to the description and will not have
to be entered.
(e) Risk: Unauthorised disclosure of confidential customer information (by hacking, eavesdropping)
and/or loss of data integrity (data is changed in some way), once transmission of the transaction is
underway.
Control: The inclusion and enabling of transport layer security techniques (e.g., secure socket layer)
that:
• encrypts sensitive data to confirm confidentiality
• authenticates the user (thus ensuring authorised access)
• implements programmed checking that tests the completeness of data as well as any changes thereto
(integrity). For example, details of the order are relayed back (on screen) to the customer by the
sales system for final acceptance. The customer is required to select and click on the desired option,
for example, “confirm amount” or “cancel”, and
• transaction logs and transmission logs are produced and reviewed to confirm that all transactions
sent were received.
(f) Risk: Potential customers may be lost (and the reputation of the company damaged) if customers are
not satisfied that the website does not contain malicious code or content, and that the company is a
legitimate business.
Control:
• Confidence in the site can be enhanced by having the site verified (on an ongoing basis) by a reput-
able certificate provider; for example, Thawte and Verisign, and displaying the company’s privacy
policy on the site.
• Web applications should be designed to be secure. Adequate input validation, reasonableness
checks and user authentication techniques must be implemented. This is a highly specialised area
where specialists should be used.
(g) Risk: By selling over the Internet, the company becomes a 24 hour a day, 7 days a week, 365 days a
year business. Any lack of availability or functioning of the site will result in lost sales and may affect
the company’s reputation.
Control: A reputable service provider must be used, and the company must employ staff with the
necessary computer and website maintenance skills to confirm that the website is always available and
fully functional (and that the website is up to date, attractive and user-friendly). Adequate redundancy
and disaster recovery that is commensurate with the needs of the business/website should be imple-
mented.
Chapter 9: Computer audit: New technology 9/33

(h) Risk: The consequences of incorrect pricing become more significant:


• As the company does not only sell its products via the Internet, it may be in competition with itself.
For example, if it sells through retail outlets, the Internet price should not be so favourable that
retail suppliers are compromised, or that overall profitability is reduced.
• If the true costs of selling over the Internet are not carefully identified before setting Internet prices,
overall profitability may be compromised (i.e., the selling price of Internet products are set too low).
Control: The company must employ staff with the necessary competence, and implement information
systems that provide this staff with the ability to:
• set selling prices for all products (whether they are sold over the Internet or by other means) that
optimise sustained profitability, and
• identify all costs that are applicable to the Internet business, for example, transport/delivery, addi-
tional staff, warehousing and any other on an ongoing basis.
(i) Risk: Unless the website in some way restricts the geographical areas to which Internet sales can be
made (e.g., South Africa only), the company will face the risks of international trade. The company
may:
• unknowingly contravene export regulations (and import regulations of other countries)
• unknowingly contravene financial export regulations, or
• fail to meet customer expectation due to a poor delivery service (too slow, unreliable, etc.) thereby
damaging the reputation of the company.
Control: Again, the response to this risk would be to employ staff who have the necessary expertise,
and implement and monitor policies and procedures on an ongoing basis that can cope with these
additional risks. For example, a separate department may be set up, headed by a competent Internet
trading manager, and all deliveries handled by a single reputable international courier service.
Note: Even if the company does not sell outside the country’s borders, if the delivery method, for
example, courier or postal service, does not meet customer expectation, the business will suffer loss of
sales.
(j) Risk: An inadequate audit trail may hinder the company’s ability to defend itself against legitimate or
fictitious claims or queries pertaining to a transaction.
For example:
• repudiation – the customer denies having placed the order, or
• the customer claims to have placed an order that was not filled.
Control: The methods that are used to prevent repudiation are all reasonably complex and are beyond
the scope of this text. However, the control techniques that can be put in place for the company to
defend itself against both repudiation and customer claims include the use of:
• digital signatures (a unique mark that only the sender of the message can make, and that is attached
to the message and can be recognised or authenticated by another party)
• time stamping (that identifies the date and time of the message so it cannot be refuted), and
• having software that provides a comprehensive audit trail consisting of transaction logs, transmis-
sion logs and system activity logs that record all stages of the transaction; this is perhaps the best
defence.
Remember: There are numerous other aspects of the cycle that must still be controlled by conventional
means. In effect, selling over the Internet is just a revenue and receipts cycle with a difference. In our
example of selling over the Internet, once the order has been received, it must still be picked, packed and
despatched. Inventory must still be safeguarded, goods purchased for sale must still be properly ordered,
received and recorded, and salaries and wages must still be paid. Conventional manual and computerised
application controls will still be required.
9/34 Auditing Notes for South African Students

9.8 Computer bureaux/service management organisation


9.8.1 Introduction
A computer bureau is a business entity that processes other entities’ data for a fee. The bureau provides the
necessary hardware, software and skills to perform the function. This may be appealing to certain com
panies as it means that they do not have to outlay money for equipment and computer staff.
Some companies use bureaux to enhance confidentiality of sensitive information, for example, salaries
may be processed off site by a bureau. The use of a bureau simply means that a stage in the accounting process
does not take place at the client, but at a separate business entity. However:
• data must still be input
• data must still be processed, and
• output will still be created.
It follows therefore that controls over each of these functions must still be maintained but that the responsi-
bility for the controls in each function will depend upon whether the client or the bureau is performing the
function.

9.8.2 Terminology
A bureau may provide several different levels of service, including:
• facilities management – in which computers are housed at the bureau and the bureau staff may provide
infrastructure support for the hardware, operating system and database, but applications are managed
by the business itself
• application service providers (ASPs) – the entire service related to a particular application is provided by
the bureau, or
• full outsourcing – in which case all IT services are provided by the bureau.

9.8.3 Audit and control implications


As indicated above, when a company uses a bureau it is adding another dimension to the accounting
system that will need to be controlled. The auditor, in formulating his audit strategy and plan, will need to
evaluate the controls over the use of the bureau. Ultimately, he needs to determine whether the accounting
system, of which the bureau is now a part, and related internal controls, will provide valid, accurate and
complete data. Of course, it is in the interest of the client and the bureau to provide precisely that, but the
auditor cannot rely on this and will therefore need to evaluate the bureau’s role.
It is very unlikely that the bureau is going to allow the auditors of all its clients to come in and perform
an indepth evaluation of its general and application controls, because doing so would be impractical and
inconvenient. At the same time the auditor cannot simply disregard the bureau’s role. The auditor’s assess-
ment of the bureau will probably be centred on:

(a) An assessment of the bureau’s suitability


For the auditor, the use of a bureau by a client is similar to relying on an expert. Hence the auditor should
assess the professional reputation of the bureau including:
• its competence
• its independence in relation to the auditor’s client
• its stability
• the range of services offered to the client
• the reputation for confidentiality the bureau enjoys
• the security arrangements the bureau employs to safeguard the integrity of the clients’ files, reports and
programmes
• its efficiency and reliability in meeting deadlines, and
• its ability to service the client using the most reliable and up-to-date computer developments.
It is not always easy for the auditor to assess the above, but he should make the best use possible of trade
publications, professional bodies to which the bureau may belong, and discussions with the client and other
users as well as a review of correspondence between the client and bureau, that may provide evidence of
Chapter 9: Computer audit: New technology 9/35

the above. The auditor should also observe the relationship between his client and the bureau to gain the
above insights.
Some bureaux will arrange independent evaluations of their business from time to time. It is in their
interests to do so as the evaluation report can be used to promote the bureau. If such an evaluation exists,
the auditors of the bureaux’s clients should make use of it; for example, a report, that provides an inde-
pendent opinion on the operating effectiveness of the key controls operating at the bureau. See page 17/23
in this regard.

(b) An evaluation of the bureau agreement


This agreement is very important as it defines the responsibilities of the client and bureau and will be the
primary source of reference in any dispute. It should cover the following:
• identification of liaison personnel and their authority, at both the bureau and the client, for example, if
there is a problem, the person to be contacted
• a description of:
– the input to be provided
– the processes to be performed, and
– the output
• deadlines for input and output delivery, and the procedures and consequences of these deadlines not
being met
• bureau responsibility in respect of:
– data preparation
– input control, and
– masterfile amendments – how they happen and how they are authorised, etc.
• client responsibility in respect of:
– data acceptance
– handling errors, and
– notifying client of system changes/programme developments
• backup processing arrangements
• ownership of data files, programmes and documentation
• liability of the bureau for loss of data in any of its forms (e.g., files, input documents)
• the term, renewal options and cancellation of the agreement
• basis of fee charging for various services offered
• insurance cover for the bureau
• fidelity insurance for bureau employees
• disaster recovery plans
• the access the auditor might or might not be entitled to, and
• training and support of client personnel who interact with the bureau.
Typically, these agreements include formalised service levels. These service levels are often reported against
in monthly reports. In many cases there are penalty clauses for non-compliance with the contracted service
levels.

(c) An evaluation of the controls put in place at the client over the functions that are the responsibility of
the client
This will involve performing conventional tests of controls (observation, enquiry, inspection, etc.) over the
functions that are the responsibility of the client, for example, gathering data for processing or reconciling
output.
Remember that the use of a bureau takes care of only certain functions within a cycle. The other func-
tions must still be controlled as they would be if computing took place at the company itself. For example,
a bureau may process a client’s wages, but the client is still responsible for the personnel function, time
9/36 Auditing Notes for South African Students

keeping, and possibly making the relevant EFT payments to employees, all of which will still be evaluated
and tested by the auditor. Equally, substantive tests will still be performed as required on transactions,
balances and totals.
Assurance reports
The bureau/service management organisation will have to obtain an ISAE 3402 report from its auditors
that provides its clients with an assurance report over the controls. As the auditor, you may consider the
ISAE 3402 report as part of your audit where the client has outsourced its controls to a service manage-
ment organisation.

9.8.4 Risk implications


• Loss of control over processes, standards and defined IT policies.
• The SLA must define expected turnaround times and financial penalties for the service management
organisation as poor performance causes reputational damage and potential financial losses for the
company.
• The service management organisation must have adequate security features in place to avoid data and
system breaches that can lead to compliance risks for the organisation.
• When unexpected system downtime occurs, loss of productivity could be longer when the service
management organisation needs to resolve the issue versus an internal person having to do so.
• The service management organisation might have access to sensitive data and there is no certainty as to
how confidential they will keep the data.

9.9 Viruses
Viruses are possible in virtually any computer environment, but the risk is increased in highly networked
end-user computing environments (especially the Internet) in which large numbers of relatively uninformed
users, who are not adequately control conscious, have access to computer resources.

9.9.1 What viruses are


A virus is a computer programme that spreads from one system to another, eventually performing the illicit
function for which it was designed. Each reproduced virus works independently of the initial virus. It is
common for viruses to be transmitted via email.

9.9.2 Virus categories


(a) Destructive viruses
• Massive destruction: attacks the format of storage devices, whereby any programme or data damaged
will not be recoverable.
• Partial destruction: erasure or modification of a specific portion of a storage device, affecting any files
stored in that portion.
• Selective destruction: erasure or modification of specific files or file groups.
• Random havoc: random changes to stored data during normal programme execution, or changes to key
stroke values, or data from other input/output devices.
• Network saturation: systematic demands on computer memory or space to impede performance or
cause the system to crash.
(b) Non-destructive viruses
• Annoyance: displaying messages, changing display colours, changing keystroke values (e.g., changing
the effect of the SHIFT/ALT keys), deleting characters displayed on a visual display.
(c) Kinds of virus
Viruses or “malicious code” as they are sometimes called are also described in terms of their capability.
Some examples follow:
• Trojan horse – code that results in the performance of an additional function that is unexpected and
unknown to the user, for example, copies passwords as they are entered by users.
Chapter 9: Computer audit: New technology 9/37

• Logic or time bomb – code that sets off an action when a specific condition or date occurs, for example,
“on 1 April delete . . . ”
• Trapdoor – code that allows access other than in the conventional manner (almost like a secret pass-
word).
• Worm – code that spreads itself through a network.
• Spyware – a programme that “steals” information from the system on which it is running, such as user
names, passwords, credit card numbers, etc.

(d) Spam, phishing and pharming


Spam “attacks” email systems. The intention is to send so many useless emails to an address that the
system crashes (gets saturated). This is also termed “denial of service attack”.
Phishing is the practice of sending emails to users to get the recipient to give away some confidential
information, for example, confirm a bank account number and password. The email is worded and (visual-
ly) made to look very authentic and genuine but is in effect a bogus email. Many people are, however,
fooled and respond.
Pharming is the illegal practice of re-directing a website’s traffic that may include confidential infor-
mation from the official website to an alternate site and is a major threat to e-commerce and online bank-
ing.

9.9.3 Audit and control implications


A security system should include the following controls, and this should be tested:
• All software and data files should be backed up at regular intervals – if a virus causes destruction, this
will facilitate the rebuilding process.
• Antivirus software that is regularly updated with the latest virus definitions should be loaded onto all
PCs.
• Antivirus software should also be used to scan all emails entering and exiting an organisation’s network.
• Only software from reputable suppliers should be used.
• All users should be informed of the need for data security, and of the potential threats that viruses pose
to the integrity of their data, for example, spam, phishing.
• All purchased software should be carefully examined before use. New software should be loaded onto
an isolated PC that contains no critical or sensitive files.
• Access to PCs should be restricted to authorised personnel who should be accountable for their PCs.
• Instructions are to be issued to users not to open emails received from unknown or suspicious sources.
• Installation of anti-spam systems and education of users.

9.9.4 Risk implications


• Viruses that log key strokes can obtain personal information and then be used to commit identity theft
and fraud. This may result in reputational damage for the organisation.
• Viruses can be used to corrupt data and if no adequate backups exist, can lead to loss of data.
• Viruses can affect software performance and stability and can cause severe financial losses.
• Viruses can lead to hardware failure that is very costly to replace or repair.
• Viruses can be expensive to get rid of depending how deeply embedded in your system they are.
CHAPTER

10
Revenue and receipts cycle

CONTENTS
Page
10.1 Accounting system and control activities ......................................................................... 10/3
10.1.1 Introduction ....................................................................................................... 10/3
10.1.2 Objective of the first section of the chapter ........................................................... 10/3
10.1.3 Characteristics of the cycle .................................................................................. 10/3
10.1.4 Basic functions for any revenue and receipts cycle ................................................ 10/4
10.1.5 Documents used in the cycle ............................................................................... 10/5
10.1.6 Narrative description of a manual revenue and receipts cycle by function .............. 10/6
10.1.7 Flow charts for a manual revenue and receipts cycle............................................. 10/9
10.1.8 Computerisation of the revenue and receipts cycle ............................................... 10/19
10.1.9 Internal control in a cash sales system .................................................................. 10/32
10.1.10 The role of the other components of internal control in the revenue and
receipts cycle ...................................................................................................... 10/35

10.2 Narrative description of the revenue and receipts cycle at ProRide (Pty) Ltd.................... 10/36
10.2.1 Introduction ....................................................................................................... 10/36
10.2.2 Background to the company ................................................................................ 10/36
10.2.3 Overall control awareness ................................................................................... 10/36
10.2.4 Computerisation in this cycle .............................................................................. 10/36

10.3 Sales – How the system works at ProRide (Pty) Ltd .......................................................... 10/36
10.3.1 Receiving orders ................................................................................................. 10/37
10.3.2 Opening an account ............................................................................................ 10/39
10.3.3 The production of picking slips ............................................................................ 10/39
10.3.4 Picking the goods ................................................................................................ 10/40
10.3.5 Despatch ............................................................................................................ 10/41

10.4 Receipts – How the system works at ProRide (Pty) Ltd..................................................... 10/41
10.4.1 Recording and entering receipts from debtors ....................................................... 10/42
10.4.2 Credit notes and adjustments to debtor’s accounts ................................................ 10/43
10.4.3 Monitoring ......................................................................................................... 10/43
10.4.4 Conclusion ......................................................................................................... 10/44

10/1
10/2 Auditing Notes for South African Students

Page
10.5 Auditing the cycle ............................................................................................................ 10/44
10.5.1 Introduction ....................................................................................................... 10/44
10.5.2 Auditing the revenue and receipts cycle ............................................................... 10/45
10.5.3 Important accounting aspects of the revenue and receipts cycle ............................. 10/45
10.5.4 Financial statement assertions and the revenue and receipts cycle ......................... 10/46
10.5.5 Fraud in the cycle ............................................................................................... 10/47
10.6 The auditor’s response to assessed risks .......................................................................... 10/48
10.6.1 The auditor’s toolbox .......................................................................................... 10/48
10.6.2 Overall responses to risks of material misstatement at financial statement level ..... 10/48
10.6.3 Responding to risks at the assertion level ............................................................. 10/48
10.6.4 Other audit procedures ........................................................................................ 10/48
10.7 Audit procedures – Test of controls and substantive procedures ........................................ 10/50
10.7.1 Tests of controls .................................................................................................. 10/50
10.7.2 Substantive procedures........................................................................................ 10/52
10.7.3 Substantive procedures of transactions in the revenue and receipts cycle ............... 10/53
10.7.4 Substantive procedures on the trade receivables balance ....................................... 10/56
10.7.5 Substantive procedures for the audit of bank and cash .......................................... 10/59
10.7.6 The use of audit software(substantive procedures) ................................................ 10/61
10.7.7 Automated application controls in the revenue and receipts cycle ......................... 10/62
Chapter 10: Revenue and receipts cycle 10/3

10.1 Accounting system and control activities


10.1.1 Introduction
Chapters 10 to 14 cover the basic business cycles that are found in the accounting system. Each chapter
outlines three main sections – the accounting system and control activities in the cycle, a narrative descrip-
tion of the cycle at ProRide (Pty) Ltd, and finally, the considerations and actions when auditing the cycle.
The revenue and receipts cycle is covered in this chapter. Chapter 11 then deals with the acquisitions and
payments cycle. Chapter 12 covers the inventory and production cycle, that is, an internal cycle linking
both the revenue and acquisitions cycles. Chapters 13 and 14 outline the payroll and personnel cycle and
the finance and investment cycle respectively. The following flowchart outlines the link between the vari-
ous cycles.

Revenue and receipts cycle


Chapter 10

Inventory and Production cycle


Chapter 12
Acquisitions and payments cycle
Chapter 11 Payroll and personnel cycle
Chapter 13

Finance and investment cycle


Chapter 14

10.1.2 Objective of the first section of the chapter


The revenue and receipts cycle is sometimes referred to as the sales and collection cycle and perhaps this
name better describes the activities of the cycle. This chapter deals initially with the accounting system (that
is part of the company’s information system) and the control activities that are put in place to control the
sale of the company’s goods or services, and the collection of amounts owed in respect of those sales. The
latter part of the chapter deals with the audit of the cycle.
Our objective in the first section of this chapter is to provide you with the necessary information to
understand how revenue and receipts cycles function. Revenue and receipts systems can vary considerably;
the approach in this chapter is to provide a thorough knowledge of a manual system and then to illustrate
how things may change as computerisation is introduced into the system. Remember that computerisation
does not change what is required of the system, for example, take an order, pick the goods, raise an invoice,
etc., but it does change how the transactions are carried out and recorded.

10.1.3 Characteristics of the cycle


10.1.3.1 Variation
A number of different products and services are sold by companies, which means that there will be plenty
of variations in the systems you encounter in practice.
For example, goods can be sold over the counter, over the Internet, over the phone or as a result of a
hardcopy customer order. Physical objects are sold as well as non-physical objects (e.g. services) and a
“sale” may take a long time to complete (e.g. in a construction contract or a gym membership contract) or
may be instantaneous (e.g. over-the-counter cash sale).

10.1.3.2 Cash sales


Many businesses sell goods for cash and on credit to account holders. Having cash in the business is a
security risk that must be addressed. There is a potential for theft and physical harm to employees who deal
with cash.
10/4 Auditing Notes for South African Students

10.1.3.3 Credit sales


When a company allows a customer to charge a sale made to an account (rather than settle the amount
immediately by, say, cash or credit card), there is a risk that the customer will not pay and the company
will suffer a loss. Important activities in a revenue and receipts cycle will be the checking of creditworthi-
ness of a customer before the sale is made, and the timeous collection of amounts owed.

10.1.3.4 Legislation
For companies that sell and provide services to consumers, for example, retailers and service providers, the
Consumer Protection Act (CPA) is an important Act which must be complied with.

10.1.4 Basic functions for any revenue and receipts cycle


For the purposes of this text, we have chosen to describe a system
for a business that has conventional functions; it receives orders Something to consider . . .
from its customers, supplies the goods from its warehouse and How could the CPA protect the
charges the sale to the customer’s account. These functions, consumer against unethical sales
which are essentially those required for most revenue and re- practices?
ceipts cycles, can be broken down as follows:

10.1.4.1 Order department


• Receiving customer orders: These may be received in a variety of ways, for example, by phone, receipt of
a customer’s written order, over the Internet or over the counter.
• Authorising the sale: This will involve granting or confirming credit before the order is processed. This is
an important activity because companies do not want to make sales for which they will not be paid! (At
the authorising stage, an inventory availability test may also be carried out to confirm that the order can
be filled.)

10.1.4.2 Warehouse/despatch
• Processing the order: This involves the manual process of gathering together (picking) the goods from the
stores to fill the order.
• Despatch: This is the manual process of releasing the goods ordered to the customer. The customer may
collect the goods; the goods may be delivered by the company’s own delivery vehicle or by a transport
company, for example, railways, courier service.

10.1.4.3 Invoicing
• This is the very important step of notifying the customer of the amounts owed for goods purchased. The
invoice may be sent with the goods, or at a later stage. There is no fixed rule, but generally the sooner
the invoice is sent, the sooner the customer pays.

10.1.4.4 Recording sales and raising the debtor


• This involves creating the records of the sales that have been made, as well as who owes the company
money, namely, debtors. Can you identify the debit and credit entries in such a transaction?

10.1.4.5 Receiving and recording payment from debtors


• This is also a very important step and involves collecting payment from debtors, ensuring payment is
banked and recording the receipts in the cash receipts journals and debtor’s ledger.

10.1.4.6 Credit management


• Evaluating creditworthiness: These are the activities carried out to determine whether credit can be
extended to a customer, and, if so, what the terms (how long the debtor is given to pay, e.g. 60 days)
and limits (the amount of credit, e.g. R20 000) will be.
• Approving sales orders, particularly those that are from debtors who have exceeded their credit terms
and/or limits.
Chapter 10: Revenue and receipts cycle 10/5

For example:
A debtor may have a credit limit of R1000 purchases, but intends to purchase items worth R1 500.
Will the sale be approved? A further example where credit terms may be extended is during Covid-19,
where debtors may be allowed an extended period to pay back their debts.
• Collecting amounts owed: These are the activities carried out to ensure amounts owed by debtors, are
paid when they are due.

10.1.4.7 Other activities


In addition to the above, there are other lesser activities within the cycle that must be controlled. They are:
• controlling goods sold but have been returned by the customer
• passing credit notes for goods returned or other reasons, for example, overpayment by a debtor
• granting discounts on payments from customers, and
• considering and effecting write-offs of bad debts.

10.1.5 Documents used in the cycle


This section outlines the commonly used documents used in the cycle. This is not an exhaustive list, but it
highlights the conventional documents that may be found in the revenue and receipts cycle.

10.1.5.1 Customer order


The customer’s instruction as to what goods are required (could be sent by post, email, or fax, or be placed
over the phone).

10.1.5.2 Internal sales order


A document compiled by the company’s own sales order clerk that records the goods ordered by the cus-
tomer. It is used for sales authorisation and as a basis for creating the picking slip. This is a very important
document when orders are taken orally, for example, over the phone.

10.1.5.3 Picking Slip


This document lists all the items that the customer has ordered. It is used to assist the stores personnel to
“pick” the goods needed to fill the order from the store so that they can be despatched to the customer.

10.1.5.4 Invoice
This is the document that is sent to the customers to notify them of the quantity and price of the goods sold
to them, the total amount of the sale, discounts and VAT.

10.1.5.5 Delivery note


This document details the date, description and quantity of the goods despatched to the customer and is
signed by the customer to acknowledge receipt of the goods. When the company delivers to its customers,
details of the deliveries, for example, address and delivery note number, will be entered on a delivery list that
is used by the delivery staff to schedule and control deliveries.

10.1.5.6 Statement
This is a summary of all of the transactions for a period, usually a month, sent by the company to the
customer. The statement reflects the opening balance, sales made, payments received, other adjustments,
such as credit notes, and the closing balance, as well as a breakdown of the periods for which the total
amount owed has been outstanding, for example, 30 days, 60 days, 90 days and over.

10.1.5.7 Credit application form


This document is filled in by a prospective customer so that the customer’s creditworthiness (ability to pay)
can be evaluated. The customer will be required to provide trade references, income and expenditure
details, bankers, etc., that are then followed up by the company. Trade references and credit bureau are
usually contacted before the company decides on a credit limit and terms appropriate for the customer.
10/6 Auditing Notes for South African Students

10.1.5.8 Receipt
The receipt records details of payments received from customers.

10.1.5.9 Remittance advice


This is a document sent by the customer with his/her payment to indicate precisely which invoices are
being paid. Where a payment is made directly into the company’s bank account by direct deposit or EFT,
the customer should send the remittance advice (and proof of payment) under separate cover.

10.1.5.10 Remittance register


This is a register or list of payments received by the company (payments from debtors not deposited direct-
ly in the company’s bank account by the debtor).

10.1.5.11 Credit note


A credit note is a document made out by the company and sent to the customer to acknowledge that the
customer’s account has been reduced (credited) for some reason other than for a payment received, for
example, goods that have been returned by the customer for which credit must be passed.

10.1.5.12 Deposit slip


This is a bank document that is filled in by the company to record the deposit of payments received from
the customer, into the bank.

10.1.5.13 Price lists


This is a document containing prices (and discounts) of the company’s products to be referred to by the
sales order clerk when customers require prices on placing orders.

10.1.5.14 Back-order note


A document that contains details of goods that could not be supplied when ordered by a customer as there
was no inventory available. The back-order notes are filed and regularly and frequently reviewed to estab-
lish whether an order has been placed with a supplier for the outstanding goods.

10.1.5.15 Goods returned voucher


A document made out by the company itself that is used to record the details of goods that have been
returned by a customer.

10.1.5.16 Masterfile amendment form


This is found in a computerised system in the form of a document used to record an amendment to the
debtors masterfile.

10.1.5.17 Logs, variance reports, etc


In a computerised system, the computer can be programmed to compile logs, variance reports, etc. A log is
simply a record of an activity that has taken place on the computer, for example, a log of masterfile
amendments or a log of access to the authorised supplier masterfile.
In addition to the above documents, the company will make use of a sales journal, cash receipts journal
(cash book), a sales returns and allowances journal (into which details of credit notes, etc., will be entered)
and the debtors ledger. In a computerised system there will be transaction files and the debtors masterfile.
Documents used in the system will essentially be the same, but will be printed off the computer where
necessary.

10.1.6 A narrative description of a manual revenue and receipts cycle by function


This section outlines the description, with examples, of a manual revenue and receipts cycle by function.
We suggest you read this section (para 10.1.6) in conjunction with the flow charts in section 10.1.7 and the
schedules on pages 10/12 to 10/19.
Chapter 10: Revenue and receipts cycle 10/7

10.1.6.1 Order department


As the name suggests, the order department is responsible for receiving orders from customers and setting
in motion the filling of the order. This will involve instructing the warehouse department to select the items
ordered from the stores so that the items can be despatched to, or picked up by, the customer. Before
setting this process in motion, the order department should confirm that the customer’s account is “up to
date”, in other words, that the amount owed is within the terms and limit set for that customer and that
processing the current order will not push the customer beyond his credit limit.
For example:
Stepps (Pty) Ltd, a customer of Ladderland Ltd, has a credit limit of R50 000 on its account and must
pay within 60 days. If an order for goods costing R10 000 is received, the order department must check
whether any portion of the balance on Stepps (Pty) Ltd’s account has been outstanding for longer than 60
days and that the current balance is no more than R40 000. If Stepps (Pty) Ltd is not within its terms and
limit, the order department will need to obtain the authorisation of the credit management department to
initiate the sale. In most businesses, the order department will also confirm that the goods ordered by the
customer are “in stock” (available) before initiating the sale. If goods are not “in stock”, the sales order
clerk will contact the customer to ask whether the customer wishes the order to be placed on a back order
list to await the arrival of more inventory (the inventory cycle is covered in chapter 12).
In a manual system, all orders received by the order department should be entered manually onto a pre-
printed, sequenced, multicopy, internal sales order (ISO), regardless of how the order is received, for
example by phone, through the post, fax or by email.
The order clerk will take the ISO to the credit management department to have it signed (authorised)
once the customer’s credit standing has been checked by that department.
If an order is received from a non-account holder, the credit management department will go through the
process of checking the customer’s creditworthiness and setting credit terms and limits as described in
10.1.6.6.
A copy of the ISO will be delivered to the warehouse to act as the “picking slip”, that is, the document
that informs the warehouse employees which goods to select for despatch to the customer.
A copy of the ISO will be filed in the order department in numerical sequence and a copy will be sent to
the accounting department.

10.1.6.2 Warehouse/despatch
• The warehouse/despatch function is required to select the goods to be sent to the customer in terms of
the ISO/picking slip. (In multipart stationery, the second copy of the ISO can be headed “picking slip”.)
This function will also be responsible for controlling the removal of the goods from the warehouse to
the despatch area for delivery to, or collection by, the customer (i.e. the goods should be signed out of
the custody section of the warehouse and into the despatch section).
• In a manual system, the ISO/picking slip sent to the warehouse will be given to a warehouse employee
to select (pick) the goods listed on the ISO/picking slip.
• This employee will tick off the goods picked on the picking slip and mark clearly any items that are not
available (note: inventory availability checks carried out in the order department are not foolproof and
some companies may choose to make out the ISO without carrying out the inventory availability test.
Using this method, “out of stock” items will be identified at the “picking” stage.)
• A warehouse clerk will then manually complete a preprinted, multipart, sequenced delivery note,
detailing the goods picked.
• Once the delivery note has been completed, the goods will be moved to the despatch area with the
supporting documentation where they will be checked, boxed or packaged. The despatch clerk will sign
the documentation (copy of the delivery note or picking slip) to acknowledge the transfer of the goods
into his custody.
• When the goods are despatched to the customer, they will be accompanied by two copies of the delivery
note. Both copies will be signed by the customer, one of which will be retained by the customer and the
other returned to the company.
• Where goods are to be delivered to the customer (not collected), delivery lists will be compiled and the
goods loaded onto the delivery vehicle under supervision. The driver will acknowledge taking custody
of the goods by signing the delivery list.
10/8 Auditing Notes for South African Students

10.1.6.3 Invoicing
• The objective of invoicing is to notify the customer promptly of the amount due and when to pay it.
• Accounting employees will collect the supporting documentation for the sale that has been made, for
example, the ISO and the copy of the delivery note signed by the customer. They will check all the de-
tails of the sale and create an invoice.
• A copy of the invoice will be sent to the customer. (Note: in some systems the invoice is made out at the
same time as the delivery note. This may lead to more errors in invoicing because the invoice is made
out before the customer has checked and accepted the goods, but does have the advantage of getting the
invoice to the customer sooner.)
• A preprinted, multicopy, sequenced invoice will be made out manually, taking the details from the
supporting documentation.
• Debtor details, pricing, discounts, casts and extensions and VAT will be checked, and a copy of the
invoice sent to the customer.

10.1.6.4 Recording of sales and raising debtors


• The purpose of this function is to create a record of sales (the sales journal) and to raise the amount
owed by the customer as a debtor (debtors ledger).
• In a manual system, a copy of each of the invoices for the period (day, week, month) will be sent to the
designated accounting clerk who will write up the invoices in the sales journal in numerical sequence.
• Before the total of sales is posted (transferred) to the general ledger and the individual sales are posted
(transferred) to the debtors ledger, another staff member will check the sequence of invoices entered in
the sales journal, follow up on any missing numbers, and check the accuracy of the amounts entered in
the sales journal against the invoices themselves.
• Amounts will then be posted (transferred) to the respective ledgers.

10.1.6.5 Receiving and recording payments from debtors


• The objective of this function is to accurately record the receipts of payments from a debtor. The func-
tion will include the “mailroom” (mail receiving function).
• There are basically two ways in which debtors pay, namely, by cash or by direct deposit into the com-
pany’s bank account. This can be done by the debtor going to the company’s bank and depositing cash
or by effecting an electronic funds transfer (EFT) (a transfer from the debtor’s bank account to the com-
pany’s bank account).
• It is very seldom that a company will pay another company in cash (and payment via cheque is no
longer an option); however, payments in cash are still carried out and the accounting system must ac-
commodate this method of payment.
• Direct payments into a company’s bank account are quicker and safer but do change the procedures and
control activities for receiving and recording payments from debtors.
• At the end of the month, the debtors clerk will draw up a statement for each debtor that summarises the
transactions with that customer for the month, for example, sales made, payments received, credit notes
issued. The balance on the statement that will be sent to the customer should reconcile with the debtors’
account in the debtors ledger.
• Receipts will be made out to all debtors who pay in cash.
• The cashier will agree the cash received to the receipts and make out a bank deposit slip.
• Cash will need to be (physically) taken to the bank to be deposited.
• The other part of this function is to record the receipts from debtors in the cash receipts journal. The
cash book clerk will write up the cash receipts journal from the receipts and deposit slips and will subse-
quently post (transfer) the amounts to the debtors ledger and general ledger.
• Where a debtor has paid directly into the company’s bank account, the debtors clerk will need to obtain a
bank statement from the bank. This will reflect the payments made directly into the company’s bank ac-
count. A schedule of these receipts will be drawn up and used to write up the cash receipts journal.
Chapter 10: Revenue and receipts cycle 10/9

10.1.6.6 Credit management


• The main objective of this function is to minimise the risk of losses from bad debts. The control activi-
ties centre around extending credit only to creditworthy customers, setting reasonable credit terms and
limits, preventing customers from exceeding their limits,
and following up promptly on debtors who are showing
signs of falling behind in their payments. The passing of
credit notes may also be managed by this function. Something to consider . . .

• In a manual system, all documentation will be hard- These are areas that students struggle with
quite often Are you able to draw up your
copies and the follow-up of information supplied by a
own flow diagrams to assist in your founda-
prospective customer in the credit application form, will tional know-ledge of the cycles? Use these
be followed up by a phone call or letter. The credit limits sections as a basis to build on more infor-
and terms will need to be recorded on a schedule or in mation that is needed later.
the debtors ledger. Authorisation of a customer order
(ISO) will be a manual exercise.

10.1.7 Flow charts for a manual revenue and receipts cycle


A flowchart of the cycle is presented on the following two pages. The intention of these flowcharts is to
keep them simple so that you can get a basic understanding of what happens in the cycle. This is followed
by a series of tables that expands on the functions, risks and control activities in the cycle.
We have chosen to illustrate the cycle as a manual accounting system as it is very important for you to
understand the basics. Once you have mastered the basics, it is considerably easier to understand the
introduction of computerisation into the cycle.
The functions, which are described in the tables and/or flowchart, are:
• order department
– receiving customer orders, and
– sales authorisation.
• warehouse/despatch
• invoicing
• recording of sales/debtors
• receipts of payments from debtors
• recording of receipts
• goods returned by customers
• credit management.
For the purposes of the illustration, we have chosen a reasonably straightforward company with the follow-
ing characteristics:
• adequate staff for sound division of duties
• phone orders and documented orders are accepted
• credit sales only, although some debtors send cash in the post to pay their accounts (for illustration
purposes!)
• receipts are made out for all payments from debtors
• no inventory availability test is conducted when orders are received; “out of stock” items are identified
at the “picking” stage
• the company makes all of its own deliveries to customers, and
• there is a sound control environment and the appropriate properly designed documents and records, for
example, ledgers and journals, are used.
ORDER DEPARTMENT WAREHOUSE/DESPATCH INVOICING RECORDING OF SALES
10/10

Customer Picking slip Internal sales Invoice


order (ISO) order
Obtain credit 2 3 2
approval

+
Pick goods Signed delivery
from stores note
Sales order Enter in sales
2
Picking slip journal
3
Internal sales
2 order
Match and
1 check above
3 documents
Delivery Invoice Post to general
2 note ledger and debtors
1 2 ledger

3
Invoice
2
Both sent with
N 1
goods to N
customer N

With
One delivery picking
note signed and slip A
returned by To customer
customer
2 With ISO and
delivery note

KEY N = filed numerically A = filed alphabetically = document = action


Auditing Notes for South African Students
RECEIPTS – MAIL ROOM RECEIPTS – CASHIER RECORDING OF RECEIPTS GOODS RETURNED

Remittance Deposit slip Goods +


register and customer
Cash cash 2 documentation

+ Check and receive


Prepare goods returned
Remittance
receipt Match register
advice
to cash
Chapter 10: Revenue and receipts cycle

Goods returned
Enter in cash receipts journal 2 voucher GRV
1
Prepare
remittance
register Deposit slip Post to general
2 ledger and
1 debtors ledger Transfer goods and
documents to store
Prepare debtors
Debtors statement
2 statement
1 Authorised GRV
Remittance Cash and deposit and customer
register slip to bank documentation

N
Bank stamped
deposit slip To customer Credit note
2 2
1
A To customer
Note: Deposit slip 1 kept by bank
10/11
10/12 Auditing Notes for South African Students

The series of tables that follow expands on the functions, risks and control activities in the cycle. For each
function, the documents that may be used are identified. Further, the business risks that may exist in each
functionare described.

Receiving customer orders (order department)


Documents
Function Business Risks
records
To record orders from customers and initiate Customer order • Order may be accepted from a non-account
action to fill them. Internal sales order holder, resulting in possible bad debtors who
Orders will be received in document form (ISO) cannot pay the amounts owing to the compa-
(customer order) or over the telephone. Price lists ny.
Internet orders are dealt with in chapter 9. • Orders may not be acted upon timeously or at
Persons receiving the order need to establish all, resulting in a loss of sales and customer
that the customer is a valid customer and goodwill.
that the details of the order are accurate and • Inaccurate or incomplete order details may be
complete in every respect, (e.g. description, recorded, that will result in incorrect deliver-
quantity, delivery address). As this is the ies, returns and customer dissatisfaction.
initiation of the transaction, it is particularly
important to get everything right. If the
customer does not have an account,he/she
must be referred to the credit manager who
will send the customer a credit application.

Control activities including brief explanatory comments


1. Record all orders on sequentially numbered internal sales orders.
2. No orders to be accepted if the customer is not an approved customer, for example, no account number (NB: we
are dealing with a credit sales system). Order clerk will check approved customer list.
3. Attach customer order to internal sales order and have second staff member cross check detail (if practical).
4. For phone orders, order clerk to:
4.1 request customer’s account number
4.2 request customer’s order reference, and
4.3 confirm all order details, including delivery address and price of goods, by reading order details recorded back
to customer.
5. Order clerk to sign all ISOs to indicate performance of control activities.
6. ISOs are to be sequence checked (for completeness) regularly, and matched to delivery notes to identify any orders
that have not been acted upon.
Note: If necessary, order clerk should have price lists, lists of customer account numbers, and inventory descriptions
and codes to check validity and accuracy of information supplied by customer. (This is very easy in a comput-
erised system.)
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.
Note: These controls are essentially preventive in nature.
Note: Many companies that take orders over the phone will supply customers with product catalogues that include
descriptions and product codes.

Something to consider . . .
For each of the control activities above, identify which control objectives
these activities are trying to achieve? Is it validity, accuracy of complete-
ness?
Perform the same exercise for each of the control activities described in the
series of tables that follows.
Chapter 10: Revenue and receipts cycle 10/13

Sales authorisation (order department)


Documents
Function Risks
records
To assess whether orders should be accepted. Credit application • A sale will be made to a customer who is not
The intention is to determine whether the and debtors ledger creditworthy (i.e. will not pay, resulting in a
customer is creditworthy and has not exceed- loss to the company).
ed his credit limit.
The function begins earlier when the cus-
tomer completes a credit application form
that is evaluated and credit limits and terms
are set.
(see “credit management” on 10/18)

Control activities including brief explanatory comments


1. Before processing the order, checks should be carried out by the credit controller (department) to establish:
1.1 that the customer has not supplied fictitious details
1.2 customer’s credit status is satisfactory
by reference to the customer’s details, for example, his account balance and credit terms held on file and/or in the
debtors ledger.
2. ISOs (picking slip) to be authorised by signature of the credit controller before being sent to the warehouse.
Where the order is from a prospective customer, credit application procedures must be conducted before the order
is filled:
• the credit application form must request the customer to provide banking details, trade references, income and
expenditure details
• the credit controller must follow up by contacting trade references and credit bureaus and assessing customer
liquidity
• terms and limits must be set by the credit controller and approved by the financial manager.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted and
the financial manager must not approve the terms and limits without reviewing the supporting documentation.

Warehouse
Documents
Function Risks
records
To fill accepted orders promptly and accu- Picking slip • Valid ISO/picking slips may not be acted
rately and to ensure only authorised orders Delivery note upon.
are acted upon. Back-order note • Goods may be removed (picked) from inven-
This is the manual function of picking the tory for fictitious/unauthorised sales.
goods from the warehouse using a signed • Incorrect items and quantities may be picked.
copy of the ISO (picking slip), and creating a • Inaccurate and incomplete delivery notes may
delivery note. be made out, resulting in loss of revenue.
Goods that cannot be picked because they • “Out of stock” items may not be identified on
are sout of stocks will also be identified and a the picking slip.
back order note created.
• Customer not notified of “out of stock” items
resulting in loss of the sale and customer
goodwill.
10/14 Auditing Notes for South African Students

Control activities including brief explanatory comments


1. Picker to initial the picking slip for each item picked and identify on the picking slip, items that cannot be supplied
(out of stock).
2. Supervisory checks should be carried out by the warehouse foreman to ensure that all goods picked are supported
by signed picking slips. See also control activity number 1 under “despatch”.
3. Warehouse clerk to:
3.1 check goods picked to picking slip
3.2 prepare delivery note from picking slip (delivery note cross-referenced to picking slip)
3.3 prepare back-order note from the picking slip and cross-reference both documents (see also control activity
number 1 under “despatch”)
3.4 send copy of the back-order note to order clerk to enable the order clerk to notify customer, and
3.5 send copy of the back-order note to the buying department.
4. Order clerk to follow up back orders regularly and frequently. When inventory becomes available, order clerk
should confirm that the customer still requires the goods and, if so, make out an ISO to initiate the sales process.
(The back-order note in effect becomes the customer order.)
5. Delivery notes and picking slips to be matched and filed numerically. Unmatched picking slips to be followed up
to determine whether goods have been picked.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.

Despatch
Documents
Function Risks
records
To ensure that only goods supported by Delivery note • Theft may be facilitated by uncontrolled
properly authorised picking slips, and List of deliveries despatch.
accompanied by accurate and complete • Despatch errors may occur:
delivery notes, are despatched. – incorrect goods or quantities despatched
To ensure prompt despatch of goods that – goods delivered to wrong customer.
have been picked to the correct customer.
• Customers may deny having received goods.
Once the goods have been picked and
• Goods released from the warehouse are never
delivery notes made out, they are transferred
despatched.
to despatch to be packed, labelled and
delivered.
Controls must be sound because, by this
stage, the goods have left the custody of the
warehouse and are thus susceptible to theft.
In addition, the goods are moving between a
number of parties, so isolation of responsibil-
ity is very important.
Chapter 10: Revenue and receipts cycle 10/15

Control activities including brief explanatory comments


1. On receipt of the goods, picking slip and delivery notes from the warehouse, the despatch clerk should:
1.1 check quantities and description of goods against the authorised picking slip and delivery note
1.2 sign picking slip and delivery note to acknowledge receipt of goods, and
1.3 retain two copies of the delivery note and return the signed picking slips to the warehouse (once goods are
packed).
2. The goods picked should be checked to the picking slip and delivery note as they are packed into a box for deliv-
ery. The address on the box should be checked against the delivery address on the documentation and the box
sealed immediately.
3. Despatch clerk should prepare a two-part list of deliveries to be made. The list should be matched to the delivery
notes and the physical goods loaded onto the vehicle, for example, delivery note number P1234 – 4 boxes.
4. Delivery staff (e.g. driver) should supervise loading the truck and sign a copy of the delivery list to acknowledge
receipt of the delivery notes and the corresponding goods:
• driver to retain one copy of delivery list, and the delivery notes, and
• despatch clerk to retain signed copy of delivery list.
5. Gate controls, such as security, should check all goods to be delivered appear on the delivery list and are supported
by delivery notes. Both copies of each delivery note should be date stamped by gate control (gate controls can be
impractical – if they are, then despatch controls must be very tight).
6. On delivery, the customer should sign both copies of the delivery note (having checked the goods), retain one copy
and return the other copy with the driver.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.

Invoicing
Documents
Function Risks
records
To notify the customer promptly of amounts Sales invoice • Goods despatched may not be invoiced,
due for goods supplied. Price lists resulting in revenue not being recorded
On return of the signed delivery note from the • Invoices may be inaccurately prepared/mis-
customer it should be matched with the sales stated (prices, quantities, descriptions, dis-
order and an invoice should be generated. counts, VAT).

Control activities including brief explanatory comments


1. A copy of the internal sales order should be held in numerical order in a temporary file in the “invoicing section”
(accounting department).
2. As signed delivery notes are received, they should be matched to their ISO and filed sequentially by delivery note
number.
3. On a frequent and regular basis, ISOs remaining on the temporary file should be investigated.
4. The file of matched delivery notes should be sequence tested and gaps in sequence investigated.
5. The invoice clerk should:
5.1 compare details on the ISO and delivery note
5.2 check prices quoted to the customer, and entered on the ISO, against official price lists and discount schedules
5.3 prepare a numerically sequenced invoice and cross-reference it to the delivery note/customer order.
6. Second employee (supervisor) to check and sign invoice after checking:
6.1 prices, extensions, casts
6.2 discount and VAT calculations
6.3 customer details.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted
10/16 Auditing Notes for South African Students

Recording of sales
Documents
Function Risks
records
The purpose of this function is to record the Invoice • Invoices are omitted from the sales journal.
sales made and to raise the corresponding Sales journal • Invoices are duplicated in the sales journal.
debtor promptly. Debtors ledge • Invoices are inaccurately entered in the sales
Invoices must be recorded accurately and General ledger journal, for example, R4 325,50 entered as
entered against the correct debtor in the R432,55.
debtors ledger. Total sales for the period • Invoice entered against incorrect debtor when
must also be posted to the sales and debtors posting (transferring) to the debtors ledger ac-
control accounts in the general ledger. counts.

Control activities including brief explanatory comments


1. Invoices to be entered in the sales journal in numerical sequence:
1.1 sequence to be continued period to period, and
1.2 the numbers of any cancelled invoices to be recorded in the sales journal and marked “cancelled”.
2. Prior to entry in the sales journal, invoices to be added to obtain control total. This control total is then compared
to the total in the sales journal after entry of individual invoices (batch control system).
3. Independent staff member to:
3.1 sequence check sales journal entries and follow up on any missing invoices
3.2 compare customer name and amount entered in sales journal to the invoice for accuracy, and
3.3 check postings (transfers) from the sales journal to the debtors ledger (individual debtors) and general ledger.
4. Reconciliation of the debtors ledger to debtors control account in the general ledger on a regular basis, to be con-
ducted by an independent employee.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.

Receipts mail room/cashier


Documents
Function Risks
records
The arrival of a payment from a debtor is Remittance register • Payments received may not be banked due to
recorded and prepared for banking. Customer remit- theft or carelessness.
Receipts should be made out for all cash tance advice
received. Receipts
Bank deposit slip
Chapter 10: Revenue and receipts cycle 10/17

Control activities including brief explanatory comments


1. Post must be opened by two people working together.
2. All payments received in the post should be recorded in a remittance register by those responsible for opening the
post and a receipt should be made out for each payment received.
3. Prenumbered receipts should be issued for all payments received.
4. All amounts received should be banked daily.
5. Deposit slip to be made out by the cashier, not the employees opening the post.
6. Cashier to reconcile cash to the receipts before accepting them for banking.
7. The receipts issued should subsequently be reconciled to bank deposits (bank statement) by an independent super-
visory employee.
8. Bank deposits should be reviewed regularly and gaps in daily banking, investigated by management.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.
Note: Payments by debtors are most frequently made directly into the company’s bank account either by direct deposit (customer
going to the bank and depositing the amount owed) or by electronic funds transfer (a transfer directly from the debtors’ bank
account to the company’s bank account).
To control this, the debtors clerk should obtain (download) bank statements frequently from the bank and compile a list of
payments from debtors. Where possible, this list should be matched to remittance advices “proof of payment” documents,
sent by the customer. The list should be checked by a supervisory level employee and used to write up the cash receipts jour-
nal. The list should be compiled on preprinted, sequenced documents and filed in numerical order (that should also be in
date order).

Recording of receipts
Documents
Function Risks
records
The role of this function is to record the Bank deposit slip • Deposits may never be recorded/not recorded
receipts from debtors in the cash receipts Cash receipts timeously.
journal and credit the debtors’ accounts Journal (CRJ) • Recorded deposits may be:
promptly. Receipts must be recorded accu- Debtors ledger – inaccurate (errors)
rately and entered against the correct debtor.
General ledger – overstated (fictitious deposits), or
The total amount received from debtors for
– credited to the wrong debtor.
the period must also be posted to the debtors
control account in the general ledger.

Control activities including brief explanatory comments


1. The cash receipts journal should be written up on a daily basis by date and receipt number (if receipts are issued).
2. Supervisory staff should review cash receipts journal for missing dates and gaps in sequence of receipts. They
should also test postings to the debtors ledger.
3. The “cash book” should be reconciled to the bank statement every month by an employee independent of the
banking/recording of cash. The bank reconciliation should be reviewed by a senior (financial) employee.
4. Queries from debtors should be investigated by an employee independent of debtors and banking.
5. Reconciliation of the debtors ledger to the debtors control account in the general ledger should be conducted
regularly by the financial accountant.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.
10/18 Auditing Notes for South African Students

Goods returned by customer


Documents
Function Risks
records
The role of this function is to control goods Goods returned • The description and quantity of goods returned
that have been returned by customers. The vouchers may be incorrect resulting in an incorrect
goods must be recorded on their return and Credit note credit note being passed.
the debtor’s account must be credited. Returns and • A credit note may be passed for goods that
This requires the creation of two documents, allowances journal have not been returned.
a goods returned voucher, and a credit note. Debtors ledger • Credit notes may be inaccurately recorded
Credit notes will be recorded in a returns and and credited to the incorrect debtor.
General ledger
allowances journal. Particular attention must
be given to the control of credit notes.

Control activities including brief explanatory comments


1. All goods returned must be received by the company’s goods receiving department
2. The goods receiving clerk must:
2.1 count and check the description of the goods being returned (check also for damage)
2.2 make out a goods returned voucher, cross referencing it to customer documentation, and
2.3 sign and retain a copy of the customer documentation and attach it to the goods returned voucher.
3. On transfer of goods from receiving into the warehouse, the stores clerk must:
3.1 check description and quantity of physical goods to goods returned voucher and customer documentation,
and
3.2 sign to acknowledge the transfer of the goods into his custody.
4. Credit notes to be:
4.1 made out by accounting department
4.2 cross-referenced to original invoice, and
4.3 presented to a supervisory employee (with signed goods returned note and customer documentation). This
staff member must be satisfied that granting of the credit note is valid and that the company’s policies have
been adhered to, for example, the goods cannot be returned, say, after 30 days from purchase date.
5. Credit notes to be entered sequentially in returns and allowances journal and normal control procedures over
recording to be put in place.
6. Senior (financial) manager should review this journal frequently and follow up on suspicious credit notes, for
example, large amounts, credit notes to the same customer regularly.
Note: Care must be taken to identify goods returned that are defective/damaged as these should not be returned to
the inventory of saleable items. Defective/damaged goods will be received from the customer in the manner
described (this facilitates the credit note) but must be carefully identified as damaged/defective.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.

Credit management
Documents
Function Risks
records
The purpose of this function is to limit the All records in the • Debtors do not pay at all or pay late.
loss from bad debts and to encourage debtors cycle are relevant • Debtors are prematurely or inappropriately
to pay promptly. Monthly state- written off.
The function is closely linked to sales auth- ments • Debts are written off without authority.
orisation and as explained under that func- Age analysis
tion, the process begins with sound controls Credit bureau
over the acceptance of new customers and information
the extent of credit granted to them.
Credit management should also identify
debtors to be handed over to lawyers and
subsequently written off if necessary.
Chapter 10: Revenue and receipts cycle 10/19

Control activities including brief explanatory comments


1. Credit application controls as discussed under sales authorisation (page 10/12).
2. Monthly statements should be sent promptly to debtors by the debtors section (accounting dept).
3. Monthly age analysis of debtors and immediate follow up by phone or letter if credit terms are exceeded.
4. If this is not successful, the credit controller should personally contact the customer to (possibly) renegotiate credit
terms or threaten the handing over of the debtor to a lawyer for collection.
5. If still no success, the debtor must be handed over before too long a period has elapsed.
6. If the debt cannot be recovered, the debt write-off must be recommended by the credit controller and authorised by
an independent senior financial employee after review of the supporting documentation.
7. Credit manager should reconcile all bad debt write-offs after they have been entered in the journal to supporting
documentation.
8. Senior (financial) manager should be provided regularly with sufficient information to effectively manage the
debtors, such as a list of debtors over their limits and how they are being followed up, bank and debtors balances,
the age analysis, list of debtors that have been written off.
Note: Employees must sign documentation/records to acknowledge the control procedures they have conducted.

10.1.8 Computerisation of the revenue and receipts cycle


Before we deal with the computerisation of this cycle, it will be useful for you to remind yourself of the
following points. You can also refer to chapter 8 for a more comprehensive discussion on these points.

10.1.8.1 Access
Many businesses will run their accounting systems on a local area network (LAN). Simplistically speaking,
this means that there will be a number of terminals, usually from different departments, “linked” together
and sharing resources. Therefore, access to the network and to individual applications, must be carefully
controlled:
• access to the network should only be possible through authorised terminals, and
• only employees who work in the various functions of the cycle need access to the revenue and receipts
application and only to those modules or functions of the application necessary for them to do their jobs
(least privilege/need to know basis). Certain managers will have read only access for supervisory and
review purposes.
Various techniques are used to control access.
For example, the user:
• must identify himself to the system with a valid user ID (e.g. using the employee staff number as a valid
user ID)
• must authenticate himself to the system with a valid password, and
• will only be given access to those programmes and data files to which he is authorised to have access in
terms of his user profile.
Once the user has got onto the system, access is usually controlled by what appears or does not appear on
the user’s screen. For example, only the modules of the application to which the user has access will appear
on the screen, or alternatively, all the modules will be listed, but the ones the user has access to will be
highlighted in some way, for example, a different colour.
If the user selects a module to which he does not have access (this is determined by his user profile),
nothing will happen and/or a message will appear on the screen that says something like “access denied”.
In another similar method of controlling access, the screen will not give the user the option to carry out a
particular action. For example, certain sales orders awaiting approval from the credit controller are listed
on a suspense file. Although other users may have access to this file for information purposes, when they
access the file, their screens will either not show an “approve” option, or the “approve” option will be
shaded and will not react if the user “clicks” on it. Only the credit controller’s screen will have an approve
option that can be activated.
Remember that access controls are a very effective way of achieving sound segregation of duties and iso-
lation of responsibilities.
10/20 Auditing Notes for South African Students

10.1.8.2 Menus
Current software is all menu-driven and generally easy to use. Menus can be tailored to the specific needs
of a user (based on the user profile) and “items” can be selected by a simple “click of the mouse”. Menus
facilitate access control and segregation of duties.

10.1.8.3 Integration
The extent to which the accounting system is integrated will vary, but most systems these days are integrat-
ed in the sense that a transaction entered onto the system, will instantly update all the records it affects.
For example, the processing of a sales invoice will simultaneously update the sales account, debtors mas-
terfile, inventory masterfile and possibly the general ledger. This significantly improves the accuracy of the
records but makes the control over input extremely important.

10.1.8.4 Screen aids and programme (automated) checks


These control techniques, which are obviously only available in computerised systems, help ensure that
transactions processed actually occurred, were authorised and are accurately and completely recorded and
processed. The extent to which these are incorporated into the revenue and receipts application will vary
depending on the quality and cost of the software. These controls are essentially preventive at the input
stage and detective thereafter.
For example, using drop-down menus to select key supplier information is regarded as a screen aid to
reduce the risk of inaccurate information being recorded on the computerised system.

10.1.8.5 Logs and reports


A computer can be programmed to produce any number of logs and reports. These can be used as detective
controls or for monitoring performance. For example, in the revenue and receipts system, a log of debtors
masterfile amendments should be produced by the computer. This log will be a listing of all amendments
that were made, what the amendment was (e.g. credit limit changed), who made the amendment and when
it was made. “Read only” access to this file will be given to a senior member of the revenue/accounting
section so that the amendments made can be confirmed as being authorised, accurate and complete by
reference to the masterfile amendment forms. This log can be printed or accessed on screen.
Another example in a revenue and receipts system would be the production of a report of all debtors who
have exceeded their credit limits. This could be used to monitor the performance of the credit controller.
The important point about logs and reports is that unless an employee actually uses them and follows up on
any problems, they are worthless. Their huge potential value is that if the log and report files are properly
access protected, they provide independent evidence of what has taken place on the computer. They form a
very important part of the audit trail.

10.1.8.6 Matching and minimum entry


Once data is in the database, other data can be “matched” against it. A simple example would be where a
debtor’s account number is matched against the debtors’ masterfile to determine whether it is a valid
number. The fact that data is stored in the database also means that the principle of minimum entry can
apply.
For example, when a customer wishes to place an order over the phone, the entry of a valid customer’s
account number will bring up all the other standing detail relating to the customer so that the sales person
does not have to enter this data. The speed, accuracy and completeness of input are enhanced.

10.1.8.7 On system approval


Where hardcopy documents require approval, it is usually just a matter of presenting the authorising
employee with the document and supporting evidence. In a computerised system, approval is frequently
given on the system itself and the supporting evidence is also frequently on the system as well. There will
be variations on how this is done, depending on the software and how user profiles have been pre-
determined.

10.1.8.8 Audit trail


An audit trail is a record of the activities that have happened on the system that enables the sequence of
events for a transaction to be tracked and examined, from start to finish. It should be possible to identify a
Chapter 10: Revenue and receipts cycle 10/21

sale reflected in the general ledger and trace it back to the order received from the customer. A system
where there is a poor audit trail will be a weak system. The trail will often be a combination of electronic
and hardcopy data.

A narrative description of a computerised revenue and receipts cycle


For the purposes of this illustration, we have described a sales system for a medium-sized wholesale company that
sells its products (toys) to a large selection of retailers. The system has been simplified as the intention is to illustrate
how control policies, procedures and techniques can be implemented. We have provided comments and explanations
to clarify certain points as the intention is to convey principles and not the fine detail:
• Its accounting systems are integrated.
• Sales are made only on credit to approved customers.
• Sales transactions are entered and processed in real time and all records affected by the sale are updated instantly,
for example, debtors masterfile, inventory masterfile.
• Orders are taken from customers over the phone (obviously, in practice, orders are also sent to the company via
email, fax or post, but as the controls are essentially the same as for phone-in orders, we have not dealt with hard
copy or email orders). Telesales order clerks are located in their own secure area.
• The company is large enough to implement sound segregation of duties with separate departments, (i.e. ordering,
warehouse, etc.).
• Debtors are invoiced at the time the goods are despatched.
• The company has a link to its bank and debtors are encouraged to pay by EFT.
10/22 Auditing Notes for South African Students

The debtors masterfile


The debtors masterfile is central to the revenue and receipts system. Integrity of the masterfile must be maintained
and access to the masterfile, particularly write access, i.e. the ability to make amendments, must be strictly controlled.
Equally important is the control over the amendments themselves to ensure they are authorised (valid), accurate and
complete. Unauthorised amendments could include adding a fictitious debtor (to record fictitious sales), changing
(usually extending) credit terms or credit limits. With most modern accounting packages, trying to fraudulently reduce a
debtors balance or delete the debtor would not be possible through the masterfile amendments module.
To reduce a balance, a fraudulent credit note, journal entry or receipt would have to be processed. To delete the
debtor altogether, the balance would need to be reduced to nil and then the delete process followed. This would be
linked to a user profile and would be logged. Controls will be primarily preventive, but there will be detective con-
trols. There will be both user and automated (programme) controls.
Much of the information on the debtors masterfile is the responsibility of the credit management section, so it makes
sense for this section to be primarily responsible for the integrity of the file and the amendments. All amendments
should be logged and there must be independent reconciliation and review of the log by a senior employee, for
example, the financial manager.
Activity/procedure Control, comment and explanation
1. Record all masterfile 1.1 All amendments to be recorded on hard copy masterfile amendment forms
amendments on a source MAFs (no verbal instructions) (see Note (b) on page 10/24).
document. 1.2 MAFs to be preprinted, sequenced and designed in terms of sound docu-
ment design principles.
2. Authorise MAF. 2.1 The MAFs should be
• signed by two reasonably senior employees in the section (e.g. credit con-
troller and senior assistant) after they have agreed the details of the
amendment to the supporting documentation, for example, the approved
credit application document for the addition of a new customer
• cross-referenced to the supporting documentation.
3. Enter only authorised masterfile 3.1 Restrict write access to the debtors masterfile to a specific member of the
amendments onto the section by the use of user ID and passwords (see Note (a) on page 10/24).
system accurately 3.2 All masterfile amendments should be automatically logged by the computer
and completely. on sequenced logs and there should be no write access to the logs (this allows
subsequent checking of the MAFs entered for authority).
3.3 To enhance the accuracy and completeness of the keying in of masterfile
amendments and to detect invalid conditions, screen aids and programme
checks can be implemented.
Screen aids and related features
• Minimum keying in of information.
For example:
When amending existing debtor records, the user will only key in the
debtors account number to bring up all the details of the debtor
• Screen formatting, screen dialogue
• The account number for a new debtor is generated by the system.
Programme checks (see Note (c) on page 10/24)
• Verification/matching checks to validate a debtor account number
against the debtors masterfile (invalid account number, no amendment)
• Alphanumeric checks
• Range and/or limit/data approval checks on terms and credit limit field
For example:
Credit limit must be between R5 000 and R75 000 (range) or cannot
exceed R75 000 (limit), and terms can only be 30 days or 60 days (da-
ta approval)
• Field size check and mandatory/missing data checks, for example, credit
limit and terms must be entered
• Sequence check on MAFs entered
• Dependency check, for example, the credit limit granted may depend
upon the credit terms granted. A debtor granted payment terms of
90 days may only be granted credit up to a limit of R2 000 (a relatively
low amount) for instance.
continued
Chapter 10: Revenue and receipts cycle 10/23

Activity/procedure Control, comment and explanation


4. Review masterfile amendments 4.1 The logs should be reviewed regularly by a senior staff member, for exam-
to ensure they occurred, were ple, financial manager.
authorised and were accurately 4.2 The sequence of the logs themselves should be checked (for any missing
and completely processed. logs).
4.3 Each logged amendment should be checked to confirm that it is supported
by a properly authorised MAF, and
4.4 That the details, for example, debtor account number, amounts, etc., are
correct.
4.5 The MAFs themselves should be sequence checked against the log to
confirm that all MAFs were entered.
Note (a): The authority needed to enter different types of masterfile amendment can be given to different levels of
employee, for example, changing a credit limit may be restricted to a single senior employee, but changing
an address or contact details could be assigned to a lower level employee.
Note (b): Unused MAFs and other important supporting documentation should be subject to stationery controls as it
is more difficult to create an invalid masterfile amendment without the source document.
Note (c): A masterfile amendment should be carefully checked in all respects before it is authorised, for example, the
validity of credit terms and limits in relation to each other, so there should be a minimum of errors or in-
valid conditions having to be identified (detected) by the programme controls. Each company will
decide for itself the extent of programme controls it wishes to implement.

Ordering
All orders from customers need to be entered into the system accurately and completely and subjected to credit-
worthiness and inventory availability checks.
Only orders from approved customers should be accepted. Remember that for the purposes of this illustration, orders
are taken over the phone. A number of automated checks will be in place as the objective is to prevent errors in the
information entered. The system will not allow the order clerk to continue taking the order if (programmed) automat-
ed checks are not satisfied. All employees in the cycle who make use of the computer to fulfil their functions will have
user IDs and unique passwords and their screens will be “linked” to their user profiles. They will log onto the system
in the normal manner.
Activity/procedure Control, comment and explanation
1. Access the order system. 1.1 All incoming sales order calls are directed to a telesales order clerk (a
We will assume that telesales queuing system will direct the call to the next available operator).
operators (order clerks) each 1.2 Write access to the sales order module will be restricted to order clerks.
have their own terminal 1.3 The order clerk’s user profile gives him read only access to the debtors
in a secure telesales area. masterfile and the inventory masterfile.
1.4 As there is a dedicated telesales area, taking of orders may be restricted to
terminals in this area (access controls are more commonly centred around
users as opposed to terminals).
2. Identifying and authenticating 2.1 On receiving a phone call, the order clerk should request the customer’s
the customer account number and key it in; a programmed (automated) verification
check will take place. If it is a valid account number, the details of the cus-
tomer will appear on the screen, for example, name, delivery address, etc.,
formatted as a sales order. The computer has satisfactorily matched the ac-
count number against the masterfile.
2.2 The order clerk should then request the caller to provide other information
that has appeared on the screen to authenticate the customer. Note: the or-
der clerk should not give the information to the caller and ask him to con-
firm it – the caller must provide the information.
2.3 If the account number is a match to the debtors masterfile, the system will
automatically allocate a unique transaction number that will identify the sales
order as it progresses through the system.
2.4 If the customer does not have an account, he will not be on the debtors
masterfile and will be referred to the credit management department. The
system will not allow the order clerk to proceed with an order.
continued
10/24 Auditing Notes for South African Students

Activity/procedure Control, comment and explanation


2. Identifying and authenticating 2.5 At the time the account number is validated against the debtors masterfile,
the customer the order clerk may receive a message on the screen that there is a “hold”
(continued ) on the account, which prevents the order clerk from continuing with the
taking of the order.
For example:
The debtor may have been handed over to a lawyer because he has not paid
his account. On these occasions, the order clerk should refer the customer
to the credit controller.
• Only the credit controller (not the order clerk) should have the power to
remove the “hold” on the debtors account.
• All “hold” removals should be logged automatically by the computer and
the logs subsequently followed up by the financial manager.
• The system will not allow the order clerk to proceed with the order.
3. Entering and confirming the 3.1 Only once the customer has been validated can the details of the order be
detail of the order taken. To facilitate the complete and accurate entry of the order, the follow-
ing programmed (automated) controls should be in place:
• Screen formatting: The screen will be formatted as a sales order.
• Minimum entry: For example, entering the inventory item code will bring
up the description of the item being ordered and the price. The customer
may have the necessary inventory item code on his own system or may
have a catalogue (hard copy or website) which gives the inventory item
code, or the order clerk will access the inventory masterfile once the cus-
tomer has described what he wants to order).
• Mandatory fields: For example, to progress with the order, a number must
be entered in the quantity field, and a customer order reference must be en-
tered.
• Alphanumeric check, for example on the quantity field.
• Limit/reasonableness check, for example, on the quantity field, if applic-
able.
• Screen prompts will require the order clerk to confirm details of order and
important details, such as delivery address and email address, with the
customer.
3.2 Fields on the “on screen sales order” that cannot be changed by the order
clerk, for example, account number, delivery address and transaction num-
ber, are shaded and will not react if clicked on. Mandatory fields have a red
star next to the box into which the information must be entered.
3.3 The system will allocate a customer reference number to every sales order
that is given to the customer at the time of placing the order. If the customer
wishes to follow up on the order or resolve a query, he will quote this num-
ber (see note (a) on the next page).
4. Checking inventory 4.1 The order clerk will have read-only access to the inventory file. He needs
availability this because he must be able to answer customer queries about availability,
alternative products, selling price, etc. The sales order clerk will key in an
inventory code or description, and the inventory record for the item will
appear. (Telesales clerks are not just there to record sales orders. They
should have a good knowledge of the company’s products and should offer
the customer alternatives and try to promote special deals, etc.)
4.2 If the goods are not available, the order will be placed on a back-order file if
the customer agrees (note: the customer may choose to go elsewhere to pur-
chase the goods).
continued
Chapter 10: Revenue and receipts cycle 10/25

Activity/procedure Control, comment and explanation


5. Checking creditworthiness 5.1 Once all the details of the order have been entered, the computer will
(credit approval) instantly calculate the total value of the sale, add it to the balance on the
debtor’s (customer’s) account, and compare this total to the debtor’s credit
limit. If the new sale will push the amount owed by the debtor beyond this
credit limit, a screen message will appear alerting the order clerk. The cus-
tomer will be informed and the sales order can be modified to fall within
the credit limit or can be left as it is and placed on a pending sales order file to
await the approval of the credit controller.
5.2 At the same time, the system will check whether the debtor is in breach of
his credit terms (i.e. amounts overdue). If so, the sales order will be placed
on the pending sales order file.
Note: An order that exceeds the customer’s credit terms or limit is not auto-
matically rejected. The company wants to make the sale (that is what busi-
ness is all about) and very often there is a valid reason that the customer has
exceeded his credit terms and limit. It does not mean that the customer will
not pay.
5.3 If there are no problems with the order, it will be placed on the sales order
file to await the picking process in the warehouse/despatch.
5.4 In some systems, the order clerk may be given authority to override the
control that prevents a sales order that pushes the customer past his credit
limit, for example, if a R50 000 sales order pushes the customer only
R1 000 past his limit, there is little point in upsetting the customer or delay-
ing the sale.
• If the order clerk has this authority, there will be a programmed control
that limits the amount he can override.
• Details of all overrides will be logged.
Note (a): In terms of the Consumer Protection Act, once the order has been
taken, the company must send a confirmation of the order to the customer
that provides details of the order and provides a reference number for the
customer to follow up on the order. This can be sent by SMS, email or hard
copy.

Warehouse/despatch
The picking, packing and despatch of goods are manual procedures. Pickers need a document to indicate which items
they must pick.
Activity/procedure Control, comment and explanation
1. Obtaining the hard copy 1.1 Access to the sales order file will be restricted:
picking slip: • no write access to anyone
• The warehouse administra- • no access to pickers
tion clerk will access the sales • read only access to the warehouse administration clerk
order file from his terminal in
• read only access to warehouse supervisory employees
the warehouse. This will
reveal a list of sales orders • read only access to appropriate management staff, for example, the sales
identified by their transaction manager. This privilege gives management and supervisory staff the
number. The clerk will opportunity in a real-time system to trace an order from their terminals as
“click” on the sales orders he it moves through the process. This may be in response to a customer
wants to select for picking. query about an order, or may be to find out if the warehouse personnel
are carrying out their duties promptly.
1.2 The sales orders selected will automatically be transferred from the sales
order file to the picking slip file. In effect the sales order has “become” a
picking slip and at the same time, a hard copy picking slip is printed.
1.3 The sales order will not necessarily be transferred to another file. A com-
mon technique is for the system to automatically allocate (attach) a status
code to the sales order that indicates that it has been selected for picking
and is now at the picking slip stage. Anyone accessing the sales order file
will be able to see the status of the original sales order. The code will also
prevent the sales order from being selected again for picking.

continued
10/26 Auditing Notes for South African Students

Activity/procedure Control, comment and explanation


2. Picking the goods 2.1 The goods picked are ticked off by the picker against the quantity field on
the picking slip, or a number can be entered in a designated field.
2.2 If the quantity of goods required in terms of the picking slip is not available,
the actual quantity picked will be entered by the picker on the picking slip
against the item. Although a stock availability test was carried out when the
order was taken, quantities per the inventory masterfile do not always agree
with physical inventory. Goods can be lost, stolen or damaged, and errors
in the inventory masterfile can occur.
2.3 The picker will sign the picking slip.
3. The goods picked are moved 3.1 A picking control clerk checks the physical goods picked against the picking
with the picking slip from the slip and if there are mistakes (wrong goods picked) or differences between
warehouse to a transition area the quantity that was physically picked, and the quantity on the picking
slip, the picking control clerk will go into the warehouse (accompanied by
the picker who picked the goods initially) to get the correct goods and con-
firm that any items short-picked are actually not available.
3.2 The picking control clerk must sign the picking slip.
4. Correcting and approving 4.1 Access to the picking slip file will be restricted:
the picking slip • write access is granted only to the picking control clerk and
• only to the quantity field
• read access is granted to the management and warehouse supervisory
staff for purposes explained earlier
• read access is granted to the despatch controller, and
• no access to pickers.
At this point the picking slip on the system will be in agreement with the
physical goods picked.
4.2 The picking control clerk will then access the picking slip file and select the
transaction number of the picking slip he is dealing with.
The screen will come up formatted as a picking slip and the picking control
clerk will adjust the quantity field so that the quantity actually picked and
the adjusted quantity on the picking slip, agree.
4.3 All quantity adjustments will be logged by the computer.
5. The physical goods are moved 5.1 Suitable physical protection should be given to goods.
to the despatch area.
The original picking slip will
accompany the goods. It will
have been signed by the picker
and the picking control clerk
and will reflect any quantities
short picked.

Invoicing
As discussed in our manual system description, a sales invoice can either be made out and sent with the goods, or it
can be made out after the goods have been delivered to the customer. Because controls over accepting and processing
orders in an up-to-date computerised environment are generally very good, there are few problems with delivering the
wrong goods or the wrong quantities. This means that businesses can safely invoice the goods before the customer has
actually taken delivery. Any delivery problems can be resolved at a later date. In general, the sooner the customer is
invoiced, the sooner the business will be paid. In this example, we have assumed that the invoice is made out and sent
with the goods. There will usually still be a despatch/delivery note of some kind for the customer to sign in order to
acknowledge acceptance of the goods, and an additional copy of the invoice will normally be sent to the customer as
well (email or hard copy).
continued
Chapter 10: Revenue and receipts cycle 10/27

Activity/procedure Control, comment and explanation


1. Final check of goods before 1.1 The despatch controller will access the picking slip file on the system; his
creating the invoice access will be read only.
1.2 He will select (click on) the picking slip for the goods he wishes to check,
identified by its transaction number or picking slip number:
• there is no keying in of any information to select the picking slip, and
• the screen will come up formatted as the picking slip.
1.3 The despatch controller will then match the physical goods with the on-
screen picking slip and the hard copy picking slip. The goods to be des-
patched must agree with the on-screen picking slip (as it will be “converted”
into the invoice).
1.4 If there are any errors either in the goods picked (wrong goods) or the
quantity picked, the despatch controller cannot alter the picking slip or
change the goods. The problem must be resolved by the picking control
clerk.
1.5 He will also confirm that the picking slip has been signed by the picker and
the picking control clerk and then sign it himself.
1.6 The checking of the goods will take place as they are packed for despatch.
2. Creating the invoice 2.1 Once the despatch controller is satisfied that the goods and the on-screen
picking slip match completely, the despatch controller will select the ap-
prove/confirm option and the screen will come up formatted as an invoice.
In effect, the picking slip has been converted into an invoice.
On selecting the approve/confirm option:
• a hard copy invoice is printed for inclusion with the goods, and
• a delivery label is printed to be stuck on the box, and the status code on
the picking slip on the system will automatically change to indicate that
the picking slip has become an invoice (has changed its status).
The invoice is transferred from the picking slip file account, and real-time
processing takes place on the system, i.e. the debtors masterfile, sales ac-
count and inventory masterfile are updated simultaneously.
2.2 The approve/confirm option will be restricted to the despatch controller
through his user profile.
2.3 The picking control clerk would not be able to approve a picking slip to
create an invoice at any stage, for example before the despatch controller
has carried out his final check. His screen, which is linked to his user pro-
file, would not reflect an active “approve/confirm” option for him to click
on.
2.4 There will be no write access to the file, for example nobody, including the
despatch controller, will be able to change anything on the invoice.
3. Goods are delivered to the 3.1 The customer must sign a document (delivery note) to acknowledge that the
customer goods have been received. (Any delivery problems should be noted on the
This is a physical procedure and delivery note.)
the principles described in the 3.2 This document should be filed in the despatch section in numerical order so
manual system will apply. The that any delivery queries can be followed up.
most important control is that
the customer signs a document
to acknowledge receipt of the
goods.
4. Sales orders on the pending 4.1 These sales must be approved or rejected by the credit controller (see sec-
sales order file tion on credit management page 10/28).
10/28 Auditing Notes for South African Students

Receiving and recording payments from debtors


In the present business environment, customers (debtors) usually pay by electronic funds transfer from their bank
account directly into the bank account of the business to which they owe money. The business receiving the payment
in its bank account now needs to record the receipts as soon as possible so as to maintain its debtors ledger (and cash
journal), right up to date. If the company does not keep its debtors ledger right up to date, the debtor’s individual
accounts will not reflect the correct amount owed and further sales might be lost on the grounds that the debtor has
exceeded his credit limits. There are basically two ways in which the company can obtain the details of deposits into
its bank account for entry into its accounting records, and both require that the company create a direct link to its
bank via the Internet. The bank account is accessed every morning and the bank statement downloaded and printed
out as a hard copy or downloaded straight into the company’s system. If the bank statement is printed, each deposit
will have to be keyed into the system. A daily schedule of receipts will be produced and the detail of each receipt
would have to be entered via the keyboard. Even in a highly computerised system, some debtors may still pay with
cash. In this case, conventional manual receipting controls and depositing would be in place but the entry onto the
system would probably be from the downloaded bank statement. This illustration assumes that the bank statement is
downloaded directly onto the company’s system.
Activity/procedure Control, comment and explanation
1. Accessing the bank account 1.1 To link the company’s system with the bank, the bank will load its software
onto a limited number of terminals at the company:
• One of these terminals will be in the debtors section, usually the terminal
of the senior debtors clerk.
• Access to the bank’s site will be gained in the normal manner but to access
the company’s bank account, the senior debtors clerk will need to enter a
PIN and password.
• If this identification and authentication procedure is successful, a menu
of the functions available will be displayed, one of which will be “down-
load bank statement”.
• This function will be linked to the senior debtors clerk’s user profile to
enable him to initiate the download.
Note: general access controls will apply, for example the terminal should
shut down after three unsuccessful attempts to access the company’s bank
account.
2. Accessing the downloaded bank 2.1 The ability to access (read only) the bank statement file once it has been
statement on the system downloaded will be restricted to only those who need to work with the
bank statement, including management and supervisory personnel:
• The ability to process a receipt should be restricted to the senior debtors
clerk.
3. Processing the receipt 3.1 The bank statement should be downloaded each working day so that
receipts from debtors (and other items on the bank statement) can be pro-
cessed promptly to individual debtors so that the debtors ledger is right up
to date.
3.2 Debtors should be regularly reminded to:
• Clearly reference their EFT payments when effecting the transfer. This
should preferably be a number (not a name) and, if possible, the invoice
numbers to which the payment refers, should be included. (However,
there is only limited space for references on the bank statement.)
• Submit a remittance advice (preferably electronically) to the debtors sec-
tion.
3.3 When processing the receipts reflected on the bank statement, the senior
debtors clerk will work with the references on the bank statement and the
remittance advices:
• There are various ways of processing the receipts, but the invoice number
will usually be the “hook”. On entering an invoice number, the system
will match the invoice number and amount to the file of unpaid invoices
and if it finds a match, the debtors account to which the invoice is linked,
will come up on the screen.

continued
Chapter 10: Revenue and receipts cycle 10/29

Activity/procedure Control, comment and explanation


3. Processing the receipt 3.1 The bank statement should be downloaded each working day so that
(continued ) receipts from debtors (and other items on the bank statement) can be pro-
cessed promptly to individual debtors so that the debtors ledger is right up
to date.
3.2 Debtors should be regularly reminded to:
• Clearly reference their EFT payments when effecting the transfer. This
should preferably be a number (not a name) and, if possible, the invoice
numbers to which the payment refers, should be included. (However,
there is only limited space for references on the bank statement.)
• Submit a remittance advice (preferably electronically) to the debtors sec-
tion.
3.3 When processing the receipts reflected on the bank statement, the senior
debtors clerk will work with the references on the bank statement and the
remittance advices:
• There are various ways of processing the receipts, but the invoice number
will usually be the “hook”. On entering an invoice number, the system
will match the invoice number and amount to the file of unpaid invoices
and if it finds a match, the debtors account to which the invoice is linked,
will come up on the screen.
• The debtorsclerk will select the enter (proceed) option, and the system
will update the debtors account in the debtors masterfile and cash book
records, as well as the file of unpaid invoices.
Note: Potential problems are the following:
• The senior debtors clerk cannot identify which invoice is being paid.
Without a match to the unpaid invoice file, the system cannot process the
receipt.
• The invoice number matches, but the amount does not because the debt-
or has reduced the amount paid by taking an early discount settlement.
Again, because there is not a proper match, the system will not process
the receipt.
3.4 Any receipt that cannot be matched to an invoice number on the system
will be processed to a “receipt suspense file” where it will remain until the
problem can be resolved.
• Removal of the receipt from the receipt suspense file will be restricted to
the senior debtors clerk.
3.5 Any receipt for which there is a match to an invoice number, but the
amount does not match will be written to “a receipt pending file”.
• The credit controller should access this file daily to determine whether
the discount can be approved. The authority to approve will be restricted
to the credit controller in the normal manner.
• If the discount is approved, the receipt will be processed immediately.

Credit management
Computerisation does not change the objectives of credit management, but it can make it far more efficient and
effective than in a manual system. The computer is used in a number of ways.
For example, the credit application from the applicant and the following up of the information can be done online,
and the efficiency in the day-to-day management of debtors can be improved. This may involve resolving sales orders
and receipt queries on pending files, sending statements by email, identifying slow-paying debtors and reconciling
accounts. In addition, the computer’s ability to produce analytical and other reports, for example, aging schedules,
ratios, will be of huge benefit.
Activity/procedure Control, comment and explanation
1. Granting of credit terms 1.1 Regardless of how it is done (online, personal visit), a credit application must
and limits (new customers) be submitted. The application must contain customer banking details, trade
references, financial information:
• All details should be followed up with bureaus such as Transunion or
Credit Secure, which will supply an assessment of the applicant’s credit
rating.
continued
10/30 Auditing Notes for South African Students

Activity/procedure Control, comment and explanation


1. Granting of credit terms 1.1 Regardless of how it is done (online, personal visit), a credit application must
and limits (new customers) be submitted. The application must contain customer banking details, trade
(continued) references, financial information:
• All details should be followed up with bureaus such as Transunion or
Credit Secure, which will supply an assessment of the applicant’s credit
rating.
• Online access to a bureau site will be password protected (supplied on
registration with the bureau), and should be known only to the credit con-
troller and his assistant, and must be kept confidential.
• A credit rating should be obtained directly from the applicant’s bank.
1.2 The company should have guidelines for:
• the credit terms given, for example, only 30 or 60 days
• initial credit limits (to be reviewed after a relationship has been developed
with the customer), and
• handing over a debtor who has not paid, for example,
– amounts owed for over 90 days, handed to a credit agency, and
– large amounts outstanding over 120 days handed over to a lawyer.
(Note: before handing a debtor to an outside party, the credit controller will
negotiate with the debtor to make payment.)
1.3 The final credit terms and limits must be agreed between the credit control-
ler and financial manager in terms of company policy:
• The terms and limit will be recorded on the credit application form that
will be signed by the credit controller and the financial manager.
2. Adding the new customer 2.1 This will be a masterfile amendment and the controls over masterfile
to the debtors masterfile amendments described earlier, will apply. The credit application form will
be the supporting documentation for the MAF.
3. Approving sales orders on the 3.1 The authority to approve a sales order on the pending sales order file will be
sales order pending file restricted to the credit controller.
3.2 The decision to approve (or not) should only be made after contacting the
client to discuss the matter, reviewing the debtor’s payment record, deter-
mining whether the non-payment has arisen out of a dispute over a sale and
whether there are other pending sales to the debtor.
3.3 The credit controller (and assistants) will have read access to the debtor’s
account history, for example, can bring up a list of all previous invoices,
payments, current balance, days outstanding, previous payment issues, etc.
3.4 All approvals will be logged and followed up by the financial manager.
3.5 If a pending order is not approved, the customer is notified and the sales
order remains on the pending file until the customer can resolve the matter.
3.6 If the sales order is approved, it is transferred to a sales order file for pro-
cessing in the normal manner. It will no longer appear (or will be suitably
status coded) on the pending sales order file to indicate that it has been
resolved.
4. Approving discounts 4.1 The authority to approve an early settlement discount taken by a debtor
(receipts pending file) should be restricted to the credit controller and should only be given if the
discount is in line with the terms and conditions applicable, for example:
• early settlement terms have actually been satisfied
• the amount of the discount taken is correct (percentage and calculation).
4.2 All discounts approved should be logged and a report should be generated
for review by the financial accountant.
Note: If the discount is approved, the system may automatically process a
credit note (a report of credit notes generated will be produced).
continued
Chapter 10: Revenue and receipts cycle 10/31

Activity/procedure Control, comment and explanation


5. Credit notes and journal adjust- 5.1 Supporting documentation should be prepared for credit notes and adjust-
ments, for example, bad debt ing journal entries, and approved by suitably senior personnel.
write-off 5.2 All credit notes and journal entries that affect debtors should be approved
by the credit controller.
5.3 Access to any credit note or journal entry module should be restricted in the
conventional manner, i.e. user profile.
5.4 A weekly report of credit notes passed indicating the reason they were given
should be printed and reviewed by the financial accountant.
6. Debtors statements 6.1 A monthly debtors statement for each debtor should be produced by the
debtors department reflecting the state of the debtor’s account in the debtors
masterfile. Details of all invoices, receipts, credit notes and journal adjust-
ments should be included as well as a breakdown of the amount owed in
days outstanding, for example, 30 days, 60 days.
• Debtors statements should be sent or emailed to debtors promptly.
7. Day-to-day management 7.1 With modern software a great deal of analysis of information can be carried
(reports) out on the system and made instantly available to users. The credit manage-
ment function should make extensive use of these reports, some examples
of which are as follows:
• new accounts opened
• changes to terms and credit limits for individual debtors
• debtors exceeding their credit terms and limits
• age analyses, and
• debtors payment patterns, etc.

Processing controls
As mentioned in chapter 8, the accuracy, completeness, etc., of processing is evidenced by reconciliation of output
with input and the detailed checking and review of output by users, on the basis that if input and output can be recon-
ciled and checks and reviews reveal no errors, processing was carried out accurately and completely, and only trans-
actions that actually occurred and were authorised, were processed. To make sure it does its job, the computer will
perform some internal processing controls on itself, but the user will not even be aware that these are going on. The
users within the cycle make use of the logs and reports that are produced relating to their functions, whilst the IT
systems personnel make sure that processing aspects of the system are operating properly.

Summary
The description of the system above provides an illustration of how the control activities described in chapter 5 (and
referred to in ISA 315 (revised)), can be implemented. It also provides an illustration of how specific automated
(programme) controls can be introduced, for example:
Segregation of duties • Separation of functions, for example, ordering, warehouse,
processing receipts.
• Separation of responsibilities within functions, for example,
receiving order, picking, picking control, invoicing.
Isolation of responsibilities • Isolating responsibilities through granting access privileges, for
example, only credit controller can approve sales orders in the
pending sales order file.
• Having pickers, the picking control clerk and despatch control-
ler sign the picking slip.
Approval and authorisation • A sales order clerk is prevented from proceeding with a sales
order unless the customer satisfies the preset credit worthiness
requirements.
• The financial manager and credit controller approve the
credit application.
Custody • Access to the bank account (custody of the company’s money)
and the functions that can be performed via the Internet, is
strictly controlled by user IDs, PINs and passwords.
continued
10/32 Auditing Notes for South African Students

Custody(continued )
• The information on the debtors masterfile (which is an asset)
is also protected by user IDs and passwords to restrict unau-
thorised amendments.
Access controls • All users on the system must identify and authenticate them-
selves by IDs and passwords, and what they are authorised to
do is reflected in their user profiles.
Comparison and reconciliation • The system reconciles the allocation of receipts to debtors in
the debtors ledger, to the total amount of the deposits into the
company’s bank account downloaded onto the system.
• The system compares current period information about sales
and debtors with corresponding prior period information and
produces reports.
Performance review • The real-time processing system allows supervisory and man-
agement staff to go into the pending sales order file to see how
a sales order is progressing, for example, to determine whether
there is a backlog in picking.
• The sales manager accesses the “sales order pending file” to
determine whether pending sales orders are being speedily
dealt with by the credit controller.
• Reports containing information about debtors, for example,
aging, days outstanding, etc., are produced to be compared to
performance targets set by the company to measure the per-
formance of credit management.
Control techniques and application controls • Screen aids and related features
– minimum entry: keying in customer’s account number
brings up all other detail
– screen formatting: the picking slip
– mandatory fields: customer purchase reference.
• Programme checks
– validation check on customer number
– alphanumeric on quantity field.
• Output control
– masterfile amendment logs are checked against source doc-
uments
– access to debtor information on the system is restricted on a
“need to know basis”.
Logs and reports • Log of changes made by picking control clerk to picking slips
on the system.
• Daily reports of sales orders received, debtors exceeding credit
limits or terms.
This does not cover every control, policy or procedure that could be in place, and is not intended to. This knowledge
will only be acquired when you go into different companies and work with their systems.

10.1.9 Internal control in a cash sales system


10.1.9.1 Introduction
The making of cash sales presents some unique and difficult risks:
• The major risk is loss to the business due to the theft of cash. Cash is easily stolen and to some of those
who work with it, the temptation is too great
• This ease of theft can also significantly increase the risk of collusion either with other employees and/or
with a customer.
Chapter 10: Revenue and receipts cycle 10/33

For example:
In the case of collusion with another employee, a salesman may make a cash sale to a customer, not
enter it, and share the proceeds with the security guard whose duty it is to check the goods against a
sales docket (in this case there will not be one) before the goods are taken out of the shop. A customer
can also easily be drawn into a theft of cash by answering “no” to such questions as “do you want/need
a receipt” or answering “yes” to a question such as “do you want to pay cash, because if you do, we
don’t have to charge VAT”. A customer may knowingly or unknowingly answer “yes”!
• The control of cash can be particularly difficult in smaller businesses that don’t have the resources to
have a strong division of duties or purchase equipment that can assist in preventing some forms of cash
theft, for example, surveillance cameras or sophisticated point-of-sale systems.
• In a smaller business, say an owner/managed business, the extent of the desire of the owner/manager
to control cash will be a major factor in how well it is controlled. Remember that the owner/manager
may be keen to understate his cash sales so as to reduce tax. This attitude also affects the control envi-
ronment and other employees will soon notice and may even exploit it.
• There is also the risk of armed robbery and injury to employees, so cash (at all stages, see 9.2) should be
physically safeguarded.

10.1.9.2 Stages of a cash sale


For the purposes of describing the controls that should be in place, we will assume that the business has
reasonable division of duties and the desire to implement and maintain good control over cash sales. The
description will concentrate on principles, as the variations in the nature of businesses that make cash sales
are vast, ranging from car washes to food outlets, petrol stations to supermarkets.
A cash sale usually goes through the following stages:
• Goods or services are requested from an employee of the business, or are selected by the customer to be
paid for at an exit point. Typically there is no order document.
• The prices of the goods are rung up on a cash register and a total amount owed is calculated, or a cash
sale invoice is created on a computer or manually.
• The customer hands over the cash and is presented with a receipt and change where necessary.
• Before leaving the premises, a security guard may check the goods against the receipt/invoice.(This
control has practical implications, e.g., it is unlikely that groceries are going to be unpacked and
checked against the till slip.)
• The cash is kept in the cash till until it is collected for banking.
• The cash is reconciled with a record of sales made, for example, a till roll slip and a deposit slip are prepared.
• The cash is banked.
• The cash receipts journal is written up (and subsequently posted to the general ledger).

10.1.9.3 Principles of control and examples


• Physical safeguards should be in place to protect cash registers and employees and to prevent theft.
For example:
– limited exit points and exit points positioned to minimise the risk of a customer leaving without
paying as in a supermarket
– cash not held on an employee’s person: petrol attendants and car wash personnel should take all
money to a central secure cash point
– security guards and camera surveillance
– signage should encourage customers to request a receipt.
• An independent record of every sale must be kept.
For example:
– All sales should be “rung up” (entered) on a cash register that retains a total of all cash sales made. If
sales by credit card or cash are made, it is useful if the record kept by the cash register records the
method of payment for reconciliation purposes.
– If a cash sale invoice is printed on a computer to support a cash sale, a report of daily cash sales
should be printed.
10/34 Auditing Notes for South African Students

– If the system is manual, a cash sale invoice should be written out in an invoice book; one copy given
to the customer, one copy retained.
– In some businesses a counter of some kind may keep an independent total related to the number of sales
that take place, for example, a car wash bay may keep a running total of cars entering the bay.
• The independent record should not be alterable
– There should be no access to the till roll (or other record) in the cash register in a supermarket, other
than to supervisory/management employees.
– Handwritten invoices are only protected by the fact that alterations will be visible.
– Access to reading, recording and resetting an independent counter (as in a car wash) should be
restricted to the manager/owner.
• The independent record should be sequenced so that missing records can be identified.
For example:
– Till rolls or equivalent should be date sequenced (and should identify the cash register they came
from).
– Cash sale invoices should be numerically sequenced.
• Cash should not be allowed to accumulate for too long in the cash till (or equivalent).
For example:
– In a supermarket, cash tills should be emptied regularly during the day and taken to a secure area.
This activity may coincide with the changing of the cashier.
– A car wash manager/owner should ensure that cash is banked every day.
• Whenever cash is transferred from the custody of one person to another, it should be counted, reconciled,
documented and signed for by both parties in a safe location.
For example:
– When cash is to be removed from a cash register, the till lane will be closed. The cash drawer will be
removed by the cashier in the presence of the supervisor and taken to a secure back office by the two
of them.
– The two individuals should then count the cash and total the credit card slips and reconcile them to
the independent record that, in this case will be the locked-in till roll (or similar) that will be accessi-
ble only to the supervisor. The cash reconciliation would take into account the cash float given to the
cashier (and signed for) at the start of the shift.
– The reconciliation should be recorded on a multicopy, preprinted, sequenced document and should
contain information, such as date, time, till, cashier name, the actual reconciliation showing any
“overs” or “unders”, any relevant comments and the signatures of both parties.
– At no stage during the reconciliation exercise should either of the parties leave the room.
– Where multiple reconciliations are carried out, to a secure back office lots of tills, the individual
reconciliations should be consolidated onto a “daily cash sales” summary.
– The same principles will apply when armed security removes cash for banking.
– In the car wash business, the manager/owner should count the money with the employee responsible
for handling the cash, agree the total to the cash sales invoices for the day and the independent coun-
ters on the car wash equipment.
• Cash should be banked regularly (at least daily) and intact, in other words, cash should not be removed to
pay wages or other expenses.
For example:
– A deposit slip should be made out by the supervisor and agreed to the daily cash sale summary.
– A second senior staff member should agree the bank deposit slip to the supporting reconciliations and
daily summary sheets and sign the documentation.
– The same principles will apply in a smaller business, to the extent possible. A manager/owner is
likely to be involved in reconciling and banking of cash.
• The cash receipts journal should be written up promptly.
• The financial accountant should regularly inspect the cash receipts journal to confirm that the daily
receipts are being banked promptly, and completely, and that the amounts agree with the deposit slips
Chapter 10: Revenue and receipts cycle 10/35

and supporting documentation. The financial accountant will also carefully check the monthly bank
reconciliation. All procedures will be acknowledged by signature.
Note 1: Cash registers and point of sales systems have numerous features that assist in the control of
cash sales (and other sales). These features relate to some of the principles discussed above, for
example, keeping independent totals and, in addition, will frequently provide reports that can
be used for analytical purposes. Reports of cash sales by shift, cashier, salesperson, day of the
week, etc., can be produced. Comparison and analysis may reveal trends that should be investi-
gated, such as more frequent discrepancies for a particular cashier, or generally lower sales on
the till manned by a particular cashier regardless of which till it is. These modern systems will
also produce reports of the activities that have taken place on the till, such as supervisor overrides,
correction of ringing up errors, which can be followed up if they look suspicious, for example,
a supervisor who appears to “override” far more than another supervisor.
Note 2: In some businesses the relationship between cash sales and inventory can provide a good indi-
cation of theft of cash. For example, the owner/manager of a fast food outlet may require that,
at the end of the business day, cash in the till be reconciled with movement in “food” invento-
ry. If the cash register is able to record separately the different products sold (very common),
the number of each product sold can be reconciled with the corresponding inventory on hand.
If the outlet started with 500 hamburger patties on hand and ended the day with 100, the cash
register should have recorded the sale of 400 hamburgers. If it only shows 390 sold, 10 ham-
burger patties are unaccounted for. The cash in the till will agree with what has been rung up,
so it suggests that some sales are not being rung up.
In our car wash business, the manager/owner may be able to pick up variances between the month’s water
and electricity expenses and the number of car washes recorded as sales. More water and electricity used
should equal more cars washed. Surprise visits by the manager/owner and cash reconciliations may also
reveal irregularities.
These analytical control activities, which are in fact performance reviews, are not foolproof in themselves,
but when combined with further techniques, may become very effective. For example, further analysis may
reveal that inventory shortages occur consistently when a particular supervisor is on duty at the fast food
outlet.
The point is that where a business has cash sales, a full range of formal controls should be put in place,
supported by innovative analysis and follow up.

10.1.10 The role of the other components of internal control in the revenue and receipts
cycle
This chapter has concentrated on the information system and control activities components of internal control.
However, these components are affected by the other components and a brief mention of the other compo-
nents is appropriate.

10.1.10.1 The control environment


The tone of the business with regard to control is generally set for the business as a whole by the actions
and behaviour of the directors and management, and will flow down to the employees in the different
cycles that make up the business. Of importance in the debtors section is that senior members, such as the
sales manager, credit controller and debtors manager, should enforce the controls strictly but fairly and
judiciously, especially when a customer is directly involved. For example, a debtor should not simply be
handed over for collection to a lawyer without attempting other ways of trying to settle the debt first.
Sales prices should be fair and realistic and the Consumer Protection Act and other relevant legislation
should be complied with. The integrity of staff dealing with cash sales and confidential debtor information
should be at a high level. Special attention should be paid to controls that address the risk of fraud in the
cycle, for example, invalid credit notes, or debt write-offs. In a smaller entity there should be comprehen-
sive owner/management involvement.

10.1.10.2 Risk assessment procedures


Formal risk assessment procedures should address the overall risks faced by the company in the market
place, including the promotion of the company’s products, methods of selling, sales policies, etc. Less
formal risk assessment can be undertaken by the members of the department assessing the risks they face in
10/36 Auditing Notes for South African Students

meeting the function’s specific risks as described in the chapter. In smaller entities, it is the owner/man-
ager’s informal assessment and response to risks identified in his involvement with the cycle (that is not
likely to be particularly strong on formal controls) that will make the difference.

10.1.10.3 Monitoring
Monitoring is about “looking in” on the cycle to determine, over time, whether the internal control system
as a whole, is achieving its objective and adequately addressing the risks facing the company. In the context
of the revenue and receipts cycle, there are a number of monitoring activities that can take place. Broadly
stated, the objectives of the cycle will be to supply customers promptly with the correct goods at fair prices,
to collect amounts owed by debtors according to the terms of the sale and to limit losses from bad debts.
These can be monitored by:
• period-based comparisons of ratios and statistics, such as “debtors days outstanding”, bad debt write-
offs, etc.
• assessing customer satisfaction by customer complaints, the number and reasons for the issuing of credit
notes, analysis of the buying patterns of major customers, and indirectly by changes in turnover

10.2 Narrative description of the revenue and receipts cycle at ProRide (Pty) Ltd
10.2.1 Introduction
The following narrative description is designed to give you an idea of how the revenue and receipts cycle
functions in an actual operating company. The name of the company has been changed as have the names
of the staff involved. Certain aspects of the company and its systems have been simplified for the purposes
of this narrative but in essence, we have described “how it actually happens”. Before reading this narrative,
we suggest that you read chapter 9 – Computerisation at ProRide (Pty) Ltd.

10.2.2 Background to the company


The company wholesales bicycles, parts and accessories to the retail trade. Customers include the major
chain stores, for example, Makro, Game, numerous independent bicycle dealers and other general retailers.
The company has a turnover of around R140m and about 2 000 debtors. Both foreign and local purchases
are made and customers are located mainly in South Africa but sales are also made in other African coun-
tries. The company’s administrative offices are attached to the warehouse. All goods are received at, or
despatched from, the warehouse. The company has a computerised perpetual inventory system with literal-
ly many hundreds of inventory items, that are each assigned an inventory item code and a narrative
description in the masterfile.

10.2.3 Overall control awareness


The company is very “control aware”. The tone is set by the senior financial managers who, as you will see
later on, monitor all aspects of the business continuously aided by an excellent computerised information
system. All the components of internal control (see chapter 5) are present, for example, there is a strong
control environment, sound control activities are implemented and there is ongoing monitoring by senior
management. As you read through the narrative, you can be satisfied, for example, that the people in the
system are competent and trustworthy, there is isolation of responsibility, clear lines of reporting, and all
documents used in the cycle are preprinted, prenumbered and properly designed.

10.2.4 Computerisation in this cycle


This cycle is highly computerised. Sales, debtors and inventory are all run on the IBM AS 400 system,
using the JD Edwards software. The company makes daily use of its Internet link to its bank to download
details of payments made directly into its bank account by debtors so that the debtors ledger can be kept
right up to date.

10.3 Sales – How the system works at ProRide (Pty) Ltd


It should be noted that great care is taken to ensure that sales orders taken are accurate and complete and
that customers are within their credit terms right from the start. This cuts down significantly on problems
arising at a later stage. Orders are dealt with promptly; goods will be picked and despatched (usually)
within 24 hours.(This is one of the company’s performance measures.)
Chapter 10: Revenue and receipts cycle 10/37

10.3.1 Receiving orders


The company does not make “over the counter” sales. Sales are made to account holders only.
The three order clerks are located in their own office and are equipped with terminals linked to the AS 400,
telephones and a direct fax line. They have “read only” access to the inventory masterfile and the debtors
masterfile, and for confidentiality purposes not all information on these masterfiles is available to them. All
orders are directed to this office.
Orders are received by phone, email, fax and through the post. Orders that are phoned in, are not neces-
sarily confirmed by a hardcopy/email order. It should be noted that ProRide (Pty) Ltd’s customer base is
very varied and ranges from large companies with very formal financial systems, to small general dealers
and “bike shops” in small towns and rural areas that have far less formal systems for ordering their goods
and paying their accounts.

10.3.1.1 Telephone orders


We will assume for the purpose of this illustration that one of the order clerks is Jazelle Roos. When a
phone call comes in from a customer, it is directed to the first available order clerk by a phone queuing
system.

(a) Validation of the customer


• On receiving the call, Jazelle will greet the caller and enquire as to whether he is an account holder. If
so, she will request the customer’s account number (or company name) that she will enter onto the sys-
tem.
• If the number (or name) given by the customer is a match to a debtor on the debtors masterfile, further
details pertaining to the customer will appear on the screen and Jazelle will ask the caller to supply
(some of) this additional detail to “validate” the customer.
• If the number (or name) given is not a match, no order can be taken.
• If the caller is not an approved customer, the caller will be referred to Judith Oldman, the credit man-
ager.

(b) Debtors with a hold on their account


• When a customer’s account details appear, there may be an on-screen message that conveys to Jazelle
that the debtor’s account is on “hold”, meaning that no orders can be taken for that customer.
• The decision to place a hold on a customer’s account will have been taken by Judith Oldman (credit
manager) and Johan Els (financial manager) and the reason would be that the customer is no longer
considered to be creditworthy.
– The hold is effected by the entry of a code into a designated field on the debtor’s account in the
masterfile (write access to this field is restricted to Judith and Johan and holds are logged for subse-
quent review by Brandon Nel the financial director).
– Note that this hold has nothing to do with the value of the new order the customer wants to place, so
it is not a matter of a current order pushing the customer past his credit limit. This hold is about iden-
tifying a customer with whom the company does not want to trade!
– If the account comes up with a hold on it, Jazelle will inform the customer and transfer the call to
Judith.
– The hold can only be lifted if Judith and Johan agree, after thorough investigation, that the custom-
er’s problems can be resolved. Lifting of this hold is not done until the customer has brought his ac-
count into line, and may not even be lifted at this point.
– Removal of the hold code is restricted to Judith and Johan, it must be supported by a signed motiva-
tion, and is logged for review by Brandon. The intention of this strict set of procedures is to limit
losses from bad debts.

(c) Taking an order from a customer


• ProRide (Pty) Ltd does not operate a complete telesales system in that the orders taken over the phone
are not entered directly onto the system. It would probably be more efficient to do so, but the system as
it is works well.
• Once Jazelle has “validated” the customer as above, she can take the order details. All order details are
manually written onto a sequenced, preprinted internal sales order (ISO).
10/38 Auditing Notes for South African Students

• Order clerks are regarded as sales personnel. With many hundreds of different inventory items, custom-
ers are frequently not aware of the precise inventory codes and descriptions of what they require despite
having access to catalogues, a website, etc.
For example:
A dealer might wish to order bicycle spokes; at this point Jazelle will access the inventory masterfile
(read access only) and, making use of her “enquiry” privilege, will enter “bicycle spokes”. This brings
up a list on screen that contains a description of each of the different types of bicycle spoke ProRide
(Pty) Ltd carries, the inventory item code, description, number of items in inventory and the selling
price. Line items appear as follows:
BS 123 Stainless steel 700c 48 R17,50
BS 149 Galvanised Black 700c 26 R13,20
With this information Jazelle is able to establish exactly what the customer requires, whether it can be
supplied (in stock) and the selling price. As each item is agreed, she manually records the item code and
quantity on the ISO, and before moving onto the next item, confirms with the customer.
• All order clerks receive ongoing training relating to the products the company sells. This sound personnel
practices control enables the order clerks to promote sales rather than just take orders.
For example:
If a customer wants an item but it is “out of stock”, Jazelle is competent to offer alternatives. The in-
ventory masterfile also has a field into which additional information can be added (not by Jazelle) to
indicate inventory items that may be “on special” at a reduced price. With this information the order
clerks can offer these items to the customer.
• Once the order details have been taken, a customer order reference is obtained, and all details of the
order are confirmed. The customer is given the ISO number as his reference to the order placed and the
telephone conversation is then terminated. Jazelle will then promptly complete the ISO (checking
details to the inventory masterfile where necessary) and sign it (isolating her responsibility for taking the
order.)

10.3.1.2 Backorders
If an item is “out of stock” and a satisfactory alternative cannot be agreed upon, Jazelle will ask the cus-
tomer whether he wishes his order to be placed on “back order”. If so, she will manually record the details
on a back-order list. Each week she will access the inventory masterfile to determine whether any inventory
items appearing on her back-order list have been received into inventory. Once an inventory item is availa-
ble, she will phone the customer. An ISO is not automatically compiled. If the customer wishes to place the
order, the normal procedure is followed.

10.3.1.3 Hardcopy orders (fax, post and emails printed)


All hardcopy orders received through the post are sent to the order department by “mail receiving”. Pro-
Ride (Pty) Ltd’s customers are provided with the order department’s fax number and a dedicated order
department email address, and are also requested to mark their hardcopy orders confirmation only if the
order has been placed telephonically. As mentioned earlier, customers do not always confirm telephone
orders. All orders that are not marked “confirmation only” are checked against the copies of the ISOs held
in the order department to ensure that the order is not duplicated. If there is any doubt, the customer is
contacted.
The procedure for hardcopy orders is basically the same as for telephonic orders. An ISO is made out for
each order after the debtor’s status and inventory availability checks have been carried out. Thus an order
placed by a customer who may have a “hold” on their account will be identified, as will an “out of stock”
order. These conditions will be treated in the same manner as a telephonic order.
The result of the procedures in the order department is the production of a source document (ISO)
that represents an order from a customer in good standing, accurately compiled and complete with
all necessary detail to proceed with filling the order.
Chapter 10: Revenue and receipts cycle 10/39

10.3.2 Opening an account


As indicated, the company sells only on credit to account holders. Before a business entity is accepted as a
customer it must complete a credit application form and submit it to ProRide (Pty) Ltd. (To speed up this
process the customer can use the “online” facility available on ProRide(Pty) Ltd’s website.)
The credit application form requires the potential customer to provide:
• the business entity’s basic details, for example, name, address, phone numbers, email address, etc.
• the business entity’s registration number, where applicable, for example, company or CC registration
number
• full details of directors, members (CC) or partners of the business entity
• trade references, and
• credit terms and limits required.
Judith (the credit manager) then uses a credit bureau (that we will call Credit Secure) to investigate the
creditworthiness of the potential customer. Credit Secure offers their service online, and to make use of this
facility, ProRide (Pty) Ltd has registered with Credit Secure. On registration, ProRide (Pty) Ltd was sup-
plied with a unique password that must be entered once the Credit Secure website has been accessed. The
password is only known to Judith and her senior assistant. The website then requires that key details, for
example, the company registration number, be entered. This initiates a search of relevant databases and the
production of a report by Credit Secure. This report provides ProRide (Pty) Ltd with an assessment of the
business entity’s creditworthiness as well as a credit rating, for example, A = excellent, E = poor. If Credit
Secure has insufficient information about the entity on its databases, it will undertake a special investiga-
tion if asked to do so.
Once the Credit Secure report has been obtained, it is filed with the original application (hardcopy) and
discussed by Judith with Johan (the financial manager), at their weekly “debtors” meeting. At this meeting
a decision is made on whether credit should be granted and on what terms. This decision is recorded on a
document and signed by both Judith and Johan. The document is used as the authority to add the new
customer to the debtors masterfile. Dalene Burger (accounting supervisor) actually enters the new debtor
onto the masterfile. All amendments are logged by the computer.
The financial director, Brandon, is supplied with a printout (log) each month of new account holders and
he will review the supporting documentation relating to these account holders.

10.3.3 The production of picking slips


10.3.3.1 Entering details from the ISO
Once the ISO is complete, it is placed in a secure pigeon hole at the door to the computer department (that
is physically separate from the order department). At regular intervals through the day, Rushda Devon, the
data clerk, will remove the ISOs from the pigeon hole and capture the details of each ISO to create a
“picking slip” (PS). Access to the sales application is restricted. Rushda has her own password and is given
read or write privileges to only those modules that she needs to perform her function (least privilege prin-
ciple). The application is menu-driven and Rushda will select the “create picking slip” module. The screen
will then come up formatted (laid out) as a “picking slip” and she will enter the information into the appro-
priate fields. Rushda is required to enter minimal information only, and does not have write access to any
fields other than those that she must complete, i.e. she cannot change any standing data, for example, an
address. Fields to which she does not have write access are shaded on her screen.
• Entry of the customer’s account number brings up the rest of the customer’s details.
• Entry of the inventory item code brings up the description of the goods ordered.
• The quantity ordered must be entered.
• The programme automatically provides the document number (sequenced and that cannot be altered)
and the date.
• The corresponding ISO number must be entered.
10/40 Auditing Notes for South African Students

10.3.3.2 Credit limit check


You will recall that when an order is initially received, any debtor’s account that has a “hold” on it is
identified, and no sales order will be accepted from that debtor. This is in effect an initial creditworthiness
check and a second credit check takes place when Rushda enters the ISO.
• Once all order details have been entered, the computer instantly calculates the total value of the new
order and adds it to the debtor’s balance. The new balance is compared on the system to the debtor’s
credit limit, that is held on the debtors masterfile. (Note that this is only a control procedure; the debt-
or’s account is not updated at this point, nor is a picking slip produced.)
• If the debtor’s credit limit will be exceeded if the new order is processed, the picking slip cannot be
printed and the ISO will be written to a sales order pending file on the system.
• At the same time as the sales order is written to the pending file, a screen message is sent to Judith
Oldman (credit manager), alerting her that the sales order is on the pending file
– As soon as she is able to, Judith will access the pending file and decide on whether to authorise the sale or
not. To be in a position to do so, she carefully considers the payment record of the debtor, the amount by
which the limit has been exceeded, and, if necessary, will phone the debtor to discuss the
problem and a possible solution. If she is satisfied in her own mind that the debtor will pay, she will ap-
prove the sale. Only Judith can effect this approval, as only a screen linked to her user profile will re-
veal the “approve” option.
– On approval, the sales order will be transferred to the picking slip file from where it is treated as a
normal approved order. The sales order pending file is updated to reflect that the pending sales order
has been approved.
• If on entry of the sales order, the debtor’s credit limit check is satisfied (which is normally the case), and
the sales order is written to the picking slip file. Once Rushda is satisfied with what she has captured,
she selects the “print picking slip” option and a picking slip is produced. The printed picking slip con-
tains the following:
– inventory item code, and description of goods
– quantity ordered
– document number and ISO number
– customer details (including delivery address), and
– an empty block next to the quantity ordered for each item (the actual quantity picked is later entered
in this block).
As the picking slips are produced, they are placed in a secure pigeon hole in the picking area. A batch
system is not used.

10.3.4 Picking the goods


10.3.4.1 Physical picking
The picking area is located next to the warehouse (see diagram in chapter 12). It is broken down into
numerous designated sections where items picked for each order can be placed. It is secure to the extent
that only pickers, warehouse management (Reg Gaard, the warehouse manager, and his foreman, Patrick
Adams), and senior management are allowed into the area unaccompanied by warehouse management.
Patrick closely supervises the team of pickers. Using the picking slip, a picker will take each item from its
inventory location (bin, box or shelf) and place it in a designated section in the picking area. Each item that
is picked will be ticked off in the empty block next to the quantity indicated on the picking slip. If the
correct quantity cannot be picked, the actual quantity picked is entered in the block. The picking slip is
signed by the picker and left with the items that have been placed in the designated section of the picking
area. Patrick will test check the goods picked against the picking slip randomly. (They are checked again at
the packing stage.)

10.3.4.2 Preparing the invoice


• At regular intervals throughout the day, Patrick collects the completed picking slips and delivers them
to Dalene (the accounting supervisor). She calls up the “prepare invoice” module at her terminal locat-
ed in the computer department by entering the picking slip number. The “picking slip” appears on the
screen and Dalene, with reference to the hard-copy picking slip, makes any reductions to the quantity
Chapter 10: Revenue and receipts cycle 10/41

field that may be necessary. Although an inventory availability check is done at the order taking stage,
situations do arise where the theoretical “inventory on hand” quantity in the masterfile is greater than the
actual number of items on hand. This could occur where inventory items have been stolen or placed in
the wrong inventory location.
• Alterations to other fields on the picking slip cannot be made. For example, additional items cannot be
added and any amendment to the quantity field for a quantity that is greater than the quantity field on
the picking slip, will be rejected.
• The result of entering the actual quantity of items picked is that the invoice produced agrees exactly
with the goods that have been picked for despatch. As you would perhaps expect, details of any quanti-
ty reductions entered are automatically written to a report by the computer. The report is used to notify
the customer of the problem and for Reg (the warehouse manager) to investigate before the “stock on
hand” field is corrected in the inventory masterfile. Reg does not have the necessary access privilege to
make the alteration in the inventory masterfile as this would amount to a poor division of duties
between custody and record keeping relating to inventory.
• Access to the “prepare invoice” module is restricted to Dalene, with Rushda Devon as backup. Once
Dalene is satisfied that the “on screen” invoice is in agreement with the hardcopy picking slip, she
selects the confirm option. This immediately updates the debtors masterfile and quantity field on the in-
ventory masterfile and the general ledger accounts. The applicable picking slip on the picking slip file is
coded to indicate that the goods have been picked and invoiced. She then prints the invoice in triplicate.
The picking slip and invoice have the same document number, but the invoice contains the additional
information necessary to record the sale, for example, prices, extensions, value of the sale, VAT, settle-
ment terms, etc.
– Copy 1 is filed numerically in the debtors section with the picking slip.
– Copies 2 and 3 are sent directly to Reg Gaard (warehouse manager).
• Upon receipt of the two invoices, Reg and Patrick supervise the packing of the items in each designated
section of the picking area, into boxes, checking the goods picked to the invoice. Both copies of the
invoice are signed by either Reg or Patrick. One copy of the invoice is placed in the box with the goods,
and the second copy is used as a delivery note (see despatch below).

10.3.5 Despatch
ProRide (Pty) Ltd does not make its own deliveries. The company uses a road transport company (Road-
line) that delivers countrywide on a daily basis. Roadline has a small office staffed by two of their employ-
ees situated in ProRide (Pty) Ltd’s despatch area (see diagram in chapter 12). The despatch area is
physically very secure using conventional methods. The boxes for delivery are moved from the picking area
into despatch under the supervision of Reg or Patrick and one of the Roadline employees. Taking the
details off the “delivery note/invoice”, the second Roadline employee generates a sticker and waybill (four
copies). Each box is sealed and the sticker, with the customer and delivery details (including the number of
boxes in the consignment and the relevant invoice number), is stuck onto the box.
The Roadline waybill contains a waybill number, the customer’s name and address, the ProRide (Pty)
Ltd invoice number and the number of boxes to be delivered to that customer. The four copies of the
waybill are used as follows:
• Copy 1: filed in numerical sequence by Roadline with the ProRide (Pty) Ltd invoice/delivery
note.
• Copy 2: filed in numerical sequence by ProRide (Pty) Ltd. Before the boxes for delivery are
finally released to Roadline, Reg or Patrick checks the details on the waybill to the
sticker on the box in the presence of the Roadline employee. Both sign the waybill as
evidence of this check.
• Copy 3 and 4: go to the customer who signs them to acknowledge receipt of the delivery and returns
one to Roadline as proof of delivery.

10.4 Receipts – How the system works at ProRide (Pty) Ltd


All of ProRide (Pty) Ltd’s debtors pay by EFT. No debtors pay cash directly to ProRide (Pty) Ltd, but a
number of the general dealers in rural areas still deposit cash directly into the company’s bank account.
10/42 Auditing Notes for South African Students

10.4.1 Recording and entering receipts from debtors


10.4.1.2 Recording direct deposits and electronic transfers into the bank account
• Judith Oldman (credit manager) accesses the company’s bank account via the Internet and downloads a
bank statement every morning. (See chapter 9 for a description of the controls applicable to this proced-
ure).
• The bank statement is passed to Amy Mostert (debtors clerk) who, assisted by other debtors clerks when
necessary, compiles a preprinted “electronic receipts input sheet”.
– All debtors are requested to enter their name and account number as a reference when depositing or
transferring money into ProRide (Pty) Ltd’s bank account and to (preferably) email a remittance
advice advising exactly which invoices are being paid.
– The electronic receipts input sheet is then checked by a second debtors clerk and signed by both
debtors clerks.

10.4.1.3 Entering the receipts onto the system


The intention is to maintain an up-to-date debtors masterfile. As debtors are debited in “real time” when
the invoice is created, it is important that receipts from debtors are also processed as soon as possible. To
achieve this, Amy updates the debtors masterfile on the AS 400 every day. To do so, she does the follow-
ing:
• Accesses the sales application in the normal manner (user ID and password) and selects the “process
receipts” module from the menu that appears on the screen and is tailored to her user profile.
• On keying in a debtors account number (taken from the receipt input sheet), the screen will reveal the
debtor’s account including a list of the unpaid invoice numbers on the account.
• Amy will select the invoice in respect of which the payment has been received and enter the amount
that was paid and is recorded on the electronic receipts input sheet into the designated field.
• If the amount entered does not agree with the amount of the invoice on the system, an on-screen mes-
sage will appear requesting Amy to confirm the amount. If there are differences between the invoice
and the payment received, the detail will be written to a report for subsequent follow up by the debtors
clerks. (Note: Debtors do not always pay exactly the amount owed; the debtor may make a mistake, or
take a discount, etc.)
• Once Amy has entered all the receipts from a specific debtor, she will move to the next debtor.
• If no invoice is listed on the debtor’s account in the masterfile against which the receipt can be matched,
the receipt is not processed to the debtor’s account but is written to a suspense account and subsequent-
ly followed up by Amy.
• When all receipts have been processed, the computer will produce a report showing the total of all
amounts entered, broken down into amounts posted to individual debtor’s accounts and the suspense
account (if any). Amy will agree the total of all amounts entered to the totals on the two receipt input
sheets and resolve any discrepancies.
• The system will also produce a listing of all invoices in respect of which the amount received was not
correct in terms of the amount reflected on the invoice.
• As each receipt is processed, the debtors masterfile and the general ledger accounts are updated.

10.4.1.4 Independent reconciliation


• Every Friday afternoon, Johan Els (the financial manager) extracts a report of daily receipts processed
to the masterfile from the system for the preceding week, and reconciles it to the remittance register, the
receipt input sheets, and the bank statement.
• He also extracts a report of all amounts in the suspense account and a report of all invoices in respect of
which incorrect amounts were received and that have not been resolved. These reports are discussed
with Judith Oldman, the credit manager.
• On the 25th of each month, Amy Mostert produces a debtors statement reflecting the state of the cus-
tomer’s account at that date and emails it to the customer (some statements are posted).
Chapter 10: Revenue and receipts cycle 10/43

10.4.2 Credit notes and adjustments to debtor’s accounts


Controls over the passing of credit notes, for example, for goods returned by a customer, or making adjust-
ments, for example, writing off a bad debt, are strict.
• Every Thursday morning Judith Oldman, the credit manager, and Johan Els, the financial manager,
will meet to discuss and approve credit notes and other adjustments. A schedule will be prepared based
on:
– a list of “customer return notes” (CRNs) prepared by the warehouse department for damaged or
incorrect goods returned by the customer: Copies of the CRNs are attached to the list. The sequence
of the CRNs is tested following on from the previous week’s CRNs and checked for the signature of
the warehouse manager (Reg Gaard)
– the computer-generated report of invoices for which the correct amount was not paid and the details
of the subsequent follow-up thereof. For example, the customer may have taken a discount. If the
discount is valid, a credit note will be passed
– any relevant correspondence from a debtor: For example, a debtor may have been invoiced in error
for goods he never received or ordered (seldom happens), or
– any notification from the company’s attorneys that the amount of a long outstanding debt is not
recoverable.
• Judith and Johan will prepare the schedule of credit notes and adjustments:
– The schedule will include the debtor’s name, account number and the amount of the credit
note/adjustment to be passed, and the total of the credits to be passed and the accounts to be debited.
The credit notes will also be coded to indicate the reason for passing the credit, for example:
Code 1 = incorrect goods supplied
Code 2 = damaged goods returned
Code 3 = special discount.
– Both Judith and Johan will sign and date the schedule.
– The schedule will be passed to Brandon Nel (financial director) who will scrutinise it carefully,
resolve any issues he might have, and sign it to indicate his approval.
• Only Rushda Devon (the data entry clerk) has write access to the “credit note and adjustment module”.
Access is controlled in the normal manner.
• Once Rushda has accessed the individual debtor’s account (by entering the account number), she will
enter the details of the credit note/adjustment, working her way through each credit note/adjustment
on the schedule:
– Normal input controls apply, for example, minimum entry, validation of debtor’s account number,
mandatory fields on the credit note code and account to be debited fields. Credit notes entered auto-
matically update the debtors masterfile and general ledger accounts in real time.
– The computer maintains a total of the credits entered that Rushda compares to the total on the
schedule once the entering process is complete.
• A copy of the credit note is either emailed to the debtor or printed and posted or faxed. A copy of each
credit note is also printed in order to be filed with the schedule and other supporting documentation.
• A day end report, that lists all credit notes and adjustments processed and provides a breakdown of
which accounts were debited, is produced. It is reviewed and approved the following morning by Judith
Oldman, the credit manager.

10.4.3 Monitoring
As we mentioned earlier, the control environment in the company is very strong. Over and above the
involvement of senior management explained above, the control exercised by Brandon Nel is very signifi-
cant. He is able to keep his eye on the system by making use of the up-to-date information that the
JD Edwards system can provide. This information is supplied by accessing the system (read access only!)
or by the scrutiny of various printouts presented to him, some every day, others every Thursday, and others
at month end. The examples given below are not exhaustive but are sufficient to illustrate the point being
made.
10/44 Auditing Notes for South African Students

10.4.3.1 Monitoring order picking and invoicing


• Because the above activities are “real time”, Brandon Nel is able to access the system at any time during
the day and obtain a great deal of information about these functions.
For example:
The number and rand value of orders entered for the day as well as the gross profit margin on those
orders are provided for him on screen. He can also ascertain at any stage how many of the orders
received have been picked and how many have been invoiced. He is also provided with cumulative
sales for the day, month-to-date, year-to-date and gross profit for all these cumulative totals, actual and
budget. If the process looks to be slow, a phone call or visit to the sales department usually resolves the
problem!
• If he wishes, he can call up a list of picking slips that are pending (because the sale pushes the debtor
over their credit limit) for discussion with Judith Oldman.
• He can obtain a breakdown of invoiced sales by category, item code, or by debtor, all provided with
gross profit margins.
• He also extracts a list of all sales made that produced a gross profit margin of less than 25%. These
should only be items that are on “special” or for which there are unique circumstances, for example,
bicycles donated as prizes (these are entered as a normal sale with a selling price equal to cost or less).

10.4.3.2 Debtors
A great deal of information is instantly available about debtors:
• new accounts opened
• debtors who have exceeded their credit limits
• a weekly age analysis
• an analysis of the sales
For example:
An analysis of the sales made to the top 200 customers (debtors). Any amount of detail can be
extracted, for example, total value of sales month-to-date, year-to-date and comparisons to the prior
year. In addition, a breakdown of what items are being purchased by the customer, by description,
quantity, value and gross profit margin can be obtained instantly. Brandon Nel uses this to monitor
trends. If, for example, sales to a particular debtor are falling, he will attempt to establish why – is the
debtor in financial trouble, has he moved his business to another supplier, is he dissatisfied with the
treatment he is receiving from ProRide (Pty) Ltd?
• Brandon Nel also receives a weekly report of credit notes that have been entered, broken down into
categories (by codes).For example, if a large number of “Code 1” credit notes that result from incorrect
goods being supplied have to be passed, an investigation into the picking of goods will result. Similarly,
“Code 2” credit notes that result from damaged goods being returned, may indicate a packing, delivery
or quality problem.

10.4.4 Conclusion
It is as a result of these controls that the revenue and receipts cycle at ProRide (Pty) Ltd produces up-to-
date, valid, accurate and complete information relating to the totals and balances produced by the cycle,
namely, the sales, debtors and inventory.

10.5 Auditing the cycle


10.5.1 Introduction
For the purpose of this chapter and all other “cycle” chapters (chapters 10 to 14), the sections are arranged
as follows: the first step is to get an understanding of the accounting aspects in the cycle. With this, it is
important to understand how fraud that impacts on the auditor’s risk assessment may be committed by
management. These considerations are taken in light of the financial statement assertions relating to the
transactions in the cycle and the related balance. The next part of the audit cycle deals with the identifica-
tion and assessment of risks. Overall responses, “further” and “other” audit procedures are then discussed
within each of the cycles. Finally, the chapter describes using audit software in the auditing cycle.
Chapter 10: Revenue and receipts cycle 10/45

10.5.2 Auditing the revenue and receipts cycle


The revenue phase of the cycle is concerned with making sales of the company’s products, services or
expertise and the receipts phase is concerned with ensuring that the company is paid for supplying the
product, service or expertise. Sales can be made in various ways.
For example:
For cash, on credit, or by instalment, and can also be paid for in different ways, such as cash, credit card,
or electronic transfer.
Therefore, from an audit perspective, the auditor will need to consider a fair number of aspects relating
to the cycle. For example, the auditor needs to have a good understanding of the accounting aspects of the
revenue and receipts cycle, namely, whether the sale has been appropriately recognised in terms of the
relevant accounting standard, whether all cash sales have been recorded and whether the trade receivables
balance in the financial statements is fairly valued.
The audit of this cycle follows the conventional process stipulated in the relevant ISAs. In terms of
ISA 315 (revised), the auditor is required to identify and assess the risk of material misstatement at both
financial statement level and at account balance and transaction level. This means in the context of this
cycle that the auditor will need to evaluate whether there is anything in the assessment of risk at financial
statement level that may filter down into the audit of the cycle and whether there are any specific risks
pertaining to the trade receivables balance in the Annual Financial Statements (AFS), as well as its related
disclosures, or to the recorded sales or receipts (payments) from debtors transactions.
For example:
• At financial statement level, if there is an incentive for the directors to manipulate the financial state-
ments, one of the ways in which they may do so is by understating or overstating profits by manipulat-
ing sales. This can be done in a number of ways, such as by creating fictitious sales to related parties,
manipulating cut-off at year-end, or not recording all cash sales.
• At account balance level, there may be an identified risk that the accounts receivable balance will be
overstated because of an inadequate allowance for bad debts.
• At transaction level, risk assessment procedures may have revealed that the controls over cash sales are
totally inadequate or that sales invoices are raised before the goods ordered by the customer have even
been picked from the warehouse.
Once the cumulative effect of the identified risk has been assessed, the auditor will be in a position to plan
“further” and “other” audit procedures.

10.5.3 Important accounting aspects of the revenue and receipts cycle


IFRS 15 – Revenue from contracts with customers provides guidance on the recognition of revenue. When
auditing a sales transaction, the auditor must confirm that all the following conditions have been met for
the sale to have been correctly recognised. These criteria are particularly important where there is an
assessed risk that sales may be overstated. If the audit client is simply a wholesaler or retailer, there is not
usually much difficulty in determining whether a sale should be recognised, but there are some potential
complications, for example, consignment inventory sent to an agent, pre-invoicing, “lay-by” sales and “on
approval” sales.

10.5.3.1 Sales to customers


A sale should only be recognised if:
• There is an approved contract to perform specific obligations, and the performance obligation is satis-
fied. A contract may be verbal or written. Obligations of the contract are what the seller has promised
the buyer – to build a house, to deliver a large vacuum cleaner, to whiten their teeth, etc. The perform-
ance obligations are satisfied once the seller has performed his promise to the buyer.
• Each party’s rights can be identified per the contract. This is usually straightforward as a party/parties
will be promising to provide a good/service/combination thereof, and a counterparty/counterparties
will be obtaining such a good/service/combination thereof.
• The payment terms of the contract can be identified. Payments exclude amounts collected on behalf of
third parties.
10/46 Auditing Notes for South African Students

• The contract has commercial substance. A company is highly unlike to start providing a service or sell
goods at a loss as that would not have commercial substance. Commercial substance looks at the busi-
ness as a whole. A transaction where perishable goods are sold the day before they would expire, at a
price below their cost, still has commercial substance, as they would not have sold any of these perisha-
ble goods the next day.
• It is probable that the payment will be collected. A company is highly unlikely to sell goods to an entity
from which it knows they cannot recover the money. Recording a fictitious sale would contravene this
requirement.

10.5.3.2 Allowance for doubtful debts


In accordance with IFRS 9 – Financial instruments, the measurement of the receivable recognised when a credit
sale transaction takes place will need to take into account the uncertainty arising from the collectability of the
receivable. An uncollectible amount, or an amount for which recovery is no longer probable, after being
recorded as sales, should be expensed, rather than an adjustment to revenue being made, in other words, an
allowance for bad debts is created rather than reducing the amount of revenue (sales) recorded.
Before moving onto the second part of the audit of the cycle (i.e. the response to assessed risk), it is nec-
essary to remind ourselves of the assertions relating to the transactions in the cycle and the related balance,
that is, the trade receivables (which are often referred to as accounts receivable or trade debtors).

10.5.4 Financial statement assertions and the revenue and receipts cycle
Sales
Occurrence: Sales that have been recorded have occurred (they are not fictitious), and such
sales pertain to the company.
Completeness: All sales that should have been recorded have been recorded, and all related
disclosures that should have been included in the financial statements have been
included.
Accuracy: The amounts of sales and other data relating to recorded sales have been recorded
appropriately and related disclosures have been appropriately measured and
described.
Cut-off: Sales have been recorded in the correct accounting period.
Classification: Sales have been recorded in the proper accounts.
Presentation: Sales are appropriately aggregated or disaggregated and clearly described, and
related disclosures are relevant and understandable in the context of the applic-
able financial reporting framework.

Receipts (from trade receivables)


Occurrence: Receipts that have been recorded have occurred (they are not fictitious), and such
receipts pertain to the company.
Completeness: All receipts that should have been recorded have been recorded.
Accuracy: The amounts of receipts and other data, if applicable, relating to recorded receipts
have been recorded appropriately.
Cut-off: Receipts have been recorded in the correct accounting period.
Classification: Receipts have been recorded in the proper accounts.

Trade and other receivables


Existence: Receivables exist at year-end.
Rights: The company holds the rights to the receivables.
Completeness: All trade and other receivables that should have been recorded have been record-
ed, and all related disclosures that should have been included in the financial
statements, have been included.
Chapter 10: Revenue and receipts cycle 10/47

Accuracy, valuation
and allocation: Trade and other receivables have been included in the financial statements at
appropriate amounts and any resulting valuation or allocation adjustments, for
example, allowance for bad debts have been recorded, and related disclosures
have been appropriately measured and described.
Classification: Trade and other receivables have been recorded in the proper accounts.
Presentation: Trade and other receivables are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable in the
context of the applicable financial reporting framework.

10.5.5 Fraud in the cycle


10.5.5.1 Fraudulent financial reporting
There are a number of ways in which management can manipulate account balances and totals in this cycle:
• Creating fictitious sales (occurrence) and the corresponding fictitious debtor (existence) – this increases profits
and current assets, and improves related ratios.
• Understating sales (completeness) and the corresponding debtors (completeness) – the object here may be to
reduce taxation or present a less favourable picture of the company so as to reduce the “value” of the
company for, say, negotiating a management buyout.
• Understating the bad debt allowance (accuracy, valuation and allocation) – normally part of a trend of
manipulating allowances and provisions to improve profits, assets and related ratios.
• Manipulating the recognition of revenue from sales (occurrence or completeness) – rather than create a “ficti-
tious” sale, the company may indulge in activities such as pre-invoicing (raising a sale at year-end that
is only going to be made or that the company expects will be made in the next financial year, or by re-
cording “lay-by” or “appro sales” as sales). Management may also decide not to record sales that have
actually been made (completeness), depending on their motives.

10.5.5.2 Misappropriation of assets


There are a number of ways in which management or employees can misappropriate assets relating to this
cycle:
• Theft of cash from the cash sales (completeness of sales).
• Theft of cash received from debtors.
• Arranging sales to customers at unauthorised reduced prices – this is like “virtual theft” from a compa-
ny and usually occurs when the perpetrator can gain a direct advantage, for example, he is running his
own business “on the side”, or the sale is to a friend or family member, or a bribe will be paid over by
the person to whom the sale was made.
• Theft of goods at the picking/despatch stage (existence of inventory) – poor controls over this function
may enable warehouse personnel to steal goods by including them in a genuine order, for example,
company A orders 10 items, but 15 are picked and despatched. This will normally require collusion
with someone outside of the company, such as a friend or relative.
• Not paying over VAT on all sales (completeness of liabilities) – this amounts to theft from SARS and is
not restricted to unrecorded sales (where VAT is very unlikely to be paid), but can occur for recorded
sales as well.
• Making invalid adjustments to debtors accounts (completeness of debtors) – the intention here is to
settle a debtor’s account without the debtor actually paying, by passing an invalid credit note or writing
the debt off as bad when it isn’t. This is also normally done where the perpetrator has an interest in the
debtor, for example, a debtor is a friend, family member, or the perpetrator’s own business on the side,
or where a bribe will change hands.
• Despatching goods in the normal manner but never raising an invoice. Having the goods despatched in
the normal manner gets the goods (physically) out of the warehouse without suspicion, and deliberately
not raising the sale makes it theft.
10/48 Auditing Notes for South African Students

10.6 The auditor’s response to assessed risks


10.6.1 The auditor’s toolbox
As discussed in chapter 5, in terms of ISA 500, the auditor has the following types or categories of audit
procedure available to him:
• inspection • re-performance
• observation • analytical procedures
• external confirmation • inquiry
• recalculation

10.6.2 Overall responses to the risk of material misstatement at the financial statement
level
In terms of ISA 315 (revised), the auditor shall identify the risks of material misstatement at the overall
financial statement level and at the assertion level for transactions, account balances and disclosures.
Further, a significant risk is an identified risk that, in the auditor’s judgement, requires special audit con-
sideration. This does not mean that the auditor needs to be familiar with a whole new range of audit pro-
cedures (have additional tools in his toolbox), but it does mean that he will look closely at the nature,
timing and extent of the further audit procedures that will be conducted, as well as the skills and experience
of the audit team.
In the context of this cycle, significant risks may include:
• fraudulent financial reporting (understatement or overstatement of sales)
• revenue recognition for complex “sales” transactions, such as long-term contracts
• completeness of cash sales in a cash-orientated business (supermarket), and
• extensive sales to related parties.
In terms of ISA 330, the auditor must implement overall responses to address the risk of material mis-
statement at the financial statement level.
For example:
• assigning more experienced staff to the audit, for example, in response to an assessed risk that manage-
ment may manipulate the financial statements by the inclusion of fictitious sales with related parties
• emphasising to the audit team the need to maintain professional scepticism, for example, to be alert to
the risk of unrecorded sales
• providing more supervision
• carrying out procedures in a different manner to prior audits, for example, carrying out an “early verifi-
cation” positive debtors circularisation for the current audit when only subsequent receipt testing has
been undertaken in the past.

10.6.3 Responding to risks at the assertion level


The auditor’s further audit procedures will be a mix of tests of controls and substantive tests. If the
auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and
extent of substantive tests, he cannot simply assume that the controls have operated effectively; he will
need to design and perform tests of controls. If controls prove to have operated effectively, the nature,
timing and extent of planned substantive procedures may change, for example, less testing (smaller sam-
ples) may be conducted. The opposite will also apply, that is, less effective controls equals more substantive
testing. Bear in mind that the “further audit procedures” will depend on the outcome of the risk assessment
procedures.

10.6.4 “Other” audit procedures


10.6.4.1 Introduction
In terms of ISA 200, the auditor is required to conduct procedures to comply with all ISAs relevant to the
audit, and these procedures are referred to as “other” procedures. An important ISA the auditor must
comply with is ISA 265 that requires that the auditor communicate deficiencies in internal control to those
Chapter 10: Revenue and receipts cycle 10/49

charged with governance. The following paragraphs provide a broad outline of what is required to comply
with this statement:

10.6.4.2 ISA 265 – Communicating deficiencies in internal control to those charged


with governance and management
(a) Objective
The objective of the auditor is to communicate any deficiencies in internal control that the auditor has
identified during the audit and that the auditor believes those charged with governance and management
should give some attention to, to those charged with governance and management.

(b) Deficiencies
A deficiency in internal control exists when:
• a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and
correct, misstatements in the financial statements on a timely basis, or
• a control necessary to prevent, or detect and correct, misstatements in financial statements on a timely
basis is missing.

(c) Significant deficiencies


ISA 265 draws a distinction between deficiencies and significant deficiencies. The reason is that the parties
to whom they are reported will differ:
• The general rule is that all significant deficiencies will be communicated to those charged with governance
and to management.
• However, if communicating directly with management is not appropriate, the auditor should not do so.
This situation will arise where the significant deficiency may “call into question” the competence or in-
tegrity of management.
• Deficiencies that are not significant will be reported to management if, in the auditor’s opinion, the
deficiency is of sufficient importance to merit management’s attention (but not so important that those
charged with governance need to be communicated with).

(d) Determining significance


• A deficiency does not require that a misstatement must have already occurred for it to be significant.
Although a misstatement may have occurred, the auditor is also concerned about the potential for mis-
statement to occur, and alerting those charged with governance will allow the deficiency to be respond-
ed to and potential misstatement prevented.
• A number of deficiencies, that individually would not be significant, may be significant when consid-
ered collectively.
• The following matters, among others, will be considered by the auditor in determining whether a defi-
ciency is significant:
– the likelihood of the deficiency leading to material misstatement
– the susceptibility to loss or fraud to which the deficiency gives rise
– the volume of activity associated with the account balance or class of transaction that is affected by
the deficiency, and
– the importance of the “deficient” control in relation to the financial reporting process, for example,
deficiencies in controls over the prevention of detection and fraud, or the identification of related
party transactions, or year-end journal entry approval may tend towards being significant.
• Indicators of significant deficiencies in internal control include:
– the suspected presence of management fraud
– lack of action or concern by management in responding to deficiencies communicated
– inadequate company risk assessment processes or a failure to respond to risks timeously or at all, and
– detection of misstatements by the auditor – proof that the system is not “working”.
10/50 Auditing Notes for South African Students

(e) Content and form of the communication


• Significant deficiencies should be communicated in writing (not orally).
• Communication with management of non-significant deficiencies may be oral (less formal). For
example, they could be communicated in a meeting with management and should be recorded in the
minutes of the meeting.
• The communication should contain:
– a description of the deficiencies and an explanation of their potential effects
– an explanation that the purpose of the audit was to express an opinion on the financial statements,
and not for the purpose of expressing an opinion on the effectiveness of internal control, and
– that the deficiencies being reported are limited to those identified during the audit that the auditor has
concluded, are of sufficient importance to merit being reported to those charged with governance.

10.7 Audit procedures – Test of controls and substantive procedures


10.7.1 Tests of controls
10.7.1.1 Objective
The auditor tests a control to determine whether it has been effective in achieving the objective for which it was
implemented in the first place.
For example:
In the context of this cycle, one of the objectives of the controls implemented by the company will be to
ensure that a credit sale is only made to a customer who will pay.
To achieve this objective, the controls implemented might include a requirement that a thorough investigation of
the customer’s creditworthiness be carried out before any sales can be made to the customer. This control will
then work in conjunction with other controls that require that all sales orders be approved (signed) by the credit
controller before they are executed. In a computerised system, approval of the sales order could be achieved by a
combination of programme (automated) controls.
For example:
• a sale cannot be initiated on the system unless the customer is an approved customer on the debtors
masterfile (validation/verification check)
• a “hold” (that prevents initiation of the sale) being placed on an approved customer whose account
balance is in excess of the customer’s credit limit, and
• the “hold” can only be lifted if the credit controller exercises the “approve” option, that is granted only
to him by his user profile.
Remember that if a sales order cannot be initiated on the system, there will be no picking slip, so no des-
patch, and that equals no sale!
The auditor is interested in these controls because if they are effective, the trade receivables balance will
contain far fewer debtors who will not pay their accounts. That in turn reduces the risk that trade receiv-
ables will be overstated by the inclusion of debtors who are not going to pay (valuation assertion). From an
audit perspective, the assessed risk of material misstatement will be reduced, and that in turn will affect the
nature, timing and extent of the auditor’s substantive testing. An additional benefit to the auditor is that
these controls will also reduce the risk of fictitious sales being made and included in the trade receivables
balance. To extend the example, the company may also have a control procedure in place that requires an
employee to conduct regular checks that goods that are despatched to a customer are actually raised as a
sale and debited to the customer’s account (i.e. despatch notes have resulted in invoices). In a computerised
system this may again be achieved on the system.
For example:
• the creation of a despatch note may automatically “trigger” the creation of an invoice, and
• automatic updating of the debtors ledger.
The auditor is interested in these controls because if they are effective, there is less risk that sales and
accounts receivable will be “incomplete”. However, the auditor cannot just assume that these controls (man-
ual or computerised) are effective; he will need to conduct tests of controls to satisfy himself that they are
effective.
Chapter 10: Revenue and receipts cycle 10/51

10.7.1.2 Timing of tests of controls


The auditor needs to gain evidence that the controls on which he intends to place reliance were operating
effectively throughout the financial year under audit, so tests of controls may be carried out at different
stages throughout the year during interim visits to the client. (For some large audit clients such as a bank,
testing controls may be an ongoing process.) However, on most audits, to satisfy himself that controls were
operating effectively throughout the year, the auditor will rely on the audit trail created for the transaction.
For example:
The auditor could choose a selection of sales transactions from throughout the year and inspect the sup-
porting documentation to see that it consists of an order from an approved customer, a corresponding
internal sales order, a despatch note and an invoice, all of which tie up with the description of goods,
quantities, dates and document numbers, and which reveal the signatures of employees involved in the
process.
This of course does not prove that the sale was approved before it was made or that checking of prices,
calculations, etc., did actually take place, but, combined with other evidence the auditor will seek, such as
whether the debtor paid the amount reflected on the invoice, strong pervasive evidence that the controls
were functioning at that time will have been gathered. If, however, other evidence reveals that there are des-
patch notes for which there are no invoices, or that there are large numbers of credit notes subsequently
being issued because incorrect goods are being sent to customers, or incorrect prices are being charged, the
auditor gains evidence that the controls (are) were not effective. This is likely to increase the substantive
tests that will need to be carried out.

10.7.1.3 Nature of tests of controls


As pointed out earlier in the section, the auditor uses an assortment of procedures when conducting tests of
controls. Controls in this cycle will vary from company to company and the auditor will need to select a
suitable mix of procedures to achieve his overall objective of determining whether the controls implement-
ed were (are) effective. The following procedures are examples of tests of controls that could be carried out:
Inspection
• A sample of recorded sales could be selected and the supporting internal sales order inspected for a valid
authorising signature. The inspection of a signed picking slip and despatch note signed by the customer
provides some evidence that the sale did actually occur. The best evidence that the sale occurred would
be obtained by inspecting the cash receipts journal/bank statement and customer’s remittance advice
and matching the recorded sale to the corresponding receipt from the customer. Of course the customer
may not have paid, in which case the amount should appear in the debtors masterfile.
• A sample of credit notes issued to customers could be inspected for an authorising signature and the
detail on the supporting documentation, for example, a customer returns note could be inspected and
matched to the credit note.
• The log of masterfile amendments and supporting documentation could be inspected to confirm that
appropriate procedures are carried out in respect of evaluating the creditworthiness of new customers
before credit is extended, and that the limits and terms granted are approved.
• A sample of daily till sales reconciliation schedules (cash reconciled to till rolls) could be inspected and
compared to bank deposit slips to determine whether cash sales are banked timeously and intact.
In a computerised system, the appropriate way of testing programme (automated) controls may be for the
firm’s computer audit division to conduct system-orientated CAATs.
For example, the computer auditor may attempt to process an order:
• using an invalid customer number
• leaving out a customer order reference number
• inserting an invalid product code
• (or process an order) that will result in the customer’s credit limit being exceeded.

Inquiry
• Inquire of the despatch clerk as to what happens if goods are transferred from the warehouse to the
despatch area for delivery without a picking slip.
• Inquire of the invoicing clerk as to what procedures he actually follows to ensure that all despatches/
deliveries of goods result in invoices being made out.
10/52 Auditing Notes for South African Students

• Inquire of the credit manager as to what use he makes of daily reports that are generated on the system,
of credit notes and other adjustments processed against the debtors masterfile.
• Inquire of the financial accountant as to whether and how sales to related parties (e.g. companies within
the same group) are identified.
Note: Questions put to employees should be expressed in a way that requires more than a “yes” or “no”
response. In this way the auditor will learn more about the effectiveness of the control and may be
provided with information he least expected.

Observation
• Observe the despatch clerk counting and checking goods against the picking slip/despatch note before
packing items into boxes for delivery.
• Observe the procedures undertaken at the counter when a cash sale is made, for example, if the sale has
been rung up.
• Observe whether gate control personnel actually check goods leaving the premises (being delivered)
against the delivery note/invoice.
Note: Observation is not a very convincing procedure as the employee is likely to do what he is supposed
to do because he knows that the auditor is watching! Observation would always be matched with other
procedures.
For example:
In addition to observing the despatch clerk counting and checking, the auditor might ask the despatch
clerk how he resolves a situation where the physical goods for despatch do not agree with the picking slip.
With regard to the testing of controls over the accuracy and completeness of processing and recording of
sales transactions and receipts from debtors promptly and in the correct accounts, the auditor takes into
consideration that modern software is very fast, efficient and reliable. It is more likely that, instead of re-
performing numerous calculations and tracing postings through the system, the auditor will concentrate his
tests of controls on the effectiveness of the authorisation/approval of transactions and the effectiveness of
controls over reviewing and reconciling the results of processing, for example, logs, day-end reports, list-
ings, etc. This is perfectly acceptable because if the client is using up-to-date, well-supported reputable
software, the auditor is most likely to assess the risk of material misstatement arising out of inaccurate or
incomplete processing and recording (accuracy and classification, cut-off and completeness) as low.

10.7.2 Substantive procedures


10.7.2.1 Nature of substantive procedures
In auditing the cycle so far, the auditor will have carried out procedures to:
• identify and assess the risk of material misstatement, and
• gather audit evidence about the operating effectiveness of the controls (tests of controls).
The auditor is now required to conduct substantive tests that, as we have seen, are designed to detect
material misstatement at the assertion level. Substantive tests consist of:
• tests of detail of classes of transactions, account balances and disclosures, and
• substantive analytical procedures.
The difference between tests of detail and analytical procedures is that the former consists of auditing the
detail of the transactions, account balance or disclosure whilst the latter provide more general or overall
evidence. The types of procedure (tests of detail) carried out will still be those listed in point 5.3 with the
obvious exception of analytical procedures.
For example, in carrying out a test of detail to determine whether transactions in a sample of sales invoices
have been allocated to the correct accounting period at the financial year-end (cut-off), the auditor would
inspect the description of the goods sold, cross-referencing dates and customer signature on the supporting
documentation (e.g. internal sales order, picking slip) in detail to confirm that the sale was made prior to
year-end. When conducting substantive analytical procedures, the auditor does not consider the detail but
rather the overall picture. He will compare totals of transactions and balances on accounts period to period,
or consider changes in the making up of totals or balances to other periods or industry norms, etc., with the
intention of identifying any strange or unusual fluctuations. For example, as a “completeness of sales” test,
the auditor may compare the total of sales month to month for the current year and to the previous year,
Chapter 10: Revenue and receipts cycle 10/53

and follow up on any strange fluctuations. He may also analyse the accounts receivable balance in terms of
the age of debtors’ (days outstanding) average amount of debt outstanding, and compare the results to the
same ratios and breakdowns for the prior year.
In terms of ISA 330, the auditor must design and perform some substantive procedures for each material
class of transaction, account balance and disclosure, regardless of the assessed risk of material misstate-
ment. In other words, the auditor cannot decide that there is no need to do any substantive testing because
he has assessed the risk of material misstatement for the account heading, class of transactions or disclo-
sures as low, and because his tests of controls provide persuasive evidence that controls had operated
effectively for the period under review. The reasons for this are that:
• risk assessment is judgmental and the auditor may not have identified all risks, and
• internal control has inherent limitations, including management override, for example, a member of
management may simply override the credit manager and write off a bad debt that should not actually
be written off.
However, the auditor does not necessarily have to carry out both tests of detail and analytical procedures. If
assessed risk is judged as low and tests of controls indicate that controls are operating effectively, the
auditor may decide that all that is required to reduce audit risk to an acceptable level is the performance of
analytical procedures. In practice it is more common for the auditor to use a combination of tests of detail
and analytical procedures when conducting substantive tests.

10.7.2.2 Timing of substantive procedures


Most substantive testing takes place at or after year-end. This is logical as these tests are aimed primarily at
gathering evidence about the account balances, transaction totals and disclosures in the financial state-
ments. In practice there is often an audit deadline (a date by which the audit must be completed) that forces
the auditor to carry out substantive (and other) testing at an interim date, say two months prior to year-end.
In the context of this cycle, the auditor may choose to conduct substantive procedures to verify the balance
on the trade receivables account at the ten-month period and then “update” this work for the year-end trade
receivables account by conducting tests on the remaining two months, during the two months and at year-
end. These tests, that will be a mix of tests of controls and substantive tests, are termed “roll forward tests”.
(A reasonably common “early verification procedure” in this cycle is the debtors circularisation.)

10.7.2.3 Extent of substantive procedures


The extent of substantive testing is generally regarded as being a function of (determined by) the assessed
risk of material misstatement and the results of tests of controls. In general, the greater the risk of material
misstatement and the less effective the controls appear to be, the greater the amount of substantive testing.
The extent of testing is usually reflected in the size of samples used for testing.
Overall, the auditor is required to obtain sufficient appropriate evidence to satisfy himself that the audit
risk has been reduced to an acceptable level.

10.7.3 Substantive procedures of transactions in the revenue and receipts cycle


The emphasis of substantive testing of sales for the year will often be combined with the substantive testing
of the trade receivables balance because they are so closely linked. Of course, if the company makes cash
sales, some variations on the procedures conducted will be required. Gathering evidence pertaining to the
assertions relating to sales will be achieved by a combination of tests of controls and substantive testing and
may be obtained by conducting dual purpose tests.

10.7.3.1 Occurrence – Recorded transactions have occurred and they pertain to the company
• To obtain evidence that recorded sales actually occurred, the auditor would need to trace a sample of
recorded sales transactions back to the source and inspect the supporting documentation for the invoice,
to confirm:
– that an order was received from an approved customer
– that a picking slip and despatch note for the goods invoiced, duly signed by the picker and despatcher
(and possibly the customer to acknowledge receipt) exist, and
– that the goods invoiced to the customer were of a type sold by the company.
10/54 Auditing Notes for South African Students

• The auditor should also trace each sale in the sample through to the cash receipts journal/bank state-
ment and customer remittance advice and, by inspection, determine whether a payment of the correct
amount for each invoice was received. (If a payment has not been received, the auditor would trace it
through to the debtors account in the debtors ledger.)
• The results of tests of controls will have a significant effect on the extent of these tests. If, for example,
tests of controls reveal that the sales initiating and approving controls make it virtually impossible to in-
clude a sale that did not actually occur in the accounting records, the auditor’s substantive procedures
as described above will be reduced.
• In certain instances the auditor may need to give specific consideration to whether the performance
obligations per the contract have been met, for example:
– where the goods are supplied to the customer on approval (that means that the customer may return
the goods by a specified date if he does not want them). A sale should not be recognised until the
buyer has “approved the goods” or the specified date has been reached
– where goods have been placed with an agent on consignment, a sale should not be recognised until
the agent has sold the goods, and
– where a buyer purchases goods but requests that the supplier delays delivery, the sale can only be
recognised when the contractual performance obligation has been met. Therefore, whether delivery
was an aspect of the contractual obligation will need to be considered.
• With regard to cash sales, there is usually very little risk that cash sales that have been recorded have
not occurred. There is a far greater risk that cash sales made will not be recorded. This relates to the
completeness assertion. However, to test occurrence, the auditor may choose to select a small sample of
recorded cash sales and trace them to the relevant deposit slip/cash book/bank statement and to the
original cash sale invoice/receipt, till roll or daily cash sales spreadsheet.

10.7.3.2 Accuracy – The amounts of sales have been recorded appropriately


• As pointed out earlier, the combination of modern accounting software and very reliable hardware,
results in transactions that are processed, recorded in and transferred between different accounts, very
accurately. The risk that sales are recorded inappropriately will usually be low. However, the computer
will process the information it is fed in terms of the “instructions” and controls in the programmes, and
despite the low risk relating to the accuracy and classification assertions, the auditor will still need to
conduct tests of controls to determine whether the processing of the transactions and the transfer of
amounts to the various accounts, are appropriate and executed correctly. To do this the auditor could
have a test pack of sales transactions processed through the system. He would then check the results of
processing the test pack against the results that he had pre-determined should have been achieved. An
easier way would be for the auditor to select a random sample of invoices and for each invoice:
– confirm the mathematical accuracy of the invoice by recalculating all extensions, casts, discounts and
VAT calculations
– confirm prices and discounts charged and granted to official price lists or other sources
– confirm that the invoice is a valid tax invoice (e.g. VAT registration number is included), and
– agree the quantity and description of the goods invoiced to the quantity and description of the goods
on the despatch note.
In effect, these tests will be dual purpose tests in that if the results are as expected, they provide evidence
that the controls and procedures are effective and that sales are appropriately recorded.

10.7.3.3 Cut-off – The sales transactions have been accounted for in the correct accounting period
The testing of cut-off of sales is designed to establish whether the sales around the year-end were accounted
for in the correct period, i.e., sales made after year-end have not been recorded as if they had been made
before year-end, or sales that were made before year-end were not recorded until after year-end. The audit-
or should be aware that management may deliberately manipulate cut-off at year-end to overstate sales or
understate sales, depending on their motives. Cut-off can be tested in various ways but will hinge on
obtaining evidence about the dates when the risks and rewards of ownership actually transferred. The
auditor should:
• at year-end obtain the document numbers of the last documents used in the financial year, for example,
sales invoices, and despatch notes
Chapter 10: Revenue and receipts cycle 10/55

• at a later stage he should agree this number to the last entry in the sales journal and sequence test, say,
the last two weeks of invoices before year-end, for any missing invoice numbers (these may represent
sales that have been made but not entered prior to year-end)
• scrutinise the subsequent month’s sales journal for any invoice numbers lower than the cut-off number
(none should be found)
• select, say, the first 20 invoices (or invoices for material amounts) entered in the sales journal for the
month after year-end and trace them to the supporting despatch notes/delivery records and by inspect-
ing dates on the documents, confirm that the goods were not actually delivered prior to the year-end,
and
• select, say, the last 20 despatch notes prior to the year-end cut-off despatch note number and by inspec-
tion of the sales journal, confirm that the corresponding sale was raised prior to year-end.
Note:
– If the company receives an order before year-end but only processes (picks and delivers) and records
it in the following year, there is no “cut-off” issue.
– If the company receives an order before year-end, processes it (picks and delivers it) before year-end
but only records it after year-end, there is a “cut-off” issue.
– If the company receives an order before year-end, records the sale before year-end but only processes
(picks and delivers) it after year-end, there is a “cut-off” issue.
• inspect the cash sales records (e.g. till slips, cash receipts) for, say, the two or three days either side of
the financial year-end and confirm by inspection of the cash sales ledger account and dates on deposit
slips, that the sale and the asset were raised in the correct accounting period.

10.7.3.4 Classification – All sales have been recorded in the proper accounts
• See comments on “accuracy” above.
• The auditor may also choose to
– test transfers of amounts from the monthly sales journals (both cash and credit sales) to the sales and
VAT accounts in the general ledger to confirm that the amounts were posted to the correct account,
and
– inspect the sales account for the inclusion of any amounts that are recorded as revenue, but do not
constitute sales, for example, interest, income, dividend income.

10.7.3.5 Completeness – All sales that should have been recorded, have been recorded
The testing for the completeness of sales is difficult because as explained earlier, the auditor is looking for
sales that are not recorded in the accounting records. (The completeness of cash sales can be particularly
difficult to audit.) When the auditor conducts tests of controls on the sales cycle, he may select a random
sample of despatch notes (or even ISOs) and follow them through to confirm that they gave rise to an
invoice. This is a completeness test but not one that will help to identify sales that were not even initiated.
The substantive procedures that the auditor will conduct for completeness testing will be analytical.
For example:
• analysis of gross profit fluctuations
• comparisons of sales/debtors to prior periods
• analysis of recorded sales by characteristic for comparison to prior periods, for example, by product,
branch, region, month, customer, and
• comparison of sales ratios to prior periods, for example, sales commission to sales, cash sales to credit
sales.

10.7.3.6 Presentation
Inspect the financial statements to confirm that:
• sales are reflected as a single aggregated line item in the statement of comprehensive income
• any disaggregation of sales in the disclosure notes is accurate, relevant and clearly described, for example,
where sales have been broken down (disaggregated) to reflect sales by product, location or division, and
• the accounting policy is clearly expressed and understandable.
10/56 Auditing Notes for South African Students

10.7.4 Substantive procedures on the trade receivables balance


10.7.4.1 Assertion: Rights – the company controls or holds the rights to the trade receivable
• By inspection of:
– prior year work papers
– minutes of directors’ meetings
– loan agreements
– bank confirmations, and
• By enquiry of management, determine whether receivables have been factored, ceded or encumbered in
any way.

10.7.4.2 Assertion: Existence –trade receivables included in the balance actually exist,
they are not fictitious
The two major procedures for existence testing are:
• debtors circularisation by which, with the consent of management, independent confirmation is sought
from the debtor
• the matching of amounts owed at year-end (receivables) to payments from debtors received after year-
end. (This is termed subsequent receipt testing.) The principle is simple; if a debtor is listed as “in
existence” at year-end, and a payment is received after year-end from that debtor, the existence of the
debtor at year-end is confirmed, provided the amount paid subsequent to year-end is in respect of the
amount owed at year-end, and not for sales made after year-end.

(a) Debtors circularisation


• The auditor takes control of all debtors statements (at a particular month-end) immediately after they
have been printed and:
– tests from the statement to the debtors ledger (or debtors schedule/age analysis list) and vice versa to
ensure that a statement has been produced for each debtor and that there is a debtor recorded for
each statement, and
– selects a sample of statements for circularisation.
• Two different types of confirmation may be used by the auditor:
– a positive confirmation requests that the debtor confirms with the auditor whether the balance on the
statement is correct or not, and
– a negative confirmation requests that the debtor confirms with the auditor only if the balance on the
statement is not correct.
• The positive circularisation therefore provides better evidence supporting the existence assertion, for
example, if a negative circularisation letter is not returned it could mean that:
– the debtors balance is correct
– that it went to a fictitious debtor, or
– that the debtors balance is incorrect but in favour of the debtor.
The point is that very little evidence is provided by the negative circularisation.
• For the sample selected, the auditor encloses the following in the envelope with the statement:
– a sticker/letter requesting that the debtor confirm the balance directly with the auditor, and
– a self-addressed envelope (for positive confirmations only).
• The auditor then supervises the mailing of all debtors statements and does the following:
– stamps all envelopes to direct “addressee unknown” statements to the auditor’s address, and
– tests debtors whose addresses are “PO Boxes” to confirm that they are not fictitious, for example, by
looking them up in the telephone/business directories and confirming the address with them tele-
phonically.
Chapter 10: Revenue and receipts cycle 10/57

• The auditor thereafter monitors all replies to the circularisation, following up all disagreements and
“addressee unknowns” (positive and negative circularisation) and “no replies” (positive circularisation
only) so as to collect evidence relating to existence and to a lesser extent valuation:
– disagreements should be followed up by reference to relevant source documentation, discussion with
credit controller, and, if necessary, follow up with the client’s attorneys, and
– “no replies” (positive)and “addressee unknowns” should be followed up by re-circularising the debtors
concerned (after correcting the address if necessary), telephone/fax enquiries, and reference to re-
ceipts after year-end for evidence of subsequent payment of balances that have not been confirmed.
• Errors identified through the circularisation should then be projected over the entire population of
debtors to establish the extent of possible misstatement of the overall debtors balance.

(b) Subsequent receipts testing


• A sample of debtors on the year-end debtors list is selected.
• Payments received after year-end from the selected debtors are identified (cash receipts journal).
• These are then traced to debtor’s remittance advices to identify which invoices the payment is in respect
of.
• These invoices and matching delivery notes are then inspected to confirm that:
– they are dated prior to the year-end, and
– they were included at year-end in the sales journal and debtors ledger.

10.7.4.3 Assertion: accuracy, valuation and allocation (gross amount) trade receivables
are included in the financial statements at appropriate amounts and related disclosures
have been appropriately measured and described
This assertion for trade receivables consists of two parts, namely the “gross” amount and the allowance for
bad debts.

(a) Gross amount


• The debtors control account in the general ledger should be reviewed for unusual entries, for example,
debits arising from journal entries at year-end , and followed up.
• The total on the list of individual debtors should be matched to the debtors control account in the
general ledger and the trial balance:
– amounts included on the list of debtors balances should be traced to the individual debtors accounts
in the debtors ledger.
• If the comparison of the debtors list (per the debtors ledger) to the balance in the debtors control
account reveals that there are reconciling items, the following procedures should be carried out on the
reconciliation:
– casts
– testing of the reconciliation logic
– follow up of reconciling items.
• The debtors list should be reviewed for credit balances and these should be followed up and reversed if
necessary (material).
• Reference should be made to the results of any debtors circularisation and subsequent follow up for
evidence of debtor valuation problems, for example, a debtor claiming that he has been charged twice:
– the debtors list and control account should be cast
– for debtors invoiced in a foreign currency
– obtain the amount of the sale in the foreign currency by reference to the invoice
– obtain, from a financial institution, the exchange rates at transaction date and at the financial year-
end date, and multiply the amount by each of the two rates, and
– where there is a difference, confirm by inspection of the debtors account, that the balance on the
account has been calculated using the financial year-end rate (i.e. the currency fluctuation has been
accounted for).
10/58 Auditing Notes for South African Students

(b) Bad debts allowance


• Enquiry should be made of the method and procedures adopted by management to estimate the allow-
ance for bad debts.
• The authorisation procedure should be established and evaluated, for example, is it authorised by the
credit controller (manager) or the financial director (the more independent of credit control the authoris-
ing person is, the better).
• An assessment of whether the basis of calculating the allowance is reasonable and consistent with the
prior year should be made, for example, whether circumstances that occurred during the year, such as a
change in credit policy, have been taken into consideration.
• All calculations should be re-performed.
• The aging of debtors should be re-performed by selecting a small sample of debtors and tracing the
amounts owed back to the source documents, for example, sales invoices and receipts, to determine
whether they have been allocated to the correct time period in the age analysis.
• All long outstanding debtors and material debtors outside their credit terms should be identified and
discussed with credit management.
• The debtors’ correspondence and legal files should be inspected to identify disputed debtors and debtors
who have been handed over.
• Analytical reviews should be performed:
– comparison of allowance (percentage) to prior year
– comparison of bad debts written off during the year to prior year
– comparison of age analysis to prior year, i.e., whether debt is getting older
– calculation of ratios, and investigation of changes year on year, for example, days outstanding debt-
ors compared to prior year.
• Enquiry of management should be made as to any matters that might affect the allowance, for example,
relaxing of the company’s credit terms during the year, deterioration in the trading conditions of the
business sector of the company’s major customers.
• The actual bad debt write-offs during the year under audit should be compared to the prior year allow-
ance to obtain an indication of the company’s ability to set a reasonable allowance.
• All reports given to management (say, on a monthly basis) about debtors should be reviewed, for exam-
ple, reports on specific debtors who have liquidity problems, lists of debtors written off.
Note (a): Potentially uncollectible debtors should be provided for on a debtor-by-debtor basis, i.e. an
assessment of the recoverability of each debtor should be undertaken. Simply creating an allow-
ance for bad debts by taking a fixed percentage of the gross debtors’ balance is not acceptable un-
less there is very strong historical evidence that the percentage chosen is an accurate reflection.
Obviously it is only those debtors that display worrying characteristics that need to be considered
individually, for example, long outstanding/disputed debtors.
Note (b): When considering a debtor for recoverability, all aspects of the debtor should be considered, for
example, a large chain store may only pay on 90 days, but at the same time the chain store may
be a reliable payer.

10.7.4.4 Assertion: Completeness – all trade receivables that should have been recorded have
beenrecorded and all related disclosures that should have been included have been
included
Completeness of debtors is not normally a major concern for the auditor. However, “cut off” testing to
confirm that sales, and hence debtors, were correctly raised at year-end should be conducted. It is possible
that the company delays invoicing to the new year to “get off to a good start”, particularly if sales targets
for the month prior to year-end, have been achieved. Analytical procedures conducted on the debtors
figures and related accounts also supply evidence of completeness. (See “cut-off” and “completeness”
testing dealt with in para 10.7.3.)

10.7.4.5 Assertion: Classification


By enquiry of management as to policy and scrutiny of debtors age analysis, confirm that only trade and
other receivables that are expected to be paid (received) within the next twelve months are included.
Chapter 10: Revenue and receipts cycle 10/59

10.7.4.6 Assertion: Presentation


• The auditor must inspect the financial statements to confirm that:
– the trade and other receivables appear as a separate line item under current assets on the face of the
statement of financial position, net of impairments
– the disclosure in the notes reflects trade receivables before and after impairment allowances, and any
other required information, for example, any encumbrances on receivables and/or comments on
credit risk.
• By inspection of the AFS and reference to the applicable reporting standard and the audit documenta-
tion, confirm that
– disclosures are consistent with the evidence gathered (amounts, facts, details)
– any disaggregation of the balance reflected in the statement of financial position is relevant and
accurate, for example, short-term loans and other receivables may be included in the aggregated
amount
– the wording of disclosures is clear and understandable, (e.g. explanation of encumbrances), and
– all required disclosures have been included.

10.7.4.7 Assertions: All, general


An overall analytical review of receivables should be performed, for example:
• comparison of receivables to prior year
• receivables in relation to credit sales compared to prior year, and
• number and amount of receivables, by division, branch, product.

10.7.5 Substantive procedures for the audit of bank and cash


10.7.5.1 Introduction
Some companies may have numerous bank accounts.
For example, a company may have:
• a number of branches around the country each of which has its own bank account. All the company’s
bank accounts could be with the same bank (e.g. Absa), or different banks (e.g. Absa, Nedbank and
FNB)
• a main bank account and a number of “clearing” accounts, such as a salaries account, and
• a number of different types of bank account, for example, a current account, call accounts, or a deposit
account.

10.7.5.2 EFTs and the discontinuation of cheques


From 1 January 2021, cheques are no longer an accepted form of payment in South Africa. This, combined
with the fact that EFTs are reflected almost instantaneously in the company’s bank account, has resulted in
the company’s “cash book” balance and the balance “per the bank statement” being closely aligned, partic-
ularly where the company downloads bank statements frequently to update its cash book for EFTs into its
bank account.
For example:
• If the company pays its creditors by EFT, even on the last day of the financial year, the company’s
account at the bank will reflect the payments and the cash book and bank account balance will agree.
• If a debtor pays directly into the company’s bank account by EFT and the company records the receipt
promptly in the cash book (which it should), the cash book and the bank account balances will agree.
• It is however possible that a year-end bank reconciliation could include a number of EFTs as reconcil-
ing items. This will happen where the company prepares the EFTs, enters them in the cash book, but
does not “release” the payments until after the year-end. As the EFT has not been processed by the
bank at year-end, the cash book and bank account balances will not agree.
10/60 Auditing Notes for South African Students

10.7.5.3 Window dressing


Window dressing is the intentional manipulation of the relationship between balances in the current assets
and current liabilities section of the statement of financial position. If done intentionally, the example of
preparing and entering EFT payments but not releasing them for payment would be window dressing.
Consider the following example:
Cash book Creditors Ratio
Balance without window dressing 100 000 50 000 2:1
Prepare EFTs but do not release 25 000 25 000
Balance with window dressing 75 000 25 000 3:1

10.7.5.4 Procedures (bank accounts)


(a) Assertion: rights, existence and completeness
• Obtain a schedule of all bank accounts held by the company at year-end
– Compare the accounts listed on the schedule to the prior year’s schedule and note any changes.
• Obtain a bank confirmation from the bank. Refer to chapter 17 – External confirmations from financial
institutions – SAAPS 6

(b) Assertion: accuracy valuation


• Agree the balances for each bank account on the schedule to the balances in the general ledger and cash
book(s).
• Agree the balances on the reconciliation to the cash book, bank statement and bank confirmation
balances respectively.
• Re-perform the casts on the reconciliation and, at the same time, test the logic of the reconciliation.
• Trace reconciling items through to the cash book prior to year-end, and agree the amounts and dates.
• Trace reconciling items through to the post-year-end bank statement to confirm that they went through
the bank and were not cancelled.
• Where reconciling items are anything other than immaterial, request the client to reverse the items,
particularly if there is any suggestion of window dressing, for example, EFT payments recorded in the
cash book but not actually paid until after year-end.
Note (a): Where the company makes material transfers close to the year-end between its own bank ac-
counts held at different banks and between its own bank account and other related party bank accounts, for
example, a subsidiary’s bank account, the auditor should:
• compile a schedule of all movements between the various accounts
• confirm by reference to source documentation and enquiry, that the transfers are in respect of valid
arm’s-length transactions, and
• that the transactions are properly accounted for in the correct period, in other words, that the payments
and receipts from and into the respective bank accounts are accounted for in the same accounting
period.
Note (b): Because the risks associated with EFT payments can be so high, the auditor may at this stage
decide to select a random sample of EFT payments from the bank statements to confirm the validity of the
bank account details to which the payment was made. Audit work would already have been done on this
when substantive tests on payments were conducted, but the auditor might wish to supplement his “cash at
bank” testing. For this specific test, it is not sufficient to refer solely to payee documentation, for example,
an invoice. With current accounting packages, it is very easy to duplicate the standard invoice produced by
these packages, but not to change the banking details on the invoice. The procedure would be to confirm
the banking details directly with the payee.

10.7.5.5 Procedures (cash on hand)


The majority of companies do not have large amounts of cash on hand at year-end, but some companies
do, for example, a supermarket or hardware store that does a lot of cash trading with the public. At year-
end there may be a fair amount of cash on hand that has not yet been banked and that the auditor might
decide to count. In these types of business, the company will count cash in the tills at the end of the day
and agree the takings to the total kept by the cash register. The takings from each till (adjusted for any
floats) will be entered on a till count reconciliation and subsequently onto a daily spreadsheet of takings.
Chapter 10: Revenue and receipts cycle 10/61

The spreadsheet will be cast and cross-cast, and a deposit slip will be made out. A security company usually
collects the takings for banking. If the auditor decides that the cash on hand should be verified, he should
• be present at the time(s) the cash in the tills is counted:
– he should make sure that he is not left on his own with an open till at any time (could be accused of
theft if there were a shortfall)
• observe the counting of cash closely, ensuring that cash and credit card slips are separately identified
• confirm that the totals of the different types of sales (cash or credit card) counted agree with the totals
recorded on the (independent) till roll total and that any differences are recorded on the till reconcilia-
tion document and that the cashier and the controller (person doing the counting) sign the till roll and
the reconciliation
• ensure by observation that the cash from the first and subsequent tills counted is kept separate and
secure and cannot be included in the cash counted for other tills, and that the tills that have been count-
ed are closed/deactivated
• confirm by inspection that the takings for each till (per the reconciliation) were entered accurately on
the daily spreadsheet and re-perform the casts and extensions
• obtain the spreadsheet for the two trading days prior to the current trading day and confirm that takings
for these days were banked prior to the year-end
• inspect the bank deposit slip for the current day’s takings and agree the totals to the daily spreadsheet
• inspect the bank statement subsequent to the year-end and confirm that the deposit went through the
bank
• a work paper should be created that records the balances and other details, and
• confirm by inspection of the respective ledger accounts that these cash sales/VAT were included at the
year-end.

10.7.5.6 Presentation
The disclosure of bank balances and cash on hand is relatively straightforward:
• The total will be shown on the face of the statement of financial position under current assets (other
than bank overdrafts) under the heading “cash and cash equivalents”.
• This will be supported by a note, that will distinguish between the different categories, for example,
cash on hand, current account balances and call account balances.
• The details of any security, pledge, etc., offered and attached to a bank overdraft will also be disclosed.

10.7.6 The use of audit software (substantive procedures)


If the client’s debtors are computerised, as they usually are, and suitable audit software is available, the
audit of debtors can be significantly enhanced.
(a) The debtors masterfile can be stratified by rand amount, customer profile, etc., and samples selected
for circularisation, and/or aging.
(b) The masterfile can be scanned for “error” conditions:
• duplicated account numbers
• negative balances
• blank fields, for example, no account number, no name.
(c) Debtors balances can be independently totalled for comparison with the client’s debtors listing total,
and totals by monthly break down (aging) can be agreed to the total amount owed.
(d) Lists of debtors, who have a unique characteristic identified on their record, can be extracted, for
example, a code may have been added to the debtors masterfile to indicate the debtor has been handed
over to the lawyers.
(e) A comparison of the masterfile at the current year-end may be compared to the previous year’s master-
file (if available) to identify:
• new accounts (that could be traced to credit applications to assist in substantiating existence of the
debtor)
• major fluctuations in individual account balances
• debtors no longer listed.
10/62 Auditing Notes for South African Students

(f) Lists of debtors who have exceeded their credit limits or terms, or a particular threshold, can be
extracted.

10.7.7 Automated application controls in the revenue and receipts cycle


The auditor can also rely on automated application controls to test the revenue and receipts cycle. Auto-
mated application controls apply to the processing of individual applications. They are “automated” or
“automated with manual procedures” that operate at a business process level. Automated controls are
controls designed to confirm completeness, accuracy and validity of processed transactions with a financial
impact. For more details on automated application controls, please refer to chapter 8.
Depending upon the audit approach adopted (substantive or control based), the approach for automated
application control tests may vary.
For example:
Should the IT general controls environment have limited findings and the control environment be con-
sidered effective, automated controls may be tested.
If the IT general controls environment is considered not effective, the auditor may still rely on automated
controls, but will need to test the access and change management around the automated application control
embedded in the application.
The auditor should report on shortcomings identified in the existing processes as well as weaknesses identified
during the review, with recommendations to improve.
Some automated application controls to consider when testing the revenue and receipts cycle:
(a) Invoice prices vs. masterfile prices
• Perform analytics on the revenue data to determine whether prices charged on the invoices align with
the price on the masterfile. Review significant discrepancies.
(b) VAT
• Confirm that the VAT was correctly configured within the application.
• Determine who has access to the VAT configuration in the application and whether the access is limited
to authorised personnel only.
• Have changes been made to the VAT configured in the application during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one determine whether the calculation is accurate.
(c) Credit notes
• Determine who had the rights to authorise credit notes during the period under review.
• Determine who has access to the credit notes configuration in the application and whether the access is
limited to authorised personnel only.
• Have changes been made to authorisation levels configured in the application during the period under
review?
• Have changes been authorised in the application?
(d) Credit note trend
• Obtain a list of approved credit notes for the period under review and, through analytics, assess whether
there is a trend, namely, who processed the credit notes, whether there are specific clients that have
recurring credit notes, amounts aligned to original invoice, bank details align to customer data, etc.
• Determine whether the client has edit and validation checks in the application when processing a credit
note.
(e) Link to debtors ledger
• Determine whether the client has configured an audit trail to link sales to the debtors ledger.
• Perform a walkthrough of one of to determine whether the transaction reflects accurately.
(f) Link to cash sales
• Determine whether the client has configured an audit trail to link cash sales.
• Perform a walkthrough of one of to determine whether the transaction reflects accurately.
Chapter 10: Revenue and receipts cycle 10/63

(g) Master data


• Determine who has access to the masterfile price list and whether the access is limited to authorised
personnel only.
• Have changes been made to the masterfile in the application during the period under review?
• Have changes been authorised in the application?
• Through analytics, perform a comparison of prices year on year.
• Assess client master data and determine whether all clients have an indicator for payment terms. Either
“IMMEDIATE”/“CASH SALE”/“COD” or “DEBTOR”/“CREDIT SALES”.

(h) Other tests


• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
10/64

APPENDIX 1
A SCHEDULE OF INDIVIDUAL DEBTORS EXTRACTED FROM THE DEBTORS MASTERFILE OF DO-IT (PTY) LTD AT 30 APRIL 2020
Account Account Address and contact Account Credit Credit *Statu
Current 30 days 60 days 60+ days
number holder details balance limit terms Code
Ab01 Able CC 4 Pan Rd, Ptown, etc. (1 000,00) 2 525,01 (3 625,01) 100,00 5 000 30 2
Am06 Amic (Pty) Ltd 63 Nail Drive, Dbn, etc. 6 332,25 3 332,25 800,00 2 200,00 5 000 60
Bo21 Bow (Pty) Ltd 9 Rep Rd, Dbn, etc. 30 046,98 5 870,00 24 176,98 50 000 30 2
Ed07 Edz CC 2 Crox Str, Ptown, etc. 78 842,13 47 909,80 15 617,24 12 234,29 3 079,80 75 000 60
Fi04 Fitt (Pty) Ltd 14 West Street,
Westmead, etc. 1 097,70 1 097,70 c.o.d.
Fy01 Fylta CC 221 Box Rd, Dbn, etc. 430,94 430,94 500 30
Ri06
i06 R Ltd 12 Wrong Rd, Umbilo, 3
etc. 21 090,00 20 040,00 162,01 887,99 20 000 30
Ru02 Rubb CC 42 001,50 35 050,00 6 951,50
Sk13 SK (Pty) Ltd 24 Moon Rd,
Chatsworth 93 009,40 49 808,20 43 201,20 100 000 120
Su06
u06 S Ltd 92 Gate Rd, Hillcrest,
etc. 14 267,00 14 267,00 15 000 30 2
Wi14 Wish CC 41 Golf Rd, Pmb, etc. 114 298,00 14 100.00 100 198,00 100 000 60
Ze09 Zed (Pty) Ltd 21 Penn Rd, Bluff, etc. 3 269,18 3 269,18 4 000 30 1
* Status code 1 Handed to attorneys
2 Current correspondence
3. New account
Auditing Notes for South African Students
APPENDIX 2
PROCEDURES THAT MAY BE CONDUCTED ON THE DEBTORS MASTER FILE OF DO-IT (PTY) LTD USING AUDIT SOFTWARE
Procedure Assertions EXAMPLE/NOTES
1. Stratify population by amount and express as a percentage of the total population. – Amounts : R100 000 and above
: between R75 000 and
R100 000, etc.
2. Scan the entire master file and produce reports of “error conditions”:
2.1 blank fields (selected fields) Existence, valuation Fi04,Ru02
Chapter 10: Revenue and receipts cycle

2.2 duplicate account numbers, account holders, address, etc. Existence –


2.3 negative balances Valuation (gross) Ab01
2.4 credit limit field is exceeded by balance field Valuation (allowance) Am06, Ed07, Fi04, Ri06, Ru02, Wi14
2.5 debtor has exceeded credit terms Valuation (allowance) Ab01, Bo21, Ed07, Ri06, Su06, Ze09
2.6 abnormal credit terms Valuation, existence Sk13, (Fi04)
3.. Selec samples for Samples could be selected from stratification or
3.1 circularisation (and express as a percentage of total amount receivable) Existence, valuation by debtor characteristic, for example age, or on a
3.2 account aging Valuation (allowance) random basis

4. Cast, cross casts Valuation (gross) Acc balance, age columns


5. Scan the entire master file and produce reports of:
5.1 code 1 debtors Valuation (gross and allowance) Ze09
5.2 code 2 debtors Potentially all assertions Su06, Bo21, Ab01
5.3 code 3 debtors Existence Ri06
6. Conduct analytical review procedures
comparison of current year master file with prior year, for example
• age columns as a percentage of total amount receivable Valuation (allowance) Is debt is getting older?
• major fluctuations in individual account balances Valuation, existence Auditor must establish reasons
• new accounts Existence Ri06
10/65
CHAPTER

11
Acquisitions and payments cycle

CONTENTS
Page
11.1 The accounting system and control activities ................................................................... 11/3
11.1.1 Introduction ....................................................................................................... 11/3
11.1.2 Objective of this section of the chapter ................................................................ 11/3
11.1.3 Characteristics of the cycle ................................................................................. 11/3
11.1.4 Basic functions for any acquisitions and payments cycle ...................................... 11/3
11.1.5 Documents used in the cycle .............................................................................. 11/4
11.1.6 Narrative description of a manual acquisitions and payments cycle
by function ........................................................................................................ 11/5
11.1.7 Flow charts for a manual acquisitions and payments cycle .................................. 11/7
11.1.8 Computerisation of the acquisitions and payments cycle ..................................... 11/13
11.1.9 The role of the other components of internal control in the acquisitions
and payments cycle ............................................................................................ 11/25

11.2 Narrative description of the acquisitions and payments cycle at ProRide (Pty) Ltd ........... 11/26
11.2.1 Introduction ...................................................................................................... 11/26
11.2.2 Suppliers ........................................................................................................... 11/26
11.2.3 Purchases .......................................................................................................... 11/26
11.2.4 Frequency of orders ........................................................................................... 11/27
11.2.5 Computerisation ................................................................................................ 11/27

11.3 Acquisitions – How the system works at ProRide (Pty) Ltd ............................................... 11/27
11.3.1 Initiating orders ................................................................................................. 11/27
11.3.2 Purchases from local suppliers ............................................................................ 11/27
11.3.3 Purchases from foreign suppliers ........................................................................ 11/28
11.3.4 Receiving the goods ........................................................................................... 11/31
11.3.5 Costing the inventory ......................................................................................... 11/32
11.3.6 Recording the cost of the goods received in the inventory masterfile .................... 11/32
11.3.7 Payment of creditors – Local suppliers ................................................................ 11/33
11.3.8 Payment of creditors – Foreign suppliers............................................................. 11/34
11.3.9 Updating the general ledger on the AS 400 system .............................................. 11/34

11.4 Auditing the cycle ............................................................................................................ 11/34


11.4.1 Introduction ...................................................................................................... 11/34
11.4.2 Financial statement assertions and the acquisitions and payments cycle ............... 11/35
11.4.3 Fraud in the cycle .............................................................................................. 11/36

11/1
11/2 Auditing Notes for South African Students

Page
11.5 The auditor’s response to assessed risks ............................................................................... 11/37
11.5.1 The auditor’s toolbox ......................................................................................... 11/37
11.5.2 Overall responses to risks of material misstatement at financial statement level .... 11/37
11.5.3 Responding to risks at assertion level .................................................................. 11/38
11.5.4 “Other” audit procedures ................................................................................... 11/38

11.6 Audit Procedures – Test of controls and substantive procedures ........................................ 11/38
11.6.1 Tests of controls ................................................................................................. 11/38
11.6.2 Substantive procedures....................................................................................... 11/40
11.6.3 Substantive procedures of transactions in this acquisitions and payments cycle..... 11/41
11.6.4 Substantive procedures on the trade and other payables balance .......................... 11/43
11.6.5 The use of audit software (substantive procedures) .............................................. 11/46
11.6.6 Automated application controls in acquisitions and payments cycle ..................... 11/47
Chapter 11: Acquisitions and payments cycle 11/3

11.1 The accounting system and control activities


11.1.1 Introduction
The acquisitions and payment cycle is closely aligned to the revenue and receipts cycle as covered in
chapter 10. The acquisitions and payment cycle deals with two major activities that are linked but also
quite distinct, namely:
• the ordering and receiving of goods (or services) from suppliers, and
• the payment of amounts due for the goods ordered and received.
The acquisition phase of the cycle attempts to ensure that the company orders and receives only those
goods that it requires and that the goods are of a suitable quality and price. The second phase of the cycle
attempts to ensure that only goods that have been validly ordered and received, are paid for and that
payment is authorised, accurate and timeous. The cycle is also referred to as the purchases and payments
cycle.
This chapter deals initially with the accounting system (that is part of the information system) and the
control activities that are put in place to achieve the above objectives.
The latter part of the chapter deals with the audit of the cycle.

11.1.2 Objective of this section of the chapter


Our objective in this section of the chapter is to illustrate how an acquisitions and payments cycle might
work. In practice, acquisitions and payment systems will vary considerably, depending on the products the
company sells or manufactures, its size, whether or not it imports goods, the software used by the
company, and a number of other factors, but all systems must adhere to the basic principles. Our approach
is to get these basic principles across to you by dealing with an easily understandable manual system, and
then describing how computerisation can be introduced into the system. Computerisation does not change
what is required of the system, but it does change how it is achieved.

11.1.3 Characteristics of the cycle


11.1.3.1 Importance of the cycle
Goods and services are acquired by a business for resale or for manufacture of a product, so the
consequences of a poor acquisitions cycle will have a very negative effect on the business. If the correct
products are not available, sales will be lost and production may be halted. It will not be long before the
company gets a reputation for being unreliable and customers will go elsewhere. Purchasing goods that do
not sell or cannot be used because of demand or quality issues will also result in losses. It is important
therefore, that the correct goods of the required quality and price are acquired and that they are received
timeously.

11.1.3.2 Susceptibility to fraud


• The cycle includes procedures that facilitate the payment of creditors, meaning that there will be the
necessary mechanisms to facilitate an outflow of funds from the business. Stealing from the company
through the official payment system may be considerably easier than say, stealing inventory or creating
fictitious workers to steal wages. For example, if creditors are paid by electronic funds transfer (EFT)
and controls are not extremely tight, theft from the company’s bank account in the form of a payment
to a fictitious creditor can be effected very quickly and efficiently.
• The cycle is also fertile ground for corruption. Suppliers may offer the company’s directors or buying
department employees, bribes or other illegal inducements to purchase their products. Senior personnel
may engage in tender fraud, for example, awarding tenders that are significantly inflated to suppliers,
and sharing the “extra” profits made by the supplier in their personal capacities.

11.1.4 Basic functions for any acquisitions and payments cycle


11.1.4.1 Ordering of goods
There must be a section or department that initiates the placing of orders for goods or services with
suppliers. Requests for orders to be placed will come from other departments, for example, the warehouse
(stores) department, the accounting department (stationery, etc.).
11/4 Auditing Notes for South African Students

11.1.4.2 Receiving of goods


This function will be responsible for receiving goods ordered from suppliers and acknowledging the
company’s acceptance of the goods.

11.1.4.3 Recording of purchases (acquisitions)


The purpose of this function is to raise the purchase and the corresponding liability (creditor) in the
accounting records.

11.1.4.4 Payment preparation


This function will be responsible for determining the amount to be paid to the creditor, confirming that the
payment is valid and preparing any documentation required for the payment to be authorised and initiated.

11.1.4.5 Actual payment and recording of the payment


• This function will be responsible for preparing the means of payment, for example, electronic funds
transfer, authorising it and carrying out the payment timeously.
• The function will also be responsible for recording the payment in the accounting records.

11.1.5 Documents used in the cycle


This section outlines the commonly used documents used in the cycle. This is not an exhaustive list, but it
highlights the conventional documents that may be found in the revenue acquisitions and receipts
payments cycle.
11.1.5.1 Requisition
This document is used to convey to the buying department that goods are required. The requisition can be
initiated in any department but will mainly come from the warehouse department. How the warehouse
department determines when goods are required varies, but the most common ways are:
• The use of reorder levels and quantities. Each inventory item is assigned a reorder level and a reorder
quantity and as soon as the reorder level is reached, a requisition for the reorder quantity is prepared by
the warehouse department. This presupposes that some kind of perpetual inventory recording system is
maintained. Alternatively, warehouse personnel could perform regular counts of physical inventory and
compare quantities on hand to reorder levels. This is not, however, very efficient! Using reorder levels
and quantities will be far easier in computerised perpetual inventory systems where the computer can be
programmed to print a daily report of inventory items that have reached their reorder level.
• The use of production schedules that indicate when particular inventory items are required.
• By particular request (preferably written), from a manufacturing or other department.

11.1.5.2 Purchase order forms


Purchase order forms that are completed by the buying department record the detail and price of the goods
to be purchased and are addressed to the supplier. They should be signed by the chief buyer.

11.1.5.3 Suppliers’ delivery note


This document is made out by the supplier and details the goods that are being supplied. It will be cross-
referenced to the purchasing company’s order form, and on delivery of the goods, will be signed by the
purchasing company to acknowledge the receipt of the goods.

11.1.5.4 Goods received note


This document is completed by the purchasing company when the goods are delivered by the supplier. It
records the actual goods received and will be cross-referenced to the supplier’s delivery note.

11.1.5.5 Purchase invoice


This document is sent by the supplier to the purchasing company to inform them of the goods for which it
is being charged, the price, any discounts and VAT.
Chapter 11: Acquisitions and payments cycle 11/5

11.1.5.6 Credit note


This is a supplier document that records any credits to the purchasing company’s account other than a
payment (i.e. when incorrect, damaged or unwanted goods are returned by the purchasing company).
Returned goods should be accompanied by a returned goods voucher.

11.1.5.7 Creditors statements


Produced by the supplier on a monthly basis, this document summarises the transactions between the
supplier and purchasing company for the month, in terms of the supplier’s records.

11.1.5.9 Remittance advice


A document sent by the purchasing company to the supplier that contains a breakdown of the invoices that
are being paid by the accompanying bank transfer.

11.1.5.10 Receipt
A document provided by the supplier to acknowledge that a payment of Rx has been received.

11.1.5.11 Logs, variance reports, etc.


In a computerised system, the computer can be programmed to compile logs, variance reports, lists, etc. A
log is simply a record of an activity that has taken place on the computer. For example, if a masterfile
amendment is made, the computer will automatically “store” the activity, who did it, when and where it
was done and the nature of the amendment.
In addition to the above documents, use is made of a purchase journal, creditors ledger, the general ledger, and
a purchases returns and allowances journal to record credit notes and any other adjustments.
In a computerised system, terminology is slightly different. For example, a goods received note may be
referred to as a receiving report, and the creditors ledger will be referred to as the supplier or creditors
masterfile.

11.1.6 Narrative description of a manual acquisitions and payments cycle by function


This section outlines the description of a manual acquisitions and payments cycle by function, with
examples. We suggest you read this section (i.e. para 11.1.6) in conjunction with the flow charts in
section 11.1.7 and the schedules on pages 11/10 to 11/13.

11.1.6.1 Ordering
The purpose of this function is to place approved orders with suppliers to obtain goods (and services) that
the company requires. The majority of goods ordered will be either inventory for resale or raw materials for
manufacture. However, other departments such as maintenance, accounting, sales and security, also
require items on a regular basis and these should also be ordered through the company’s purchasing
system. The ordering function is essentially responsible for obtaining the correct type and quantity of goods
at the best price and desired quality. Many companies have what are termed “approved suppliers” from
whom goods are purchased. Before being placed on the approved supplier list, the supplier will be
thoroughly investigated for reliability of delivery, quality and price. Company buyers also build up relation-
ships with particular suppliers who become “informally” approved suppliers over time.
Besides the obvious problems that arise out of inaccurate or late ordering, management needs to be
aware of the risk of buyers deliberately placing orders that are not at the best price and quality from the
company’s perspective, so as to earn “kickbacks” or “commissions” for themselves, at the expense of the
company. Buyers may also place orders at inflated prices with their own businesses, or those of a family
member or friend, again at the expense of their employer.
• In a manual system, hard copy requisitions from departments requiring goods of some kind will be
delivered to the buying department.
• The buying clerk will manually complete a multicopy preprinted, sequenced purchase order after
checking with the supplier as to availability and price of the goods to be purchased, and referring to
supplier catalogues for descriptions and codes.
• The buying clerk may refer to a hard copy list of approved suppliers or may choose a supplier himself.
• A chief buyer may scrutinise all purchase orders and approve them by signing the document.
• The order will often be placed by phone, and a hard copy sent as confirmation by fax or post.
11/6 Auditing Notes for South African Students

11.1.6.2 Receiving
• The role of the receiving function is to accept goods from suppliers and acknowledge receipt thereof.
Only goods for which valid purchase orders have been placed should be accepted. In the real world, the
receiving function often proves to be the weakest link. The usual way of perpetrating fraud in this area is
for the supplier’s delivery personnel to deliver only, say, half of the truckload, but for the receiving clerk
to sign for a full truckload. The goods that remain on the truck are then driven off the premises and sold
cheaply for cash, before the supplier’s driver returns to the supplier’s depot. The receiving clerk and
supplier’s driver share the proceeds from the sale of the stolen goods. Obviously this requires collusion
between the supplier’s delivery personnel and the company’s receiving and warehouse personnel, and
perhaps highlights collusion as the major limitation of internal control.
• A copy of all purchase orders will be sent to the receiving bay and filed in numerical sequence.
• On arrival of the goods from the supplier, the receiving clerk will match the purchase order reference on
the supplier’s delivery note to the purchase order to determine the goods to be received.
• The receiving clerk should count the goods received against the delivery note and purchase order and
should perform at least a superficial check of the quality of the goods. It is usually not practical to
quality check the contents of boxes, but obviously damaged or wet boxes should be rejected. Any
deliveries that are incorrect or rejected will be clearly marked on both copies of the supplier’s delivery
note and the amendment signed by the supplier’s employee and the receiving clerk.
• The receiving clerk will make out a sequenced goods received note for the goods actually received, cross
referencing it to the purchase order and delivery note.
• The goods will then be transferred from the receiving bay that should be a physically separate section of
the warehouse, to the inventory department, which is responsible for the custody of the inventory.

11.1.6.3 Recording of purchases and creditors


• The purpose of this function is to record the purchases made and the corresponding creditor for all
purchases, accurately and timeously.
• The purchases will be entered in the purchase journal and allocated to the correct account to be posted
to the general ledger and creditors ledger.
• Before being entered, the invoice sent by the supplier should be:
– matched to the purchase order, supplier delivery note and goods received note, and inspected for
signatures of employees who perform a control procedure, for example, the chief buyer
– checked against supplier price lists or prices quoted on the purchase order, and
– checked for accuracy of casts, extensions, discounts and VAT.
• All of the above will be performed manually on hard copy documentation. A copy of each of the
documents used, for example, customer order, will have been sent from the originating function/section
and filed in a temporary file awaiting the arrival of the invoice from the supplier.

11.1.6.4 Payment preparation


This is an extremely important function because if it is not controlled properly, invalid payments can be
made. All supporting documentation, namely order, delivery note, goods received note and invoice, should
have been matched as above and will now be reconciled to the creditors statement and the creditors
account in the company’s creditors ledger by employees in the creditor’s section. Creditors are normally
paid once a month and not as individual invoices arrive (although payments may be made on the strength
of valid invoices before any reconciliation to the creditor’s statement is carried out).
• Normally a creditor’s statement will be sent by the supplier towards the end of the month. The
statement will reflect the balance owed to the supplier at the start of the month, all invoices issued and
all payments received as well as any adjusting entries, for example, credit notes passed by the supplier
for goods returned, and the balance owing at the end of the month. This balance owing will be broken
down into the periods for which it has been outstanding, for example, current, 30 days, 60 days.
• The creditors statement will be reconciled with the supporting documentation and the creditors account
in the company’s creditors ledger.
• A schedule of “payments to creditors” will be prepared and remittance advices made out.
Note: It is, of course, possible that payments could actually be made by EFT in an otherwise manual
system.
Chapter 11: Acquisitions and payments cycle 11/7

11.1.6.5 Actual payment and recording of payment


• This function should be solely responsible for actually making the payments to creditors. The function
will also be responsible for recording the payment. Note that those responsible for approving and
releasing electronic payments will be independent of the payment preparation procedures.

11.1.7 Flowcharts for a manual acquisitions and payments cycle


A simple flowchart supported by a series of control activity charts is provided to give you a solid
understanding of how a manual system works. As with the other systems, we have assumed that the
company has sufficient staff to achieve a clear division between the different functions.

Something to consider . . .
These are areas that students struggle with quite often. Are you
able to draw up your own flow diagrams to assist in your
foundational knowledge of the acquisition and payments cycle?
Use these sections as a basis to add on more information that is
needed later.
11/8 Auditing Notes for South African Students
Chapter 11: Acquisitions and payments cycle 11/9
11/10 Auditing Notes for South African Students

The series of tables that follows expands on the functions, risks and control activities in the acquisitions
and payments cycle. For each function, the documents that may be used are identified. Further, the
business risks that may exist in each function are described.

Ordering of goods (and services)


Function Documents records Business Risks
The purpose of this function is to initiate Requisition • Ordering of incorrect or unnecessary
orders so that items/services required to main- Purchase order form goods, resulting in liquidity problems and
tain optimum conditions within the organ- wastage.
isation, are always available, for example, • Ordering unauthorised goods resulting in
manufacturing does not run out of raw mater- losses to the company through fraud.
ials or parts, or a retailer does not run out of • Requisitions not acted upon or orders not
goods to sell. placed timeously or at all.
The function is also responsible for placing • Obtaining inferior quality goods, resulting
official orders with suppliers having estab- in reputational damage to the company.
lished that delivery, quality, quantity and price
• Paying unnecessarily high prices for goods.
requirements have been satisfied.
• Orders placed with suppliers not filled/not
timeously filled.
• Order forms misused, for example, for
placing orders for private purchases.

Control activities including brief explanatory comments


1. Order clerks should not place an order without receiving an authorised requisition:
• the order should be cross referenced to the requisition, and
• prior to the requisition being made out, inventory/production personnel should confirm that the goods are
really needed especially where preset reorder levels and reorder quantities are used as the basis for the
requisition.
2. Before the order is placed, a supervisor/senior buyer should:
• check the order to the requisition for accuracy and authority, and
• review the order for suitability of supplier, reasonableness of price and quantity, and nature of goods being
ordered (are they items used or sold by the company).
3. The company should preferably have an approved supplier list to which the buyer should refer when ordering:
• if the company does not have approved suppliers the buyer should seek quotes etc. from a number of suppliers
before placing the order, and
• even when ordering from an approved supplier, the buyer should contact the supplier to confirm availability
and delivery dates.
Note: Before a supplier is approved, senior personnel should carefully evaluate the company in respect of their
reliability and the quality and price of its goods.
4. The ordering department should file requisitions sequentially by department (each department will have its own
book of requisition forms) and should frequently review the files for requisitions that have not been cross-
referenced to an order.
5. A copy of the order should be filed sequentially and the file should be sequenced, checked and frequently cross-
referenced to goods received notes, to confirm that goods ordered have been received. Alternatively, the pending
file of purchase order forms in the receiving bay can be reviewed for orders that are long outstanding.
6. Blank order forms should be subject to sound stationery control.
Note: Whenever a control procedure is carried out, the employee responsible for the control should sign the relevant
document record.

Something to consider . . .
For each of the control activities above, identify which control
objectives these activities are trying to achieve? Is it validity,
accuracy or completeness?
Perform the same exercise for each of the control activities
described in the series of tables that follow.
Chapter 11: Acquisitions and payments cycle 11/11

Receiving of goods
Function Documents records Risks
The purpose of this function is to accept and Supplier delivery • Acceptance of:
acknowledge deliveries of valid orders from note (DN) – short deliveries as full deliveries
suppliers and to record the delivery (goods Goods Received – damaged and broken items
received note). Note (GRN) – items not ordered, and
Prior to acceptance, physical checks on quan-
– goods not of the required type or
tity, quality and description of goods should be
quality.
carried out.
• Goods received notes not made out accu-
rately or completely.
• No goods received note made out.
• Theft by employees or outside parties, for
example, collusion with supplier delivery
personnel.

Control activities including brief explanatory comments


1. The responsibility for receiving goods should be designated to a goods receiving section that should be physically
secured and access controlled.
2. On arrival of the delivery vehicle, goods should be offloaded in the presence of a goods receiving clerk who
should:
2.1 obtain the supplier delivery note from the delivery personnel and by referring to the order number thereon,
locate the purchase order (that should have been filed numerically)
2.2 check the quantity and description of goods delivered against the purchase order and the customer delivery
note
2.3 perform at least a superficial test of the condition of the goods delivered, for example, broken or wet boxes
2.4 reject all incorrect deliveries and clearly identify rejections on both copies of the delivery note and purchase
order
2.5 accept goods short delivered but identify such goods clearly on the delivery notes and purchase order (the
quantity actually accepted must be clearly identified)
2.6 include only those goods that have been accepted on the goods received note
2.7 ensure that the supplier’s personnel sign both copies of the delivery note including all amendments, for
example, identification of short deliveries, and
2.8 sign the supplier delivery note.
3. On transfer of the goods to the warehouse (custody), the warehouse clerk should compare the physical goods to
the goods received note and acknowledge receipt by signing the GRN. Any discrepancies should be reported to
the warehouse controller immediately.
Note: Because collusion in this cycle is a major problem for many companies, isolation of responsibilities, sound
personnel practices and independent physical controls should be implemented by all companies in the supply
chain, for example, surveillance cameras, tracing devices on supplier vehicles, should be implemented.
Note: Whenever a control procedure is carried out, the employee responsible for the control should sign the relevant
document record.
11/12 Auditing Notes for South African Students

Recording of purchases
Function Documents records Risks
The purpose of this function is to raise the Purchase invoice (PI) • The recording of incorrect amounts arising
purchase and the corresponding liability in Credit note CN) from incorrect purchase invoices:
the accounting records. Creditors statements – quantity, quality and type not as
The recording of all purchases and trade Purchases journal ordered or received
liabilities should be carried out by the – prices of goods not as quoted
Purchases returns and
(creditors) recording function so that controls – calculation errors, for example, casts,
allowances journal
are not bypassed, for example, by the raising extensions, VAT.
of liabilities through the general journal by Creditors ledger
General ledger • The raising of fictitious purchases/cred-
other departments.
itors by the introduction of invoices that
are for goods never ordered or received by
the company (results in invalid flows of
cash leaving the company).
• Delays, misallocation and posting errors
when entering details into accounting
records resulting in reconciliation prob-
lems and failure to make use of favourable
settlement terms.

Control activities including brief explanatory comments


1. The purchase invoices received from the supplier should be:
1.1 matched to the corresponding goods received note, delivery note and purchase order for:
• quantity and description of goods
• correct prices and discounts (from order or supplier price lists)
1.2 reviewed to confirm that the amounts on the invoice have been allocated to the correct account, for
example, inventory, consumables, stationery.
2. When a requisition is made out to initiate an order, the account to which the purchase must be allocated in the
purchase journal should be selected from the “official list of accounts” and entered onto the requisition and then
transferred to the order. (If this is not done, the clerk responsible for the allocation of the purchase will not know
which account to allocate it to.)
3. All casts, extensions and calculations on the invoice should be re-performed.
4. A specific employee should be designated the responsibility of ensuring, by scrutiny of dates of goods received
notes and invoices in the pending file, that purchases are timeously and accurately recorded in the purchase
journal and correctly posted to the creditors ledger.
5. As the rendering of services by a supplier does not usually result in a GRN, the supplier invoice will normally be
signed by the head of the section/department to which the service was rendered, as proof and approval of the
service rendered.
Note: Whenever a control procedure is carried out, the employee responsible for the control should sign the relevant
document record.
Chapter 11: Acquisitions and payments cycle 11/13

Payment preparation (requisitioning)


Function Documents records Risks
The role of this function is to ensure that only Remittance advice • Payment to fictitious creditors.
valid creditors are paid and that they are paid (RA) • Payment of incorrect amounts.
the correct amount, on time. • Unauthorised payments.
• Discounts lost due to late payment.

Control activities including brief explanatory comments


1. The monthly creditors statement sent by the supplier should be reconciled to the supporting documentation, for
example, invoices, payments, etc., and the creditors clerk should ensure that the invoices were subjected to
accuracy controls before being recorded.
2. The individual creditor’s accounts in the creditors ledger should be reconciled with the monthly creditors’
statements sent by the suppliers.
3. A creditors clerk should identify those creditors who must be paid at month end to comply with the suppliers’
credit terms and to ensure that discounts available for early settlement, are deducted.
Note: Whenever a control procedure is carried out, the employee responsible for the control should sign the relevant
document record.

Note: As previously mentioned, the preferred method of paying creditors is payment by EFT. Paying by EFT does not mean
that the controls that must be in place before and after a payment is made, for example, scrutiny of supporting
documentation, two individuals to authorise payments and reconciliations and review of cash journals and bank
statements subsequent to payment, can be ignored; they will be implemented but in another form (this is explained
later in the chapter).

11.1.8 Computerisation of the acquisitions and payments cycle


Before we deal with the computerisation of this cycle, it will be useful for you to remind yourself of the
following points. You can also refer to chapter 8 for a more comprehensive discussion on these points.

11.1.8.1 Access
Many businesses will run their accounting systems on a local area network (LAN). Simplistically speaking,
this means that there will be a number of terminals, usually from different departments, “linked” together
and sharing resources. So access to both the network and individual applications must be carefully
controlled:
• access to the network should only be possible through authorised terminals, and
• only employees who work in the various functions of the cycle need access to the acquisitions and
payments application and only to those modules or functions of the application necessary for them to
do their jobs (least privilege/need to know basis). Certain managers will have extensive read only access
for supervisory and review purposes.
Various techniques are used to control access, for example, the user:
• must identify himself to the system with a valid user ID
• must authenticate himself to the system with a valid password, and
• will only be given access to those program and data files that he is authorised to have access to in terms
of his user profile.
Once the user is on the system, access is usually controlled by what appears or does not appear on the
user’s screen.
For example:
Only the modules of the application the user has access to will appear on the screen, or alternatively, all
the modules will be listed, but the ones the user has access to will be highlighted in some way, such as a
different colour.
If the user selects a module that he does not have access to (this is determined by his user profile),
nothing will happen and/or a message will appear on the screen that says something like “access denied”.
In another similar method of controlling access, the screen will not give the user the option to carry out a
particular action.
11/14 Auditing Notes for South African Students

For example:
Certain purchase orders awaiting approval from the chief buyer are listed on a pending file. Although
other users may have access to this file for information purposes, when they access the file their screens will
either not show an “approve option”, or the “approve option” will be shaded and will not react if the user
“clicks” on it. Only the chief buyer’s screen will have an approve option that can be activated.
Remember that access controls are a very effective way of achieving sound segregation of duties and
isolation of responsibilities.

11.1.8.2 Menus
Current software is all menu-driven and generally easy to use. Menus can be tailored to the specific needs
of a user (based on the user profile) and “items” can be selected by a simple “click of the mouse”. Menus
facilitate access control and segregation of duties.

11.1.8.3 Integration
The extent to which the accounting system is integrated will vary, but most systems these days are
integrated in the sense that a transaction entered onto the system will instantly update all the records it
affects.
For example,
The processing of a payment to a supplier will simultaneously update the cash records and creditors
masterfile. This significantly improves the accuracy of the records but makes the control over input
extremely important.

11.1.8.4 Screen aids and automated application checks


These control techniques that are obviously only available in computerised systems, help ensure that
transactions processed actually occurred, were authorised and are accurately and completely recorded and
processed. The extent to which these are incorporated into acquisitions and payments applications will
vary, depending on the quality and cost of the software. These controls are essentially preventive at the
input stage and detective thereafter.

11.1.8.5 Logs and reports


A computer can be programmed to produce any number of logs and reports. These can be used as detective
controls or for monitoring performance.
For example:
In the acquisitions and payments cycle, a log of all creditors masterfile amendments should be produced
by the computer. This log will be a listing of all amendments that were made, what the amendment was
(e.g. creditor’s banking details changed), who made the amendment and when it was made. “Read only”
access to this file will be given to a senior member in the creditors section so that the amendments made
can be confirmed as being authorised, accurate and complete by reference to the masterfile amendment
forms. This log can be printed out or accessed on screen.
Another example in an acquisitions and payments system would be the production of a report of all
purchase orders that are outstanding (e.g. goods have not been delivered).
The important point about logs and reports is that unless an employee actually uses them and follows up
on any problems, they are worthless. Their huge potential value is that if the logs and report files are
properly access protected, they provide independent evidence of what has taken place on the computer.
They form a very important part of the audit trail.

11.1.8.6 Matching and minimum entry


Once data is in the database, other data can be matched against it. A simple example would be where a
creditors account number is matched against the creditors masterfile to determine whether it is a valid
account number. The fact that data is stored in the database also means that the principle of minimum
entry can apply.
Chapter 11: Acquisitions and payments cycle 11/15

For example:
When a goods receiving clerk keys in a purchase order number on receiving a delivery, the full details of
the order will appear on the screen. The speed, accuracy and completeness of input are enhanced.

11.1.8.7 On-system approval


Where hard copy documents require approval, it is usually just a matter of presenting the authorising
employee with the document and supporting evidence. In a computerised system, approval is frequently
given on the system itself and the supporting evidence is also frequently on the system as well. There will
be variations on how this is done, depending on the software.

11.1.8.8 Audit trail


An audit trail is a record of the activities that have happened on the system that enables the sequence of
events for a transaction to be tracked and examined from start to finish. It should be possible to identify an
invoice raised against a creditor reflected in the general ledger and trace it back to the purchase order
placed with the supplier. A system with a poor audit trail will be a weak system. The trail will often be a
combination of electronic and hard copy data.

A narrative description of a computerised acquisitions and payments cycle


For the purposes of this illustration, we have described the system for a medium-sized wholesale company that
purchases its products (toys) from a large selection of local suppliers.
• Its accounting systems are integrated.
• Purchases are only made on credit from approved suppliers.
• Purchase transactions are processed in real time and all records affected by the purchase are updated instantly, for
example, creditors masterfile, inventory masterfile.
• Purchase orders are created on screen, approved and then either sent by email or fax to the supplier or the sup-
plier is phoned.
• The company is large enough to implement sound segregation of duties with separate departments, i.e. ordering,
goods receiving section.
• The company has a link to its bank and all creditors are paid by EFT.
• Creditors are raised at the time the goods are received.

The creditors masterfile


The creditors masterfile is central to an acquisition and payments system. The processing of genuine authorised
purchases and payments accurately and completely depends to a great extent on the integrity of this masterfile. The
creditors masterfile will contain information that controls which suppliers the company buys from, the terms that
affect payments, balances and most important, the banking details required to make EFT payments to the creditors.
Access to the masterfile, particularly write access (i.e. the ability to make amendments) must be strictly controlled.
Equally important is the control over the amendments themselves to ensure they are authorised and that they are
actually processed accurately and completely.
Controls over masterfile amendments will be primarily preventive, but will be supported by detective controls, for
example, checking of logs of amendments. Important amendments to the creditors masterfile will include adding an
approved supplier and changing a creditor’s banking details.
Activity/procedure Control, comment and explanation
1. Record all masterfile 1.1 All amendments to be recorded on hard copy masterfile amendment forms
amendments on a source MAFs (no verbal instructions) (see Note (b) on page 11/16).
document. 1.2 MAFs to be preprinted, sequenced and designed in terms of sound docu-
ment design principles.
continued
11/16 Auditing Notes for South African Students

Activity/procedure Control, comment and explanation


2. Authorise MAF. 2.1 The MAFs should be:
• signed by two reasonably senior creditors section/accounting per-
sonnel (e.g. creditors section head and financial accountant after they
have agreed the details of the amendment to the supporting docu-
mentation, such as MAF checked against the written notification from
the supplier that the company’s bank account details have changed),
and
• cross-referenced to the supporting documentation.
3. Enter only authorised 3.1 Restrict write access to the creditors masterfile to a specific member of the
masterfile amendments onto section by the use of user ID and passwords (see note (a) below).
the system accurately and 3.2 All masterfile amendments should be automatically logged by the
completely. computer on sequenced logs and there should be no write access to the logs
(this allows subsequent checking of the MAFs entered for authority).
3.3 To enhance the accuracy and completeness of the keying-in of masterfile
amendments and to detect invalid conditions, screen aids and program checks
can be implemented.
Screen aids and related features
• minimum keying-in of information, for example, when amending exist-
ing creditors records, the user will only key in the creditor’s account
number to bring up all the details of the creditor
• Screen formatting, for example, screen looks like MAF, screen
dialogue
• the account number for a new supplier is generated by the system.
Program checks, for example (see note (c) below):
• verification/matching checks to validate a creditor’s account number
against the creditors masterfile (invalid account number, no amend-
ment)
• alphanumeric checks
• data approval check, for example, must enter either 30 days or 60 days
in the payment terms field, not (say) 120 days
• mandatory/missing data checks, for example, credit limit and terms
such as account number of creditor and branch code for the creditor’s
bank must be entered
• sequence check on MAFs entered.
4. Review masterfile 4.1 The logs should be reviewed regularly by a senior staff member, for
amendments to ensure example, the financial manager.
they occurred, were 4.2 The sequence of the logs themselves should be checked (for any missing
authorised and were logs).
accurately and completely 4.3 Each logged amendment should be checked to confirm that it is supported
processed. by a properly authorised MAF.
4.4 Each logged amendment should be checked to confirm that the detail, for
example, the supplier’s bank account number, amounts, etc., is correct.
4.5 The MAFs themselves should be sequence checked against the log to
confirm that all MAFs were entered.
Note (a): The authority needed to enter different types of masterfile amendment can be given to different levels of
employee, for example, changing a bank account number may be restricted to a single senior employee,
but changing an address or contact details could be assigned to a lower level employee.
Note (b): Unused MAFs and other important supporting documentation should be subject to stationery controls as
it is more difficult to create an invalid masterfile amendment without the source document.
Note (c): A masterfile amendment should be carefully checked in all respects before it is authorised, so that there
should be a minimum of errors or invalid conditions having to be identified (detected) by the program
controls. Each company will decide for itself the extent of program controls it wishes to implement.
Chapter 11: Acquisitions and payments cycle 11/17

Ordering of goods
A purchase order clerk needs to know what goods to order. How this is done in practice varies, and will depend on
the size of the business, the products it sells, or whether there is a manufacturing process.
One of the ways that a requisition for goods to be ordered can be initiated is by the setting of reorder levels and
reorder quantities and then entering them in the inventory masterfile. This means that when the quantity field on the
inventory masterfile gets down to a predetermined level, the system will alert the inventory controller/buying
department. There are a number of interrelated activities that make up an acquisitions and payments system and
these are described below.
Procedure/activity Control, comment and explanation
1. Setting and protecting reorder 1.1 These levels should be set by experienced personnel for each item the com-
levels and reorder quantities pany purchases and are based on such things as supplier lead times, sales
recorded in the inventory forecasts, average sales over preceding months, etc.
masterfile. 1.2 The pre-set levels should be regularly reviewed.
1.3 The ability to change a level will be restricted to the chief buyer, and all
changes will be logged.
1.4 Levels will only be used as a guide for determining quantities to be pur-
chased.
2. Initiating a purchase order. 2.1 At regular intervals, say every Monday morning, a purchase requisition
report will be generated from the inventory masterfile of items that have
reached their reorder levels. The report printed out will contain:
• the company’s inventory code for each item that has reached its
reorder level
• a brief description of the item
• the recommended reorder quantity from the masterfile, and
• a space for the inventory controller to add in any additional comments
pertaining to the purchase, for example, changes to the recommended
reorder quantity, additional inventory items to be purchased.
2.2 The report itself should be clearly headed, dated, page sequenced, for
example, page 5 of 5, and clearly laid out.
2.3 The inventory controller should review the report, add comments and
meet with the chief buyer to discuss the purchase requisition report before
signing it.
2.4 Once the chief buyer has reviewed the schedule and added any comments,
he should sign it before passing it onto the buying clerk. A copy of the
report will be retained by the chief buyer.
2.5 The chief buyer has read access to the creditors masterfile so that for
urgent or large orders he can determine whether the account is up to date
etc., before the order is sent to the supplier.
3. Creating a purchase order: 3.1 Access to the “create purchase order” module should be restricted to the
• purchase orders are made purchase order clerk.
out only for goods that are 3.2 On accessing the module, the screen will come up formatted as a purchase
sold by the company order.
• purchases are only made 3.3 Valid goods: on keying-in the inventory item code in the designated field
from approved suppliers (taken from the requisition report) the description of the goods and the
• all details pertaining to the supplier’s inventory item code will appear. If the item code is not a valid
order are entered accurately inventory code, the order clerk will not be able to proceed.
and completely 3.4 Approved supplier: when the item code is entered, details of the supplier of
• an appropriate quantity is the item as listed in the inventory masterfile/creditors file will appear. The
ordered system will not allow the order clerk to enter any supplier who is not
• all goods on the purchase approved. The controls in 3.3 and 3.4 can be regarded as verification checks
requisition, and only goods and are also a form of data approval/authorisation check. The entry of the
on the purchase requisition inventory item code to bring up all related inventory details is an example
report are ordered. of the minimum entry principle.

continued
11/18 Auditing Notes for South African Students

Activity/procedure Control, comment and explanation


3. Creating a purchase order: 3.5 For accuracy and completeness of entry:
(continued ) • the system will automatically insert a purchase order number/reference
• alphanumeric check, for example, on quantity ordered field
• mandatory field check on the quantity ordered field and the account
that the purchase order must be allocated to, for example, stores,
stationery, security
• possible limit or reasonableness check on quantity ordered field, for
example, quantity greater than recommended reorder level on
inventory masterfile is not accepted (limit check), or the order clerk is
alerted (screen message) if the quantity entered is (say) in excess of the
average of the last three orders for that item, and
• the cost price of the items purchased will be imported onto the
purchase order direct from the inventory masterfile.
3.6 If the order clerk has any queries pertaining to the goods to be purchased,
for example, confirming a price or availability, he will contact the supplier.
The order clerk should have read access to the inventory masterfile.
4. Authorising and sending the 4.1 Once the order clerk has compiled the file of purchase orders, it will be
purchase orders. available on the system to be accessed by the chief buyer for approval
• the approval function will be linked to the chief buyer’s user profile
• the order clerk will not have approval privileges, for example, his
screen will either have no visible “approve” option for him to select or
it will be shaded and will not respond if “clicked” on.
4.2 The chief buyer will access the file of purchase orders (read only) and:
• check each order against the purchase requisition report for anything
unusual, as well as compliance with his instructions if any, relating to
the quantity ordered
• confirm that there is an order for all the items on the purchase requi-
sition report and that no additional items were ordered. (Note the
computer could be programmed to produce a list of all items ordered in
the same sequence as the purchase requisition report was produced.
Each item would be cross-referenced to the relevant purchase order for
easy checking.)
• the chief buyer should not have write access to the file and changes that
he might require, for example, a quantity change, will have to be made
by the order clerk and the approval process repeated (segregation of
duties)
• once the purchase order file has been approved by the chief buyer no
changes can be made to the purchase orders file by the purchase order
clerk.
4.3 Once the approval option is selected by the chief buyer, a message will be
sent to the order clerk’s terminal alerting him that the purchase orders have
been approved. He will then execute the orders either by phoning the
supplier, emailing or faxing the order.
5. Maintenance of the inventory 5.1 Before a new supplier is added to the creditors masterfile/inventory
masterfile. masterfile, a thorough investigation of the supplier should be carried out
An accurate and up to date with regard to pricing, quality of goods and the reliability of the supplier.
inventory masterfile is 5.2 Information about inventory items, for example, price changes, should be
absolutely essential for the kept up to date.
proper functioning of the
purchase order system, as
information from the inventory
file is used in the preparation
of the purchase order.
Chapter 11: Acquisitions and payments cycle 11/19

Receiving and recording the goods ordered


This is mainly the physical activity of accepting the goods delivered by the supplier, and recording the receipt of the
goods on the system. As the information about the goods being received is already on the system, there is no need to
create a goods received note from scratch. We have assumed for the purposes of this illustration that the supplier
invoice is delivered with the goods, accompanied by a delivery note. Remember that the policy should be for the
company to receive only goods that are included on the purchase order with regard to description and quantity. The
(receiving) company will not want to raise inaccurate supplier invoices on its system, for example, an invoice for
goods that were never ordered or received, or that has been inaccurately compiled.
Activity/procedure Control, comment and explanation
1. Receiving and checking the 1.1 Access to the receiving goods module should be restricted to the receiving
goods from the supplier. clerk. On selecting this module, the screen will come up formatted as a
goods received note.
1.2 Access to the receiving goods module may be restricted to a terminal(s) in
the receiving area.
1.3 On arrival of the goods, the receiving clerk should access the purchase
order file by entering the purchase order number taken from the supplier
delivery note:
• if no number is entered or a number is entered but cannot be matched
to a purchase order on the system, the receiving clerk will not be able
to proceed
• before rejecting the delivery, the receiving clerk will check with the
order clerk to confirm that the goods delivered were not ordered.
1.4 The receiving clerk will count the goods and compare what has been
delivered to the suppliers’ delivery note and the purchase order. He should:
• perform at least a superficial test on the condition of the goods, for
example, reject broken boxes
• reject all items delivered that were not ordered in terms of the purchase
order
• accept goods that have been short delivered in terms of the purchase
order
• reject any quantities of goods delivered over and above the quantity
ordered.
1.5 All discrepancies between what was ordered and what was delivered
should be noted on the supplier delivery note. Both the supplier’s delivery
personnel and the receiving clerk should sign the documentation to
acknowledge the discrepancies.
1.6 The receiving clerk will have write access to only the quantity field on the
GRN. Confirmation of the GRN (once any corrections have been made to
quantities) will update the inventory masterfile.
1.7 A copy of the GRN will be printed out to accompany the goods to the
custody section of the warehouse, and the supplier delivery note and
invoice will be sent to the accounting department. The accounting
department will be able to access the GRN on the system.
2. Recording the purchase and 2.1 Recording of the supplier’s invoice in the accounting department (not in
corresponding liability in the receiving).
records. 2.2 Access to the raising invoice module will be restricted to the creditor’s
clerk.
2.3 The creditor’s clerk should access the purchase order file by entering the
purchase order number relevant to the supplier invoice (this number
should be on the invoice). An incorrect or non-existent number will be
rejected.
continued
11/20 Auditing Notes for South African Students

Activity/procedure Control, comment and explanation


2. Recording the purchase and 2.4 On the entry of a valid purchase order number, the screen will come up
corresponding liability in the formatted as an invoice. This on-screen “document” will reflect the exact
records. details of the applicable purchase order, for example, supplier details,
(continued ) description of goods, cost and quantity of goods ordered. Where
necessary the quantity ordered would have been adjusted at the time the
goods were received.
2.5 The creditor’s clerk should compare the details on the screen to the hard
copy invoice and supplier delivery note and confirm that:
• only goods that were ordered were received (receiving clerk should
have rejected goods not on the purchase order)
• the quantity ordered, received and invoiced reconcile with each other
• prices on the supplier invoice are correct in terms of the purchase
order, and
• casts, extensions and VAT are correct.
2.6 If a price differs between the purchase order and the supplier invoice, the
creditor’s clerk should contact the supplier and the order clerk to confirm
the correct price. Note, the objective is to raise the correct amount owed
in respect of what was received.
2.7 The system will prevent the creditor’s clerk from adding additional items
onto the invoice.
2.8 All changes, for example, to cost prices, will be logged and followed up.
2.9 The on-screen supplier invoice should be approved by a second creditor’s
clerk.
2.10 On selecting the confirm/accept option, the file of invoices and the
creditors masterfile will be updated (the liability has been raised).
2.11 On a weekly basis, a report should be run of all GRNs for which a
supplier invoice has not been received, for example, the goods have been
delivered but the invoice has not been sent or has been lost.

Payment of creditors by electronic funds transfer


As discussed in chapter 9, EFT is a very fast and efficient method of making payments, but it is perhaps for these very
reasons that the risk of fraudulent payments (theft of funds from the company’s bank account) will be very high if
strict controls are not in place. The controls over EFT payments will centre on:
• controlling access to the creditors masterfile. It should not be possible to add a fictitious creditor to whom
fictitious payments can be made, and it should not be possible to alter an existing creditor’s banking details other
than under strictly controlled conditions
• approving details and amounts to be paid to the creditor
• controlling access to the company’s bank account
• reviewing EFT payments actually made promptly.
We have assumed, for the purposes of this illustration, that creditors are paid monthly and payments are made on the
strength of unpaid invoices listed on the system (i.e. the company does not wait for a statement from the creditor).
Creditors reconciliations (between suppliers statement and the creditors account in the masterfile) will take place at a
later stage.
Activity/procedure Control, comment and explanation
1. Preparation of the schedule 1.1 The preparation of the EFT schedule of payments to creditors and the
of payments. authorisation thereof will be carried out by different employees:
How the schedule is actually • the creditors clerk will prepare the schedule, and
compiled will depend on the • the head of the creditors section will authorise it.
software. The objective is to 1.2 As all the information to prepare the schedule is already on the system, the
prepare an accurate and software will be designed to minimise the need to enter any additional
complete schedule of information. This enhances accuracy and completeness and prevents the
amounts actually owed addition of fictitious payments.
and due for payment.
continued
Chapter 11: Acquisitions and payments cycle 11/21

Activity/procedure Control, comment and explanation


1. Preparation of the schedule 1.3 Write access to the “prepare payment module” will be restricted to the
of payments. (continued ) creditor’s clerk preparing the schedule.
1.4 Once the module has been entered, the creditor’s clerk will either select a
creditor by clicking on the list of creditors that appears on the screen, or
alternatively the screen will automatically display the first creditor in
alphabetic order:
• the screen will be formatted as a payment document that will reflect the
creditors standing data
• on selecting the “select invoices” option, a dropdown list of all unpaid
invoices for that creditor will appear (remember that a file of all unpaid
invoices is already on the system)
• the creditor’s clerk will select those invoices that the company should
pay, governed by the terms agreed with the creditor, for example, 30
days. The creditor’s clerk will have a facility that enables him to call up
supporting documentation on the screen or he may choose to inspect
hard copy. This procedure will be followed for each creditor and as
each payment document is completed it will be listed on the payments’
schedule
• if there is nothing to be paid to a creditor, the creditor will still be listed
but the amount to be paid will be nil
• a financial total of all amounts to be paid to creditors will be computed
and there may be a processing control that compares this total with the
amount by which the total on the unpaid invoices file has been reduced
• as the invoices are selected for payment, they will be removed from the
file of unpaid invoices or a status code will automatically be attached
to indicate that the invoice has been paid. This also ensures that it
cannot be selected for payment again.
1.5 Once the schedule has been prepared, the creditor’s clerk will select the
proceed option and at this point the file can no longer be altered. The
creditor’s clerk will not have an approve option on his screen.
2. Approval of the schedule 2.1 To approve the schedule of payments, the creditor’s section head will
of payments. access the schedule of payments file. He will have read access only. He
should:
• review the schedule for reasonableness, looking for any payments that
appear abnormal, for example, large amounts, or regular suppliers for
whom there is no payment amount
• run reports to assist him in his review, for example:
– report of creditors that are on the current month’s schedule but were
not on the previous month’s schedule. These will be confirmed
against the log of masterfile amendments as they should represent
new creditors put onto the masterfile
– a report (log) of all amendments to creditors’ bank details. He
should verify these against the masterfile amendment form and
supporting evidence supplied by the creditor and possibly even
confirm the change directly with the creditor
– a report that provides comparison of amounts paid to each creditor
for each of the previous three months
– a report of any discounts taken to ensure that the discount is valid
and correctly computed and that any discounts to which the com-
pany is entitled have been taken
continued
11/22 Auditing Notes for South African Students

Activity/procedure Control, comment and explanation


2. Approval of the schedule 2.1 To approve the schedule of payments, the creditor’s section head will
of payments. (continued ) access the schedule of payments file. He will have read access only. He
should:
• review the schedule for reasonableness, looking for any payments that
appear abnormal, for example, large amounts, or regular suppliers for
whom there is no payment amount
• run reports to assist him in his review, for example:
– report of creditors that are on the current month’s schedule but were
not on the previous month’s schedule. These will be confirmed
against the log of masterfile amendments as they should represent
new creditors put onto the masterfile
– a report (log) of all amendments to creditors’ bank details. He
should verify these against the masterfile amendment form and
supporting evidence supplied by the creditor and possibly even
confirm the change directly with the creditor
– a report that provides comparison of amounts paid to each creditor
for each of the previous three months
– a report of any discounts taken to ensure that the discount is valid
and correctly computed and that any discounts to which the
company is entitled have been taken
– make use of the facility that enables him to bring up on screen,
copies of the relevant purchase order, GRN and invoice to confirm
details of amounts owed. He may also refer to hard copy documen-
tation.
2.2 The head of the creditor’s section should not have write access to the
payment schedule file. Any changes he may require will be referred back to
the creditor’s clerk.
2.3 Approval of the payments schedule will be on screen (on the system) and
the ability to approve the file will be restricted to the section head.
Note: There is nothing to stop the schedule of payments from being printed
out for detailed checking and authorisation. If this is the case it will be
approved by signature and will need to be agreed to the schedule on the
system before the EFT is effected.
3. Access to the bank account 3.1 The bank’s EFT software will be loaded on a limited number of the
on the Internet. company’s terminals.
3.2 Access to the bank’s site on the web will be gained in the normal manner
but once the employee gets onto the site, an additional PIN number
supplied by the bank and a password, unique to the employee, will have to
be entered to gain access to the company’s account:
• the privilege to access the company’s account will only be granted to
employees who need access to the bank account to carry out their
duties.
3.3 If this identification and authentication process is accepted, a menu of the
functions available to the company will appear on the screen, for example,
balance enquiry, payment query, download bank statement, make EFT
payment.
3.4 Access to these functions will be directly linked to the employee’s user
profile on a need to know basis. The function that needs to be most
protected will be the ability to make an EFT payment:
• this privilege will be granted to a limited number of senior personnel
• an additional authentication procedure will be required, for example, an
additional one-time password or the insertion of a physical device into
the USB port of a terminal on which the bank’s software is loaded (see
Chapter 9 for a discussion on these devices).
continued
Chapter 11: Acquisitions and payments cycle 11/23

Activity/procedure Control, comment and explanation


4. Approving (effecting) the 4.1 At least two of the three authorised employees will be required to effect the
payment. payment of creditors, for example, the creditor’s section head will author-
We will assume for the ise the payment and the financial manager will release it by the entry of
purposes of this illustration, their one-time passwords provided by the random number generator.
that the company’s bank 4.2 Once the head of the creditors’ section is satisfied with the payment
requires an additional one- schedule he will select the “first confirmation” option and a system gen-
time password to be entered erated message will be sent to the financial manager (second signatory)
and that to generate the informing him that the file of payments is awaiting his approval.
number, each employee 4.3 The financial manager will then access the file of payments and carry out
authorised to effect an EFT whatever procedures he deems necessary to be in a position to authorise
is given a device to generate the payments, for example, review of reasonableness, access of masterfile
the random number. We will amendment logs, reference to original documentation:
also assume that the creditor’s • the “second signatory” (financial manager) will also not have write
section head and two other access to the file so cannot for example, add a payment
senior officials have this
• once the “second signatory” is satisfied he will click on "second con-
privilege.
firmation"
• the second confirmation cannot be activated before the first confirm-
ation.
4.4 The file of payments will now be fully approved, and the clicking on the
second confirmation will automatically convert the file to a format com-
patible with the bank’s EFT software.
4.5 Once this has been done, the creditors section head will click on the
authorise option (one-time password will be entered) and the financial
manager will click on the release option (one time password will be
entered):
• the release activity cannot be activated before the authorise option.
4.6 Additional controls that should be implemented are:
• automatic shutdown after three unsuccessful attempts to access the
company’s bank account on the system
• logging of attempts at unauthorised access (successful attempts will
also be automatically logged)
• the number of bank accounts to which transfers to other bank accounts
from the main bank account should be limited to protect the main bank
account. For the payment of creditors, an amount equal to the total of
individual payments to creditors should be transferred to a second
account and the actual transfer to creditors bank accounts should be
made from the second account. Transfers to creditors could be
scheduled only to take place on a specified date
• a limit on the total amount that can be transferred within a 24-hour
period can be arranged with the bank as well as a limit on individual
payments
• data should be encrypted
• conventional password controls will apply and physical authentication
devices must be kept safe and secure at all times.
4.7 The EFT will update the creditors masterfile, cash payments journal and
general ledger.
5. Detection of unauthorised 5.1 Within a day or two of making the EFT, the accountant (or similar level
payments. employee) should download a copy of the bank statement for the creditor’s
account and compare it to the schedule of payments to creditors.
11/24 Auditing Notes for South African Students

Processing controls
As mentioned in chapter 8, the accuracy, completeness, etc., of processing are evidenced by reconciliation of output
with input and the detailed checking and review of output by users, on the basis that if input and output can be
reconciled and checks and reviews reveal no errors, processing was carried out accurately and completely and only
transactions that actually occurred and were authorised, were processed. To make sure it does its job, the computer
will perform some internal processing controls on itself, but the user will not even be aware that these are going on.
The users within the cycle make use of the logs and reports that are produced relating to their functions, while the IT
systems personnel make sure that processing aspects of the system are operating properly.

Summary
The description of the system described above, provides an illustration of how the control activities described in
chapter 5 (and referred to in ISA 315 (revised)), can be implemented. It also provides an illustration of how specific
automated application controls can be introduced.
For example:
Segregation of duties • Separation of functions, for example, ordering, receiving goods, pro-
cessing payments.
• Separation of responsibilities within functions, for example, gener-
ating purchase requisition report, initiating purchase orders, author-
ising purchase orders.
Isolation of responsibilities • Isolating responsibilities through granting access privileges, for
example, only the chief buyer can approve purchase orders.
• The goods receiving clerk signs the supplier delivery note that isolates
his responsibility for accepting the delivery of goods from a supplier.
Approval and authorisation • The system will not allow the order clerk to place an order with a
supplier who is not on the creditors masterfile.
• The creditors’ section head approves the schedule of EFT payments
to creditors.
Custody • Access to the bank account (custody of the company’s money) is
strictly controlled by user IDs, PINs and passwords (those with
authority to make an EFT are effectively the custodians of the com-
pany’s cash).
• Goods received by the goods receiving section are kept securely until
they are transferred to the warehouse.
Access controls • All users on the system must identify and authenticate themselves by
IDs and passwords and what they are authorised to do is reflected in
their user profiles.
• Additional access controls such as terminal shut down and logging of
access violations are in place.
Comparison and reconciliation • The system reconciles the total amount (and number) of invoices
selected for payment with the reduction in the total and number of
invoices on the unpaid invoices list.
• The creditors’ clerk reconciles the supplier’s statement with the cred-
itor’s (supplier’s) account in the creditors masterfile.
Performance review • Supervisory and management staff can access the purchase order file
to see how efficiently approved purchase orders are being executed.
• Reports on inventory ageing (number of days inventory items are
held) can give an indication of the appropriateness of reorder levels
and the performance of the chief buyer and inventory controller.
• Monitoring complaints from the sales manager relating to sales lost
because of inefficient purchasing.
continued
Chapter 11: Acquisitions and payments cycle 11/25

Summary (continued )
Control techniques and application controls • Screen aids and related features:
– minimum entry: keying in the inventory code of an item on the
purchase order brings up the supplier, description, cost, etc., of
that inventory item
– screen formatting: purchase order, and
– mandatory fields: branch code for new customer banking details.
• Program checks:
– validation check on supplier number, and
– limit checks/reasonableness checks on quantity ordered field.
• Output control:
– masterfile amendment logs are checked against source documents
and
– bank statement checked against EFT payments entered onto the
system.
Logs and reports • Log of and changes to existing creditors banking details.
• Weekly reports of long outstanding purchase orders or of GRNs for
that there is no invoice.
This does not cover every control, policy or procedure that could be in place, and is not intended to. This knowledge
will only be acquired when you go into different companies and work with their systems.

11.1.9 The role of the other components of internal control in the acquisitions
and payments cycle
This chapter has concentrated on the accounting system that is part of the information system and control
activities components of internal control. However, these components are affected by the other components,
so a brief mention of the role of the other components is necessary.

11.1.9.1 The control environment


The control environment within the cycle will be directly influenced by the control consciousness of the
company as a whole. With regard to this cycle specifically, the tone will be set by the actions and control
awareness of the chief buyer, the head of the creditors section and the senior employees responsible for the
authorisation of payments to creditors. There should be strict policies in place relative to the acceptance of
inducements from suppliers to purchase their goods such as gifts from suppliers, kickbacks and bribes, but if
the chief buyer, or other senior personnel, show little regard for these restrictions, the control environment
will deteriorate quickly. Unfortunately, this type of practice is widespread.
The other function that must be surrounded by a strong control environment is the payment of creditors.
As mentioned earlier, this part of the cycle provides a legitimate process for getting money out of the
business, so if controls are not strictly enforced, fraud and theft will surely follow.
Practices such as disclosing of passwords for “authorising” and “release” of EFT payments should not
occur under any circumstances.
In a smaller entity there should be comprehensive owner/management involvement in the cycle as it is a
cycle very vulnerable to theft.

11.1.9.2 Risk assessment process


The company’s formal risk assessment process will address the major risks that face the company and that
may have a direct effect on this cycle.
For example:
Purchasing decisions, such as import or buy local, the need for alternative sources of supply, the social/
environmental reputation of the supplier, bribery and kickbacks, and information technology risk (EFT)
will be dealt with formally.
Less formal risk assessment can occur within the section by members of the section regularly evaluating
the risks and responses already in place to address the specific risks facing the section, for example, better
reorder levels to reduce overstocking, theft of deliveries from suppliers at the receiving stage, etc.
11/26 Auditing Notes for South African Students

Again, in a smaller entity it will be the owner/manager’s informal, but ongoing, assessment of risk that
will be important.

11.1.9.3 Monitoring
How is the cycle doing over time in meeting its objectives? That is the question that monitoring seeks to
answer. To express these objectives simplistically, we might describe them as, ensuring optimal quantities
of inventory are held, costs of items purchased is as budgeted, suppliers are reliable and that only valid
creditors are paid accurately and on time. These can all be monitored by period based comparisons (and
industry comparisons, if available) of such matters as:
• delays in production or sales lost because of inappropriate inventory holdings
• instances of the inability of suppliers to supply goods as required (price, time and quality)
• actual purchase costs compared to budgeted costs
• complaints from suppliers or letters from suppliers demanding payment
• losses from EFT fraud
• reductions in theft of inventory.
Monitoring can be carried out by the board through the scrutiny of reports on the above matters or by visits
from an internal audit team. Owner/managers pretty much monitor internal control themselves and may
do it very well, particularly if they are very involved in the day-to-day running of the business.

11.2 Narrative description of the acquisitions and payments cycle at ProRide (Pty)
Ltd
11.2.1 Introduction
At ProRide (Pty) Ltd, the acquisitions and payments cycle is taken very seriously. The basic principle (that
is followed in all cycles) is that if the initiation of the transactions in the cycle is carefully controlled, then
problems arising later in the cycle are kept to a minimum. As you will see, the two most senior members of
staff (the managing director and the financial director) are closely involved in initiating and authorising
purchase transactions.
Both the managing director (Peter Hutton) and the financial director (Brandon Nel) have extensive
knowledge of the bicycle industry. Great care is taken to ensure that inventory of the required quality, price
and saleability is obtained. There are two major reasons for this. Firstly, ProRide (Pty) Ltd’s largest
customers are the major chainstores, and failure to deliver the right product, at the right price, on time, will
result in the loss of an important market. Secondly, the company does not want to purchase inventory that
it cannot sell.

11.2.2 Suppliers
Each and every supplier to ProRide (Pty) Ltd is carefully evaluated by Peter and Brandon. They require
suppliers who are reliable with regard to delivery, who are consistent with quality and who are reasonable with
price. Suppliers are evaluated on an ongoing basis and a sound business relationship is built up with them.
This evaluation includes regular visits to the suppliers’ premises, a number of which are as far afield as
Taiwan and China.
Prices for each inventory item are negotiated and agreed with local and foreign suppliers, usually for the
following six months.

11.2.3 Purchases
As indicated in chapter 10, ProRide (Pty) Ltd wholesales bicycles and related spares and accessories. In
addition to goods purchased for resale, the company like any other company, purchases other items such as
stationery, consumables, minor tools and equipment, etc. While these “non-trading” items are also subject
to sound internal controls, they are not the concern of the two directors.
Purchases are made from both local and overseas suppliers. The basic controls over purchases from both
sources are the same. However, in respect of imported purchases, additional procedures arise as goods have
to be shipped in containers, and must be cleared through customs, etc., before being delivered. Payments to
foreign suppliers must be subjected to foreign exchange regulations. Foreign purchases far exceed local
purchases.
Chapter 11: Acquisitions and payments cycle 11/27

11.2.4 Frequency of orders


ProRide (Pty) Ltd does not place a huge number of orders. The goods they purchase are obtained from a
limited number of suppliers, who between them supply the full range of ProRide (Pty) Ltd’s inventory. To
make purchases from foreign suppliers is a reasonably time consuming exercise with long lead times due to
the fact that the goods are shipped to South Africa by sea in containers. Clearance through customs also
takes time. The result is that large orders are placed with foreign suppliers, usually at about six weekly
intervals. Because of this, ProRide (Pty) Ltd does not have a separate order department staffed by a chief
buyer and a number of buying clerks as it is not necessary. However, the company does have a purchases
manager (Ruth Taylor) and she is assisted by Zodwa Mashego and Tania Koetzee, the purchase clerks.

11.2.5 Computerisation
As indicated in chapter 9, the company uses JD Edwards’ application software run on an IBM AS 400
system. However, ProRide (Pty) Ltd has not integrated its acquisitions and payments cycle into this system
as the number of purchases made does not warrant the cost of integration. (You will recall from the
discussion in chapter 10 that the cashbook function is not integrated for the same reason.)

11.3 Acquisitions – How the system works at ProRide (Pty) Ltd


11.3.1 Initiating orders
11.3.1.1 Minimum inventory levels/reorder quantities
As explained in chapter 10, a computerised, real-time, perpetual inventory system is maintained. Each
inventory item on the inventory masterfile has preset minimum inventory level and reorder quantity fields.
These two fields are set by the financial director and the managing director after careful analysis of sales
trends, supplier lead times, customer needs etc. The levels are adjusted as conditions change.
Any changes to these fields are treated as masterfile amendments and are subjected to normal masterfile
amendment controls. Only Dalene Burger (accounting supervisor) and Gary Powell (IT manager) have the
necessary access privileges. Changes must be supported by documentation authorised by Brandon Nel
(financial director) and Peter Hutton (managing director). Adjustments are logged by the computer and the
logs subsequently reviewed by Brandon.

11.3.1.2 Inventory order reports


Once a week, a sequenced and dated printout called an inventory order report is produced. This lists all the
inventory items that have reached their preset minimum inventory levels. The list provides the item code,
description, supplier details, quantity on hand, cost price and reorder quantity. There is one report for local
suppliers and one for foreign suppliers. The foreign supplier report is also analysed by supplier name, for
example, Speedybikes Inc, supplier region, for example, Taiwan and inventory category, for example, bicycles.
The reason for this will be explained below. An item that has reached its minimum inventory balance will
continue to appear on the weekly inventory order report until an order for the item is placed and the order
is captured onto the AS 400 system (see 11.3.2.3 and 11.3.3.3 below).
Because an item appears on the “inventory order report”, does not mean that an order is automatically placed.
The reports are first given to Brandon Nel (financial director) and Peter Hutton (managing director) for
extensive analysis before the decisions about what to order and how many to order are taken. Before they
decide on what to order they will again consider factors such as past and future sales trends, the intentions
of their major customers, whether the particular item is sufficiently profitable as well as expected lead times
and other supplier conditions. This is why their knowledge of the industry is so important. Essentially, the
inventory order report is simply an indicator that inventory may be required.

11.3.2 Purchases from local suppliers


11.3.2.1 Frequency
As it is far less complicated and time consuming than ordering daily, purchases from local suppliers are
placed weekly. Once Brandon and Peter have decided what is to be ordered, they place the quantity to be
ordered in the blank box provided next to each item on the inventory order report for local suppliers. If an
item is not required, nil is written into the box. Both parties sign the inventory order report and pass it to
Zodwa Mashego (purchases clerk). The signed inventory order report is in effect, an inventory requisition.
11/28 Auditing Notes for South African Students

11.3.2.2 Purchase orders


Using a very simple in-house program, resident on her computer, Zodwa captures the details off the signed
inventory order report to create a purchase order (PO) two copies of which are printed out. Access to the
purchase order software is restricted to Zodwa and Ruth Taylor (purchases manager) using conventional
access controls. The principle of minimum entry applies so Zodwa does not have to capture supplier
details, etc., or details of the items to be ordered, i.e. entry of the supplier name or account number will
bring up the supplier details, and the entry of the item code will bring up the description of the item. (This
detail is on the inventory order report from which Zodwa is capturing.) The PO is sequenced and dated and
Zodwa cross-references it to the inventory order report. The details on the PO captured by Zodwa are then
checked against the inventory order report by Tania Koetzee, the other purchases clerk, who signs to
acknowledge the procedure.
The PO is then emailed to the supplier.
Note: A single inventory order report will usually result in orders being placed with more than one sup-
plier.

11.3.2.3 Entry onto the AS 400


At this point Zodwa enters the details off each purchase order onto the AS 400 system where it is stored in
the inventory orders placed file. A hard copy of the file is printed out, checked carefully to the purchase orders
by Tania (the other purchases clerk), and signed by both clerks to be filed with a copy of the PO and the
relevant inventory report. No updating of any files on the system takes place, for example, no changes are
made to the inventory masterfile. The information is placed on the system for information purposes only.
For example, Reg Gaard (warehouse manager) can access the system at any time to see what orders he can
expect to be delivered, and when the delivery arrives, to confirm what he is receiving is correct in terms of
the purchase order. Brandon Nel and Peter Hutton can also follow up on orders by using their enquiry
privilege.

11.3.3 Purchases from foreign suppliers


11.3.3.1 Frequency
Foreign purchases are far more complicated. You will recall that the foreign inventory order report is
analysed by supplier, supplier region and inventory category. This enables Brandon and Peter to order in a
more efficient manner. Goods are sent by sea in large containers, and it is very expensive and inefficient if
the container is not full. It is also impractical and expensive to place lots of orders (for small quantities)
with a supplier. Therefore in placing an order Brandon and Peter will attempt to fill a container. Having the
inventory order report analysed by supplier, region and inventory category (that is broken down into different
items) assists in the following way:
Supplier: All goods to be ordered from that supplier are identified. If only a few
items are required from a particular supplier, the directors may decide to
postpone the ordering of those particular items until a large order can be
placed.
Supplier region: All goods from suppliers in Taiwan are identified. This gives the directors
an idea of whether it would be efficient to order additional items from
other Taiwanese suppliers to fill a container.
Inventory category and inventory This provides an indication of which categories and items within the
items: category are selling. For example, if it appears that mountain bikes are
selling faster than road bicycles then additional mountain bikes may be
purchased.
The point that we are trying to illustrate here is that preset minimum inventory levels and reorder quantities are
used only as indicators, they do not result in an order being automatically generated and sent to a supplier.

11.3.3.2 The master form


Once Peter Hutton and Brandon Nel have decided what is to be ordered, the foreign inventory order
reports are amended, signed by both of them, and passed to Zodwa Mashego. Using her computer and in-
house developed software, she calls up a master form (MF) on screen. Each foreign supplier’s details are
stored on her computer, and once she keys in the name of the supplier a blank MF for that supplier,
Chapter 11: Acquisitions and payments cycle 11/29

indicating contact details, terms and a sequence number appears. Zodwa enters all the details of what is to
be ordered from the foreign inventory order report onto the MF. The MF is printed in duplicate and passed
to Tania Koetzee who checks it for accuracy and completeness against the foreign inventory order report.
The MF is then passed to Ruth Taylor (purchases manager) who authorises it. The MF is stamped with a
grid stamp to facilitate this process as follows:
Prepared by
Checked by
Authorised by

11.3.3.3 Contacting the supplier


A copy of the master form is then emailed or faxed to the foreign supplier and a pro forma invoice is
requested. The pro forma invoice is:
• an acceptance of the order by the supplier
• a document that can be used for preliminary planning by the shipping agents who clear ProRide (Pty)
Ltd’s imports through customs and warehousing, and
• is sometimes required by the bank when finance is being arranged.
When the pro forma invoice is received it is checked again for accuracy and completeness to the master
form by Ruth Taylor who signs it to acknowledge the check.
The signed copy of the pro forma invoice is passed to Zodwa Mashego (purchases clerk) for entry onto
the AS 400 system. As with the entry of local purchases, no updating of any accounting records takes place, the
purchase details are placed on the system for information purposes, for example, planning warehouse space
to receive goods, or for Peter Hutton and Brandon Nel to obtain information about outstanding orders.

11.3.3.4 Obtaining confirmation that ProRide (Pty) Ltd can pay


Purchasing from foreign suppliers raises two specific issues with regard to payment:
• foreign suppliers are most unlikely to ship the goods before they are satisfied that ProRide (Pty) Ltd will
pay
• the payment to foreign suppliers is controlled by ProRide (Pty) Ltd’s bank to comply with foreign
exchange legislation.
These issues are addressed as follows: Johan Els (financial manager) arranges a letter of credit (LC)
through Standard Bank, ProRide (Pty) Ltd’s bankers. A letter of credit is a credit facility in terms of which
ProRide (Pty) Ltd agrees to pay the supplier’s bank once certain conditions have been met, for example, all
shipping and custom documentation has been authorised and submitted to the bank.
Obviously Standard Bank will not issue a letter of credit unless it is satisfied with ProRide (Pty) Ltd’s
creditworthiness. Being the company’s bankers, they will assess this on an ongoing basis.
Once the LC has been authorised and issued by the bank:
• it is attached to the relevant pro-forma invoice from the supplier
• the supplier is notified by email of the details of the letter of credit.

11.3.3.5 The LC payment register


Using the pro forma invoice and corresponding letter of credit, Ruth Taylor writes up (manually) the LC
payment register. This is, in effect, a foreign creditors ledger, as it shows the amounts owed to the foreign
creditors.

11.3.3.6 Shipping the goods


Once notified about the letter of credit, the supplier will confirm with its bank that the LC is valid, and if it
is, will ship the goods and send the following documents to ProRide (Pty) Ltd. These documents are
termed the “non-negotiable documents” and are sent in duplicate:
• Bill of Lading: a document signed by the shipping agent that evidences the receipt of the goods on board.
• Packing list: a document that indicates the total number and type of packages, weights and contents of
the shipment.
11/30 Auditing Notes for South African Students

• Final invoice.
• Shipping file.
At this stage a (physical) shipping file is opened for each order. The file is very important as it will become
the final destination of all the documents and will provide a comprehensive audit trail for each foreign
order. Thus a completed shipping file will contain:
• foreign inventory order report
• master form
• pro forma invoice
• letter of credit
• bill of lading
• packing list
• final invoice
• any other correspondence
• goods received note (added once the goods have been cleared and delivered)
• clearing agents documents.

11.3.3.7 Forwarding and clearing (shipping)


All imported goods have to be shipped from their country of origin and cleared through customs when they
arrive in South Africa. Both of these activities require specialist knowledge due to the complicated nature of
the laws and regulations pertaining to importing. It is therefore usual that importers in South Africa make
use of agents to assist them; namely, forwarding agents who control and administer the shipping of the
goods, and clearing agents who guide the goods through customs. To simplify matters, ProRide (Pty) Ltd
deals directly with one company that offers both these services (i.e. forwarding and clearing). We will refer
to this company as ProRide (Pty) Ltd’s “shipping agents”.
Once received, the “non-negotiable documents” are passed to Ruth Taylor who files the duplicates and
sends the original documents to ProRide (Pty) Ltd’s shipping agents. (She also includes a standardised
clearing document that gives precise details of what is being imported.)
The shipping agent will make payments on ProRide (Pty) Ltd’s behalf for various forwarding (shipping)
costs as well as clearing costs, such as harbour fees (wharfage), duties and levies. Once the goods have been
cleared through customs these costs are recovered from ProRide (Pty) Ltd by the shipping agents and a fee
is charged. Like any other local supplier, the shipping agent will send an invoice and documentary
evidence of the payments they have made on ProRide (Pty) Ltd’s behalf, for example, forwarding agent’s
fee, the Portnet invoice for wharfage. Before submitting the invoice to Tania Koetzee for it to be included
on the creditors payment schedule (see 11.3.7.2 below), Ruth scrutinises the invoice and supporting
documentation to ensure that all charges are valid, accurate and complete. She then signs the invoice to
acknowledge this control procedure.

11.3.3.8 The container schedule


Once the “non-negotiable documents” are to hand, Ruth also prepares a hard copy “container” schedule.
This schedule is sent, with a copy of the Packing List, to Reg Gaard (warehouse manager) to assist him in
scheduling the receiving of the purchases and preparing the warehouse. The schedule contains the
following details:
• ship name and estimated date of arrival
• container number
• shipping file number
• master form (order) number, and
• supplier names.
Chapter 11: Acquisitions and payments cycle 11/31

11.3.4. Receiving the goods


11.3.4.1 Supervision
All goods, whether they are local or imported are received in the receiving depot, a physically secure area
in the warehouse (see diagram in chapter 12). As explained in chapter 12, the frequency of deliveries does
not warrant the appointment of a “specialist” receiving clerk and the responsibility is given to the dispatch
clerk and his assistants. Receiving is always supervised by either Reg Gaard or Patrick Adams the ware-
house manager and foreman, respectively. This improves the efficiency of receiving and reduces the
incidence of theft before the goods arrive in the warehouse.

11.3.4.2 The receiving procedure


Local goods are usually delivered in cartons or boxes by a road delivery service and generally it is imprac-
tical to check each item received against the purchase order as the delivery service is keen to get away to
make the next delivery. Therefore, the receiving procedure is broken down into two functions. The initial
function is taking delivery of the number of cartons/packages from the freight company. The “receiving
clerk” will match the description and labelling on the cartons and the delivery company’s waybill, and sign
the waybill to acknowledge what has been received. If there are any discrepancies, the receiving clerk and
the driver will mark the discrepancy on the waybill. A copy of the waybill is retained by the receiving clerk.
Imported goods are delivered in containers and a similar process is followed. Because it is not possible,
with the large orders received in the container, to check that each item ordered has been received, the first
function again is to offload the packages/cartons from the container and compare these to the description
of the packages/cartons on the Packing List. Remember that the Packing List describes the number, type
and weight of the packages/cartons included in the shipment. Once this “broad” check has been done,
Patrick or Reg (who supervise the receipt of imported goods closely) will sign the freight company’s
delivery note. This is simply an acknowledgement that the packages/cartons that were shipped have been
received. The contents have not, at this stage, been checked. A copy of the freight company’s delivery note
is retained.
All cartons or packages (local and imported) are retained in the receiving area and promptly unpacked
for detailed checking against the purchase order/GRN. The process is as follows:
• The “receiving clerk” will enter the purchase order number onto the system. If there is a match to the
inventory orders placed file (there usually is), the purchase order will come up as a GRN on the screen,
and two copies of the GRN (populated with all of the detail of the goods on the purchase order) will be
printed out.
• The goods delivered are then carefully checked against the GRN (twice).
• Goods that have been delivered incorrectly, for example, have not been ordered or have been over-
delivered, are not taken into inventory and are stored in a secure area in the receiving section, with a
discrepancy report for subsequent return to the supplier.
• Discrepancy reports are preprinted and sequenced. When a discrepancy report is completed, full details
of the discrepancy are recorded, it is cross-referenced to the purchase order and signed by two individ-
uals, usually the “receiving clerk” and either Reg Gaard or Patrick Adams.
• Where necessary, hard copy GRNs and the on-screen GRNs are amended to reflect the quantities
actually received. Changes to the descriptions of goods delivered are not made and no additions of
goods delivered but not ordered, are entered. The final GRN must reflect the actual quantities of goods
received and only goods on the purchase order. The only field that can be altered on the on-screen GRN
is the quantity field and no additional items can be added.
• Reg Gaard (warehouse manager) will confirm that the on-screen GRNs and the hard copy GRNs agree
exactly and he and the receiving clerk will sign the hard copy.
• Once Reg is satisfied with the on-screen GRN, he will select the “confirm” option and:
– the purchase order on the “inventory orders placed” file will be coded to indicate that the “purchase
order” is no longer outstanding, and
– the quantity field in the inventory masterfile will be updated.
11/32 Auditing Notes for South African Students

11.3.5 Costing the inventory


When the GRNs arrive in the purchasing department, each inventory item must be costed. This is done as
soon as all documents are available. For local purchases the cost is taken off the purchase order. For
imported goods a costing exercise to establish the true cost of “bringing the inventory to its location” must
be carried out.
The exercise is carried out by Zodwa Mashego or Tania Koetzee (purchases clerks) on a pre-designed
costing spreadsheet using Excel software.
An example of the Costing Schedule used by the company is shown below. We will assume that the
shipment consisted of 400 Raleigh RC bicycles.
ProRide (Pty) Ltd Costing Schedule
Date 9 Sept
Supplier Shimlee Taiwan File No. 702 Shim
Invoice No 1237
Value per Suppliers Invoice US$135507
At conversion rate × R10 (note 1) R1 355 070
Custom clearing charges 6 580
Freight 28 645
Cartage 2 555
Bank charges and fees 840
Total cost R1 393 690
Cost per unit: Raleigh RC: 400 units R3 484 (rounded)

Prepared by: Checked by:

The preparer signs the schedule and Ruth Taylor checks the costing from the supporting documentation
and also signs it. It is then placed in the Shipping File.
Note 1: ProRide (Pty) Ltd buys forward cover to pay for its foreign purchases and complies with the Inter-
national Accounting Standards when selecting the appropriate conversion rate for costing the
inventory.
Note 2: If the shipment contains a number of different items (which is usually the case) the total cost is
allocated to the different items purchased in terms of their value on the supplier’s invoice. For
example, if invoice 1237 (above) had been for 300 Raleigh RC bicycles at $338.75 each, and 200
Raleigh Bombers at $169.38, the total cost of R1 393 690 would have been allocated as follows:
$101 630
Unit price: Raleigh RC × R1 393 690 ÷ 300 = R3 484 (rounded)
$135 507

Unit price: Raleigh Bomber $33 877 × R1 393 690 ÷ 200 = R1 742 (rounded)
$135 507

11.3.6 Recording the cost of the goods received in the inventory masterfile
Tania Koetzee (purchases clerk) will enter the cost of the goods received onto the masterfile that is resident
on the AS 400 system. This is done as soon as the costing has been carried out so that the masterfile is kept
right up to date. Note that the quantity field has already been updated by the GRN. At the end of each day,
a dated inventory transaction report is generated. This report is a list of all inventory items that have had their
quantities increased, by how much, and the unit cost price entered. The report is handed to Zodwa
Mashego who checks it for accuracy and completeness against the relevant GRNs and costing schedules
where applicable. She signs to acknowledge this check. As a double control, Ruth Taylor re-checks the
inventory transaction report to the GRNs the following day.
Chapter 11: Acquisitions and payments cycle 11/33

11.3.7 Payment of creditors – Local suppliers


11.3.7.1 Recording of purchases from local suppliers
As indicated earlier, the acquisitions and payments cycle is not integrated into the other cycles on the
AS 400. Tania Koetzee (purchases clerk) is responsible for recording purchases and maintaining a creditors
masterfile on her computer using the in-house developed software. Remember that there are not that many
local suppliers. The following documentation is kept in the purchases department in temporary files by
sequence number (n) or alphabetically (a):
• local inventory order reports (n)
• purchase orders (n)
• goods received notes (n)
• invoices as they arrive by fax, email or post from the supplier (a): these invoices will not only be for
inventory purchases, but other items purchased on credit as well, for example, packaging, stationery,
invoices from service providers, including shipping agents, etc.
• supplier delivery notes and statements (a).
About every two days Tania enters invoices she has received onto her system. This means that the creditors
masterfile is kept up to date. Before entering an invoice, Tania:
• matches details on the invoice to the relevant purchase order and GRN (that can all be tied together by
the purchase order number), or to other supporting documentation in respect of invoices for which no
physical goods were received
• checks the prices to the inventory order report and purchase order (or other sources for non-inventory
items)
• re-performs extensions, casts and VAT calculations, and
• checks that the supplier invoices contain the necessary detail so that a valid VAT input credit can be
claimed.
If an invoice is incorrect, for example, ProRide (Pty) Ltd has been charged for goods which have not been
received, she confirms the detail against the discrepancy report and supplier delivery note if applicable, and
notifies the supplier. The invoice is placed in a pending file to await a corrected invoice from the supplier.
This essentially means that the purchase journal and creditors masterfile are updated for the correct amount
owed even if it means a delay in recording.
When Tania is ready to enter the invoices into the purchase journal (much like an Excel spreadsheet) she
accesses the “enter invoices” module (to which access is restricted). To enter the details off the invoice,
Tania will key in the supplier’s name taken from the invoice. This will bring up a screen that is populated
with the supplier’s details and formatted to receive only the necessary information to update the creditors
masterfile and purchase journal, in other words, the description of the goods purchased, unit selling price,
etc., is not required. Tania therefore enters only the:
• supplier invoice number (supplier name is already there)
• the account code to which the invoice must be allocated, for example, inventory, packaging, main-
tenance, shipping charges
• the amount of the invoice and the VAT, and
• the terms of the invoice, for example, 30 days, 60 days.
On selecting the “enter” option, the purchase journal file and the suppliers account in the creditors
masterfile are updated. There are a number of basic program controls over input, for example,
alphanumerics, missing data (all fields must be completed) and the entire entry process reflects the concept
of minimum entry.
During the course of the month, Tania will reconcile statements received from creditors with the
creditor’s account in the creditors masterfile.

11.3.7.2 The actual payment of creditors


Up until a few years ago, all local creditors were paid by cheque. This policy has changed and all payments
are now made by EFT. Payments to creditors are made on the 28th of each month and creditors are paid
on the strength of a valid invoice (not on a reconciled creditor’s statement) that has been entered on the
ProRide (Pty) Ltd system.
11/34 Auditing Notes for South African Students

Payment preparation
This is a “manual” procedure conducted by Zodwa Mashego or Tania Koetzee. Whoever is preparing the
schedule on that day will compile a list of suppliers to be paid that includes the amounts that are to be paid,
the invoices that are being paid, and the name and account number of the supplier. The schedule is
prepared on the screen with the information being taken from the creditors masterfile. The schedule is
printed out, checked by the other purchases clerk, signed by both clerks and Ruth Taylor (purchasing
manager), and given to Johan Els (the financial manager), along with the supporting documentation.
None of the terminals in the purchasing section have the bank’s software loaded on them and EFT pay-
ments cannot be made from them. On receipt of the schedule, Johan will carefully check the detail on the
schedule to the supporting documentation (initialling it as he does so). He will then access the EFT
creditor’s payment module and enter the detail of the payments to be made. ProRide (Pty) Ltd has a full
range of controls over EFT payments as described in a number of chapters in this text and they will not be
repeated here. (You can refer to the description of ProRide’s payroll system for of the detailed controls.)

11.3.8 Payment of creditors – Foreign suppliers


There are essentially three parties that must be paid. They are:
• the forwarding agent who administers the shipping of the goods
• the clearing agent who administers the clearing of the imported goods through customs
• the supplier.

11.3.8.1 The forwarding agent and the clearing agent


This is a simple process. As we indicated earlier, ProRide (Pty) Ltd deals with only one company that
forwards (ships) and clears its imports. This company makes payments to the various other parties on
behalf of ProRide (Pty) Ltd. It then invoices ProRide (Pty) Ltd for the entire amount owed to it. ProRide
(Pty) Ltd treats this account like any local creditor.

11.3.8.2 The supplier


The supplier is paid when the conditions of the Letter of Credit have been met. This is essentially when
ProRide (Pty) Ltd’s bank receives the necessary documentation namely, the bill of lading (duly stamped by
the customs authority) and the invoice. The bank will not pay unless the documentation is complete and
meticulously correct. Once they are satisfied, they will transfer the money to the supplier’s bank and debit
ProRide (Pty) Ltd’s bank account.

11.3.8.3 Updating the LC payment register


When the transfer has taken place, it will immediately be revealed on the daily bank statement that is
downloaded through the Internet. Ruth Taylor will manually update the LC payment register by debiting
the foreign suppliers account. Selma Green (cash book clerk) is also notified of the payment and can update
the cash book on her terminal.

11.3.9 Updating the general ledger on the AS 400 system


As we pointed out earlier, the purchases/creditors system is not integrated with the general ledger on the
AS 400 system. At month end, Johan Els (financial manager) compiles the necessary journal entries for
purchases, creditors and cash book transactions and enters them into the general ledger on the AS 400.
This entry is checked in detail by the IT manager, Gary Powell and the financial director, Brandon Nel.

11.4 Auditing the cycle


11.4.1 Introduction
As the name suggests, the acquisitions and payments cycle deals with the goods (and services) that a
company purchases, and the payment by the company for those goods.
The acquisitions phase of the cycle is concerned with ensuring that the company acquires only those
goods (and services) it needs and that the goods are of the necessary quality and price. The payments phase
of the cycle seeks to ensure that only goods that have been validly ordered and received are paid for and
that the payment is authorised, accurate and timeous.
Chapter 11: Acquisitions and payments cycle 11/35

Obviously, companies do not only buy goods for resale or manufacture. Depending on the nature of the
company’s business, there will be expenditures on advertising, travel, consumables, entertainment, station-
ery or items of plant and equipment. However, whatever the “acquisition” is, the principles of controlling
the expenditure remain the same, that is, only expenditure relating to the business should be incurred, it
should be authorised before it is incurred, it should be appropriately recorded, and the payment for the
acquisition should be the correct amount and should be authorised. The authority for incurring the
expenditure may differ.
For example:
For an inventory item it may be a requisition signed by the warehouse manager, and a purchase order
signed by the chief buyer. For travel expenses, it may be an authorised budget and a travel approval form
signed by a department head, and for the acquisition of an item of equipment, it may be an authorised
budget and a directors’ minute.
Payments are usually authorised by the signature of a department head on supporting documentation
after suitable scrutiny. Payments of different amounts may be authorised at different levels.
In most reasonably sized businesses, the vast majority of acquisitions (other than for large items of plant
and equipment that are financed in a variety of ways) will be made on “credit”, which simply means that
the goods or services etc., will be paid for some time after the goods are received, say 30 days or 60 days
later, depending on the terms agreed with the supplier. This means that at any point in time the company
will have creditors. So in effect, the acquisitions and payments cycle gives rise to transactions and an account
balance both of that will need to be considered by the auditor in carrying out the audit of the cycle.
The audit of the cycle consists of two parts. In terms of ISA 315 (revised), the auditor is required to
identify and assess the risk of material misstatement at both financial statement level and at account
balance and transaction level. This means that in the context of this cycle, the auditor will need to evaluate
whether there is anything in the assessment of risk at financial statement level that may filter down into the
audit of the cycle and whether there are specific risks pertaining to the creditors balance in the AFS or to
the recorded purchase or payment transactions.
For example:
• at financial statement level: if there is an incentive for the directors to manipulate the financial state-
ments, one of the ways they may do so is by understating the accounts (trade) payable balance
• at account balance level: there may be an identified risk that the creditor’s balance is understated due to
a failure to raise the liability for goods received just prior to year-end
• At transaction level: risk assessment procedures may have revealed that purchase orders can be made
out and placed by the purchase order clerk without authority, or that employees authorised to make
EFT payments share passwords for “convenience’s sake” and that there is no independent recon-
ciliation of EFT payments after they have been made to source documentation.
Once the cumulative effect of the identified risk has been assessed, the auditor will be in a position to plan
“further” audit procedures and “other” audit procedures. Before moving onto the second part of the audit
of the cycle (i.e. the response to assessed risk), it is perhaps necessary to remind ourselves of the assertions
relating to the transactions in the cycle and the related balance, (i.e. accounts payable).

11.4.2 Financial statement assertions and the acquisition and payments cycle
Purchases
Occurrence: Purchases that have been recorded have occurred (they are not fictitious), and such
purchases pertain to the company.
Completeness: All purchases that should have been recorded have been recorded.
Accuracy: The amounts of purchases and other data if applicable, relating to recorded
purchases have been recorded appropriately.
Cut-off: Purchases have been recorded in the correct accounting period.
Classification: Purchases have been recorded in the proper accounts.
11/36 Auditing Notes for South African Students

Payments to trade
creditors
Occurrence: Payments that have been recorded have occurred (they are not fictitious), and such
payments pertain to the company.
Completeness: All payments that should have been recorded have been recorded.
Accuracy: The amounts of payments and other data, if applicable, relating to recorded pay-
ments have been recorded appropriately.
Cut-off: Payments have been recorded in the correct accounting period.
Classification: Payments have been recorded in the proper accounts.
Trade payables
Existence: Trade payables exist at year-end.
Obligations: Trade payables included in the balance represent obligations of the company.
Completeness: All trade payables that should have been recorded, have been recorded and all
related disclosures that should have been included in the financial statements, have
been included.
Accuracy, valuation Trade payables have been included in the financial statements at appropriate
and allocation: amounts, and related disclosures have been appropriately measured and described.
Classification: Trade payables have been recorded in the proper accounts.
Presentation: Trade payables are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of
the applicable financial reporting framework.

11.4.3 Fraud in the cycle


11.4.3.1 Fraudulent financial reporting
The most common way of manipulating the financial statements in this cycle is the:
• Understatement of trade creditors (trade payables): this will usually be done to improve the ratios in the
working capital sector of the statement of financial position or to avoid a net liability position. Auditors
will conduct comprehensive completeness testing on creditors where they believe such a risk exists.
• A common way of understating creditors is to manipulate “cut-off” at year-end, for example,
accounting after year-end for a purchase of inventory made prior to year-end, but including the inventory
purchased in the inventory on hand at year-end. This also has the benefit of increasing profits, so all
round the financial statements look much better.
• Of course if the directors’ objective was to reduce profits, they could do so by fraudulently increasing
purchases.
• Where companies trade with numerous related parties, manipulation of trade payables becomes much
easier.

11.4.3.2 Misappropriation of assets


As this is a cycle that actually deals with outflows from the business (i.e. payments), there are real
opportunities for management and employees to misappropriate cash and to a lesser extent, goods.
• Ordering of goods by employees or management for their personal use and having the company pay. This will
amount to the inclusion of invalid purchases (occurrence), and, if the creditor has not been paid by year-
end, the inclusion of fictitious creditors (obligation). For this type of fraud to be effective, the
perpetrator has to get the goods that have been ordered, this can be done in numerous ways such as
colluding with receiving or warehouse staff, or having the supplier deliver to an address other than that
of the company. A similar “misappropriation” that does not involve physical goods and may be easier
to perpetrate, would be for a director/manager to have the company pay for personal air flights and
have the purchase/payment recorded as business travel.
• Making completely fictitious payments to creditors (occurrence of purchases/obligation of creditors): This
is plain theft where those with the power to authorise payments (e.g., EFT signatories), authorise
payments to their own companies, friends, etc. No goods change hands and false documentation is
produced.
Chapter 11: Acquisitions and payments cycle 11/37

• Company claims VAT to which it is not entitled (completeness of liabilities): This is very often a “by-
product” of the frauds described above.
• Directors or employees accepting bribes from suppliers as an inducement to purchase goods from that (supplier)
company: This is a difficult situation because from a financial reporting perspective there may be abso-
lutely no problem. The goods purchased may be of the required quality and price, the order properly
authorised etc. The payment of the bribe may well be a problem in the supplier’s business but is in effect
“outside” the business of the company at which the person receiving the bribe is employed. Accepting
this type of inducement is likely to be in contravention of the company’s employment policies. In terms
of section 45 of the Auditing Profession Act, where directors receive such inducements, there may be a
reportable irregularity. Directors or employees setting themselves, family or friends up as suppliers and
then directing business to those entities is a variation of this practice and is effectively, a related party
transaction.
• Theft of goods at the receiving stage (existence of inventory): This will normally be an employee fraud,
and amounts to receiving clerks signing for goods received but not taking custody of all the goods
signed for. The goods that are stolen are sent out on the truck in which they were delivered and off-
loaded elsewhere. Collusion with the supplier delivery staff is required.

11.5 The auditor’s response to assessed risks


11.5.1 The auditor’s toolbox
As we discussed in chapter 5, in terms of ISA 500, the auditor has the following types or categories of audit
test available to him:
• Inspection • Re-performance
• Observation • Analytical procedures
• External confirmation • Inquiry
• Recalculation
These tests are not specific to a particular phase of the audit and can be used as risk assessment procedures,
tests of controls or substantive tests.

11.5.2 Overall responses to the risk of material misstatement at the financial statement
level
In terms of ISA 315 (revised), the auditor shall identify the risks of material misstatement at the overall
financial statement level and at the assertion level for transactions, account balances and disclosures.
Further, a significant risk is an identified and assessed risk that, in the auditor’s judgement, requires
special audit consideration. This does not mean that the auditor needs to be familiar with a whole new
range of audit procedures (have additional tools in his toolbox), but it does mean he will look closely at the
nature, timing and extent of the further audit procedures as well as the skills and experience of the audit
team.
In the context of this cycle, significant risks may include:
• the risks of fraudulent practices as discussed in point 11.4.3 above
• significant acquisitions being made from related parties, for example, companies within the group or
entities owned by a director
• the risk of the understatement of trade and other accounts payable.
In terms of ISA 330, the auditor must implement overall responses to address the assessed risk of material
misstatement at the financial statement level.
For example:
• assigning more experienced staff to the audit. This could be a response to the risk of manipulation of the
financial statements by understatement of the trade payables balance
• emphasising to the audit team the need to maintain professional scepticism, for example, to be alert to
the possibility that management may be having personal expenditures paid for by the company, and
• providing more supervision.
11/38 Auditing Notes for South African Students

11.5.3 Responding to risks at the assertion level


The auditor’s further audit procedures will be a mix of tests of controls and substantive tests. When
assessing risk at the assertion level, there is an underlying expectation on the part of the auditor that the
controls are operating effectively and essentially that they provide a foundation from which the substantive
tests can be developed. Simply expressed, if the controls are very strong, the auditor can place more
reliance on the totals and amounts produced by the accounting system and will be able to perform less
substantive testing and possibly substantive tests of a different nature. Timing of substantive testing could
be also affected.

11.5.4 “Other” audit procedures


In addition to carrying out risk assessment procedures and further audit procedures, the auditor is also
required to carry out “other” audit procedures. These are procedures that are carried out to ensure that the
engagement complies with the ISAs. In the context of the audit of any cycle, one of the other procedures to
be carried out would be to comply with ISA 265 – Communicating Deficiencies in Internal Control, to
those charged with governance and management. For a summary of this statement you should refer to
chapter 10.

11.6 Audit Procedures – Test of controls and substantive procedures


11.6.1 Tests of controls
11.6.1.1 Objective
The auditor tests a control to determine whether the control has been effective in achieving the objective for
which it was implemented in the first place. For example, in the context of this cycle, one of the objectives
of the control activities implemented by the company will be to ensure that purchases (acquisitions) of
goods are made only for the company.
To achieve this objective, the controls implemented might be that no goods may be purchased without
an official purchase requisition that is signed by the warehouse manager, and an official purchase order
that is prepared by a purchase order clerk and approved by the senior buyer. The auditor is interested in
this control because if it is effective, he will have gained some evidence that the purchases recorded in the
accounting records do not include purchases that were made by employees for their own use (and that were
subsequently paid for by the company). To extend the example, the company will want to ensure that all
goods ordered were received, and only goods that were ordered and received, are paid for. The controls
implemented by the company to achieve these objectives will include the physical checking of the goods by
the receiving clerks, the completion of a GRN, and careful scrutiny by reasonably senior personnel before
payment is authorised. The auditor’s interest in whether these controls are functioning is obvious; if all the
controls are working effectively, the auditor obtains worthwhile evidence that the purchases recorded
actually occurred, were authorised and were accurately and completely recorded and processed.

11.6.1.2 Timing of tests of controls


The auditor needs to gain evidence that the controls on which he intends to place reliance were operating
throughout the financial year under audit, so these tests of controls may be carried out at different stages
throughout the year during interim visits to the client. However, much of the evidence that a control has
worked throughout the year, may be revealed by the audit trail that is created. For example, the auditor
could choose a sample of recorded purchases from throughout the year and test that the supporting pur-
chase documentation consists, inter alia, of a signed purchase requisition and approved purchase order.
This does not prove that the purchase requisition and purchase order were authorised before the order was
placed, but combined with other evidence that the auditor will seek, for example, about the receipt of the
goods and the payment for the goods, strong persuasive evidence that the controls were functioning at that
time will have been gathered. If however, the auditor discovers that there are GRNs and supplier invoices
that are not supported by an approved requisition and purchase order, he gains evidence that the controls
were (are) not effective. This is likely to increase the substantive tests that will need to be carried out.
Chapter 11: Acquisitions and payments cycle 11/39

11.6.1.3 The nature of tests of controls


As pointed out earlier in this section, the auditor uses an assortment of procedures when conducting tests of
controls in this cycle. Controls in this cycle will vary from company to company and the auditor will need
to select a suitable mix of procedures to achieve his overall objective of determining whether the controls
implemented were (are) effective. This can be illustrated as follows:

Inspection
• A sample of recorded purchases could be selected and the supporting requisition and purchase order
could be inspected for an authorising signature.
• A sample of purchase orders could be compared to the list of approved suppliers to confirm that pur-
chases are made only from approved suppliers. This procedure may be supplemented by inquiry and
inspection of supporting documentation that provides evidence that a supplier is only added to the list
of approved suppliers after a thorough and independent evaluation of the supplier. This reduces the risk
that purchases can be made from businesses connected to the company’s order clerk, buyer or members
of management, and that purchase of goods that are not for the company’s use, can be made.
• Inspect the masterfile amendment log and supporting documentation for indication of approval for the
addition of a supplier to the creditors masterfile during the year.
Note: In some systems there may be no visible indication of approval of say, the purchase order as it is
given “on the system”. This on-screen approval might be effected by the purchase order clerk being
unable to print or email a purchase order until approval has been given by the employee (chief
buyer) whose access profile permits approval of purchase orders. The appropriate test may be for
the computer audit division to look at and test user profiles as part of a system orientated CAAT.
Alternatively, the auditor may be able to infer (assume) that approval of the purchase order does in
fact take place if other tests of controls in the process, for example, controls over payments to
creditors, prove to be effective.

Inquiry
• For example, inquire of the receiving clerk as to:
– the procedures he follows when goods are delivered
– what happens to goods that are delivered but are not as listed on the purchase order (wrong goods,
short delivered, over delivered).
• Inquire of the purchase order clerk as to what procedure is followed for placing an order if there is no
purchase requisition provided, for example, he gets a verbal instruction to place an order.
• Inquire of the financial accountant (or similar) as to what happens when a payment by EFT must be
made and one of the individuals required to “authorise” a payment, is not available.
Note: Questions put to employees should be expressed in a way that requires more than a “yes” or “no”
response. In this way the auditor will learn more about the effectiveness of the control and may be
provided with information he least expected.

Observation
• Observe the procedures that are carried out by the receiving clerk when a delivery is received from a
supplier.
• Observe the “authorise” and “release” procedures being undertaken for the payment of a creditor.
Note: Observation is not a very convincing procedure as the employee is likely to do what he is supposed
to do because he knows the auditor is watching! Observation would always be matched with other
procedures, for example, when observing the receiving of goods, the auditor may request the
receiving clerk to insert an invalid purchase order number into the system to see what happens (it
should be rejected).

Re-performance
The auditor may choose to re-perform a sample of creditors’ reconciliations.
With regard to accuracy and completeness of processing and recording of transactions promptly and in
the correct accounts, especially in integrated real-time systems, current accounting software is very fast,
efficient and reliable. The auditor is likely to concentrate tests of controls on controls over the authorisation
11/40 Auditing Notes for South African Students

of transactions and the controls over reviewing and reconciling the results of processing, for example, logs,
reports, listings, etc. If these controls appear to be operating successfully, the auditor can assume that
processing controls are effective.

11.6.2 Substantive procedures


11.6.2.1 Nature of substantive procedures
In auditing the cycle so far, the auditor has carried out procedures to:
• identify and assess the risk of material misstatement, and
• gather audit evidence about the operating effectiveness of the controls (tests of controls).
The auditor is now required to conduct substantive tests that as we have seen, are designed to detect
material misstatement at the assertion level. Substantive tests consist of:
• tests of details of classes of transactions, account balances and disclosures, and
• substantive analytical procedures.
The difference between tests of detail and analytical procedures is that the former consists of auditing the
detail of the transaction, account balance or disclosure, while the latter provides more general or overall
evidence. The types of procedure carried out will still be those listed in point 11.4.4.3 with the obvious
exception of analytical procedures.
For example, in carrying out a test of detail on a purchase invoice, the auditor would inspect the
supporting documentation and agree dates, cross-referencing, amounts, etc., and may re-perform the casts,
extensions and VAT calculations.
When conducting substantive analytical procedures, the auditor does not consider the detail but rather the
“overall picture”. He will compare totals of transactions and account balances to the same totals and
account balances for different periods, or consider changes in the make-up of totals in relation to other
periods or industry norms, etc., with the intention of identifying any strange or unusual fluctuations.
For example:
The auditor may compare balances on individual creditor’s balances year-on-year and follow up on any
major or unexpected differences, or he may calculate ratios such as total purchases divided by accounts
payable, again for comparison to prior years.
In terms of ISA 330, the auditor must design and perform some substantive procedures for each material
class of transaction, account balance and disclosure, regardless of the assessed risk of material misstate-
ment. In other words, the auditor cannot decide that because he has assessed the risk of material misstate-
ment as low, and because his tests of controls provide persuasive evidence that controls had operated
effectively for the period under review, there is no need to do any substantive testing. The reason behind
this is that:
• risk assessment is judgmental and the auditor may not have identified all risks, and
• internal control has inherent limitations, including management override, for example, an employee
who refused to authorise a purchase order because it was not for goods used by the company, may have
been overridden by a senior member of management wishing to have the company purchase the goods
for his own personal use.
However, the auditor does not necessarily have to carry out both tests of detail and analytical procedures. If
assessed risk is judged as low and tests of controls indicate that controls are operating effectively, the
auditor may decide that all that is required to reduce audit risk to an acceptable level is the performance of
analytical procedures. In practice it is common for the auditor to use a combination of tests of detail and
analytical procedures when conducting substantive tests.

11.6.2.2 Timing of substantive procedures


Most substantive testing takes place at or after year-end. This is logical as these tests are aimed primarily at
gathering evidence about the account balances and disclosures in the financial statements. In practice,
however, there is often an audit deadline (a date by which the audit must be completed) that forces the
auditor to carry out extensive substantive (and other) testing at an interim date, say two months prior to
year-end. In the context of this cycle, the auditor may choose to conduct substantive procedures to verify
the balance on the trade payables account at the 10-month period and then “update” this work for the year-
end trade payables account by conducting tests on the remaining two months, during the two months and
Chapter 11: Acquisitions and payments cycle 11/41

at year-end. These tests, that will be a mix of tests of controls and substantive tests, are termed “roll
forward tests”.

11.6.2.3 Extent of substantive testing


The extent of substantive testing is generally regarded as being a function of (determined by) the assessed
risk of material misstatement and the results of tests of controls. In general, the greater the risk of material
misstatement, and the less effective the controls appear to be, the greater the amount of substantive testing.
In the case of substantive testing of disclosure, qualitative materiality will be an important factor.
For example:
The substantive testing of the disclosures relating to director’s emoluments is likely to be both detailed
and extensive. The extent of testing is usually reflected in the size of samples used for testing as well as the
type of tests being carried out.
Overall the auditor is required to obtain sufficient appropriate evidence to satisfy himself that audit risk
has been reduced to an acceptable level.

11.6.3 Substantive procedures of transactions in the acquisitions and payments cycle


11.6.3.1 Purchases
The following example illustrates the substantive audit procedures (by assertion) that the auditor may
conduct on a purchase transaction. Assume that a purchase has been selected from the purchase journal of
a manufacturing company, ExWhy (Pty) Ltd.
• Occurrence (the recorded transaction has occurred and it pertains to ExWhy (Pty) Ltd)
– Inspect the supporting documentation (purchase order, supplier delivery note, GRN and invoice) to
confirm that:
o the (external) documents are made out to ExWhy (Pty) Ltd and are from an approved supplier
o all documents are correctly cross-referenced to each other
o each document is signed by the designated authority, for example, chief buyer, receiving clerk
o the goods purchased are of a type used by the company.
– Inspect the cash payments records/EFT schedules/bank statements to confirm that the goods were
appropriately paid for; payment authorised, correct payee, correct amount (see note (a)).
• Accuracy (the amount of the purchase has been recorded appropriately)
– Confirm the mathematical accuracy of the invoice by recalculating all extensions (quantity × price),
casts and discounts.
– Agree the quantity of items charged on the invoice, against the quantity on the goods received note.
– Confirm prices and trade discounts used on the invoice by inspection of the order or purchase
contract.
– Recalculate VAT, and by inspection of the invoice, confirm that discounts are taken into account
prior to the calculation of VAT.
– By inspection, confirm that the VAT number and details of the supplier as well as the supplier’s VAT
number are clearly presented on the supplier tax invoice (for a valid input credit to be recorded, a
valid supplier tax invoice is required).
• Cut-off (the purchase has been recorded in the correct accounting period)
– Inspect the dates on the supplier delivery note, goods received note, and invoice to confirm that the
goods were received during the accounting period under audit. (The date on these documents should
also coincide with the month in which the purchase is recorded in the purchase journal.)
• Classification (the purchase has been recorded in the proper accounts)
– Inspect the purchase order to determine the expense or asset account to which the purchase should be
allocated and posted (this should have been entered on the purchase order by the buyer) and trace the
posting from the purchase journal to the designated expense or asset account in the general ledger.
– Establish the description of the goods purchased (by inspection of the purchase documentation) to
confirm that the classification of the purchase is appropriate, for example, the purchase of a non-
current asset has not been written off as an expense.
11/42 Auditing Notes for South African Students

– Inspect the purchase journal (and invoice) to confirm that VAT has been correctly allocated and
posted.
– Inspect the supplier’s account in the creditors ledger to confirm that the purchase was correctly
posted from the purchase journal.
• Completeness (all purchases that should have been recorded have been recorded)
– To test the completeness of purchases, the auditor will test from a document recording the receipt of
the item purchased to the recording of the purchase in the records. The auditor may choose a random
sample of GRNs from the sequence of GRNs and trace them through to the corresponding invoices.
Tests of detail would then be carried out as described above. If there was no corresponding invoice,
the purchase may not have been recorded.
Note (a) Strong corroborative evidence for the occurrence assertion is obtained if a properly authorised
payment for the purchase is recorded. The auditor is likely therefore, to extend the testing of his
sample of purchases to include the testing of the corresponding payment.
Note (b) Some of the procedures described above may be regarded as “tests of controls”, for example,
inspecting the purchase order to confirm that it was made out to an approved supplier,
or checking for authorising signatures. This is not an issue as the auditor frequently carries
out “dual purpose tests” that provide some evidence of the effectiveness of controls and some
substantive evidence. In the context of the audit, this may be an efficient way of gathering
evidence.
Note (c) For some of the purchases made by the company, there may be no specific purchase order or
goods received note to tie to the invoice, for example, the purchase of a service or a non-physical
item that is not “delivered”, such as travel expenses or delivery charges. In these instances, the
auditor will still test the accuracy of the invoice but will seek alternative source documentation
to support the purchase.
11.6.3.2 Payments
Tests of detail on payments will again concentrate on the assertions relating to transactions. As indicated
earlier, a payment in the context of this cycle is normally linked directly to a purchase and the auditor may
extend his tests of detail on purchases to the corresponding payment. However, the auditor also wants
evidence that payments recorded in the cash book were in respect of actual valid purchases that occurred.
The auditor may therefore select a sample of payments from the cash payments journal and test as follows:
• Occurrence
– Obtain the invoice supporting the payment.
– Inspect the invoice to confirm that:
o it is made out to ExWhy (Pty) Ltd
o is for goods, services or other expenditures normally used or incurred by the company and is from
a supplier on the approved supplier list.
– Inspect the authority for the payment, for example:
o appropriately approved purchase order, GRN
o appropriately approved expenditure requisition or claim, for example, travel expenses authorisa-
tion
o approved payment requisition.
• Accuracy (the amount of the payment has been recorded appropriately)
– Re-perform the casts and calculations on the invoice.
– Agree the amount of the invoice to the payment in the cash payments journal.
• Cut-off (the payment has been recorded in the proper accounting period)
– Inspect the dates on the payment, the invoice and supporting documentation to confirm they fall
within the period under audit and are reasonable in relation to each other.
• Classification (the payment has been recorded in the proper accounts)
– Trace the payment to the general ledger and creditors ledger to confirm that the posting has been
made to the creditors control account and the correct creditor in the creditors ledger.
– Where “the purchase” has not gone through the purchase journal (not raised as a creditor), confirm
by inspection of the description on the invoice or payment requisition, that the payment has been
allocated and posted to the correct account in the general ledger, for example, travel expenses.
Chapter 11: Acquisitions and payments cycle 11/43

• Completeness (all payments that should have been recorded, have been recorded)
The situation where a payment has been made but has not been entered in the cash payments journal
should be revealed by inspection or re-performance of the bank reconciliation statement.
Note: The auditor may also wish to perform tests of detail on a sample of payments reflected in the
individual creditors’ accounts. Similar tests to those described above would be carried out.
Where payment was by EFT, the auditor will inspect the applicable schedule of EFT payments for
authorising signatures and will inspect the audit trail/bank statement/remittance advice, to confirm that
the EFT was made to the correct payee. The auditor will also consider the extent to which he can rely on
those senior officials who have the “authorise” and “release” privileges for EFTs to carefully check the pay-
ment details before the EFT is made.

11.6.3.3 Substantive analytical review procedures


• The auditor will supplement his tests of detail by conducting some analytical procedures. These may
include:
– comparisons of expenditure categories month to month or to prior periods, for example, purchases of
goods for resale, travel costs, advertising, repairs and maintenance, consumables, motor vehicle
expenses, etc.
– calculation of each expense as a percentage of say, gross profit or total expenses and comparison of
the percentages to prior periods, and
– comparison of actual expenses to budgeted expenses.
• Abnormal fluctuations would be followed up by:
– vouching material fluctuations by tracing entries to source documentation for investigation, for
example, valid expense, correct amount recorded, and
– discussion with management.

11.6.4 Substantive procedures on the trade and other payables balance


The main thrust of substantive testing in this cycle will be on the trade and other payables account balance
at year-end. Current liabilities on the statement of financial position will often be made up of other
balances that may include short-term borrowings, bank overdrafts, taxation payable, etc. The most material
balance is usually trade and other payables (often referred to as trade creditors), and the audit procedures
that follow relate primarily to the audit of trade and other payables. In practice, trade and other payables
are often referred to as trade creditors, accounts payable, etc., all of which are generally intended to mean
creditors arising out of trading activities. To an extent, we have used the terms interchangeably.

11.6.4.1 Assertion: Obligation – the trade payables represent obligations pertaining


to the company
The evidence for the obligation assertion is supplied by inspecting the supporting documentation, state-
ments, invoices, etc., to confirm that they are:
• made out in the name of the company, and
• in respect of purchase of goods (or services) that are used by the company.
This inspection will take place when creditors’ reconciliations are audited as a year-end valuation proced-
ure and when any tests of transactions are conducted.

11.6.4.2 Assertion: Existence – trade payables included in the balance actually exist,
they are not fictitious
The existence assertion for trade payables is usually a low risk assertion as companies do not normally wish
to overstate their liabilities, so in the absence of any contrary evidence, the auditor can assume that the
trade payables (and other liabilities) that appear in the statement of financial position, do actually “exist”.
The auditor will however, perform “cut off” tests at year-end, to confirm that purchases and creditors have
not been overstated and have not been prematurely raised. Bearing in mind that if management are intent
on overstating purchases/creditors to manipulate the financial statements, they would do it for material
amounts, the auditor should:
• record the number of the last GRN for the year (cut-off number)
11/44 Auditing Notes for South African Students

• select from the purchase journal, material purchases entered during the last two weeks of the year and
trace to the relevant GRN and supplier delivery note (via the invoice), and
• inspect these documents to confirm that the GRN number is lower than the cut-off number and that the
documents are dated prior to the year-end date.
These tests should reveal whether the company is holding the purchases journal “open” into the next
financial year in an attempt to manipulate the figures at financial year-end. (Note: The intention of these
tests is to determine whether the liability existed at year-end.)

11.6.4.3 Assertion: Accuracy valuation and allocation – trade payables are included
in the financial statements at appropriate amounts and related disclosures
have been appropriately measured and described
The carrying value of trade payables will in effect be the total amount of trade payables (and accruals)
because, unlike asset accounts, there is no need to write-down the balance (make allowances) for obsoles-
cence, depreciation, impairments or bad debts.
• Agree the list of individual creditor’s balances to the balance on the creditors control account.
• Agree a sample of individual creditor’s balances on the list to the individual creditor’s account in the
creditors ledger.
• Agree the total of the accrual and creditors control accounts in the general ledger to the trial balance.
• Re-perform casts of the creditors control account, and the creditors list.
• Identify any debit balances on the creditors list, establish the reason with the purchases manager and
consider whether the balances should be transferred to debtors.
• Select a sample of creditors (that includes the company’s major suppliers) from the creditors list and
obtain the year-end creditors reconciliations performed by the creditors clerks:
– re-perform the casts of the reconciliation
– agree balances on the reconciliation to the creditors statement and creditors listing
– test the logic of the reconciliation
– by inspection of the supporting documentation and by inquiry and confirmation, confirm the validity
of reconciling items
• If applicable, select a sample of foreign creditors from the creditors list and by scrutiny of the supporting
documentation (invoice), determine the amount owed to the creditor in the foreign denominated
currency.
• Obtain from a financial institution or suitable publication, the applicable currency exchange rate at the
financial year-end (spot rate), and
– using the spot rate, compute the amount owed to the creditor at the financial year-end in local cur-
rency (rand)
– compare this amount to the amount recorded for the creditor on the creditors list and, if necessary,
request adjustment. The foreign creditor will have been raised initially at the rate ruling at transaction
date i.e. the date on which the risks and rewards of ownership passed, and may require adjustment
for any change to the exchange rate.
Note: The creditors balance will be written up or down, and the corresponding entry will be to an
exchange loss or gain.
• Obtain a list of accruals from the client:
– Cast the list.
– Agree the total on the list to the account in the general ledger, the trial balance and the statement of
financial position (the amount will be included in creditors).
• Agree amounts recorded on the accrued list to invoices, statements, etc., and re-perform any calcula-
tions, for example, leave pay accrual.
Chapter 11: Acquisitions and payments cycle 11/45

11.6.4.4 Assertion: Completeness – all trade payables and accruals that should have been
recorded have been recorded, and all relevant disclosures that should have been
recorded have been recorded
It is generally considered that completeness is the assertion most at risk of material misstatement as the
company is more likely to understate its liabilities than overstate them. The auditor is therefore concerned
about what is not in the account but should be, so completeness tests are focused on identifying unrecorded
liabilities:
• Compare the list of creditors at the current year-end to the previous year-end, to identify:
– creditors on the previous list who do not appear on the current list
– creditors balances that are significantly smaller at the current year-end, and
– by enquiry and inspection, determine and evaluate the reason.
• Inspect the creditor’s correspondence file for correspondence relating to unsettled disputes with sup-
pliers, and by discussion with management, determine whether any adjustments to creditors are requir-
ed, for example, the audit client may be disputing the actual delivery or condition of the goods delivered
and may not have raised the liability.
• If available, inspect the list of GRNs that were unmatched to invoices at year-end. (This list should have
been obtained by the auditor at year-end when document cut-off numbers were taken.) Confirm, by
inspection, that a journal entry raising the corresponding creditors at year- end has been passed, and
that the amounts raised are correctly computed by:
– obtaining the price of the goods received (from the order or pricelist or corresponding invoice if it has
arrived), and
– recomputing the amount owed.
• Select a sample of material purchases from the purchase journal for the month following the year-end
and trace to the goods received note applicable to the purchase, to confirm that:
– the GRN number is greater than the GRN “cut-off” number (see 11.6.4.2)
– the dates on the GRN and supplier delivery note are after the financial year-end.
• Select a sample of large payments from the cash payments journal for the month(s) after the financial
year-end and, by inspection of the GRN and delivery note, confirm that if the payment relates to goods
or services received prior to year-end, the corresponding creditor had been raised at year-end.
• Inspect the work papers relating to creditors’ reconciliations to identify any instances of reconciling
items that result in understatement of the creditors balance, for example, a disputed amount pre-
maturely written off, and follow up with management.
• Inspect the work papers from attendance at the inventory count and investigate any instances of
physical inventory materially exceeding recorded inventory. This may indicate deliveries received prior
to year-end that have been included in physical inventory but for which no entries in the records have
been made (i.e. no goods received note or invoice from which to raise the liability).
• Inspect the general ledger accounts for periodic expenses to determine whether all amounts have been
correctly accrued, for example, rent, electricity, have 12 debits to the expense accounts.
• Perform analytical procedures and follow up on any material fluctuations, for example:
– current year purchases, creditors and accruals at year-end to prior years
– trade payables as a percentage of current liabilities
– trade payables days outstanding compared to prior years.
• Enquire of the financial accountant whether suppliers of services (as opposed to goods) who provided
the service prior to year-end, have been raised as creditors.
• Inspect the creditors control account for unusual debit entries.
• If necessary, obtain confirmation of balances direct from a sample of creditors (i.e. conduct a positive
creditors confirmation). It may be appropriate to obtain direct confirmations of:
– nil balances
– major creditors (to confirm that the balance is not understated despite being large)
– balances that have significantly reduced since the prior year
– creditors for whom there are no statements.
11/46 Auditing Notes for South African Students

• Include reference to the completeness assertion for trade payables and accruals in the management
representation letter.

11.6.4.5 Assertion: Classification


By enquiry of management and reference to the audit documentation on purchases and scrutiny of the
trade payables account, confirm that:
• only amounts payable to trade creditors with in twelve months have been included in the account, and
• that the balance on the account does not include amounts that should not be included, for example,
short-term borrowings, provisions, bank overdraft.

11.6.4.6 Assertion: Presentation


By inspection of the notes to the financial statements, confirm that:
• disclosures are in terms of the applicable reporting framework, for example, trade payables are
presented on the face of the statement of financial position under current liabilities
• any aggregations or disaggregations are appropriate and relevant
• disclosures are accurate in terms of the audit documentation (amounts, details, facts)
• disclosures are clearly described and understandable in the context of IFRS, IFRS for SMEs as applic-
able, for example, accounting policy relating to currency translation for foreign creditors, and
• all disclosures pertaining to trade and other payables as required are included.

11.6.5 The use of audit software (substantive procedures)


If the company’s system is computerised and suitable software is available, it can be very useful to the
auditor. The use of audit software to audit the creditors’ masterfile is perhaps a little less effective than
when using software to substantively test asset accounts. This is because with asset accounts, the auditor is
concerned with what is included in the account, while with the creditors’ balance, the auditor is more
concerned with what is not in the records. However, the software can still be put to good use.
• The creditors masterfile can be cast (added) to obtain the total amount owing and a detailed list of
creditors and their balances can be printed. The aging of creditors can also be cast and cross cast to the
total.
• The masterfile can be scanned for “error” conditions:
– blank fields, for example, missing account numbers, and
– debit balances.
• The masterfile for the current year-end can be compared to the prior year masterfile to identify:
– significantly reduced balances, and
– creditors who no longer appear.
• The software can be used to extract samples, for example:
– amounts above a certain amount, and
– nil balances.
• The software can be used to extract lists of any creditors that can be identified by a particular field or
code, for example, a creditor with whom the company is in dispute may be identified by the addition of
a code to its record.
Note: The creditors masterfile will usually contain the following fields:
• account number
• name
• address and contact details
• total amount payable
• aging of total amount payable, and
• payment and discount terms.
Chapter 11: Acquisitions and payments cycle 11/47

11.6.6 Automated application controls in acquisitions and payments cycle


The auditor can also rely on automated application controls to test the acquisitions and payments cycle.
Automated application controls apply to the processing of individual applications. They are “automated”
or “automated with manual procedures” that operate at a business process level. Automated controls are
controls designed to confirm completeness, accuracy and validity of processed transactions with a financial
impact. For more details on automated application controls, please refer to chapter 8.
Depending upon the audit approach adopted (substantive or control based), the approach for automated
application control tests may vary.
For example:
Should the IT general controls environment have limited findings and the control environment is
considered effective, automated controls may be tested.
If the IT general controls environment is considered not effective, the auditor may still rely on automated
controls but will need to test the access and change management around the automated application control
embedded in the application.
The auditor should report on shortcomings identified in the existing processes as well as weaknesses
identified during the review with recommendations to improve.
Some automated application controls to consider when testing acquisitions and payments cycle:
Purchasing approval levels
• Determine whether the application has been configured to incorporate specific approval limits and
different authorisation levels when purchasing.
• Determine who has access to change the limits within the application.
• Have any changes been made to the limit configuration during the period under review?
• Have changes been authorised in the application?

Unmatched invoices
• Determine whether the application has been configured to match invoices to purchase orders when
purchasing.
• Determine who has access to change the configuration within the application.
• Have any changes been made to the configuration during the period under review”
• Have changes been authorised in the application?
• Review report for unmatched purchase orders for trends and inconsistencies.

Creditors masterfile
• Determine who has access to change the vendor masterfile within the application.
• Have any changes been made to the vendor masterfile during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one change to a vendor masterfile assess the authorisation process of adding
a new vendor.
CHAPTER

12
Inventory and production cycle

CONTENTS
Page
12.1 Accounting system and control activities ......................................................................... 12/3
12.1.1 Introduction ....................................................................................................... 12/3
12.1.2 Objectives of this section of the chapter................................................................ 12/3
12.1.3 Characteristics of the cycle .................................................................................. 12/3
12.1.4 Basic functions for any inventory and production cycle ........................................ 12/5
12.1.5 Documents used in the cycle ............................................................................... 12/5
12.1.6 Warehousing: Function, documents, risks and control activities ........................... 12/7
12.1.7 Production: Function, documents, risks and control activities ............................... 12/8
12.1.8 Inventory counts: Cycle counts and year-end counts............................................. 12/9
12.1.9 Computerisation of the inventory and production cycle ........................................ 12/12

12.2 Narrative description of the inventory cycle at ProRide (Pty) Ltd ..................................... 12/13
12.2.1 Introduction ....................................................................................................... 12/13
12.2.2 Segregation of duties ........................................................................................... 12/13
12.2.3 Approval and authorisation and isolation of responsibility.................................... 12/13
12.2.4 Access/custody controls...................................................................................... 12/14
12.2.5 Comparison and reconciliation ............................................................................ 12/15
12.2.6 Performance reviews and the use of logs and reports ............................................ 12/15
12.2.7 Conclusion ......................................................................................................... 12/16

12.3 Auditing the cycle ............................................................................................................ 12/16


12.3.1 Introduction ....................................................................................................... 12/16
12.3.2 Important accounting aspects of the inventory and production cycle ..................... 12/16
12.3.3 Financial statement assertions and the inventory and production cycle ................. 12/18
12.3.4 Fraud in the cycle ............................................................................................... 12/19

12.4 The auditor’s response to assessed risks .......................................................................... 12/20


12.4.1 The auditor’s toolbox .......................................................................................... 12/20
12.4.2 Overall responses to risks of material misstatement at financial statement level ..... 12/20
12.4.3 Responding to risks at assertion level ................................................................... 12/21

12/1
12/2 Auditing Notes for South African Students

Page

12.5 Audit procedures - Tests of controls and substantive procedures..................................... 12/21


12.5.1 Tests of controls .................................................................................................. 12/21
12.5.2 Substantive procedures........................................................................................ 12/21
12.5.3 Substantive procedures – Inventory count attendance ........................................... 12/22
12.5.4 Substantive procedures – Post inventory count ..................................................... 12/23
12.5.5 The use of audit software (substantive testing) ...................................................... 12/27

12.6 Automated application controls in inventory................................................................... 12/30


Chapter 12: Inventory and production cycle 12/3

12.1 Accounting system and control activities


12.1.1 Introduction
Now that the revenue and receipts cycle and the acquisitions and payments cycle have been covered (in
chapters 10 and 11 respectively), we move on to the inventory and production cycle. In practice, this cycle
is given a number of different names such as the conversion cycle, the inventory and warehousing cycle,
etc., so it is important to understand what happens in the cycle. The cycle deals with:
• the custody and safekeeping of inventory in whatever form it is, (i.e., goods held for resale or manufac-
ture, and finished goods), and
• the recording of costs where a production/manufacturing process occurs.
Because of the diversity of business activities, each organisation will have its own specific requirements in
relation to this cycle.
For example:
A wholesaler of consumer goods will be concerned only about sound controls over the receiving of in-
ventory, keeping it safe and secure for the time that it is in the warehouse, and issuing the inventory to the
retailer.
The physical form of the inventory is not altered; it comes in, is stored and it goes out when it is sold.
Another example:
A motor manufacturer, by contrast, has a far more complicated cycle to cope with. Component parts
must be received and stored; they must then be issued to the production department for the manufacturing
of the motor vehicle. Once this has occurred, the motor vehicle must be transferred to a finished goods
storage area, from where it will be removed (issued) when sold.
When a company manufactures an item, it will be necessary to accumulate the costs applicable to pro-
ducing that item. These consist of the costs of materials, wages incurred in manufacturing the items and
production overheads. Part of this cycle’s function is to control these costs. Broadly stated, production can
take place on a “process cost” basis or a “job cost” costing basis.
• Process costing takes place when a large quantity of like items are manufactured on a production line,
for example, hundreds of plastic chairs are being manufactured day after day.
• Job costing takes place when a unique item (an item with its own specifications) or a small number of
the same item is manufactured as a job.
You will also come across combinations of the above, but the principles of controlling costs remain the
same.

12.1.2 Objectives of this section of the chapter


The objective of this section of the chapter is to provide you with a basic understanding of how the cycle
fits into the company’s activities and why it is so important. We have also provided a broad description of
control activities when the cycle also includes a production element.

12.1.3 Characteristics of the cycle


12.1.3.1 Heart of the business
For most businesses, inventory is the most important part of the organisation. The entire organisation is
often shaped around the type of inventory in which the business deals, i.e., its plant and equipment will be
specific to its production; the warehouse will be designed to store its inventory safely and securely and all
the other cycles are dependent upon it. Obviously, it must be a product that has a market.

12.1.3.2 Effect on the financial statements


Inventory is usually the major component in the calculation of cost of sales, gross profit and net profit. It
plays a prominent role in the fair presentation of the financial statements and for this reason material
misstatement in inventory, in whatever form it comes, will often be pervasive to the financial statements.
For this reason and 12.1.2.1 above, the accounting system and related control activities within the cycle
must be well designed and strictly adhered to.
12/4 Auditing Notes for South African Students

For example:
A strong control environment must be maintained and physical access controls must be in place. Many
businesses have collapsed because they failed to control their inventory.

12.1.3.3 An internal cycle


This cycle has no direct interface with entities outside the company. The acquisitions cycle “puts in” the
inventory and the revenue cycle “takes out” the inventory. Therefore, control in the inventory cycle re-
quires good control within these two other supporting cycles.
For example:
If goods are not properly counted when they are received (part of the acquisitions and payments cycle),
the warehouse will not be able to maintain accurate records.

12.1.3.4 A physical asset


Because the cycle deals with physical assets (as opposed to “non-physical” book assets, e.g., debtors),
extensive physical controls are usually required. The reasons for this are obvious:
• inventory can be stolen for resale or use, a particular problem when the company deals in consumable
items, such as clothing, foodstuffs, electronic goods, and
• physical assets can be damaged, for example, glass products can be broken, paper products destroyed by
fire or water.
Many companies need to go to considerable lengths to protect their inventory and the list of physical
controls is endless. Guards, electronic alarms, surveillance, armoured glass (jewellery stores), restricted
access, air-conditioning, fire alarms and extinguishing systems are common methods. Eventually the
cost/benefit requirement for internal control comes into play, and companies have to decide on the most
effective manner of physically protecting their inventory while remaining within their budget.

12.1.3.5 Inventory fraud


Because inventory is so central to the fair presentation of the financial statements, directors of companies
who wish to manipulate the profits and assets they are reporting can do so very effectively by manipulating
the inventory balance at the year-end.

12.1.3.6 Diversity of inventory


The accounting system and related control activities must be able to deal with inventory that is diverse in
nature, location, permanence and stage of development:
• Nature : easy to identify, for example, fridge, cricket bat, vehicle
: hard to identify, for example, chemicals, precious stones
: growing or moving, for example, plants, chickens, game
• Location : multiple warehouses
: obscure locations
: in the possession of others for example, customs, on consignment
: in transit
• Permanence : fresh produce
: products with expiry dates, for example, medicine
: technological obsolescence
• Stage of development : raw materials
: work in progress
: finished goods
This diversity also has an effect on the auditor as the assertions relating to inventory are directly affected by
its characteristics, for example, how does the auditor gather evidence about the existence of gas, the net
realisable value (valuation) of products that are subject to rapid technological obsolescence, the rights to
inventory held in someone else’s possession or the completeness and existence of inventory held at multiple
and obscure locations?
Chapter 12: Inventory and production cycle 12/5

12.1.4 Basic functions for any inventory and production cycle


As indicated earlier, the inventory and production cycle is an internal cycle that must achieve three things.
It must:
• control the physical transfer (movement) of inventory (in its various forms)
• protect the inventory from damage, loss and theft, regardless of whether it is manufactured inventory or
inventory purchased for resale, and
• plan, control and record the costs of manufacture.
The diagram below represents the cycle in a simple format. It illustrates that goods received from suppliers
follow one of two paths, namely, to the raw material and component store, on to production and into the
finished goods warehouse, or direct to the “goods for resale” warehouse. The diagram also indicates where
a transfer takes place (arrow head) and where physical controls over inventory are required (C).

C C C
Raw material and Production Finished goods
component store warehouse

Receiving Despatch
manufactured goods

inventory purchased for resale goods for resale


warehouse C

12.1.5 Documents used in the cycle


This section outlines the commonly used documents used in the inventory and production cycle. This is
not an exhaustive list, but it highlights the conventional documents that may be found in the cycle.

12.1.5.1 Goods received note


On transfer of inventory items (of whatever kind) from the goods receiving bay into the warehouse, the
warehouse clerk will sign the goods received note that was made out when the goods were delivered by the
supplier.

12.1.5.2 Materials (components) requisition, materials (components) issue note


A materials (component) requisition is a documented request to the warehouse to release materials or
components to the production section, and a materials (components) issue note records the issue of materi-
als to production.

12.1.5.3 Manufacturing or production schedules


These documents are used to notify the production/manufacturing department as to what is to be pro-
duced. What is to be produced will be decided by an analysis of future sales (forecasts), current inventory
holdings of finished goods and specific orders or contracts that have been obtained. The analysis will be
committed to a production plan.

12.1.5.4 Job cards


A job card is a document that tracks the stages of production for a specific job. As costs are accumulated,
for example, raw materials used, labour hours expended, they are recorded on the job card. At a later stage,
an overhead allocation can be made to arrive at the total cost of production.

12.1.5.5 Production report


Production reports are documents that are used to report results of production, output, wastage loss, etc., at
identifiable stages or completion of production or for specific cost centres.

12.1.5.6 Costing schedule


A costing schedule is used to identify and quantify all the costs that it is anticipated will be incurred in
manufacturing the company’s products. It is in effect a “budget” against which actual production costs can
be measured.
12/6 Auditing Notes for South African Students

12.1.5.7 Transfer to finished goods note


This document records the transfer of manufactured goods from the production department into the fin-
ished goods stores.

12.1.5.8 Picking slip and delivery notes


You will recall from the revenue cycle that these documents are used to select goods ordered from the
warehouse and to assist in controlling the movement of goods once they have been sold.

12.1.5.9 Inventory sheet


This is a document that is used during an inventory count. The inventory sheet will usually contain a
description of each item of inventory, its location in the warehouse, and a column into which the quantity
of items actually counted, can be entered. The document will usually also contain a column for entering the
cost of the item and a column into which the extension of quantity × price can be entered, for example, 8
items × R40 cost = R320,00.

12.1.5.10 Inventory tag


An inventory tag is a small, numerically sequenced cardboard (or similar) tag, that is attached to the differ-
ent types of inventory before an inventory count. It will be in two distinct, but identical parts that will each
contain a tag sequence number, the inventory number and description, and an empty block into which the
quantity of inventory on hand will be entered as the inventory item is counted. When the first counting
team has counted the number of items for that particular inventory item, they will enter the number in the
quantity block of one part of the inventory tag. They will then remove that part of the tag and hand it to the
count controller. The second count team will perform a second count and follow the same procedure. The
count controller will match the two parts of the inventory tag and any discrepancies will be recounted. This
results in an accurate inventory count.
There are a number of variations of the tag system.
For example:
Some tag systems also contain a part that contains the tag number, inventory number and description
and remains with the inventory item for identification purposes until the count is completed and all prob-
lems have been resolved (the basic principle remains the same).

12.1.5.11 Inventory adjustment form


The inventory adjustment form is a sequenced document that is used to record adjustments that must be
made to correct the perpetual inventory records when actual inventory and theoretical inventory (per the
perpetual inventory records) do not agree.
For example:
An inventory item that has been stolen will result in the actual “quantity on hand” being less than the
“quantity on hand” recorded in the perpetual inventory records. When this is discovered, (by counting the
inventory), the perpetual inventory records must be corrected.
Sections 12.1.6 and 12.1 7 outline the description, with examples, of an inventory and production cycle
by function. The series of tables that follow expands on the functions, risks and control activities in the
cycle. For each function, the documents are identified that may be used. Further, the business risks are
described that may exist in each function.
Chapter 12: Inventory and production cycle 12/7

12.1.6 Warehousing: Function, documents, risks and control activities


Warehousing: goods for resale, components for manufacture and finished goods
Function Documents/records Business Risks
The purpose of this function is to: • Goods received notes • Goods received from suppliers are not trans-
1. Control the transfer of goods in • Material (components) ferred into the warehouse timeously or at all
and out of all warehousing facil- requisitions (stolen).
ities, for example, goods • Picking slip • Inventory (in whatever form) is stolen or lost.
received from “receiving” to the • Material (components) • Inventory deteriorates in value due to:
warehouse for storage or fin- issue note – inadequate physical controls, for example,
ished goods received from pro- gets wet, or
• Delivery note
duction into the finished goods
• Transfer to finished – its nature, for example, foodstuffs, chemi-
store.
goods note cals.
2. Physically protect inventory in
• Perpetual inventory • No record is created of goods or components
all warehouses. “Inventory” in
records physically moved.
production will also need pro-
tection but this is likely to be the • Inventory count docu- • The goods or components issued are incorrect
responsibility of production per- mentation resulting in lost sales or production delays.
sonnel. • The transfer of the materials may be recorded
inaccurately in terms of quantities and item
codes.
• Inventory shortages (including theft) are con-
cealed.
• Transfers are recorded that did not take place.

Control activities including brief explanatory comments


Controlling the movement of goods, components and finished goods
1. No movement of inventory should take place without an authorising document, for example, picking slip, material
requisition.
2. No movement of inventory should take place without the movement being recorded for example, a delivery note
and material issue note.
3. Whenever there is a transfer of inventory between sections, for example, receiving section to warehouse, produc-
tion to finished goods, both the deliverer and the receiver should acknowledge the transfer by, for example, signing
the transfer document after having checked the description, quality and quantity of the items being transferred
against the source documents. For example, warehouse personnel and production clerks to sign the material issue
note after checking the quality, quantity and description of goods being transferred (isolation of responsibilities).
4. Documents should be sequenced and filed numerically.
5. Documents must be sequenced checked and missing documents investigated, for example, a missing GRN in the
warehouse will probably indicate that the goods have not been transferred to the warehouse.
6. The recording of the inventory on the perpetual inventory system should be checked by the accountant to ensure it
has been accurately and completely recorded.
Controlling damage, theft and loss of inventory in all forms, i.e., in warehouses and during production
1. Physical controls (the nature and value of the company’s inventory will determine the physical controls that are put
in place)
• Entry and exit: minimum entry and exit points
• Controlled entry and exit: swipe cards, keypads, turnstiles, gate control, biometric readers, security guards,
X-ray (e.g., jewellery manufacturer)
• Restricted entry: for example, buying clerks not permitted to enter warehouse, unaccompanied, only production
employees allowed in production facility
• Secure buildings: minimum number of windows, solid structure
• Environmental: areas to be dry, clean, neatly packed, pest free and temperature controlled where necessary
• Surveillance: cameras/video recording over production (e.g., where items are easily stolen off the production
line), receiving and despatch areas.
continued
12/8 Auditing Notes for South African Students

2. Comparison and reconciliation


• Physical inventory (in all its forms) is compared to theoretical inventory per the perpetual inventory (see point 8
for a discussion of cycle counts and inventory counts).
• Actual production is compared to the manufacturing or production schedules.
• Actual production is compared to budgets.
• All material variances should be investigated.

12.1.7 Production: function, documents, risks and control activities


Production: planning, controlling and recording costs
Function Documents/records Risks
The purpose of production is to • Materials requisitions • Manufacturing of too much inventory for
manufacture the company’s prod- • Materials issue notes which there is no suitable demand.
ucts. Production is essentially a • Job cards • Manufacturing of insufficient inventory to
physical activity but in the context meet demands.
• Production schedules
of the inventory and production • Unauthorised requisitioning or issue of
cycle, the production department • Production reports
materials (theft).
will be required to: • Transfer to finished goods
notes • Requisitioning or issue of incorrect materials
1. Requisition and receive com- resulting in losses from wastage/ delays.
ponents from the warehouse.
• The transfer of the raw materials to produc-
2. Control costs during manu- tion may not be recorded.
facture.
• Invalid transfers of inventory (therefore the
3. Record actual costs. transfer is recorded but no actual transfer
4. Account for the items produced took place).
and transfer the items to a ware- • The transfer from the raw material to pro-
housing facility. duction may be recorded inaccurately (the
5. Compare actual and budgeted quantities and item codes).
costs. • Failure to budget costs properly resulting in
selling prices that are too low, and subse-
quent losses.
• Failure to monitor actual expenditures and
identify variances between actual and budget.
• Failure to control the transfer of finished
goods to the finished goods store (manu-
factured items stolen, damaged or lost).

Control activities including brief explanatory comments


1. A costing schedule (budget) must be prepared for all products to be manufactured whether on a “job cost basis” or
a “process costing basis”:
• These schedules should be carefully compiled by costing personnel and should contain detailed listings of all ma-
terials to be used, expected labour costs and an allocation of production overheads.
• The schedules should be sequenced, dated and approved by production personnel (signature).
• The schedules may be used as the source document for purchase requisitions.
2. For job orders (job costing) the details on the costing schedule:
• Should be transferred to “job cards” (job sheet) that:
– are sequenced and dated
– contain a list of materials to be used
– are cross-referenced to a customer order/quote
– are cross-referenced to a materials requisition and materials issue note
– are cross-referenced to the daily production schedule, and
– are authorised by the production manager.
continued
Chapter 12: Inventory and production cycle 12/9

• No materials should be issued from inventory without a materials requisition that has been checked against the
authorised job card.
• While the job is in production, the job card should be held in a pending file and updated for labour hours as they
are incurred.
• On completion of the job, a sequenced “transfer to finished goods form” should be made out. This will:
– accompany the goods to the finished goods store
– be cross-referenced to the job card
– be used to write up the finished goods perpetual inventory.
• The job cards for completed jobs should be removed from the pending file and “costed”, for example, material
prices and labour costs allocated and an overhead allocation made.
• All calculations should be checked by a second clerk.
• The job card should then be filed numerically.
• On a frequent and regular basis, supervisory staff or the production manager should sequence test the completed
job card file to confirm that:
– each card is cross-referenced to a “transfer to finished goods note” and to a sales invoice, and
– missing job cards are for jobs still in the production stage.
• Management should compare completed job cards to quotes and costing schedules, and investigate variances.
3. For process costing:
• All process runs must be recorded on manufacturing or production schedules that are:
– sequenced and dated
– cross-referenced to production plans
– cross-referenced to material requisitions, and
– authorised by the production manager.
• As items come off the production line, a sequenced “transfer to finished goods form” should be completed for
each day’s production or for every, say, 100 items produced. The “transfer to finished goods note” should:
– accompany the goods to the finished goods store
– be cross-referenced to the production schedule, and
– be used to write up the finished goods perpetual inventory.
• Performance reports should be used to measure performance by production shift, for example, wastage, quanti-
ties produced, damaged items.
• Completed production schedules and performance reports should be sent to “costing” for the allocation of la-
bour and overhead costs as well as for pricing of materials. (The normal method for doing this is by the alloca-
tion of standard material, labour and overhead costs.)
• On a frequent and regular basis, management should date and sequence test the costed production schedules to
confirm that:
– the full quantity of production has been cross-referenced to “transfer to a finished goods form”, and
– missing schedules are for goods still in production.
• Management should review performance reports to evaluate the production activity and should follow up on
inefficiencies, wastage.
• Actual costs should be compared to standard costs and variances should be evaluated.
• The following posting should be made from signed, costed production schedules:
– raw material costs, direct labour and manufacturing overheads to the debit of work-in-progress, and
– cost of goods manufactured to the credit of work-in-progress and the debit of finished goods.
• All casts, extensions and calculations should be checked before posting.
Note: Again, this may be a computerised system, but the principles described above remain the same.

12.1.8 Inventory counts: Cycle counts and year-end counts


12.1.8.1 Cycle counts
One of the common control activities that has been discussed a number of times is the frequent comparison
and reconciliation of actual assets with theoretical assets. The logic behind this is that differences can be
timeously identified and investigated. Preventive measures can then be put in place to reduce the possibility
of the problem that caused the differences from recurring.
12/10 Auditing Notes for South African Students

For example:
If the quantity on hand of a (physical) item of inventory does not agree with the perpetual inventory rec-
ords, there has either been a misplacement of the item, the item has been lost or stolen or the perpetual
inventory records are incorrect because a receipt of goods has not been recorded. A follow-up may reveal
that inventory is being stolen by sending out additional items when official orders are dispatched. Addi-
tional supervisory checks will then have to be put in place.
Companies that have large quantities and numerous items of inventory will normally perform what are
referred to as cycle counts. Cycle counts amount to the ongoing comparison of physical quantities of inven-
tory on hand, to theoretical quantities in the perpetual inventory records. It is essential that the company
operates a perpetual inventory system of quantities of inventory so that actual inventory can be compared
to theoretical inventory. The procedures to be adopted to conduct cycle counts are as follows:
• The timing of each count should be planned at the start of the year, for example, two days every three
weeks, or at the end of every third month. (In very large companies, such as motor manufacturers, cycle
counting can be almost a daily exercise.)
• The items to be counted must be identified. There are a number of ways in which this selection can be
done:
1. Random samples can be selected from the perpetual inventory records.
2. Items that are susceptible to theft or have some other identifying characteristic can be chosen.
3. High-value items can be selected, or
4. The entire inventory population can be divided into sections so that all items are counted at regular
intervals during the year.
5. A particular section of the warehouse may be chosen.
• Once these matters have been settled, the physical inventory will be counted using an acceptable method
of counting and sound count controls (see 8.2 below).
• The physical count quantity (actual) for each item counted will be compared to the theoretical quantity
on the perpetual inventory records and all count discrepancies will be entered onto a sequenced inven-
tory adjustment form.
• All discrepancies must be thoroughly investigated preferably by internal audit and the inventory control-
ler.
– Results of the investigations should be recorded on the inventory adjustment form.
– The warehouse manager should review the forms and authorise the adjustments by signing the form.
– Inventory adjustment forms should be filed numerically and should be sequenced checked regularly.
• The adjustment to the records should be made by a clerk who is independent of inventory custody,
receiving and issue.
• Senior warehousing personnel should review the perpetual inventory records periodically and adjust-
ments to the records traced back to the authorised inventory adjustment form.
• An overall analysis of the discrepancies over a period should be conducted to identify any trends, for
example, frequent discrepancies in a particular section of the warehouse, so that suitable preventive
measures can be put in place.

12.1.8.2 The year-end inventory count


For companies that do not operate perpetual inventory systems, the only way of ascertaining a closing inven-
tory figure is to physically count the inventory and then to price it. Thus, the inventory count becomes a very
important activity, as mistakes in establishing the quantity and pricing of inventory can have a material effect
on the financial statements (the closing inventory figure affects profit, tax, current assets, etc.). Companies
that perform cycle counts will also conduct a year-end count and pricing exercise (perhaps to a lesser degree)
also to establish an actual inventory valuation. As explained earlier in this chapter, there is an endless number
of inventory types, and no two inventory counts are likely to be the same. However, there are some basic
principles that should be adhered to in order to conduct a successful count. They are as follows:
Chapter 12: Inventory and production cycle 12/11

Planning and preparation – this must take place timeously and should cover:
• date and time of the count
• method of counting: how the inventory will be counted and recorded, for example, tag system, all items
counted twice
• staff requirements: how count teams are made up, for example, one person from the warehouse, one
person independent of the warehouse (e.g., accounting department), how many teams are necessary as
well as how many people are necessary
• supervision: who will act as count controller
• preparation of the warehouse: tidying racks, packing out half empty boxes onto racks, marking dam-
aged goods, stacking like goods together, etc.
• drafting of warehouse floorplan to identify count areas for count teams, and
• identifying all locations and categories of inventory.
Design of stationery – various documents are used, and they should be designed along standard stationery
design principles:
• inventory sheets: printed, numerically sequenced, reflect the inventory item number, category and loca-
tion of the inventory in the warehouse, and have columns for first count, second count, discrepancies,
and columns for prices and extensions (In many companies, counters may need to insert descriptions,
etc., particularly where there is no form of perpetual inventory)
• in theory, quantities per the perpetual inventory should not be entered on the inventory sheet prior to
the count (this forces counters to actually count to arrive at a quantity) but it may not be practical due to
time constraints
• inventory tags: see explanation under “documents” earlier in this chapter, and
• inventory adjustment forms.
Written instructions – count information and instructions should be provided (in writing) for all members
directly and indirectly involved in the count. The written instructions should cover:
• the identification of count teams and the responsibilities of each member of the team
• the method of counting to be used, for example, tags, double counts, marking counted inventory in two
colours with chalk (reflecting the double count)
• identification of slow moving or damaged inventory as well as consignment inventory
• controls over issues to and returns of inventory sheets to the count controller
• procedures to be adopted if problems arise during count, for example, particular inventory items cannot
be found, deliveries of inventory during the count, and
• detailed instructions concerning dates, times, locations.
Conducting the count – there are a number of variations on how the inventory count should be conducted
but the following procedures should be followed:
• The count staff should be divided into teams of two, with one member of the team being completely
independent of all aspects of inventory.
• All teams should be given a floor plan of the warehouse that should clearly demarcate the inventory
locations for which they are to be held accountable.
• All inventory should be counted twice. One of the following methods can be adopted:
– one member of a team counts and the other records, swapping roles thereafter and performing a
second count in the same section to which they were assigned, or
– count teams complete their first counts, hand their inventory sheets back to the count controller and
sign for the inventory sheets of another section, thereby doing their second counts on a section al-
ready counted by another count team.
• As items are counted, they should be neatly marked by the counters, for example, second counters
should use a different coloured marker. Alternatively, the tag system described under “documentation”
can be used.
12/12 Auditing Notes for South African Students

• Where count teams identify damaged inventory or inventory in an area of the warehouse that appears
unused/excessively dusty, these inventory items must be marked as such on the inventory sheets (poten-
tial write-downs):
– the contents of boxes where the packaging appears to have been tampered with, should be counted
and the details noted on the inventory sheet.
• A few boxes should be selected at random in each section and the contents compared with the descrip-
tion on the label to confirm that the contents have not been changed/removed and the seal replaced.
• The count controller (and assistants) should:
– walk through the warehouse once the count is complete and make sure all items have been marked
twice or that the detachable portions of all tags have been removed
– examine the inventory sheets to make sure that first and second counts are the same and agree to the
quantities recorded on the perpetual inventory if there is one, and
– instruct the count teams responsible for sections where discrepancies are identified to recount the
inventory items in question.
• The count controller should obtain the numbers of the last goods received note, invoice, delivery note
and goods returned note used up to the date of the inventory count.
• No despatches of inventory should take place on the date of the inventory count.
• Any inventory received after the count has begun should be stored separately in the receiving bay, until the
count is complete and must not be put into the warehouse. This inventory must be counted and added to
the inventory sheets after the count is complete.
• The counters responsible for the count sheets should:
– draw lines through the blank spaces on all inventory sheets, and
– sign each count sheet and all alterations.
• The inventory controller should check that this procedure has been carried out and should sequence test
the inventory sheets to ensure that all sheets are accounted for.
• Count teams will only be formally dismissed once the count is complete and all queries have been
attended to.

12.1.9 Computerisation in the inventory and production cycle


• In most companies the systems that interface with the inventory and production cycle will be computer-
ised and will directly affect and be affected by the inventory masterfile, for example, purchase orders
will be influenced by reorder levels held on the inventory masterfile. The actual creation of the purchase
order will also depend on the data held on the masterfile, for example, only items listed on the invento-
ry masterfile can be included in the purchase order. The quantity field on the inventory field will be au-
tomatically updated by the entry of purchases or sales transactions to provide up to date information
pertaining to inventory.
• The inventory masterfile is a key requirement for the effective implementation of cycle counts as dis-
cussed previously.
• Many of the control activities pertaining to the production of a manufacturing company’s products, for
example, creating production schedules, costing schedules, accumulating and allocating costs can be
done on the system using suitable software.
• The various functions in the cycle are likely to be on the company’s local area network and the basic
principles applicable to computerised systems will apply, for example, access control based upon the
least privileged/need to know basis.
• Barcode scanning is also applied in the inventory and production cycle. Barcode scanners are connected
to a company’s software application. Therefore, the employees will not have to capture information for
inventory items being moved. The barcode appearing on the inventory items can be scanned and the
data read by the scanner is fed into the entity’s accounting system in order to update these records for
the movement of inventory.
Chapter 12: Inventory and production cycle 12/13

12.2 Narrative description of the inventory cycle at ProRide (Pty) Ltd


12.2.1 Introduction
As ProRide (Pty) Ltd is a wholesaler of bicycles and accessories, it has a conventional inventory cycle, for
example, goods are delivered to a designated receiving depot, subjected to various checks and transferred to
the storage areas. The goods are suitably protected while in storage until they are sold. Goods to fill sales
orders are selected using picking slips, placed in a picking area once picked, checked and transferred to
despatch. Internal control at ProRide (Pty) Ltd is taken very seriously and the control over inventory is no
exception. The company has in excess of a thousand different inventory items that range from complete
bicycles (in boxes) to small individual bicycle parts. There are also expensive items such as top quality
cycling helmets, gearing systems and bicycle computers for measuring speed, distance, etc. Most of the
inventory items held by the company can be easily disposed of if stolen, so theft is a major risk that the
company has to respond to.
The control activities that are described below are supported by a very strong control environment in the
company as a whole.
For example:
All employees working in the cycle are properly trained and have good product knowledge (commitment
to competence). There is a clear reporting structure within the cycle and individual employees are held
accountable for their actions (organisational structure and assignment of responsibility). Senior manage-
ment not directly involved in the cycle are frequently in the warehouse and will, from time to time, observe
the various activities that go on in the cycle, such as the unpacking of a container of imported bicycles
(management philosophy and operating style) that sets a good example and enhances control awareness.
Theft of inventory results in dismissal that emphasises the integrity and ethical values expected of all
employees.

12.2.2 Segregation of duties


1. The cycle is “broken down” into the following functions: receiving goods, custody of goods, picking of
goods and despatch. In the overall context of the company, the inventory cycle is separated from the
functions of initiating sales orders or purchase orders.
2. The overall responsibility for all functions rests with Reg Gaard, the warehouse manager. He is sup-
ported by Patrick Adams (warehouse foreman) who is responsible for the team of pickers.
3. As the function of receiving does not warrant the appointment of a full-time receiving clerk, the des-
patch controller fills both roles. He has a number of assistants who report to him, and he in turn
reports directly to Reg Gaard (warehouse manager).
4. There are a relatively large number of pickers whose duties are to:
• receive goods from the receiving depot
• pack goods into bins, boxes and onto shelves
• pick goods to fill orders
• pack goods into boxes for delivery (after goods have been checked), and
• keep the storage areas neat and tidy and shelves properly labelled, etc.
5. Pickers are not allowed to assist with receiving goods from suppliers or despatch to customers, and
receiving/despatch employees are not allowed to pick goods.
6. Patrick plays a supervisory role over the pickers and is responsible for checking the items picked once
they are placed in the picking area.
7. Both Reg and Patrick Adams have read access to the inventory masterfile but do not have write access
(segregation of custody and record keeping).
8. Reg does not have sole responsibility for authorising an inventory adjustment; final authority must come
from the financial manager, Johan Els.

12.2.3 Approval and authorisation and isolation of responsibility


1. All movements of inventory must be supported by an authorised document, for example, the picking
slip can only be generated off the (computer) system from an approved sales order, whereas delivery
notes can only be generated from an approved (signed) picking slip.
12/14 Auditing Notes for South African Students

2. All adjustments to the masterfile arising out of the cycle counts must be approved by the warehouse
manager and the financial manager.
3. The responsibility for receiving and despatch is isolated to the despatch controller as nobody else has
access to the necessary applications and by the requirement that all relevant documentation be signed
by him.
4. All employees are required to sign the document related to the procedure they have carried out to
acknowledge having done so, thus isolating their responsibility for the procedure.
For example:
• pickers must sign the picking slip for the goods they have picked so any mistakes or problems can be
tied back to the picker, and
• the warehouse foreman must also sign the picking slip to acknowledge (isolate his responsibility) for
checking what has been picked before it is packed and transferred to despatch.

12.2.4 Access/custody controls


Layout and design features of the warehouse

D = Despatch area
D1 = Roadline office (delivery company)
R = Receiving depot
P = Picking area
S = Storage areas
EG = Expensive goods store
U = Stairs to upper level
O = Warehouse staff offices

• The ProRide (Pty) Ltd warehouse is located in one large structure adjoining (by controlled access) the
administration building. As can be seen from the diagram, the warehouse has distinct areas for both
“despatch” (D) and “receiving” (R) of inventory. Access to and from the outside is controlled by large
steel roller doors that remain locked at all times other than when despatching or receiving takes place.
The keys to these doors are under the control of Reg Gaard (warehouse manager) or Patrick Adams
(foreman) at all times.
• The “despatch” and “receiving” areas are physically separated from the picking area and stores by one-metre
high walls with glass to the ceiling. (This method of construction, that also applies to the warehouse staff of-
fices, enables warehouse management to see what is going on within all areas of the warehouse at all times.)
Access to the despatch section is from the picking area, not from the storage area, which makes it far more
difficult to steal inventory by “sneaking” it from stores onto a delivery van.
• The picking area (where picked goods are placed prior to final checking and despatch) is separated from
the storage area by brick and glass walls but the access between the two is not controlled. This is simply
for practical purposes as pickers move from one area to another throughout the day.
• The expensive goods store is completely secure and is locked at all times. When expensive goods need
to be “picked”, Patrick Adams (warehouse foreman) will unlock the store and observe the picking.
Only he and Reg have access to the keys.
Chapter 12: Inventory and production cycle 12/15

• The upper level is used exclusively for storing bicycles (in their boxes). A forklift is used to move boxes
to and from this level. Storage of bicycles on the upper level has been done deliberately as it makes it
extremely difficult for anyone to steal a boxed bicycle.
• Access to the warehouse for warehouse staff is via the controlled access (key pad) from the main
administration building. Other employees are not allowed in the warehouse.
• The warehouse is not air-conditioned (the inventory does not require it!) but it is protected against fire
by smoke detectors and sprinkler systems.
• Windows are kept to a minimum and are protected by grids and bars (so items cannot be thrown out of
the warehouse). There is no camera surveillance as it is not considered necessary.
• Inventory is kept in clearly designated areas, for example, tyres, saddles, clothing and the various items
are placed in suitably designated bins or boxes or on shelves. The item’s inventory code is entered on
the bin, box or shelf to facilitate accurate picking and inventory counts.

12.2.5 Comparison and reconciliation


12.2.5.1 Cycle counts
A very important control mechanism is the company’s inventory cycle count system. The cycle counts take
place every three months including year-end. The counts take place on a Saturday (no interferences, deliv-
eries, despatches). All warehouse staff, certain administration staff, the financial manager, Johan Els, and
Brandon Nel, the financial director, make surprise visits.
• The external auditors are required to be present for the entire count and to submit a full report on how
the inventory count was conducted and how problems were resolved, directly to Brandon Nel during the
subsequent week. (The company does not have an internal auditor.)
• Every single item is counted. Where a discrepancy arises, it is immediately investigated by a team under
the control of Reg Gaard (warehouse manager). This may include determining whether the item has
been misplaced or checking receipts and issue records for that item since the last count.

12.2.5.2 Adjustments to the inventory masterfile


• If a discrepancy is not resolved and an adjustment is required to correct the perpetual inventory (theo-
retical inventory), a sequenced “cycle count adjustment form” is completed, and signed by Johan and
Reg. Details of the investigation into the discrepancy are noted on the form.
• As indicated above, Reg does not have write access to the inventory masterfile. The adjustment to the
inventory masterfile is made by Dalene Burger (accounting supervisor) and a log of all adjustments is
presented to the financial director (Brandon Nel) during the week subsequent to the cycle count. He will
scrutinize this log, reconcile the adjustments to the supporting documentation and try to identify any
trends in the discrepancies, for example, regular adjustments to tyre inventories.
Note 1: The same adjustment procedure will take place for any inventory items found to be damaged.
Note 2: The effectiveness of cycle counts depends to a great extent on the accuracy of the perpetual in-
ventory records. We have emphasised in the other cycle chapters that ProRide (Pty) Ltd goes
to great lengths to ensure that the information in its accounting system is correct. Because they
achieve this, their cycle counts are very effective in the overall control of inventory.

12.2.6 Performance reviews and the use of logs and reports


As inventory is very much the heart of this business, the financial director (Brandon) spends a great deal of
time analysing and interpreting inventory information.

12.2.6.1 Targets
To be in a position to review performance, targets are set by Brandon and Reg on an ongoing basis for
activities in the inventory cycle. These include:
• Setting time limits for the despatch of goods from the time the sales order is put on the system. As the
sales system is a real-time system, management can access the sales order file at any time to determine
the status of a sales order. Complaints from customers are also closely monitored.
• Setting an “acceptable” margin for incorrectly picked goods (tracked through reports on the number of
and reason for credit notes being issued).
12/16 Auditing Notes for South African Students

• Setting “acceptable” margins for goods lost, stolen or damaged (tracked through logs on inventory
adjustments).

12.2.6.2 Information
In addition to the information extracted to determine whether targets are being met, Brandon Nel will also
extract a number of reports that help with the general management of inventory, including:
• total inventory holding
• details of inventory in transit
• actual inventory levels for any item
• actual gross profit margins made on sales, per inventory item, per inventory category
• anticipated gross profit margins on inventory held, per inventory item per category
• quantity of items sold to date including a breakdown of those sales by distinguishing feature, for exam-
ple, make and model, colour (red bicycles may sell better than blue bicycles), and
• aging of inventory on hand, highlighting inventory that has been on hand beyond predetermined limits
(say 90 days).

12.2.6.3 Meetings
As we have mentioned on many occasions, reports and logs are not much use if there is no follow-up on
the information they contain. A weekly meeting between Brandon Nel (financial director), Johan Els
(financial manager) and Reg Gaard (warehouse manager) is held to discuss any queries that Brandon might
have arising out of the inventory information that is available to him.

12.2.7 Conclusion
The success of the control activities implemented can partially be measured in terms of the percentage of
total inventory lost as a result of theft or damage and the efficiency of filling and despatching orders. At
ProRide (Pty) Ltd this percentage is reasonably constant at less than half a percent of the total inventory
value. Goods are despatched within 24 hours of a sales order being received.

12.3 Auditing the cycle


12.3.1 Introduction
An important part of the audit of a company’s inventory cycle will be the procedures carried out to identify
and assess the risk of misstatement at assertion level. This risk identification and assessment process is
facilitated by carrying out procedures to obtain a thorough understanding of the client and the environment
in which it operates. These procedures have been covered in some depth in chapter 7 and will not be
addressed in this section of chapter 12. Once risk assessment has been carried out, the auditor will be able
to “assign” a level of risk to the individual assertions applicable to the account balance and thereafter plan
the nature, timing and extent of further audit procedures. The objective is to devise an audit strategy and
plan that reduce audit risk to an acceptable level.

12.3.2 Important accounting aspects of the inventory and production cycle


The International Accounting Standard on Inventories (IAS 2) is very important, as it provides the compa-
ny and the auditor with definitions and the basic requirements for the methods with which inventory can
be valued and how it should be presented and disclosed in the financial statements.

12.3.2.1 Definitions
• Inventories consist of:
– assets held for sale in the ordinary course of business (finished goods and goods purchased for resale)
– assets held in the process of production (work-in-progress), and
– materials or supplies to be consumed in the production process (raw materials).
• Net realisable value is the estimated selling price in the ordinary course of business less the estimated
costs of completion and the estimated costs necessary to make the sale.
Chapter 12: Inventory and production cycle 12/17

12.3.2.2 Inventory should be presented at the lower of cost and net realisable value
This acknowledges the important principle that the asset (inventory) should not be carried at an amount
greater than is expected to be realised from the sale of the asset. Such a situation could arise where:
• inventory has been damaged
• inventory has become obsolete, or
• the selling price has declined to below the cost of the asset due to a drop in demand.
This has a direct effect on the auditor, who will need to perform procedures to determine whether inventory has
been written down adequately to reflect any or all of the above.

12.3.2.3 Cost of inventories


The cost of inventories should consist of:
• all costs of purchase, including import duties and transaction costs that are not reclaimable (VAT is a
reclaimable transaction cost), transport costs incurred in the acquisition of materials, goods for resale, etc.
• costs of conversion, for example, direct labour and production overheads, and
• costs incurred in bringing the inventory to its present location and condition, for example, costs incur-
red in designing a product for a specific customer.
It is also important to note that the following should be excluded from the cost of inventory:
• storage costs (unless these costs are necessary in the production process before a further production
stage)
• administrative costs (other than those incurred in bringing inventory to its present location and condi-
tion), and
• selling costs.
The auditor will need to be satisfied that these three categories of cost have been written off as expenses
and not included in the cost of inventory.

12.3.2.4 Cost of manufactured goods


• The allocation of overheads to the cost of manufactured inventory must:
– include only fixed and variable production overheads
– be based on normal capacity, and
– must be allocated on a systematic basis that is reasonable.
• Abnormal amounts of wasted material, labour or other (abnormal) production costs should be exclud-
ed.
Note: The three exclusions listed in 12.3.2.3 also apply to manufactured inventory.

12.3.2.5 Cost formulae


IAS 2 permits the adoption of three cost formulae:
• specific identification
• weighted average, or
• FIFO.
It is important that the auditor understands the application of the cost formula adopted by the company as
it directly affects the measurement of cost of sales and the valuation of inventory at the financial year-end,
for example, the use of the FIFO formula assumes that the items that were purchased first are sold first.
Hence those that remain in inventory at year-end will be valued by working backwards from the most
recent price. Using weighted average, the valuation of the remaining inventory would be based on a
weighted cost for that inventory.
Note: In addition to measuring the cost of inventory in terms of the actual cost incurred, IAS 2 also allows
the use of standard costs and the retail method. However, the value of inventory arrived at by using these
methods will only be acceptable for use in the financial statements where the cost determined approximates
actual costs. Where standard costs are used, the company will end up with inventory valued at standard as
well as some variances. It stands to reason that if the standard is wrong, the carrying value of inventory will
12/18 Auditing Notes for South African Students

either be understated or overstated. The principle that inventory be presented at the lower of cost and net
realisable value still holds, and if there is a problem with the “standard” cost, it must be addressed by
scrutiny of the variances relating to the inventory. The following points are relevant:
• only variances that relate to inventory actually on hand at year-end can affect the value of that invento-
ry (some of the variances will relate to inventory already sold), and
• variances that are a result of incorrect standard setting should be debited or credited to inventory and
cost of sales to approximate actual cost (to comply with the requirements of IAS 2).
For example:
If, at reporting date, a company has an adverse material price variance (i.e., goods purchased at a price
higher than standard), must the variance be written off as an expense or can it be added to the cost of
inventory (that is at standard)? Any portion of the variance pertaining to inventory that has been manufac-
tured or sold must be written off. If the remaining portion of the variance arises because the standard was
incorrectly set, the cost of inventory should be adjusted to arrive at the true cost.
What about a situation where the standard is correct, but a variance has arisen as a result of an abnormal
price having been paid for material?
For example:
Assume that a shortage of the material has temporarily pushed up the price and that such material was
purchased just before year-end and will only be used in the new year. In terms of IAS 2, the standard cost
can be used if it approximates actual costs. It would seem therefore that the price variance arising from this
abnormal cost would have to be added to the cost of inventory at standard for financial reporting at the
year-end.

12.3.2.6 Pricing of imported inventory


• The exchange rate at which purchased inventory must be recorded is the rate at transaction date (not
payment date).
• Even if the exchange rate is different at the financial year-end, no change is made to the value of inven-
tory at year-end.
Before moving onto the second part of the audit of the cycle, (i.e., the response to assessed risk), it is neces-
sary to remind ourselves of the assertions relating to the transactions in the cycle and the related balance,
(i.e., inventory balance).

12.3.3 Financial statement assertions and the inventory and production cycle
The auditor’s main concern with this cycle is that the asset (various categories of inventory) associated with
the cycle is fairly presented in the financial statements. Earlier in the chapter we indicated that any material
misstatement in the inventory balances will have a significant effect on fair presentation of both the state-
ment of comprehensive income and the statement of financial position.

12.3.3.1 The assertions that apply to the inventory account balances and related disclosures
Inventory
Existence: Inventories exist at year-end.
Rights: The company holds the rights to the inventories.
Completeness: All inventories that should have been recorded have been recorded and all related
disclosures that should have been included in the financial statements, have been
included.

Accuracy, valuation
and allocation: Inventories have been included in the financial statements at appropriate amounts
and any resulting valuation or allocation adjustments, for example, impairment
losses have been recorded, and related disclosures have been appropriately meas-
ured and described.
Classification: Inventories have been recorded in the proper accounts.
Chapter 12: Inventory and production cycle 12/19

Presentation: Inventories are appropriately aggregated or disaggregated and clearly described,


and related disclosures are relevant and understandable in the context of the appli-
cable financial reporting framework.

12.3.4 Fraud in the cycle


12.3.4.1 Fraudulent financial reporting
As mentioned earlier in the chapter, inventory presents the directors with an effective opportunity for
reporting fraudulently by manipulating the inventory balance. The inventory balance is used in the calcula-
tion of profit and in the statement of financial position and therefore its manipulation can have a pervasive
effect, for example, on profits, important ratios and earnings per share. The directors may:
• Include fictitious inventory (existence). This will increase profit and current assets and improve related
ratios.
• Understate the write-downs of inventory for obsolescence, damage, etc., (valuation). This will have the same
effect as above.
• Exclude inventory that should be included and/or overstate inventory write-downs (existence and valuation).
This will have the opposite effect, and will only arise when the directors are attempting to make the
company look less “valuable” than it is, for example, if they are planning a management buyout. This
approach could also be part of an overall scheme to evade taxation.
There are hundreds of different ways of including fictitious inventory. As all directors know that the audi-
tor will conduct physical tests on inventory, many inventory frauds require quite intricate planning and a lot
of deception to create the “illusion” of inventory.
Generations of auditing students have learnt about the “Great Salad Oil Swindle” that, although it occurred
over 50 years ago, illustrates how simple it is to hoodwink intelligent people (including auditors!) with schemes
and scams to falsify inventory, and to what lengths directors might go to overstate inventory.
In this fraud, Tino De Angelis, founder of Allied Crude Vegetable Oil Refining Corporation of New Jer-
sey, built up a huge edible oil empire. By the late 1950s, the company supplied more than 75% of the
USA’s edible oil exports (over 100 million dollars per annum). The company used existing inventories as
security for the finance necessary to fund future deals, and to effectively control world prices. Existing oil
inventories were counted weekly and the finance for the future deals was advanced by the banks on the basis
of documents certifying that the oil inventories existed. The financiers, who were present at the inventory
counts, were misled in a number of ways, including:
• Interconnecting of oil tanks so that oil could be pumped from one tank to the next as the count proceed-
ed.
• Some tanks had a thin “pipe” full of oil below the inspection hatch at the top of the tank, with the
remainder of the tank being empty. When the measuring rod was inserted to check the level of oil in the
tank, it obviously measured “full” as it had been inserted into the thin pipe of oil.
• Some tanks contained seawater, with only a small false chamber welded to the top of the tank contain-
ing oil.
These fraudulent activities were eventually discovered after oil prices collapsed due to De Angelis’ over-
manipulation of the futures market. The financiers called in the credit extended for the futures deals and,
when the company could not pay, they sought to liquidate the inventory that was certified as their security,
only to find that most of it did not exist!
As pointed out earlier, employees who misappropriate inventory usually need to hide the theft from the
management, internal auditors and the external auditors.
Likewise, where management are attempting to report fraudulently, they will probably need to get the
inventory records and physical inventory to agree. Where inventory that has been stolen or never existed
has been included in the inventory records, it can be “reconciled” with physical inventory by:
• including empty containers, for example, boxes, in the count
• hollow stacking, such as surrounding empty containers with full containers (hoping those testing
physical inventory will not “unstack” the containers to check the contents)
• attaching an empty container to the shelf to make it appear heavy and thus appear to be full
• packaging bricks, etc., in proper inventory packaging
12/20 Auditing Notes for South African Students

• re-packing defective or second-hand goods to look like new inventory


• altering (increasing) the “quantity on hand field” inventory count sheets after the count
• including inventory that is not what the records indicate it is, for example, stealing genuine Nike T-
shirts or Oakley sunglasses and substituting them with cheap “lookalikes”
• borrowing inventory from a related party just for the inventory count
• having recently sold goods returned under false pretences for the purpose of the inventory count, for
example, a motor vehicle
• double counting, for example, inventory in transit, multiple inventory locations
• obtaining false third-party confirmations from agents or related parties
• including consignment inventory belonging to others as company inventory
• manipulating year-end “cut-off” of purchases and sales
• including goods received in the physical inventory count but not in the records, and
• pre-invoicing and including the goods sold in the physical count as well.

12.3.4.2 Misappropriation of assets


In this cycle this normally simply amounts to straightforward theft! This presents the perpetrator with two
challenges; firstly, how to get the goods and, secondly, how to hide the theft.
How to get the goods will depend on the following:
• The nature of the goods, for example, it is much easier to steal a small valuable item than a large “diffi-
cult to move” item.
• The physical control over inventory, for example, limited exits, surveillance cameras, etc., all make it
more difficult.
• The extent of division of duties, for example, if a warehouse employee prepares documentation for
despatch and picks and packs the goods for despatch, theft becomes much easier.
• The frequency of physical and theoretical reconciliations of inventory, (i.e., inventory counts). The
more frequent and thorough these counts are, the harder it is to steal without being caught.
• The controls in the other cycles that directly affect the inventory cycle, for example, controls over
receiving goods (acquisition cycle) and controls over despatching goods (revenue cycle).
As indicated earlier, hiding the theft is also part of misappropriating inventory. There are numerous ways
of doing this, but the best opportunity is presented when there is a lack of division of duties between record
keeping for inventory and custody of inventory. If the perpetrators of the theft are able to amend the inven-
tory records or issue documents such as goods returned notes, it will be simple for them to cover the theft.
The situation will be exacerbated where the control environment is weak.

12.4 The auditor’s response to assessed risks


12.4.1 The auditor’s toolbox
As we discussed in chapter 5, in terms of ISA 500, the auditor has the following types or categories of audit
test available to him:
• Inspection • Re-performance
• Observation • Analytical procedures
• External confirmation • Inquiry
• Recalculation
These tests are not specific to a particular phase of the audit and can be used as risk assessment procedures,
tests of controls or substantive tests.

12.4.2 Overall responses to the risk of material misstatement at the financial statement
level
In terms of ISA 315 (revised), the auditor shall identify the risks of material misstatement at the overall
financial statement level and at the assertion level for transactions, account balances and disclosures.
Chapter 12: Inventory and production cycle 12/21

Further, a significant risk is an identified and assessed risk that, in the auditor’s judgement, requires special
audit consideration. This does not mean that the auditor needs to be familiar with a whole new range of
audit procedures (have additional tools in his toolbox), but it does mean he will look closely at the nature,
timing and extent of the further audit procedures as well as the skills and experience of the audit team.
In the context of this cycle, significant risks may include:
• the risks of fraudulent practices as discussed in point 12.3.4 above
• the risk that inventory is not valued correctly, and
• the risk of the overstatement of inventory balance at year-end.
In terms of ISA 330, the auditor must implement overall responses to address the assessed risk of material
misstatement at the financial statement level.
For example:
• Assigning more experienced staff to the audit. This could be a response to the risk of manipulation of
the financial statements by overstatement of the inventory balance.
• Emphasising to the audit team the need to maintain professional scepticism, for example, to be alert to
the possibility that inventory may not exist as it is stored at various locations.
• Providing more supervision.

12.4.3 Responding to risks at the assertion level


The auditor’s further audit procedures will be a mix of tests of controls and substantive tests. When
assessing risk at the assertion level, there is an underlying expectation on the part of the auditor that the
controls are operating effectively and essentially that they provide a foundation from which the substantive
tests can be developed. Simply expressed, if the controls are very strong, the auditor can place more reli-
ance on the totals and amounts produced by the accounting system and will be able to perform less sub-
stantive testing and possibly substantive tests of a different nature. Timing of substantive testing could be
also affected.

12.5 Audit procedures – Tests of controls and substantive procedures


12.5.1 Tests of controls
The auditor’s main focus is normally on substantive testing of the inventory balance. However, some tests
of controls will be carried out and will centre on the following:
• observation of the inventory count
• inspection of reconciliations and cycle count amendment forms for cycle counts carried out during the
year, to determine frequency and materiality of discrepancies and how they were resolved, and for au-
thorising signatories
• observation of warehouse controls to determine the effectiveness of:
– access control (custody and safekeeping), and
– controlling inventory movement
• inspection of records controlling inventory movement.
For example:
– a sample of requisitions and materials issue notes for:
o authorising signatures, and
o cross referencing to job cards
– a sample of inventory movements per the perpetual inventory records to “transfers to finished goods
notes”, and
• inquiry of production and warehousing as to what control procedures they actually perform.

12.5.2 Substantive procedures


Many of the tests that are carried out as tests of controls will be dual-purpose tests and will supply some
evidence relating to the accuracy of the inventory records. The auditor’s objective is to satisfy himself that
the quantities of inventory at year-end are correct, and that the cost formula has been correctly applied. In
12/22 Auditing Notes for South African Students

addition, the reasonableness of any write-downs of inventory must be evaluated. All of this will be
achieved by the application of substantive audit procedures on the year-end inventory account balances.
The performance of year-end procedures is usually broken down into two distinct phases, namely:
• attendance at the year-end inventory count (mainly existence, but some evidence of completeness and
valuation is gathered), and
• the subsequent audit of the carrying value (accuracy, valuation and allocation, rights to the inventory and
the presentation of inventory).
(a) Attendance at the inventory count is both a test of controls and a substantive procedure. The auditor
will be gathering evidence about the effectiveness of the control procedures put in place to establish the
quantity of inventory actually held (test of controls). At the same time, the auditor will be gathering
substantive evidence about:
• the existence of the quantity of inventory recorded, by testing from the records to the physical inventory
• the condition of inventory (valuation) by inspecting and looking for damaged/obsolete items, as well
as evidence of slow-moving inventory, and
• the completeness of inventory by testing from the physical inventory to the inventory records.
(b) The subsequent audit procedures, (i.e., after the inventory count), will be substantive in nature.
(c) Another important procedure that is carried out at the inventory count will be the recording of the last
document numbers for all documents used, for example, goods received notes, issue notes, delivery
notes, etc., to facilitate “cut-off” testing. From an inventory perspective, it is important that the recorded
movement of inventory matches the physical movement of inventory up to reporting date.
(d) A list of goods received notes numbers that have not been matched to suppliers’ invoices at the year-
end should be obtained. This will be used later for testing the completeness of creditors.

12.5.3 Substantive procedures – Inventory count attendance


As attendance at the inventory count is an important procedure, we will deal with it separately:
(a) Prior to the inventory count. the auditor should do the following:
• Liaise with the client about date and times of the inventory count.
• Confirm all locations at which the client holds inventory (by enquiry, reference to prior year work-
papers) and if necessary, visit the locations.
• Perform administrative planning, for example, organise audit staff to attend.
• Obtain and review a copy of the written instructions given to the client’s count teams (see “inventory
counts” on page 12/9).
• Enquire whether the client has any inventory that should not be included in the count, for example,
consignment inventory, inventory already invoiced but not yet delivered or collected. Establish how
this inventory is physically identified.
• Brief the audit staff allocated to the count on their responsibilities.
(b) During the inventory count, the auditor should:
• Observe inventory-taking procedures to ensure that the client’s written instructions are adhered to.
• Walk through the warehouse and identify inventory that is obsolete or damaged or appears to be
slow-moving, for example, dusty, old packaging, etc. The inventory number, description, location
and quantity should be recorded on a workpaper and traced to the inventory sheets to confirm that
these items have been marked as damaged/obsolete.
• Conduct test counts on the inventory in the warehouse in both directions, making sure all sections
and categories are tested, that is:
– from inventory sheets to physical inventory (existence), and
– from physical inventory to inventory sheets (completeness).
• Resolve discrepancies in test counts before conclusion of the count by recounting with the client
staff and confirming that amendments are made to the inventory sheets where necessary.
Chapter 12: Inventory and production cycle 12/23

• Test the numerical sequence of the inventory sheets both before and at the conclusion of the count
to ensure that all inventory sheets are accounted for.
• Confirm by enquiry of inventory counters and inspection of the inventory sheets that inventory that
should not be included in the client’s inventory has been excluded.
(c) At the conclusion of the count, the auditor should do the following:
• Inspect inventory sheets to confirm that:
– lines have been drawn through blank spaces (so that items cannot be added)
– alterations/corrections have been signed, and
– inventory sheets have been signed by the counters responsible.
• Create audit records in respect of the inventory count attendance by:
– taking copies of all inventory sheets (hardcopy or digital)
– recording observations as to the client’s count procedures
– recording results of all test counts performed by the audit team, and
– recording any damaged, obsolete or slow moving inventory.
• Record cut-off numbers for all documents used in the inventory and production cycle.
• Compile a list of goods received notes that have not been matched to supplier invoices.
The next stage in the year-end audit of inventory can commence at any time depending on the reporting
deadline for the audit. The important point is that the inventory count must have provided sound evidence
that the quantities and description of inventory that was on hand at reporting date are accurate. The client
will now be in a position to make any adjustment necessary to the perpetual inventory records and “price”
the inventory on hand.

12.5.4 Substantive procedures – Post inventory count

12.5.4.1 Assertion: Rights – the company holds or controls the rights to the inventory
• Enquire of management as to whether any inventory is held on consignment for other parties.
• Obtain a listing of inventory of goods in transit at the financial year-end and inspect relevant
orders/contracts to determine whether ownership has passed to the client by scrutiny of the terms of
purchase, for example, FOB, CIF.
• Establish whether inventory is in any way encumbered (e.g., offered as security) by:
– discussion with management
– inspection of bank confirmations
– review of directors’ minutes, and
– review of correspondence/contracts with suppliers and credit providers.
• When performing the pricing procedures for the valuation assertion (see below), inspect invoices to
ensure that they are made out to the client (this will also have been done when testing purchase transac-
tions).

12.5.4.2 Assertion: Accuracy, valuation and allocation – inventory is included in the financial
statements at appropriate amounts
To establish the value of inventory, the client will have to multiply the quantities confirmed at the invento-
ry count by the cost price of the item, using the correct cost formula. Once this is done the allowance for
inventory obsolescence must be established.

Arithmetic accuracy
• Compare the quantities of inventory items on the auditor’s copies of the inventory sheets to the client’s
priced inventory sheets (to confirm that the client has not altered the quantities).
• Test the arithmetical accuracy of the inventory sheets by re-performing all extensions (quantity × cost)
and casting the extension column (total inventory value).
12/24 Auditing Notes for South African Students

• Review inventory sheets for any negative “inventory item values” (should not be any).
• Compare the total inventory value per the inventory sheets to the general ledger and trial balance.

Pricing inventory purchased locally


• Using the sample selected for inventory items that were test counted at the inventory count (or another
sample):
– trace to relevant suppliers invoices to establish whether the correct purchase prices have been used in
obtaining the cost in terms of the cost formula used by the company,
For example:
For FIFO, if there are 10 items on hand, and the most recent invoice was for 8 items at R200 each
and the invoice prior to that was for 12 items at R190 each, the 10 items on hand would be valued at
8 × R200 – R1600
2 × R190 – R380
– re-perform the weighted average calculation (if this basis is used by the client) and compare result to
the weighted average price used by the client, and
– by enquiry of the costing clerk and inspection of invoices from transporters, establish that relevant
carriage costs have been included in unit cost calculations.

Pricing imported inventory purchases


For a sample of imported high-value items, obtain the relevant suppliers invoices/shipping contracts and
costing schedule, and re-perform the unit cost calculations for the sample of imported items and verify that:
• the correct exchange rate was used to convert the foreign currency to rand (rate at date of transaction
should be used. This rate should be confirmed by enquiry of a financial institution)
• the appropriate import and customs duties and shipping charges were included (obtained from shipping
agents invoices), and
• the allocation of the above costs to the individual inventory items purchased is reasonable, and accu-
rately performed.
Note: A company that imports inventory will usually have a “costing schedule” that provides the details of
how the cost of the imported goods was arrived at. The auditor would use this as the basis for audit-
ing unit cost. Amounts used in the calculation would be traced to supporting documentation, for
example, shipping agent’s invoice, supplier’s invoice.
Note: For the performance of pricing tests, it may be necessary to trace suppliers’ invoices, etc., prior to the
most recent ones. The goods actually on hand may have been purchased on two or three occasions
at different prices.

Pricing manufactured goods


• Enquire of appropriate personnel and inspect documentation used in the costing exercise to gain an
understanding of the costing method used.
• Determine whether it is consistent with prior years and remains appropriate for the business.
• Where a standard costing system is used:
– determine the appropriateness of the standard setting process (including adjustments to standards) by
discussion with management and inspection of budgets, historical records, and
– evaluate the treatment of variances at year-end to confirm in particular that the value of inventory
has not been inappropriately increased.
• By inspection of the costing schedules and supporting documentation:
– agree description of materials used and prices thereof
– agree labour costs to payroll records (rates and hours charged)
– confirm that the allocation of overheads includes only fixed and variable production overheads
– confirm that the allocation of overheads is based on normal capacity, and
– confirm that the allocation of overheads is on a systematic basis that is reasonable.
Chapter 12: Inventory and production cycle 12/25

• Confirm that costs that do not qualify as costs of conversion have not been included, for example:
– administration overheads
– selling expenses, and
– abnormal amounts of wasted material, labour or other production costs.
• Confirm that under and over recoveries of production overheads are correctly treated in terms of IAS 2
(through the statement of comprehensive income).
• Re-perform all casts and calculations.
Note: The same procedures will need to be adopted to value work-in-progress at reporting date. However,
there is the additional problem of establishing the stage of completion of the goods being produced. It is
possible that there will be numerous items still in production and at various stages in production. Consider
a motor assembly line that may have 500 vehicles on the production line at the “close of business” on
reporting date. For financial reporting purposes, the value of materials, labour and overheads expended on
those cars in their various stages of completion, for example, engine assembly, trim, paint shop, etc., at
reporting date will have to be calculated. It is the client’s responsibility to produce a schedule of work-in-
progress and the audit thereof will be performed using conventional tests of controls (to test the way in
which the client “puts the figure together”), and substantive tests.
In addition, complex work-in-progress may require that reliance be placed by the auditor on the work of
an expert or internal audit. This is covered in chapter 16.

Lower of cost/net realisable value


• Using a sample (possibly one already extracted), verify the selling price of inventory items by:
– reference to sales lists, and
– reference to the most recent sales invoice for the particular item.
• Compare sales prices on invoices for a small sample of sales made in the post reporting date period to
the cost prices on the inventory sheets. This provides evidence of the most up to date realisable value.

Inventory obsolescence allowance


• Discuss with management:
– the process used to determine the obsolescence allowance and evaluate the process for reasonable-
ness and consistency with prior years, for example, is a fixed percentage used each year (only accept-
able if there is strong historical evidence to support it) or is a detailed analysis carried out?
– any procedures in place for the approval of the final allowance, for example, is the allowance
approved by the financial director after consultation with the warehouse manager?
– any specific events that may have occurred during the year that may have an impact on the allow-
ance, for example, a flood may have damaged some inventory items, and
– any specific inventory items that may already be obsolete (or soon will be) and how this has been
recognised in calculating the allowance for obsolescence.
• Perform analytical procedures to give a general overview as to the reasonableness of the allowance by
comparison of current year figures and/or ratios to prior year figures/ratios, for example:
– the allowance itself
– the allowance as a percentage of total inventory
– inventory turnover ratio, and
– days’ inventory on hand.
• Assess indicators of obsolescence problems such as no recent sales or purchases of particular items,
products that have reached their sell by dates in the post reporting period, or correspondence relating to
inferior products supplied to customers.
• Re-perform the aging of inventory by tracing back to source documents.
• Compare allowances raised in prior years to actual write-offs in subsequent years (to determine “accur-
acy” of management’s allowances).
• Review working papers from year-end test counts to ensure that inventory items identified as damaged/
obsolete/slow-moving have been included in the allowance.
• Re-perform any calculations of the inventory obsolescence allowance and discuss the reasonableness of
the allowance in terms of evidence gathered with management.
12/26 Auditing Notes for South African Students

12.5.4.3 Assertion: Completeness and existence (all inventory that should have been recorded,
has been recorded, and inventory included in the statement of financial position actually
exists, i.e. is not fictitious)
The primary evidence for these two assertions is gathered when attending the inventory count as described
earlier. Additional but superficial evidence will be provided by analytical review. “Cut-off” tests performed
when auditing the revenue and receipts cycle and the acquisitions and payments cycle will provide evi-
dence that all inventory that was purchased has been included and inventory that had been sold, has been
excluded.

12.5.4.4 Assertion: Classification


By enquiry of management and inspection of inventory (at the count) and/or observation of the manufac-
turing process, confirm that inventory included in the account balance, satisfies the definition of inventory,
i.e., the asset is held for sale in the ordinary course of the company’s business or in the process of produc-
tion for such sale in the form of materials or supplies to be consumed in the production process.

12.5.4.5 Assertion: Presentation


• The auditor must inspect the financial statements to confirm that:
– inventories appear as a separate line item under current assets on the face of the statement of finan-
cial position net of impairments, and
– the disclosure in the notes reflects inventories before and after impairment allowances, as well as any
other required information.
For example:
o encumbrances
o accounting policy
o cost formula
o reversals of any previous inventory write-downs, and
o cost of inventories recognised as an expense and included in cost of sales.
• By inspection of the AFS and reference to the applicable reporting standards, for example, IAS 2, and
the audit documentation, confirm that:
– disclosures are consistent with the evidence gathered (amounts, facts, details)
– any disaggregation of the balance reflected in the statement of financial position is relevant and
accurate, for example, inventories have been correctly broken down into raw materials, WIP and fin-
ished goods as applicable
– the wording of disclosures is clear and understandable, for example, inventory accounting policy note, and
– all required disclosures have been included.

12.5.4.6 General: All assertions


• Perform an overall analytical review of inventory by comparing current year figures and ratios with the
corresponding figures of prior years.
For example:
– total inventory
– total inventory by category or location or source (local/imported), and
– inventory as a % of current assets, total assets.
• Include reference to inventory, particularly the allowance for obsolescence, in the management repre-
sentation letter.
Chapter 12: Inventory and production cycle 12/27

12.5.5 The use of audit software (substantive testing)


When the client has a computerised system and suitable audit software is available, extensive use can be
made of it to enhance the audit of inventory. What can actually be done by the software will depend on the
information that is available on the masterfile. Normally the inventory masterfile will contain, at least, the
following fields:
• inventory item number • quantity on hand
• inventory description • unit selling price
• category • unit cost
• location • date of last receipt and GRN number
• imported/local • date of last issue and document number
• approved suppliers • inventory item value (quantity × unit cost)
The following appendices provide a simple illustration of how audit software can be used to assist in the
audit of inventory:
Appendix 1. Inventory masterfile
2. Procedures using audit software
12/28

A SCHEDULE OF INDIVIDUAL INVENTORY ITEMS EXTRACTED FROM THE INVENTORY MASTER FILE OF DO-IT (PTY) LTD AT 31 MAY 0003

Unit cost Value Selling Date of last


Item Date of last sale Quantity sold
Description Supplier code Quantity price purchase
code month/year year to date
R R R month/year
T0101 Bosch electric drill DR649F 18 320 5760 975 5/0003 2/0003 36
T0301 De ker router PQ417 14 425 5950 1025 8/0002 6/0003 2
G041 Wheelbarrow LG7 104 108 11232 196 5/0003 4/0003 712
H415 Metal ladder CL413 – 140 –420 392 3/0003 11/0002 47
H436
436 Ba set BR200 14 490 6860 740
62 545 33790 740 5/0003 3/0003 226
T0491 Flatbed planer PQ472F 8 4320 34560 6500 11/0002 6/0002 1
G093 Trimmer WP293 32 1140 36480 1000 1/0002 4/0002 0
H481 Geyser 200L CG321 –45 –630 28350 1960 3/0003 1/0003 40
T461
1 Ar welder YP731F 4 8209 65672 12450 6/0002 3/0001 2
G126 Irrigator WW373 0 1299 0 1850 2/0003 4/0003 10
T = Tools
G = Garden
H = Household
F after Supplier Code = Foreign Supplier
Unit cost is Fifo (Master file has been simplified)
Auditing Notes for South African Students
PROCEDURES THAT MAY BE CONDUCTED ON THE INVENTORY MASTER FILE OF DO-IT (PTY) LTD USING AUDIT SOFTWARE

Procedure Assertion Example/Notes


1. Stratify population by item category and value General Can be used for:
(The same stratification could be done for imported/local items.) planning inventory counts
analytical procedures, and
selecting samples
2. Scan the entire master file and produce reports of “error conditions” for follow up:
2.1 blank fields –
2.2 duplicate item codes Existence Nil
2.3 negative quantities or negative unit costs Valuation cost H415
2.4 negative quantities and negative unit costs Valuation cost H481 (note value field)
Chapter 12: Inventory and production cycle

2.5 quantity field is zero but date of last purchase is more recent than date of last sale Completeness/valuation cost G126
2.6 items with amounts in the value field but 0 in the quantity field, and Valuation cost Nil
2.7 date of last sale or last purchase is after year-end Existence/completeness T0301
3.. Selec samples:
3.1 pricing, and Valuation cost 1.. ndom
3.2 inventory count Existence, valuation (cost and 2.. H h value
write down) 3. High quantity
4.. ported
5.. Old invent y
4. Re-perform
4.1 quantity × unit cost calculation and compare to value field for each item (report of differences), and Valuation cost T461
4.2 cast of value field for entire file
5. Analyse inventory master file by extracting listings of:
5.1 inventory items for which unit cost exceeds selling price 5.1 to 5.4 provide evidence for G093
5.2 inventory items for which date of last sale is, say, 9 months prior to year-end and date of last determining write-downs TO301
purchase is within two months of year-end (valuation)
5.3 inventory items for which date of last sale and date of last purchase are, say, 9 months prior to year- G093, T461
end
5.4 inventory items where quantity on hand is, say, 5 times greater than “quantity sold to date” T0491, G093
12/29
12/30 Auditing Notes for South African Students

12.6 Automated application controls in inventory


The auditor can also rely on automated application controls to test inventory. Automated application
controls apply to the processing of individual applications. They are “automated” or “automated with
manual procedures” that operate at a business process level. Automated controls are controls designed to
confirm completeness, accuracy and validity of processed transactions with a financial impact. For more
details on automated application controls, please refer to chapter 8.
Depending upon the audit approach adopted (substantive or control based), the approach for automated
application control tests may vary.
For example:
Should the IT general controls environment have limited findings and the control environment is consid-
ered effective, automated controls may be tested.
If the IT general controls environment is considered not effective, the auditor may still rely on automated
controls, but will need to test the access and change management around the automated application control
embedded in the application.
The auditor should report on shortcomings identified in the existing processes as well as weaknesses
identified during the review with recommendations to improve.
Some automated application controls to consider when testing inventory:
Inventory formulae
• Determine the cost formulae and whether the rules have been configured in the application.
• Determine whether the inventory formulae/rules align with the policy.
• Determine who has access to the inventory formulae configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the inventory formulae/rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the inventory formulae/rules are accurate.

Master data
• Determine who has access to the inventory masterfile/cost price.
• Have changes been made to the masterfile in application during the period under review?
• Have changes been authorised in the application?
• Perform a comparison test to compare inventory prices year on year and review significant discrepan-
cies.

Inventory ageing
• Stratify the age analysis through analytics.
• Review the inventory age analysis for inconsistencies and aged inventory.

Inventory impairment
• Perform analysis of inventory listing and determine inventory that should be classified as “obsolete” or
slow moving.
• Assess whether the application has been configured to perform inventory impairment.
• Determined whether the inventory impairment rules align with the policy.
• Determine who has access to the inventory impairment configuration in the application and whether
the access is limited to authorised personnel only.
• Scrutinize the write-off report to determine whether inventory was written off by authorised individuals
and whether there are inconsistencies with the write-offs.
• Have changes been made to the configured impairment rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether impairment rules are working
Chapter 12: Inventory and production cycle 12/31

Impaired inventory
• Determine what the inventory write-off process is. Is there a possibility that the inventory can be written
off and sold for own profit?

Journals
• Determine who has authorisation to process journals relating to inventory within the application.

Foreign inventory
• Foreign/imported inventory has been captured at the correct forex rate, at spot on the first day the
recognition should have occurred.
• Determine whether the application has been configured to receive daily currency exchange rates that
would have been applied to imported inventory.
• Who has access to change the currency rate configuration in the application?
• Have any changes been made to the configuration during the period under review?
• Perform a walkthrough of one inventory item to determine whether the forex calculation is accurate.
CHAPTER

14
Finance and investment cycle

CONTENTS
Page
14.1 The accounting system and control activities ................................................................... 14/3
14.1.1 Introduction ....................................................................................................... 14/3
14.1.2 Characteristics of the cycle .................................................................................. 14/3
14.1.3 Compensating controls........................................................................................ 14/4

14.2 Narrative description of the finance and investment cycle at ProRide (Pty) Ltd ................ 14/5
14.2.1 Introduction ....................................................................................................... 14/5
14.2.2 Planning ............................................................................................................. 14/5
14.2.3 Authorisation and implementation ...................................................................... 14/5
14.2.4 Review and approval .......................................................................................... 14/5
14.2.5 Other controls..................................................................................................... 14/5
14.2.6 Investment of surplus funds ................................................................................. 14/6
14.2.7 Long-term loans ................................................................................................. 14/7

14.3 Auditing the cycle ................................................................................................................... 14/7


14.3.1 Introduction ....................................................................................................... 14/7
14.3.2 Fraud in the cycle ............................................................................................... 14/7
14.3.3 Overall responses to risk of material misstatement at financial statement level ....... 14/7
14.3.4 Responding to risk at assertion level .................................................................... 14/7

14.4 ISA 540 Auditing accounting estimates and related disclosures ....................................... 14/8
14.4.1 Assessment of inherent risk ................................................................................. 14/9
14.4.2 Responding to the assessed risk ........................................................................... 14/10

14.5 Audit procedures – The finance cycle............................................................................... 14/12


14.5.1 Introduction ....................................................................................................... 14/12
14.5.2 Share capital ....................................................................................................... 14/12
14.5.3 Debentures ......................................................................................................... 14/13
14.5.4 Long-term loans ................................................................................................. 14/15
14.5.5 Leases ................................................................................................................ 14/16
14.5.6 Provisions, contingent liabilities and contingent assets.......................................... 14/19

14/1
14/2 Auditing Notes for South African Students

Page
14.6 Audit procedures – The investment cycle ........................................................................ 14/23
14.6.1 Property, plant and equipment ............................................................................ 14/23
14.6.2 Investments in shares .......................................................................................... 14/32
14.6.3 Long-term loans made by the company ............................................................... 14/34
14.6.4 Intangible assets .................................................................................................. 14/35
Chapter 14: Finance and investment cycle 14/3

14.1 The accounting system and control activities


14.1.1 Introduction
This cycle essentially deals with those transactions a company enters into to raise finance, for example, by
issuing shares, or borrowing money from a bank or investment company. The cycle also deals with the
investments the company makes, whether it be in property, plant and equipment, making long-term loans
or investing surplus funds. The transactions in this cycle will usually result in the creation or alteration of
an account balance, for example, investment in property, plant and equipment may also result in cash
inflows and outflows, that are written off at the end of the financial year, for example, interest or dividends
received on investments or interest paid on borrowings.
In a general sense the audit of the capital employed section of the statement of financial position is linked
to the finance side of the cycle, and the audit of non-current assets to the investment side of the cycle.

14.1.2 Characteristics of the cycle


14.1.2.1 Frequency of transactions
The number of transactions in this cycle is considerably smaller than for “everyday” transactions, such as
purchases and sales, salaries and wages, etc.

14.1.2.2 Size of transactions


Transactions in this cycle are usually material. Generally, when a company raises finance or purchases
non-current assets, the amounts are large.

14.1.2.3 Legal and regulatory requirements


Transactions in this cycle are frequently governed by statute and by the company’s Memorandum of Incor-
poration (MOI).
For example, if the company chooses to issue shares, it must comply with the requirements of the Com-
panies Act. If the directors wish to declare a dividend to shareholders, they must comply with the com-
pany’s MOI and with section 46 of the Companies Act, which deals with distributions (as defined) to share-
holders.

14.1.2.4 Non-routine internal controls


Due mainly to the three characteristics identified above, transactions in the cycle will not be subjected to
the routine every day controls relating to transactions. However, it is still very important that strict controls
are exercised over these transactions and what might be termed “compensating” controls should be put in
place. These are discussed below (para 3).

14.1.2.5 Non-standard documentation


Because of the “uniqueness” of transactions in this cycle, it is unlikely that the documentation relating to
them will be the standard everyday documentation, for example, goods received notes, invoices, etc. Cer-
tainly, there will be occasion when these documents are used but more often than not, documents specific
to a particular type of transaction will be used, such as contracts and lease agreements.

14.1.2.6 Major risks within the cycle


Although the risk of material misstatement must always be evaluated in terms of the specific circumstances
at the client, generally the major risks would be that the client understates completeness of the long-term
liabilities or overstates existence and valuation of the investments that have been made whether these are
investments in plant and equipment, etc., or in other private or public companies. Due to the legal and
regulatory requirements, there is also a risk that invalid transactions have occurred, for example, long-term
loans raised in contravention of the MOI, or the issue of shares to a director without the appropriate
approval in terms of the Companies Act.
14/4 Auditing Notes for South African Students

14.1.3 Compensating controls


4.1.3.1 Planning
Transactions in this cycle, for example, investment in plant and equipment, should be carefully planned by
senior experienced management. This normally involves:
• the formation of specific committees, for example, a capital expenditure committee, that will evaluate
the need for capital expenditures and how they will be financed, or an investment committee, that may
look at alternative forms of investment for surplus funds
• the preparation of capital expenditure budgets and cash flows, for example, is adequate funding avail-
able to settle the purchase consideration
• exhaustive consideration of alternatives, for examples best method of raising finance, and
• regular comparison of actual performance to budgeted performance to assist in ongoing planning.
Note: Decisions will often be prompted by strategies adopted by these committees to respond to risk.
Controls over the purchasing of these items should be in place, such as obtaining multiple quotes from pre-
approved suppliers.

14.1.3.2 Authorisation
• Authorisation of material finance and investment transactions should be at the highest level. This could
be by way of resolutions of a fixed asset committee, a steering committee, an investment committee or
the board of directors.
• The resolutions should be minuted.
• The resolutions may be subject to authorisation requirements in
– – the company’s MOI
– – the company’s policies, and
– – the Companies Act where applicable.
• Legal advice should be obtained to consider the implications for the entity before concluding any mater-
ial agreement.
• Signed agreements should be entered into and should include all relevant terms and conditions.

14.1.3.3 Implementation
Where the implementation of the transaction is other than straightforward, it should be carried out by com-
petent staff and properly controlled. For example, the installation of a new production line should be
regarded as a project and sound project controls must be implemented. If a public share issue is to be
undertaken, merchant bankers, lawyers and other experts should be involved.

14.1.3.4 Review and approval


Transactions in this cycle should be subjected to:
• progress reporting
• comparison to plans and budgets, and
• independent scrutiny by internal audit particularly for compliance with legal and regulatory require-
ments.

14.1.3.5 Controls after asset is on hand


Once the asset is on hand, it can be lost, stolen or damaged and therefore inappropriately recorded in finan-
cial statements.

Security
• All material tangible assets should be physically secured to avoid theft of assets and loss to the entity.
• A detailed fixed assets register should be kept and at least once a year a physical count should be per-
formed where the physical condition is assessed for any indication of impairment.
• The assets should be serviced regularly in order to maintain their functionality.
Chapter 14: Finance and investment cycle 14/5

14.2 Narrative description of the finance and investment cycle at ProRide (Pty) Ltd
14.2.1 Introduction
As with many businesses of the size of ProRide (Pty) Ltd, not many “finance and investment” decisions are
made in a single year. However, this does not mean that controls are weak in the cycle – on the contrary.
Finance and investment decisions are subject to a full range of compensating controls and other controls.

14.2.2 Planning
14.2.2.1 Budgets
All transactions in this cycle are carefully planned. The annual budget forms the basis of planning. In put-
ting together their annual budgets, department heads (e.g. Reg Gaard, warehouse manager, Gary Powell,
IT manager) must indicate and motivate for any new capital expenditures they require. As part of their
motivation, they must obtain estimates (quotes) from various suppliers on price, and any service contract
costs, for example, should Reg Gaard require a new forklift, he must present quotes from three suppliers.
All capital expenditure is subjected to the same budgetary process regardless of the value, i.e. department
heads are not given permission to make acquisitions up to, say, R10 000 without committee consent.

14.2.2.2 Capital expenditure committee


This committee consists of Brandon Nel, Johan Els and Peter Hutton, the financial director, financial man-
ager and managing director respectively. All motivations from department heads are evaluated in the
presence of the department head so that alternatives can be discussed, and queries resolved.
The decision as to whether or not to go ahead with the expenditure is minuted along with the full detail
of the proposed expenditure. The minutes are signed by the committee members and become the authority
for the acquisition.

14.2.2.3 Financing
All three members of the committee have financial qualifications and are quite capable of deciding on the
best method of financing the purchase. Where they require any particular expertise with an asset financing
decision, they will obtain assistance from their bankers and external auditors.

14.2.3 Authorisation and implementation


The acquisition of the asset becomes the responsibility of the department head working with Brandon Nel,
the financial director, who is solely responsible for negotiating final prices, terms and finance arrange-
ments. Any contracts entered into are signed by Brandon Nel. No material purchase agreement/financing
contract is drawn up without it being scrutinised by the company’s legal advisors.

14.2.4 Review and approval


As the incidence of capital expenditures is low, there is limited review and approval. However, about once
every three months the committee will meet to discuss whether:
• acquisitions scheduled in the capital budget have actually been acquired and are functioning as required
• business circumstances, that necessitate a change to the budget have occurred, for example, capital
expenditure should be delayed because cash flow has not been as expected, or an expected increase in
inventory holding has given rise to a need for new warehousing facilities, and
• equipment, etc., is being adequately maintained.

14.2.5 Other controls


• The department heads are responsible for the maintenance of assets in their section – for example,
ensuring that, where applicable, they are serviced at the appropriate time.
• Company assets may not be used by employees for personal purposes.
• Payments, whether they be by instalment or “one off” payments, are subject to the same control proced-
ures as all other payments (see chapter 11).
• A fixed asset register is kept and once a year a physical asset count is undertaken. Every fixed asset is
inspected and traced to the fixed asset register, and its condition assessed.
14/6 Auditing Notes for South African Students

14.2.6 Investment of surplus funds


As ProRide (Pty) Ltd is a private company, decisions on how profits that are surplus to business require-
ments should be treated are resolved by a meeting of the shareholders. Both Brandon Nel and Peter Hutton
are shareholders. As a policy, the company does not make investments in listed or private companies;
shareholders prefer to declare dividends and make investments in their private capacities.

14.2.7 Long-term loans


The company has a policy that no long-term loans will be made to anyone other than the directors. Loans
to directors are made very seldom and are only made:
• up to specified limits (a percentage of the director’s annual remuneration)
• on the strength of a written motivation, and
• if all shareholders agree.

14.3 The audit of the cycle


14.3.1 Introduction
As for all other cycles, ISA 315 (revised) requires that the auditor identify and assess the risk of material
misstatement at the financial statement level and at the assertion level for classes of transactions, account
balances and disclosures. The risk assessment procedures will be those that are carried out in any cycle and
will hinge around the auditor gaining a thorough understanding of the entity and its environment. In the
context of this cycle, the auditor will need to evaluate whether there is anything in the assessment of risk at
financial statement level that may filter down into the audit of the cycle and whether there are any specific
risks pertaining to the various balances and transactions in the cycle.
For example:
• At financial statement level: if the auditor has concerns about the “accounting” competence of man-
agement, there may be a risk of material misstatement in a number of balances relating to the cycle, for
example, management may not even be aware of matters such as impairment requirements to establish
fair value, or how intangible assets should be measured.
• At account balance level: risk assessment procedures may have revealed that a number of machines
may have become technically obsolete.
• At transaction level: risk assessment procedures may reveal that long-term loans are being made to
directors and other related persons without considering the requirements of the Companies Act.

14.3.2 Fraud in the cycle


14.3.2.1 Fraudulent financial reporting
This cycle presents the directors with a fair number of opportunities for fraudulent reporting, as there are
numerous account headings that can be manipulated. Of particular concern for the auditors would be the
manipulation of allowances, provisions, impairments, and fair values. Working on the assumption that the
directors’ motive would be to improve the financial statements through fraud, the following methods could
be adopted:
• Creating unjustified reserves with a corresponding increase in fixed assets (valuation), for example, obtaining
an inflated property valuation from an estate agent.
• Omitting long-term liabilities (completeness), for example, failing to record a new loan and disguising the
inflow of cash as income, or failing to capitalise leases.
• Undervaluing long-term liabilities (valuation), for example, failing to amortise debentures redeemable at a
premium.
• Overstating property, plant and including fictitious assets or assets that the company does not own (existence
and rights), for example, including the assets of a related party.
• Overstating plant and equipment, understating depreciation allowances and impairments (valuation), for
example, failing to write down obsolete/impaired machinery.
• Overstating investments in listed and/or private companies, for example, failing to write down the cost of
investments in private companies, where the fair value of the investment has fallen.
Chapter 14: Finance and investment cycle 14/7

• Understating or omitting provisions/allowances, for example, not providing for long-term environmental
damage that the company has an obligation to rectify.
• Omitting or inadequately disclosing contingent liabilities, for example, the company makes no mention in
the notes of a pending lawsuit that may have grave consequences for the company.
Note that any manipulation of the statement of comprehensive income by the directors will also affect the
capital section of the statement of financial position.

14.3.2.2 Misappropriation of assets


This cycle does not present any unique opportunities to management or employees to misappropriate
assets, other than:
• Making unauthorised use of the company’s assets for personal use, for example, using the company’s com-
puter processing facilities to run private accounting jobs, taking company vehicles or equipment home
for weekends for private use, using company assets as security for personal loans, or the directors mak-
ing (unauthorised) long-term loans to themselves.

14.3.3 Overall responses to risk of material misstatement at financial statement level


In terms of ISA 330, the auditor must implement overall responses to address the risk of material misstate-
ment at the financial statement level.
For example:
• assigning more experienced staff to the audit team, for example, in response to an assessed risk that
management may lack “accounting” competence. The auditors will assign staff who have a high level of
technical competence relating to the account headings in this cycle
• providing more supervision of audit work as well as more frequent and comprehensive review
• the engagement of an expert to assist with the audit of complex transactions.

14.3.4 Responding to risk at assertion level


There is no change in principle here. The auditor will still need to decide on the nature, timing and extent
of tests that will reduce audit risk to an acceptable level. As was explained in chapter 6, the best mix of tests
of controls and substantive tests, that is, observation, re-performance, inspection, etc., must be decided
upon and executed. Particular considerations for these cycles include:

14.3.4.1 Nature of substantive procedures


• As there are normally only a few transactions (relatively) in this cycle, the auditor may limit tests of
controls (not ignore them!) and concentrate on performing substantive tests of detail, often on each of
the transactions that have occurred, and the account as a whole.
• A common approach is to verify the opening balance on the account, vouch the transactions that make
up the movement on the account including adjusting journal entries, and verify that the closing balance
agrees with and is appropriately reflected in the financial statements.
For example:
SpendIt Ltd has raised two long-term loans and repaid one. Broadly it will be audited as follows:
Opening balance : compare to prior years’ closing balance in working papers
Two new loans : vouch as transactions (occurrence, accuracy, cut-off, classification and complete-
ness)
Repayment : vouch as a transaction (occurrence, accuracy, cut-off classification and complete-
ness)
Closing balance : cast account and confirm that appropriate presentation and disclosure have been
achieved (presentation).
Where a subsequent measurement adjustment has been passed, for example, for the amortisation of a
debenture redeemable at a premium, the adjusting journal entry will be vouched.
If there are numerous and frequent transactions in this cycle, for example, lots of purchases of
machinery and other equipment, then tests of controls would be carried out as with any other cycle.
14/8 Auditing Notes for South African Students

The same broad approach would be adopted, but the extent of substantive testing would be influ-
enced by the outcome of the tests of controls, and samples of transactions relating to the account head-
ing would be extracted for audit.

14.3.4.2 Extent of substantive procedures


As indicated, there are frequently few transactions in the cycle and each one can be audited individually.
When there are numerous transactions, for example, in very large organisations, the normal principles of
sampling would be adopted, and the extent of substantive testing would be influenced by the risk assess-
ment and effectiveness of controls.

14.3.4.3 Timing of substantive procedures


There is nothing about the cycle itself that makes the timing of tests particularly critical so they may be
conducted at the interim or final stage. Quite often the external auditor may be asked for input at the time
the transactions are taking place, for example, the auditor may be consulted on Companies Act or JSE
listing requirements for a share issue and some audit work may be done at this stage. Where a tight audit
deadline is in place, early verification and roll forward procedures can take place quite conveniently, for
example, physical asset inspections, statutory work, and scrutiny of finance leases raised at an interim date
two months prior to year-end.

14.4 ISA 540 Auditing accounting estimates and related disclosures


It is quite possible that in this cycle “fair values” will be used extensively. In some cases, for example, for
investments in listed shares, auditing fair value is straightforward. The auditor can use share price listings
that are widely available, but for other account headings relating to this cycle, establishing fair value may
be far more complex. Complex accounting estimates have become more prevalent in financial statements
as businesses themselves become more complex, and need the auditor to consider management’s estimate
of financial statement items based on various factors.
ISA 540 – Auditing accounting estimates, including fair value accounting estimates and related disclo-
sures: Accounting estimates vary from amounts arising from depreciation (useful lives), contingent events,
warranties, provisions, to allowances, etc. Fair value accounting estimates are those estimates relating
specifically to “fair values” such as estimating the “fair value” of shares that are not in a listed company.
Accounting estimates also include the disclosures made in the financial statements, if any, related to the
monetary estimate made. There are inherent risks in the estimation of a financial statement item. ISA 540
requires that inherent risk factors be identified and addressed. Because the shares are not traded in an active
market, the estimation of the fair value will have an inherent degree of imprecision because they cannot be
precisely measured. This type of inherent risk, where no instrument will measure an item precisely, is
called estimation uncertainty. Secondly, the complexity of the estimate will need to be considered. The estima-
tion of the useful life of typical property, plant and equipment will be less complex than the estimation of a
pension plan liability for a pension fund, that will require actuarial knowledge, an actuarial valuation
model that uses probabilities to predict outcomes, and needs to use appropriate internal and external data
that may be difficult to attain or understand. Such complexities can increase the risk of misstatement with
varying degrees, and may require management to engage a management expert. Thirdly, the subjectivity of
the accounting estimate relates to the judgments that management are required to make in the estimate.
These can include management deciding what information to disclose, which valuation technique to use,
the assumptions used in the estimate, the data used (management using their judgment on whether internal
or external data should be used and where there are various sources of data and management determines
the source), where there are various possible outcomes to be measured in the estimate and management
decisions on the weighting of those outcomes. Although these inherent risk factors are required to be
addressed by the auditor, any relevant inherent risk factors in an estimate should be identified and
addressed. Other inherent risk factors can be the susceptibility of the estimate to management bias or fraud,
and a change in the nature of the financial statement line item necessitating a change in the estimation
process. The impact of ISA 540 on the audit process is described below, based on the stages of the audit –
illustrated in chapter 6 of this textbook. A diagram representing the process to the audit of an estimate is
shown at the end of this section.
Chapter 14: Finance and investment cycle 14/9

In the planning stage, when conducting risk assessment procedures and planning further audit procedures,
the auditor will perform the following at an assertion level:
• Obtain an understanding of the entity and its environment as follows:
– the transactions or events that give rise to the estimate
– the requirements of IFRS in relation to the estimate
– the requirements of regulations related to the estimate, for example, in the financial services industry,
the actuarial valuation of a pension fund is required at least once every three years by the Pension
Funds Act of 1956, and
– the disclosures made in the financial statements regarding the estimate.
• Obtain an understanding of the IFRS requirements for the fair value measurement and disclosure of the
accounting estimate. Accounting estimates will be audited at the assertion level.
• Obtain an understanding of the entity’s internal control as follows:
– the nature and extent of supervision over management’s process for accounting estimates
– how management identifies and addresses risks related to accounting estimates, including the need to
use a management expert
– how risks related to accounting estimates are addressed by the entity, and
– how management reviews previous accounting estimates made.
Where information technology or systems are used, an understanding of the following is necessary:
– the financial statement items that relate to the information systems
– how management determines the methods, assumptions and sources of data used in the information
system
– identify if any change to the method, assumptions and sources of data is necessary
– how management understands and addresses estimation uncertainty for the estimate
– control activities covering the process to make an estimation by management.
• Perform analytical procedures and inquire with management about prior year accounting estimates as
compared to the related current actual amounts (or “outcome” as it is referred to in the Standard).
Where there are differences between the estimate and the outcome or actual amount, the guidance of
the financial reporting framework will determine whether there is a misstatement. For example, the dif-
ference between what is paid to a pensioner, and the amount that was expected to be paid to a pension-
er (the estimate), is an actuarial gain or loss per IAS 19. Where the difference arises from information
that was reasonably obtainable as at the prior year reporting date, this could indicate a misstatement.
• Determine whether specialised skills or knowledge is required to perform these risk assessment proced-
ures, in which case an expert may be engaged.

14.4.1 Assessment of inherent risk


Based on the above, the auditor will identify the risks of material misstatement at an assertion level and
assess them. This assessment must be done separately for inherent risk and control risk. For the principles
relating to the assessment of control risk, refer to chapter 7. The assessment of inherent risk depends on the
extent to which the inherent risk factors affect the likelihood of misstatement and varies on a scale that is
referred to by ISA 540 as the spectrum of inherent risk.
For example:
A warranty liability estimate could have a high degree of subjectivity (where management chooses which
data it is to be based on, among various sources, and determines how to measure the liability) but a low
degree of complexity (where an entity uses the number of goods per year multiplied by a specified percent-
age, and no specialised skills are needed in order to calculate it).
However, there are no rules for inherent risk factors; they have to be assessed based on information
obtained in understanding the entity. It is therefore possible to have a warranty liability with a higher
degree of subjectivity and a high degree of complexity, depending on the inherent risks of an entity. There
could also be other inherent risk factors that need to be taken into account, such as the susceptibility of the
estimate to management bias or even fraud, and changes in the nature of the estimate (such as a big change in
how the estimate was made in prior years compared to the current year).
14/10 Auditing Notes for South African Students

14.4.2 Responding to the assessed risk


An auditor may respond to the assessed risk of an estimate in three ways, as will be explained by means of
the following example: A company buys a building and starts renting it out for rental income, and therefore
meets the requirements of IAS 40 for investment property. In accordance with IAS 40, a fair value estimate
is required at initial measurement. Because of investment property not being an observed price, the fair
value will need estimation. In this example, the value that the investment property is sold for can be a good
estimation of its fair value. If it is sold soon after the year-end of the entity, ISA 540 paragraph 21 may
apply, as that provides strong evidence of its estimated fair value at year-end – this is the first alternative. In
the case where management does not want to sell the building (more likely), it may decide to value the
investment property itself. ISA 540 paragraphs 22–27 require that the auditor tests how management made
the accounting estimate in the following manner (this is the second alternative):

Methods
Selection Influenced by
Assumptions inherent risk
Application factors
Data

The auditor would need to address the selection of the valuation method, the assumptions implied in the
method and the selection of the data. The auditor would also be required to assess the application of meth-
ods, assumptions and data used in the in the valuation. If management had used an expert in the valuation,
the auditor would need to comply with both ISA 540 and the requirements of ISA 500 in order to rely on a
management expert. The third alternative is for the auditor to estimate an amount or a range of amounts.
For this, the auditor could use a variety of acceptable methods.
For example:
The auditor could use recent selling prices of investment property in the immediate area around the
building to calculate a “selling price per square metre” (selling price of property divided by the number of
square metres of the property), then use this estimated selling price per square metre multiplied by the
square metres of the property being valued. The auditor has therefore calculated a point estimate. In esti-
mating a range, the auditor may take the lowest selling price per square meter of a recently sold investment
property in the area, and the highest selling price per square meter of a recently sold investment property in
the area, and use that as a reasonable range for estimating the investment property’s selling price per square
metre.
Diagrammatical summary of ISA 540
This diagram is based on guidance issued by the IAASB on the ISA 315 (Revised) Exposure Draft in 2018.

Through the performance of risk assessment procedures, obtain an understanding of: The stand back requirement is
para. 13–15 an overall evaluation of risks
identified and how they were
assessed and responded to (i.e.
The entity and its Entity’s system of internal after all relevant evidence has
environment control been obtained). This evaluation
could lead to the identification
of more risks (represented by the
Identify risks of material misstatement (ROMM) at the assertion level dotted arrow) or to additional
para. 16 responses to the risks already
identified (represented by the
Chapter 14: Finance and investment cycle

solid arrow).
Stand back
para. 33–36 Inherent risk and control
required must be assessed
separately. Only inherent risks
Assessing inherent risk Assessing control risk
that are on the higher end of the
by assessing likelihood and If plan to test operating effectiveness – control risk less than
spectrum of inherent risk can
magnitude of inherent risk factors on maximum. If not planning to test OE – control risk at
lead to significant risks.
spectrum para. 16 maximum Based on ISA 315 (Revised)

Significant risks ROMM for which substantive Other assessed risks of


para. 20 & 21–30 procedures alone do not provide material misstatement
appropriate audit evidence para. 21–30
para. 19 & 21–30

Either of these responses, or a


Responses to risk of material misstatement: combination thereof, can be
1. para. 21 Obtaining audit evidence from events occurring up to the date of the auditor’s report used to address a specific risk. A
2. para. 22–27 Testing how management made the accounting estimate combination of them may be
3. para 28–29 Developing an auditor’s point estimate or range more persuasive.
14/11
14/12 Auditing Notes for South African Students

14.5 Audit procedures – The finance cycle


14.5.1 Introduction
Note 1: The audit of the finance and investment cycle can be very difficult and will require a technically
proficient and experienced member of the audit team to be responsible for it. This is due mainly to the fact
that virtually all aspects of the cycle are strongly influenced by extensive and complicated financial report-
ing statements that substantially increase the risk of material misstatement with regard to relevant trans-
actions and events, balances and disclosures.
What has been included in this text is a considerably simplified version of auditing in this cycle designed
to give you a general idea of what is required.
Note 2: The procedures for auditing presentation and disclosure follow a general pattern. By inspection of
the financial statements including the notes, reference to the applicable financial reporting standards and
current audit documentation, the auditor confirms that:
1. Amounts are presented and positioned in the statement of financial position/statement of comprehen-
sive income as required by the applicable financial reporting standard, for example, trade receivables
under current assets.
2. The disclosures relevant to the account heading
2.1 are accurate in terms of amounts, facts and detail
2.2 include specific disclosures required by the applicable financial reporting standards for that account
heading.
3. Any disaggregation or aggregation in the notes, the statement of financial position or statement of com-
prehensive income, is accurate and relevant.
4. The wording of disclosures is clear and understandable.
5. All required disclosures have been made.
Simplified examples have been provided for share capital, finance lease liabilities, provisions, contingent
liabilities and contingent assets, property, plant and equipment.

14.5.2 Share capital


We will only consider the issue of share capital by private companies, as the statutory and JSE require-
ments relating to public and listed companies are fairly onerous and a description of these requirements is
beyond the scope of this text.

14.5.2.1 Opening balance


Inspect prior year work papers and prior year financial statements to confirm that the opening balance
agrees with the prior year closing balance.

14.5.2.2 Occurrence
• Inspect the MOI and any relevant shareholder resolutions:
– for any conditions with which the issue must comply,
– to establish that the company has the necessary authorised (but unissued) share capital to make the
issue (note, the board may resolve to issue shares at any time, but they must be authorised shares and
the MOI may include conditions).
• If any shares were issued to the directors (or a person related to the director or a nominee of such direct-
or), inspect the minutes of meetings of shareholders for a special resolution approving the issue to the
director. Note that in certain circumstances this authority is not required, for example:
– where the director is exercising a pre-emptive right
– the issue is made in proportion to existing holdings on the same terms and conditions as has been
offered to all shareholders of the company or to all shareholders of the class of shares being issued.
• Confirm by inspection of the minutes of the meetings of shareholders, communications with the share-
holders, or inquiry of the directors that the requirements relating to any pre-emptive rights (to the new
shares) were satisfied.
Chapter 14: Finance and investment cycle 14/13

• Inspect the minutes of meetings of directors to confirm that:


– the resolution to issue shares was approved
– the issue price of the shares was for an “adequate consideration” determined by the board (s 40).
Note: In terms of the Companies Act 2008 par value shares cannot be issued.
Note: Meetings must be quorate and approval must be in terms of the Companies Act 2008 (and
MOI) for ordinary and special resolutions.
• Inspect the register of shareholders and agree details to the share capital account in the general ledg-
er/statement of financial position, noting that the addition of new shareholders and changes to existing
shareholdings agree with the minutes.
• Trace the receipt of payment for the shares to the cash receipts journal and bank statement or inspect
appropriate evidence of value received by the company if the consideration received for shares was
other than cash.

14.5.2.3 Completeness
Confirm with the directors that no other share issues have taken place during the current year.

14.5.2.4 Accuracy, cut-off, classification


• Re-perform the calculations to verify that the consideration received for the shares is in accordance with
the issue price as authorised (accuracy).
• Confirm by inspection of dates on the supporting documentation that the issue took place during the
accounting period under audit (cut-off).
• Cast the capital account and all related documentation.

14.5.2.5 Closing balance


Agree the closing balance on the share capital account to the financial statements (balances will be reflected
in the statement of financial position and “changes in equity” note).

14.5.2.6 Presentation
• The auditor must inspect the financial statements to confirm that:
– share capital appears as a separate line item on the face of the statement of financial position
– the disclosure in the notes include, for example, for each class of share:
o its description, number of shares authorised and issued
o the rights preferences and restrictions attaching to that class of share
o details of authorised but unclassified shares, and
o movements in the share capital balance (statement of changes in equity)
• By inspection of the annual financial statements (AFS) and reference to the application financial report-
ing standards and the audit documentation, confirm that:
– disclosures are consistent with the evidence gathered (amounts, facts, details)
– any disaggregation of the balance reflected in the statement of financial position is relevant and
accurate, for example, share capital may have been broken down in the notes into different classes of
shares, for example, A shares and B shares, and
– the wording of disclosures is clear and understandable, and all required disclosures have been included.

14.5.3 Debentures
The audit of debentures, which are regarded as loan capital, attracts a mix of procedures similar to the
audit of share issues and long-term liabilities. Again, we deal only with the issue of debentures in a private
company. If debentures are offered to the general public, they are almost like shares issues and are con-
trolled by the relevant Companies Act sections, including the issuing of a prospectus.
14/14 Auditing Notes for South African Students

14.5.3.1 Important accounting aspects


IFRS 9 – Financial Instruments: IFRS 9 requires that debentures are held at amortised cost. An auditor
should bear this in mind when, for example, auditing a debenture that is redeemable at a premium. IFRS 9
requires the use of an effective interest rate in order to correctly reflect the value of the debenture at each
reporting date and the finance cost associated with it.
In terms of IFRS 9, the effective interest rate is the rate that “exactly discounts estimated future cash pay-
ments through the life of the financial instrument”. Transaction costs may be included in this calculation.
In effect the true finance cost (interest plus premium) is calculated and spread over the life of the debenture.

Basic example: compulsory redeemable debentures


An entity issues 100 R10 par value debentures on 1 January 0001
Coupon rate 10%, redeemable at R12 on 1 January 0004
Effective interest rate is 15,72% (given)

Working Effective int. Interest payment Capital


R R R
1 Jan 0001 1000
31 Dec 0001 157 (100) 1057
31 Dec 0002 166 (100) 1123
31 Dec 0003 176 (100) 1200
Based on this working:
• at 31 December 0001, the debenture will be reflected at R1057 and the journal entry to record the
finance charges would be:
Dr Finance Costs R57
Cr Debenture account R57
• at 31 December 0002 the debenture would be reflected at R1 123, and
• at 31 December 0003 at R1 200 (the amount to be repaid the next day).
Note 1: The interest payment of R100 and premium will give a total finance cost of R157 in year 1, R166 in
year 2 and R176 in year 3.
Note 2: This example is kept simple for the purposes of explaining the principles of auditing a straightfor-
ward compulsory redeemable debenture (see below). An auditor may be required to audit more advanced
transactions, for example, compulsory convertible debentures. The important thing to remember is that the
transaction/account heading being audited must be tested for compliance with all relevant financial report-
ing standards. However, conventional auditing procedures, for example, inquiry, recalculation and inspec-
tion will still be used.

14.5.3.2 Opening balance


Inspect prior year work papers and prior year financial statements to confirm that the opening balance
agrees with the prior year closing balance.

14.5.3.3 Occurrence existence


• Inspect the MOI to determine whether:
– the company is authorised to issue debentures
– the issue has in any way contravened the company’s borrowing powers, for example, authority require-
ments.
• Inspect the minutes of the meeting of directors at which the decision to issue debentures was made and
note:
– to whom the issue was to be made
– the number and amount of the debentures to be issued
– the interest rate, date and manner of payment, and
– any particular characteristic of the debenture, for example, repayable at a premium, convertible to
shares.
Chapter 14: Finance and investment cycle 14/15

Note: The directors do not need shareholder approval to issue debentures, except where the directors
intend to issue debentures convertible into shares, to themselves. If this is the case, section 41 of the Com-
panies Act will apply (basically special resolution from shareholders unless exceptions apply).
• Inspect the register of debenture holders to confirm that the addition of new debenture holders and
adjustments to the holdings of existing debenture holders have been made according to the authority
granted for the issue.
• Inspect the cash receipts journal, deposit slip/bank statements for evidence of the receipt of the correct
amount.

14.5.3.4 Accuracy, cut-off, classification


(a) Initial recognition (on issue)
• Re-perform the calculations and casts to confirm that the cash received from the issue of the debentures
is in accordance with the debenture agreement, for example, 100 debentures of R1 000 = R100 000
received (accuracy).
• Trace the receipt of cash from the cash receipts journal to the general ledger to confirm that it was
posted to the debenture liability account (classification).
• Inspect the dates on all documentation to confirm that they fall within the accounting period under
audit (cut-off).

(b) Subsequent measurement


• Recalculate the effective interest rate based on the terms of the debenture agreement and compare to the
effective interest rate used by the client in the amortisation calculation.
• Inspect the journal entry raising the finance cost and increasing the debenture liability account and
agree the amounts to the amortisation calculation.

14.5.3.5 Completeness
Confirm by inquiry of the directors and scrutiny of the minutes that no other debenture issues have taken
place during the year.

14.5.3.6 Closing balance


• Agree the closing balance on the debenture account (after the finance charge/amortisation adjustment)
to the trial balance.
• If necessary, obtain a third-party confirmation from the debenture holders (confirm amount of deben-
ture, interest rates, redemption premium and conditions of redemption). This relates to all assertions.

14.5.3.7 Presentation
See Notes 1 and 2 on page 14/12.

14.5.4 Long-term loans


Borrowing long term is a common form of financing. The audit plan will be to audit substantively the
opening balance, movement on the account including any adjusting journal entries, and the closing bal-
ance. Ultimately the auditor seeks evidence about the assertions relating to the balance on the long-term
liabilities account and its related disclosures (i.e. obligation, existence, accuracy valuation and allocation, classifi-
cation and completeness as well as presentation). This is achieved by auditing the transactions making up the
account for accuracy, cut-off, classification, completeness and occurrence, and supplementing these with proced-
ures relating to the final balance. Generally speaking the dominant risk is completeness so the auditor will be
concerned about any long-term loans not recorded.

14.5.4.1 Important accounting aspects – Long-term loans


Long-term loans should be reflected at amortised cost using the effective interest rate. For a normal long-
term loan, for example, fixed term, no premium on repayment, etc., the effective interest rate will be the
annual interest rate charged per the agreement. There may be a situation where the company raises a long-
term loan that has a low annual interest rate (to assist with cash flow) but must be repaid at a premium at
14/16 Auditing Notes for South African Students

the end of the loan term. Such a loan would have to be amortised at the effective interest rate to spread the
full cost of the loan over the term of the loan (very similar to a debenture redeemable at a premium).

14.5.4.2 Audit procedures


As the audit procedures are so similar to those for debentures, as discussed above, they have not been
repeated here. However, additional procedures pertaining to the completeness assertion have been included
below as this is an assertion for which there is potential for material misstatement, i.e. understatement of
liabilities.

14.5.4.3 Completeness of long-term loans procedures


• Obtain specific representations from management that all long-term loans have been included.
• Review financial records, minutes of directors, audit committee and capital expenditure committee
meetings and correspondence for evidence of unrecorded loans.
• Obtain third-party confirmations from all long-term loan creditors from the prior year, who are no
longer reflected as long-term liabilities, or whose balances are significantly lower in the current year.
• Enquire and confirm as to the source of funding for any major acquisitions identified during the audit of
non-current assets.
• Match interest payments to long-term loans to confirm the loan to which the interest payment relates
has been raised.
• Perform analytical review, for example, compare current year balances on loan accounts and interest
paid to the prior year.

14.5.5 Leases
Leasing is another very common form of “acquiring” an asset. The distinction between operating and
finance leases is eliminated for lessees (previous IAS 17 standard), and a new lease asset (representing the
right to use the leased item for the lease term) and lease liability (representing the obligation to pay rentals)
are recognised for all leases. A lessee should initially recognise a right-of-use asset and lease liability based
on the discounted payments required under the lease, taking into account the lease terms as determined
according to the new standard. The audit of a lease is therefore difficult and requires that both the asset
raised and the corresponding liability be audited. The assertions that pertain to assets and liabilities as well
as to transactions all apply, sometimes overlapping with each other.

14.5.5.1 Important accounting aspects


• The auditor must be aware of the guidance contained in IFRS 16 – Leases.
The core of the new requirements means that lessees have to take almost all leases, with some cost-
benefit driven exceptions on balance. The lessee has to recognise a right-of-use asset, measured at the
lease liability at initial recognition. The lease liability is measured by discounting the future lease pay-
ments with the rate “implicit” in the lease, if that rate can be readily determined or by using the lessee’s
incremental borrowing rate. The future lease payments are the fixed lease payments (including
in-substance fixed payments) over the lease term. The lease term has to be determined considering
extension and termination options if the lessee is reasonably certain to exercise that option.
• Where a lease is to be capitalised as lease, an asset and corresponding liability must be recognised in the
statement of financial position.

Initial recognition and measurement


Lease liability
Lessees are required to initially recognise a lease liability for the obligation to make lease payments and
a right-of-use asset for the right to use the underlying asset for the lease term.
The lease liability is measured at the present value of the lease payments to be made over the lease term.
The lease payments shall be discounted using the interest rate implicit in the lease, if that rate can be
readily determined. If that rate cannot be readily determined, the lessee shall use the lessee’s incremen-
tal borrowing rate.
Chapter 14: Finance and investment cycle 14/17

Lease asset
The right-of-use asset is initially measured at the amount of the lease liability, adjusted for lease prepay-
ments, lease incentives received, the lessee’s initial direct costs (e.g. commissions) and an estimate of
restoration, removal and dismantling costs.
Lessees are permitted to make an accounting policy election, by class of underlying asset, to apply a method like
IAS 17’s operating lease accounting and not recognise lease assets and lease liabilities for leases with a lease term of
12 months or less (i.e., short-term leases). Lessees also are permitted to make an election, on a lease-by-lease basis, to
apply a method similar to current operating lease accounting to leases for which the underlying asset is of low value
(i.e., low-value assets).
The lessee shall recognise the lease payments associated with the “short term” and “low-value assets” leases as an
expense on either a straight-line basis over the lease term or another systematic basis. The lessee shall apply another
systematic basis if that basis is more representative of the pattern of the lessee’s benefit.

Subsequent measurement
Lease liability
• Lessees accumulate (accrete) the lease liability to reflect interest and reduce the liability to reflect
lease payments made.
• Lessees remeasure the lease modification (i.e., a change in the scope of a lease, or the consideration
for a lease that was not part of the original terms and conditions of the lease) that is not accounted for
as a separate contract, that is generally recognised as an adjustment to the right-of-use asset.
• Lessees are also required to remeasure lease payments upon a change in any of the following, which
is generally recognised as an adjustment to the right-of-use asset:
– the lease term
– the assessment of whether the lessee is reasonably certain to exercise an option to purchase the
underlying asset
– the amounts expected to be payable under residual value guarantees, and
– future lease payments resulting from a change in an index or rate.

Lease asset
• The related right-of-use asset is depreciated in accordance with the depreciation requirements of
IAS 16 Property, Plant and Equipment.
– If the lease transfers ownership of the underlying asset to the lessee by the end of the lease term, or
if the cost of the right-of-use asset reflects that the lessee will exercise a purchase option, the lessee
depreciates the right-of-use asset from the commencement date to the end of the useful life of the
underlying asset. Otherwise, the lessee depreciates the right-of-use asset from the commencement
date to the earlier of the end of the useful life of the right-of-use asset or the end of the lease term.
• Lessees apply alternative subsequent measurement bases for the right-of-use asset under certain
circumstances in accordance with IAS 16 and IAS 40 Investment Property.
• Right-of-use assets are subject to impairment testing under IAS 36 Impairment of Assets.

Presentation
• Right-of-use assets are either presented separately from other assets on the balance sheet or disclosed
separately in the notes. Similarly, lease liabilities are either presented separately from other liabilities
on the balance sheet or disclosed separately in the notes.
• Depreciation expense and interest expense cannot be combined in the income statement.
• In the cash-flow statement, principal payments on the lease liability are presented within financing
activities; interest payments are presented based on an accounting policy election in accordance with
IAS 7 Statement of Cash Flows.
Lessor accounting is substantially unchanged from current accounting. Lessors will classify all leases
using the same classification principle as in IAS 17 and distinguish between operating and finance leases.
14/18 Auditing Notes for South African Students

14.5.5.2 Assertion – Occurrence/obligation and existence


• Inspect the lease agreements for pertinent details:
– name of lessor and lessee (i.e. client)
– amount of minimum lease payments
– term of lease, and
– other salient conditions, for example, penalties for late payment of lease rental.
• Inspect the minutes of directors and capital expenditure committee’s meetings authorising the lease
agreement.
• Before the resolution is passed, the following should be done:
– specific consideration must be given to the statutory requirement as the Companies Act
– inspect the MOI to confirm that it has been complied with, in particular that the borrowing powers/
conditions have not been breached, and
– specific consideration must be given to the projected cash requirements of the entity, as evident from
entity budgets and necessary cash-flow forecasts.
• Enquire of management and refer to prior working papers to confirm that new finance will not breach
contracts in respect of existing finance arrangements.
• Properly signed agreements should be entered into.

14.5.5.3 Assertion – Completeness


• Obtain specific representations from management that all leases have been included.
• Review financial records, minutes of directors, audit committee and capital expenditure committee
meetings and correspondence for evidence of unrecorded liabilities, for example, use of leases to pro-
vide “off-balance sheet finance”, when in fact they should be classified and treated as leases.
• Enquire and confirm as to the source of funding for any major acquisitions identified during the audit of
fixed assets.
• Obtain a schedule of all leased assets and by inspection and enquiry, determine whether any leases that
have not been recognised as a lease asset and lease liabilities are for either:
– leases with a lease term of 12 months or less (i.e., short-term leases), and
– leases for which the underlying asset is of low value.
• Obtain a schedule of all lease payments, and match to lease agreements to confirm that all leases have
been identified. Confirm by scrutiny of the agreements that all leases have been identified and capital-
ised.
• Perform analytical procedures, for example, compare current year balances on lease accounts and lease
payments paid to the prior year.

14.5.5.4 Assertion – Accuracy, cut-off, classification


(a) Initial recognition
• Obtain independent confirmation of the fair value of the right-to-use asset that has been leased by
enquiry of the supplier, inspection of trade journals, etc. (the fair value is unlikely to appear in the lease
agreement).
• If any direct lease costs have been capitalised, confirm by enquiry and inspection of the supporting
documentation that the costs are valid lease costs applicable to the leased asset and were incurred by the
lessee.

(b) Depreciation – leased asset


• By enquiry of management and evaluation of the terms of the lease agreement, determine whether the
right-to-use asset should be depreciated over its useful life or the term of the lease.
• Determine by enquiry of the directors whether the residual value applicable to the leased asset, is
reasonable.
Chapter 14: Finance and investment cycle 14/19

• Determine by enquiry of the directors whether the “significant part” method of depreciation is applic-
able and if so, whether the allocation of costs of the components is appropriate (independent enquiry of
the supplier may be required).
• Enquire of the directors as to whether the depreciation method, for example, straight line, units pro-
duced, is appropriate, and confirm by reference to the minutes that the method has been reviewed by
the directors (must be done annually).
• Re-perform the depreciation calculation.
• Enquire of production director as to whether any impairment of the right-to-use asset is required.
(c) Lease payments
• Re-perform the implicit interest rate calculation.
• Re-perform the apportionment calculation of the leased payments and trace the posting of the amounts
apportioned to the liability account (and finance cost account).
• Re-perform the “current portion of the lease liability calculation” and trace the reclassification to the
general ledger/trial balance/financial statements.
(d) General
• Cast the lease liability account.
• By scrutiny of dates on documentation confirm that the leases, repayments, etc., relate to the account-
ing period under audit.

14.5.5.5 Assertion – Presentation


• The auditor must inspect the financial statements to confirm that:
– the non-current portion of the lease liability is reflected on the face of the statement of financial
position under non-current liabilities, and
– the current portion of the lease liability is reflected under current liabilities.
• By inspection of the AFS and reference to the applicable reporting standard IFRS 16 and the audit
documentation, confirm that:
– disclosures are consistent with the evidence gathered (amounts, facts, details)
– all required disclosures have been included, for example:
o accounting policy
o encumbrances on any right-to-use assets, and
o reconciliation between the total of the future minimum lease payments at the end of the reporting
period, and their present value, and
– the wording of the disclosures is clear and understandable, for example, accounting policy note.

14.5.6 Provisions, contingent liabilities and contingent assets


To achieve fair presentation, companies are obliged to make adjustments for certain anticipated events or
to disclose them. The former is termed a provision and the latter is termed a contingent liability/asset.
In common accounting language, the term “provision” is frequently used in connection with bad debts,
inventory obsolescence and depreciation, for example, provision for bad debts. This is not theoretically the
correct terminology as these “provisions” do not fit the provision definition in IAS 37. The term that is
being used more and more is “allowance”, for example, allowance for bad debts or impairment allowance
for accounts receivable, or allowance for inventory obsolescence. Situations that might give rise to provi-
sions (should the definition be satisfied) include a provision for:
• the cleaning up of environmental damage caused by the company
• refunds to dissatisfied customers, and
• damages arising out of a court case.
Contingent liabilities are similar to provisions but not as “certain”. Provisions and contingent liabilities
(and contingent gains) are, however, treated differently in the financial statements. Provisions are recog-
nised as liabilities provided the amount can be measured with sufficient reliability. They are included in the
statement of financial position whereas contingent liabilities are only disclosed in the notes.
14/20 Auditing Notes for South African Students

14.5.6.1 Important accounting aspects


(a) Definitions (IAS 37)
• Provision – a liability of uncertain timing or amount.
• Liability – a present obligation of an entity arising from past events, the settlement of which is expected
to result in an outflow of resources from the entity.
• Contingent liability – a possible obligation that arises from past events, and the existence of which will be
confirmed only by the occurrence or non-occurrence of an uncertain future event not wholly in the con-
trol of the entity.

(b) Recognition of provisions and contingent liabilities


• Provisions – a provision must be recognised when:
– the company has a present obligation as a result of a past event
– it is probable that an outflow of resources will be required to settle the obligation, and
– a reliable estimate can be made of the amount of the obligation.
If these conditions are not met, no provision shall be recognised but the matter will still be disclosed in
the notes as a contingent liability.
• Contingent liabilities – contingent liabilities are not recognised but must be disclosed.

(c) Contingent assets


A contingent asset is a possible asset that arises from past events and whose existence will only be con-
firmed by the occurrence or non-occurrence of an uncertain future event not wholly within the control of
the entity, for example, successful outcome of a court case where the company is awarded damages.
Contingent assets are not recognised in the financial statements but, where the inflow of economic bene-
fit is probable, are disclosed. If the economic benefit is “virtually certain”, the asset is not regarded as
“contingent” and should be recognised. The auditor should satisfy himself on the basis of all the evidence
available whether a contingent asset exists at reporting date, and whether the economic inflow is probable
(disclosure) or virtually certain (recognition).

(d) Commitments
Companies are also required to make disclosures pertaining to “commitments”. To identify any commit-
ments that should be disclosed, the auditor will perform very similar procedures to those conducted for
provisions and contingent liabilities, for example, enquiry of the directors and scrutiny of the minutes of
directors’ meetings may reveal commitments for capital expenditure, contracted and approved, that must
be disclosed. The assertions applicable to presentation and disclosure will apply to commitments.

14.5.6.2 Implications for the auditor


As indicated earlier, the provisions and contingent liabilities that are being discussed here are not as
straightforward as the normal allowances for bad debts, inventory obsolescence, etc. They may be varied in
nature and may be unique to particular industries.
Provisions are recognised and therefore there will be a “provisions” account in the general ledger, the
assertions applicable to which will be:
completeness – all provisions have been included in the account balance
existence – the provisions included are not fictitious
accuracy valuation – the provisions are included at an appropriate amount
obligation – the provisions represent an obligation of the entity, and
classification – provisions have been recorded in the proper accounts, for example, correctly
classified as a provision, not a liability.
In addition the auditor must satisfy himself that the provisions are appropriately presented and described in
the financial statements and that related disclosures in the notes are clearly expressed, accurate and under-
standable.
Chapter 14: Finance and investment cycle 14/21

Contingent liabilities are not recognised in the statement of financial position but are disclosed in the
notes. The applicable assertions relating to this disclosure are:
completeness – all contingent liabilities have been included in the notes
obligation – the contingent liabilities disclosed pertain to the entity
occurrence – the event giving rise to the contingent liability has actually occurred (it is not
fictitious)
presentation – the disclosures pertaining to the contingent liabilities are appropriately
described, understandable and clearly expressed in the context of the applic-
able financial reporting framework, for example, IFRS, and
accuracy valuation – information provided in the disclosure is fair and accurate and values included
are appropriate.

14.5.6.3 Audit procedures – provisions and contingent liabilities


The audit procedures for provisions and contingent liabilities are very similar as they are themselves, very
similar in nature.

14.5.6.4 Existence/classification
Under normal circumstances a company will not wish to include provisions and contingent liabilities that
are fictitious. However, there is the possibility that provisions that do not meet the definition criteria are
included in the account heading, or that the directors wish to manipulate the financial statements by the
inclusion of fictitious provisions or contingent liabilities. Procedures to test the existence of provisions and
contingent liabilities are as follows:
• Evaluate the company’s procedures for identifying provisions and contingent liabilities.
• Inspect the supporting documentation that management provides for each provision recognised, and
– evaluate whether there is a legal or constructive present obligation arising out of a past event that
actually occurred
– evaluate the probability that an outflow of resources will be required to settle the obligation, and
– evaluate the basis on which the amount of the obligation was determined to decide whether a reliable
estimate could be made
• Inspect the documentation that management supplies in support of contingent liabilities disclosed and
evaluate whether there is a possible obligation whose existence will only be confirmed by the occurrence
or non-occurrence of an uncertain future event.
• Consider the process used to authorise the recognition/disclosure of provisions and contingent liabilities
(authority minuted by the Board may reduce the risk of invalid provisions).
• Discuss any uncertainties or concerns arising out of the above evaluations with the directors.
• If necessary, seek legal counsel or the advice of an expert (e.g. in industry-specific matters, such as
provisions for environmental damage).

14.5.6.5 Valuation
The value at which the provision is recognised is the “reliable estimate of the amount of the obligation”.
The auditor is thus auditing an estimate. ISA 540 – Auditing accounting estimates, including fair value
accounting estimates and related disclosures, provides guidance. The auditor should assess the risk of
material misstatement of the entity’s accounting estimates (in the normal manner) and design and perform
further audit procedures to obtain sufficient appropriate evidence as to whether the accounting estimates
are reasonable in the circumstances and, where necessary, appropriately disclosed.
The statement requires the following:
• The auditor must identify and assess the risk of material misstatement of accounting estimates.
• When performing risk assessment procedures (at the understanding the entity phase), the auditor should
obtain an understanding of:
– the requirements of the applicable accounting framework relevant to accounting estimates (e.g.
IFRS/IAS 37)
– how management identifies transactions, events and conditions that may give rise to the need for
accounting estimates, and
14/22 Auditing Notes for South African Students

– how management makes the estimate, for example, use of a model, use of an expert, the assumptions
underlying the estimate and the effect of estimation uncertainty (this is defined as “the susceptibility
of an accounting estimate and related disclosures to an inherent lack of precision in its measure-
ment”).
• The auditor must review the outcome of prior year accounting estimates (in effect this provides infor-
mation as to the effectiveness of the company’s estimate setting procedures).
The auditor should
• review and test the process used by management to develop the estimate including the approval/author-
isation procedure (internal controls over the procedure)
• evaluate the data on which the estimate is based for accuracy, completeness and relevance
• evaluate the reasonableness and consistency of any assumptions that have been used in developing the
estimate:
– reasonable in the light of actual prior performance, and
– consistent with the assumptions used for other similar estimates
• re-perform any calculations pertaining to the estimate
• compare the amount of the estimate to similar estimates, and
• compare the amount of the estimate made in prior periods with actual results for that period, i.e.,
estimates of warrantee claims compared to actual warrantee claims.
The auditor may also make his own estimate or obtain an independent estimate from an expert. In this case
any differences with the client’s estimate should be discussed with management and resolved if possible.
The value at which the contingent liability is disclosed would have to be evaluated by reference to the
supporting documentation and enquiry of management supplemented by evidence gained when conducting
the procedures above.

14.5.6.6 Obligation
As with the existence assertion, under normal circumstances it is unlikely that the company will include
provisions or contingent liabilities that are not obligations of the company itself. If the auditor considers
that there is a risk of this occurring, he would need to satisfy himself, by enquiry of the directors, experts or
legal counsel, and inspection of the supporting documentation, that the provisions recognised are obliga-
tions of the company, and not of the directors, related parties or anyone else.

14.5.6.7 Completeness
As indicated earlier, this assertion probably represents the most significant risk for the auditor – the risk
that the company will understate/omit provisions either intentionally or unintentionally. Material inten-
tional understatement by the directors would amount to fraudulent financial reporting (as would material
overstatement, but this is generally a lesser risk) and may be very difficult to uncover. The following pro-
cedures should be carried out:
• Evaluate the company’s processes and procedures for identifying the need for provisions.
• Compare the schedule of provisions for the current year to that of the prior year and follow up on any
that are not included on the current year’s list or that have reduced significantly.
• Compare the contingent liabilities currently disclosed to those disclosed at the prior year-end and follow
up on the status of contingent liabilities disclosed at the prior year-end.
• Enquire of the company’s legal advisers as to whether the company is involved in any disputes/defend-
ing any legal action and request them to provide details of the probable or possible losses arising from
such actions and also of the legal costs involved.
• Inspect the minutes of directors and shareholders’ meetings for evidence of the need for provisions, for
example
– warrantee claims
– guarantees
– environmental damage
– refund policies, and
– closure of a division of the company.
Chapter 14: Finance and investment cycle 14/23

• Inspect correspondence, returns, etc., relating to taxation matters/SARS.


• Inspect the cash payment records subsequent to year-end for unusual material payments and follow up
to determine whether they are in respect of an obligation that should have been provided for at year-
end.
• Obtain a confirmation certificate from the company’s bankers detailing
– guarantees for loans, and
– discounted bills, etc.
• Discuss the completeness of the provisions with management and request specific reference to com-
pleteness of provisions in the management representation letter.

14.5.6.8 Presentation
• The auditor must inspect the financial statements to confirm that:
– provisions have been presented as a separate line item in the statement of financial position under
current liabilities or non-current liabilities as appropriate
– contingent liabilities have been disclosed (only) in the notes, and
– contingent assets have been disclosed (only) in the notes.
• By inspection of the AFS, and reference to the applicable financial reporting standard, IAS 37 and the
audit documentation, confirm that:
– the disclosures are consistent with the evidence gathered (amounts, facts, details)
– for each class of provision the following has been disclosed:
o amount and nature of the obligation
o expected timing of outflows and any uncertainties relating to amount or timing
o major assumptions concerning future events, for example, interest rates, and
o a reconciliation between the opening carrying amount and the closing carrying amount for each
provision.
– the disaggregation of the amount reflected for provisions in the statement of financial position for dis-
closure in the notes is relevant and accurate
– for each contingent liability the following has been disclosed:
o description of its nature
o estimate of the financial effect
o uncertainties relating to the amount of timing of outflows
o possibility of any reimbursements
– for each contingent asset the following has been disclosed:
o description of its nature, and
o an estimate of its financial effect
• the wording (of all disclosures, provisions, contingent liabilities and gains) is understandable, and
• all disclosures have been made.

14.6 Audit procedures – The investment cycle


14.6.1 Property, plant and equipment
In terms of IAS 16 Property, Plant and Equipment, assets falling into this category include:
• land and buildings
• plant and machinery
• vehicles, and
• furniture and equipment.
The audit procedures for each of these categories are very similar and therefore will be described collectively,
rather than individually. The assertions pertaining to the balance of the property, plant and equipment
(PPE) account and related disclosures that the auditor is concerned about are existence, completeness, rights
14/24 Auditing Notes for South African Students

and accuracy valuation and allocation, and classification. In addition, the auditor must consider the presentation
of property, plant and equipment.
Remember that when the movement (additions and disposals) on the account is audited, you will be au-
diting the assertions relating to transactions, primarily occurrence and accuracy, classification and cut-off. Pro-
cedures for auditing the carrying value of the asset will include procedures relating to the depreciation
allowance and any impairment.
For example:
Most clients will present the auditor with schedules for the asset accounts and related accumulated de-
preciation accounts, that reflect:

Cost:

Opening balance Additions disposals closing balance


R1 641 900 4 21 816 243 804 1 819 912

Accumulated depreciation and impairments:

Provision/
Opening balance disposals closing balance
impairment
R542 813 274 601 113 816 703 598

The example contains only totals. Each column will be broken down into the individual assets making up
the total. For example: the “additions” column may be made up of the cost price of six new assets, and the
“disposal” column may be made up of the cost of three assets disposed of.
The schedules may also contain columns that deal with adjustments, for example, revaluations.
The auditor’s task is essentially to audit these schedules. Companies are also obliged to keep fixed asset
registers that are very useful to the auditor when gathering evidence about fixed assets.

14.6.1.1 Important accounting aspects – Property, plant and equipment


IAS 16 Property, Plant and Equipment, governs the accounting treatment of property, plant and equip-
ment.
The auditor should be aware that IAS 16 offers two possible methods of valuing PPE, (i.e., the cost
model and the revaluation model). As per IAS 16, the model chosen must apply to the entire class of PPE,
for example, the company cannot decide to use the cost model for some of its machinery but not for other
pieces of machinery. The company may, however, use the cost model for machinery and the revaluation
model for land.

14.6.1.2 Cost model


After recognition as an asset, an item of PPE must be carried at its cost, less any accumulated depreciation
and any accumulated impairment losses.
The cost of an item of PPE normally comprises:
• its purchase price including import duties, etc.
• costs directly attributable to bringing the asset to the location and condition necessary for it to operate in
the intended manner, for example, cost of site preparation, cost of employee benefits relating directly to
the production or acquisition of the item, installation and assembly costs, related professional fees, for
example, engineers.

14.6.1.3 Revaluation model


After recognition as an asset, an item of PPE, whose fair value can be measured reliably, shall be carried at
a revalued amount, being its fair value at the date of the revaluation, less any subsequent accumulated
depreciation or subsequent accumulated impairment losses. Revaluation must be made with sufficient
regularity, so as to ensure that the carrying amount does not differ materially from that which would be
determined using fair value at reporting date.
Chapter 14: Finance and investment cycle 14/25

14.6.1.4 Depreciation
IAS 16 requires that “each part of an item of property, plant and equipment with a cost that is significant in
relation to the total cost of the item shall be depreciated separately”. Expressed differently this means that the
directors should allocate the cost of the item to its significant parts and depreciate each part separately. This
should happen where:
• the cost of the part is significant in relation to the total cost of the item
• the part and the remainder of the unit have different useful lives, or
• different residual values.
For example:
Ultrasize Ltd, a large manufacturing company, uses a steel press it originally purchased as one piece of
machinery, but which consists of two components, namely a hydraulic power press and a steel pressing
platform. Both parts of the machine are in themselves very expensive, but the hydraulic power press has a
useful life of 10 years, while the pressing platform will last for 30 years. Total cost of the machine is
R10 million with the press as a separate unit costing R4 million and the platform R6 million. Instead of
depreciating the steel press as a single item, the two components are depreciated separately.
Note that if the points above apply, the “significant parts” policy must be applied. There are however
difficulties. For example, how is the residual value of each significant part established, particularly if there
is no market in which to sell the significant part? Should the company use a residual value of nil? Can the
useful life of the “significant part” and the remainder be separately determined?
From a practical point of view, this kind of problem is only likely to occur in large companies with huge
investments in PPE. However, this does have implications for the audit, as the auditors are required to
assess whether IAS 16 has been applied and that it has been applied correctly.
Where the item has been broken down into significant parts, each part will be recorded in the fixed asset
register separately.
IAS 16 states that the depreciable amount of an asset shall be allocated on a systematic basis, over its
useful life. IAS 16 provides the following definitions:
• depreciable amount is the cost/revalued amount, less the residual value
• residual value of an asset is the estimated amount that an entity would currently obtain from the disposal
of the asset, after deducting the estimated costs of disposal, if the asset were already of the age and in
the condition expected at the end of its useful life, and
• useful life:
– the period over which an asset is expected to be available for use by an entity, or
– the number of units expected to be obtained from the use of the asset, by the entity.
IAS 16 requires that the depreciation method used must reflect the pattern in which the assets future eco-
nomic benefits are expected to be consumed, for example, straight-line method, diminishing balance, unit
of production method.
IAS 16 states that the residual value and useful life shall be reviewed at least at the end of each financial
year-end, and, if expectations differ, changes should be accounted for, as per IAS 8 – Accounting Policies,
Changes in estimates and Errors.

14.6.1.5 Audit procedures – Property, plant and equipment


(a) Existence
• Extract a sample of assets from the fixed asset register that includes (all or some) additions for the year.
If the client’s fixed asset register is computerised, audit software can perform this task.
• Physically inspect the assets selected, matching them to the description (e.g. serial numbers) obtained
from the fixed asset register.
• If an asset cannot be physically verified for existence, for example, it is a large piece of mobile equip-
ment being used in a remote area, seek corroborating evidence, for example, drivers’ wages, licence,
correspondence with customer, repairs and maintenance records.
14/26 Auditing Notes for South African Students

• Conduct a search of unrecorded disposals (mainly for plant and equipment):


– Analyse the sundry revenue account/cash receipts journal for cash receipts from disposals of fixed assets;
confirm that the item for which the cash has been received, is included on the list of disposals.
– During physical inspection of assets, take note of any evidence of “fixed” equipment that has obvi-
ously been removed and follow up to determine whether a disposal has taken place and is recorded.
– Enquire of senior personnel (factory manager) whether major equipment acquired has replaced old
equipment; if so, follow up to determine whether old equipment was disposed of and recorded as a
disposal.
– Inspect correspondence with insurance company to identify any fixed assets that have been removed
from the list of insured items. Follow up to determine whether such items have been disposed of and,
if so, that they appear on the list of disposals.
– Look for evidence of expenses related to property, plant and equipment that are no longer being paid
or are significantly reduced, for example, a vehicle licence, rates on a property, significant decline in
motor vehicle costs. Confirm that the asset to which the expense relates has been treated as a disposal
if it no longer “exists”.
• Reconcile disposals per the capital budget with client’s list of disposals.

(b) Completeness
• Inspect repairs and maintenance and similar accounts for material items that may represent acquisitions
of plant and equipment, but that may have been erroneously charged as an expense.
• When physically verifying the assets for existence, select a sample of fixed assets and trace to the fixed
asset register agreeing description, asset number, etc.
• Review payments for fixed asset purchases and confirm that they are recorded as fixed assets in the
register.
• Review all lease agreements and enquire of senior personnel for evidence of any assets that have been
leased, but that have not been capitalised.

(c) Rights
• For assets owned at the beginning of the financial year (opening balance), determine whether there has
been any change in the rights to the asset, for example, sale and leaseback, by
– enquiry of management, and
– inspection of directors’ minutes.
• For additions, inspect purchase documentation and documents of title to confirm that they are in the
name of the client:
– for motor vehicles, inspect the registration document and licence renewal receipt to confirm that they are
in the name of the client
– for land, inspect the title deeds/deeds of transfer, mortgage bonds and sale agreements, and
– for other assets, inspect sales agreements and invoices.
• Where assets are still being paid for, confirm that the client is not behind with payments, (thus jeopard-
ising rights), by inspection of payment records and supplier statements and enquiry of the financial
manager (if appropriate the supplier can be contacted).
• Where leased assets have been capitalised, inspect the lease agreements.
• Inspect the lease agreements by enquiry of management and inspection of
– prior year working papers
– minutes
– loan agreements, and
– bank and other third-party confirmations.
• Obtain evidence of any encumbrances on fixed assets, for example, offered as security.
Chapter 14: Finance and investment cycle 14/27

(d) Accuracy valuation and allocation – Cost


• Agree the opening balances on the summary schedules to prior year work papers/general ledger.
• Re-perform all casts and extensions in the fixed asset register, the summary schedules and the support-
ing lists of additions and disposals.
• Re-perform the reconciliation of the fixed asset register to the fixed asset accounts and accumulated
depreciation accounts in the general ledger, following up on all reconciling items.
• Agree by inspection, the closing balances on the summary schedules to the general ledger and financial
statements.
(e) Cost of additions
Occurrence
• Select a sample of additions from the fixed asset register and trace to capital budget, minutes of direc-
tors’ meetings and purchase requisitions for evidence of authority for the acquisition.
• Inspect the asset itself and cross-reference description, serial number, etc., to purchase documentation.
• Inspect the purchase documentation (invoice, contract) to confirm that it is made out to the client, is for
the selected fixed asset and is signed.
• Inspect payment records to confirm that payment was made for the asset.
Accuracy, classification, cut-off
• By inspection of the purchase documentation, confirm that the cost of the asset includes:
– the correct cost price
– correct shipping charges, import duties, insurance (if applicable), and
– costs of installation and commissioning of the fixed asset (if applicable).
• If the asset is imported, by re-performance, confirm that:
– it has been raised in the company’s records at the spot rate on transaction date, and
– all relevant shipping costs, import charges have been included in the cost and, where appropriate,
converted from the foreign currency at the correct rate (transaction date).
• Where the company has allocated the total to “significant parts” of the item of PPE, confirm that the
allocation is fair by enquiry of the directors and inspection of relevant documentation, for example,
from supplier.
• If the asset has been installed, obtain a schedule of installation costs and:
– agree it to the cost calculation for the asset
– inspect the supporting documentation in respect of materials and wages used in installation for valid,
accurate and complete inclusion, particularly that there is no inclusion of non-relevant expenses, for
example, repairs, and
– discuss the reasonableness of any other expenses included, with the financial director, for example,
any allocation of overheads.
• By inspection of purchase documentation and the relevant ledger account, ensure that VAT has not
been included in the cost (unless client is not a vendor).
• Inspect the dates on all documentation, for example, invoice, to confirm that the transaction has been
recorded in the correct accounting period (cut-off).
• Trace the postings from source to the general ledger to confirm that the transaction has been recorded in
the proper accounts (classification).
(f) Disposals
Occurrence
• Inspect the supporting documentation used to approve the disposal for an authorising signature.
• By reference to the capital budget, confirm authority for the disposal.
• Trace the proceeds of the sale to the receipts records/bank stamped deposit slip/bank statement.
14/28 Auditing Notes for South African Students

Accuracy, classification, cut-off


• Obtain the original cost/revalued cost of the asset disposed of, dates of acquisition and disposal, from
the fixed asset register and:
– recalculate accumulated depreciation to date of disposal
– recalculate the profit/loss on sale*
– inspect the dates on all documentation to confirm that the disposal has been recorded in the correct
accounting period (cut-off), and
– confirm by inspection that the asset account and accumulated depreciation accounts in the general
ledger have been correctly amended and that the disposal has been correctly and completely recorded
in the fixed asset register (accuracy and classification).
*Note: If a fixed asset is sold at an amount below its carrying value, its selling price may have been arrived
at as a result of an impairment assessment. If so, in theory the asset should be written down to reflect the
impairment. This means that there would not be a loss on sale but rather an impairment loss. If the asset is
sold without an impairment assessment, the loss would be recorded as a loss on sale.

(g) Valuation – Depreciation allowance


• Confirm by enquiry of the directors that the accounting policy for depreciation is consistent with prior
years.
• Where the “component” (significant part) method of depreciation has been adopted, confirm that the
allocation total of cost to the components is fair and reasonable by:
– enquiry of management
– scrutiny of purchase documentation, or
– enquiry of the supplier.
• Obtain a representation letter from management, confirming that they have reassessed the useful life
and residual value of the assets (as required by IAS 16) including those of separate “components” where
applicable.
• Review the changes (if any) to the useful life and residual values, and assess the reasonableness of the
changes. Obtain reasons from management and, if necessary, consult an expert with regard to the resid-
ual value/useful life.
• When physically inspecting fixed assets inspect for, and enquire about, any damaged or “not in use”
assets and establish whether such items should be written down.
• Extract a sample of assets that were acquired (say) four years previously, and compare their physical
condition to their depreciated value.
• By inspection and analysis of any profits/losses on disposals of fixed assets, consider whether the
depreciation method is reasonable, i.e. estimates of useful life and residual value are appropriate.
• Re-perform the depreciation calculations for the year to ensure accuracy and compliance with the
depreciation policy, and that amounts have been correctly posted.
• Discuss the reasonableness of the depreciation allowance with management and enquire into the ap-
proval procedures adopted, for example, does the financial director review the allowance.
• Perform analytical procedures on the allowance, for example, comparing to prior years, by asset group-
ing, and in relation to the additions and disposals for the year.
• Discuss with senior personnel, for example. factory manager, whether there has been anything that may
affect useful life, for example, machinery running on double shift for the first time.

(h) Valuation – Impairment


In terms of IAS 36 – Impairment of Assets, a company must assess at each reporting date whether there is
any indication that an asset may be impaired. If any such indication exists, the entity shall estimate the
recoverable amount of the asset so that any impairment loss can be calculated. An impairment loss is the
amount by which the carrying amount of an asset exceeds its recoverable amount (i.e., an asset will be
impaired if the amount that could be recovered through the use or sale of the asset, is exceeded by its
Chapter 14: Finance and investment cycle 14/29

carrying value). The auditor will probably be largely dependent on the directors to identify and quantify the
impairment and there may well be a fair amount of subjectivity involved. The auditor should do at least the
following:
• Evaluate the process by which the company itself identifies and quantifies impairments.
• Inspect and evaluate any documentation that might support the directors on impairments with regard to:
– assumptions made
– methods or bases of quantification
– rates or percentages used.
• Discuss with management:
– any assets whose market value has declined significantly more than would be expected as a result of
the passage of time or normal use
– any significant changes that might have taken or might be about to take place that would adversely
affect the entity in the technological market, economic or legal environments in which the company
operates
– any evidence obtained on the obsolescence or physical damage to assets identified during the audit
– assets lying idle, plans to discontinue certain operations, etc.
– evidence from internal reports, for example, monthly management reports that suggest that economic
performance of an asset is worse than expected.

(i) Revaluations
A company can choose the cost model (i.e. the asset is carried at its cost, less any accumulated depreciation
and any accumulated impairment losses) or the revaluation model (i.e. any item of property, plant and
equipment whose fair value can be measured reliably) shall be carried at a revalued amount, being its fair
value (the amount for which an asset could be exchanged between knowledgeable willing parties in an
arms-length transaction) at the date of the revaluation, less any subsequent accumulated depreciation and
impairment losses. Although the audit procedures relating to the substantive testing of property, plant and
equipment will basically be the same, the choice of the revaluation model will have some implications for
the auditor.
Frequently, particularly with land and buildings, the revaluation is determined from market-based evi-
dence evaluated by an expert, for example, a property valuator. Where this is the case, the auditor will
follow the guidance given in ISA 620 – Using the work of an Auditor’s Expert, which is covered in chap-
ter 16, to assist in the audit of the revaluation.
For other classes of PPE there may be reliable external sources to which the auditor can refer to gather
evidence about fair value of the asset. For example, there are numerous sources that provide the fair value
of used motor vehicles and heavy equipment, such as front-end loaders, etc.
Where the revaluation has been carried out internally (e.g. by the directors), the auditor would have to
audit the supporting documentation to evaluate the reasonableness of the methods used, the assumptions
made and the interpretations by the directors of any available data. Of course the auditor would need to
verify data used whenever possible.
In addition to the above, the auditor would pay careful attention to the treatment of accumulated depre-
ciation at the date of revaluation and subsequent thereto. All calculations would be checked as would the
treatment in the financial statements of any increases or decreases in the carrying value. If the asset’s
carrying value increases, the increase would first be recognised in profit or loss (as a credit to income) to the
extent that it reverses a previous decrease that was recognised in profit or loss. Any increase that does not
reverse a previous decrease recognised in profit or loss is recognised in other comprehensive income (as a
credit to revaluation surplus). If the asset’s carrying value is decreased, this decrease must first be debited to
the revaluation surplus account (if any) before being expensed as a revaluation expense in profit or loss.
The auditor would also confirm that all items in the class of assets (not only particular ones) had been
revalued, and that details of the revaluations had been properly disclosed.

(j) Assertion – Presentation


• The auditor must inspect the financial statements to confirm that:
– property, plant and equipment are reflected as a separate line item on the face of the statement of
financial position under current assets, and
14/30 Auditing Notes for South African Students

– depreciation, impairments and losses on disposals are reflected in the statement of comprehensive
income.
• By inspection of the AFS, and reference to the applicable reporting standard IAS 16 and audit docu-
mentation, confirm that:
– the disclosures are consistent with the evidence gathered (amounts, facts, details).
• The disaggregation of the balance reflected in the statement of financial position, for example, into the
different class of PPE, for example, land and buildings, plant and machinery, tools and equipment is
relevant and accurate.
• The note reflects for each class of PPE:
– a reconciliation between the net carrying amount at the beginning and end of the period including,
additions, disposals, depreciation, impairment losses, etc.
• The note reflects restrictions on title, capital commitments and accounting policies adopted.
• The wording is understandable.
• All required disclosures have been made.

14.6.1.6 The use of audit software (substantive procedures)


If the client’s fixed assets are computerised and suitable audit software is available, the auditor should use
it. The software may be put to the following uses:
• A sample of property, plant and equipment can be selected randomly or after stratification of the popula-
tion by amount, location or class of asset, for physical verification.
• Lists of all additions and disposals can be extracted (using date acquired/disposed fields) to be compared
with client summary lists. Samples can be extracted for transaction vouching.
• The entire fixed asset masterfile (asset register) can be scanned for “error” conditions:
– missing or duplicated assets if asset numbers are sequenced
– blank fields, for example, no asset number, no description
– anomalies, for example, current depreciation exceeds accumulated depreciation or cost (none should
be found), and
– negative book value (none should be found).
• All casts and calculations can be recomputed and compared to client calculations for accuracy, for exam-
ple, depreciation calculations, net book value calculations.
• The masterfile can be extensively sorted and summarised for analytical procedures, depending upon the
fields that are available on the masterfile, for example, asset class, location, current depreciation by class,
etc. Once sorted and summarised, comparisons can be made to prior years, etc.
Note: The greater the amount of information on the masterfile, the greater the use to which the software
can be put. Fixed asset masterfiles will usually contain at least the following, which gives the auditor plen-
ty to work with:
• asset number • depreciation rate and method • date of disposal
• description • current year depreciation • disposal price
• date of purchase • accumulated depreciation • impairment details
• cost • book value • revaluation details

14.6.1.7 Automated application controls for the fixed asset register


(a) Depreciation
• Test whether the depreciation rate documented in the policy aligns with the depreciation rate configured
in the system.
• Have changes been made to the fixed asset register configuration setting embedded in the system during
the period under review?
• Have changes been authorised in the application?
Chapter 14: Finance and investment cycle 14/31

• Inspect whether the access to the fixed asset register configuration settings in the system is limited and
only authorised personnel have access.
• Perform a walkthrough of one of each asset class/category to determine whether the calculation is accu-
rate.

(b) Componentisation
• Assess whether the system has been configured for componentisation rules for assets.
• Access to the componentisation rules configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the componentisation rules embedded in the system during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.

(c) Disposal of assets


• Ascertain who had access to dispose of assets during the period under review.
• Ascertain whether specific criteria are configured in the system to dispose of assets.
• Determine whether the disposal of asset calculation has been configured correctly in the system and
includes the data trails to the capital gains calculation should profit be made.
• Perform a walkthrough of one to determine whether the calculation is accurate.
(d) Authorisation for purchase of assets
• Ascertain who had access to add new assets during the period under review.
• Ascertain whether specific criteria are configured in the system to add new assets.
• Determine whether the depreciation of new assets have been calculated correctly if purchased during the
period.
• Perform a walkthrough of one to determine whether the calculation is accurate.
(e) Impairment
• Ascertain who has access to write off or impair assets.
• Ascertain whether there are specific criteria configured in the system to impair assets at a certain point.
(f) Impaired assets
• Determine what the asset impairment process is. Is there a possibility that the assets can be written off
and sold for own profit?
(g) Journals
• Determine who has authorisation to process journals relating to asset entries within the application.
(h) Capital gains
• Inspect if the capital gains tax configuration is correct in the system.
• Inspect that the access to the capital gains configuration settings in the system is limited and only author-
ised personnel have access.
• Inspect if any changes have been made to the capital gains configuration settings embedded in the system
during the period under review.
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.
(i) Wear-and-tear allowance
• Inspect whether the wear-and-tear allowance configurations are correct in the application.
• Inspect that the access to the wear-and-tear tax configuration settings in the system is limited and only
authorised personnel have access.
• Inspect if any changes have been made to the wear-and-tear configuration settings embedded in the system
during the period under review.
14/32 Auditing Notes for South African Students

• Have changes been authorised in the application?


• Perform a walkthrough of one of each asset class/category to determine whether the calculation is accu-
rate.

14.6.2 Investments in shares


In today’s business environment there are numerous kinds of investments that a company can make, such
as bonds, derivatives and the like. The audit of these types of investment is beyond the scope of this text
and could almost be regarded as specialist audit knowledge. IAS 32 Financial Instruments – Disclosure and
Presentation, and IFRS 9 Financial Instruments, deal extensively with the topic and would be required
reading for any auditor whose clients hold such investments.
This section deals with the audit of simple investments of shares in listed and non-listed companies and
we have assumed that the audit client does not trade in shares and investments. The assertions that the
auditor will be concerned with will be rights, existence, accuracy valuation and allocation and completeness and
classification. Attention will also be given to presentation. Again, as it is generally unlikely that there will be
numerous transactions, the audit plan will be to audit the opening and closing balances on the account and
(a sample of) the transactions (purchase and sale) for occurrence and accuracy, cut-off and classification.
The major risk will be overstatement of the investment account either by the inclusion of fictitious invest-
ments or overstatement of the value of the investment.
As with property, plant and equipment, the client will usually prepare a schedule of investments, reflecting:
• the breakdown between listed and unlisted investments
• details of each investment, i.e. name, number and class of shares and percentage holdings
• cost and fair value, and
• current year movements.

14.6.2.1 Rights and existence


• Inspect and count the share certificates held by the client, in the presence of a client official, ensuring:
– descriptions, name of company, number of shares, agree to the schedule of investments
– they are in the name of the client, or if they are in the name of a nominee, that there are blank transfer
forms signed by the nominee to testify to his/her status as nominee in respect of these shares, and
– the share certificates appear to be authentic.
• If listed shares are held and no share certificates are issued (electronic ownership), obtain, with client
permission, confirmation of ownership direct from the client’s brokers.
• If any doubt exists about the existence of a non-listed company in which the client holds shares, contact
such company or the Companies and Intellectual Property Commission to establish existence.
• Obtain direct confirmation from any bank or other third party that may hold the client’s share cer-
tificates as security or in safe custody. This confirmation certificate should:
– confirm all relevant details on the client schedule, and
– provide details of the investments pledged as security for the overdrafts or loans.
• Ascertain through enquiry and discussion with management that the intention with regard to invest-
ments is to hold them for the long term rather than speculate with them. (If the intention is to speculate,
the “investment” becomes a trading asset.)

14.6.2.2 Accuracy valuation – Opening balances


Inspect prior year work papers and financial statements to confirm opening balance agrees with prior year-
end balance.

Current-year movements
Occurrence
• Inspect minutes of directors and investment committee meetings for authority to purchase or sell in-
vestments.
• Inspect brokers’ notes for evidence of purchase and sale of listed investments, noting descriptions of
shares and that brokers’ notes are addressed to the client.
Chapter 14: Finance and investment cycle 14/33

• Inspect contracts and correspondence in respect of purchase or sale of investments in non-listed compa-
nies noting description of shares and that contracts are between client and investee and are duly
authorised.

Accuracy, cut-off, classification


• Confirm details of cost, selling price and brokerage fees/commissions from brokers’ notes and sale
agreements for both purchases and sales.
• Re-perform all casts and calculations, particularly where there have been sales, to confirm profit or loss
on sale.
• Inspect the dates on the documentation to confirm that the transaction has been accounted for in the
correct accounting period.
• Trace postings to the general ledger from source to confirm that the transaction has been posted to the
proper investment account.

14.6.2.3 Accuracy valuation – Closing balance (note in terms of IAS 32, shares in other companies
must be valued at “fair value”)
• For listed shares, confirm the market value at the financial year-end of the client by inspection of rele-
vant stock exchange publications.
• Re-perform the client’s calculation of number of shares × market price.
• Determine by inquiry of the financial director, scrutiny of minutes and/or inspection of the prior year
working papers whether the shares have been categorised as financial assets at fair value through profit
and loss, or financial assets at fair value through other comprehensive income.
• If the company has elected recognition through other comprehensive income, confirm that the directors
have taken and minuted the decision that the share investment is not held for trading.
• Where there have been gains or losses, confirm by inspection that they have been taken to profit or loss
(fair value through profit or loss) or to other comprehensive income (fair value through other compre-
hensive income) according to the categorisation adopted by the company and that the treatment is con-
sistent with prior years. (Note: If the company chooses to adopt the other comprehensive income route,
it is an irrevocable decision.)
• For unlisted investments, discuss with the directors the possibility of obtaining an independent “fair
value”. Failing this, request that directors provide a “fair value” and assess the reasonableness of their
valuation by:
– inspection of and enquiry about their valuation method and assumptions
– re-performance of their calculations, and
– inspection of latest financial statements of the investee company
Note: If an independent fair value is provided, the evidence will be audited in terms of ISA 620 – Using
the work of an auditor’s expert (see chapter 16).
• Re-perform the casts on the investment schedule as well as the general ledger accounts and register of
investments.

14.6.2.4 Completeness
• Compare the current year-end schedule to the prior year-end schedule and for any decreases in hold-
ings, confirm that there is a disposal recorded under “movement for the year”.
• Obtain a representation from management in respect of the completeness of investments.
• Match any dividends received during the year to the list of investments.
• Obtain a summary of dealings in listed shares for the year from the company’s brokers.

14.6.2.5 Presentation
See Notes 1 and 2 on page 14/12 and 14.5.2.6 on 14/13
14/34 Auditing Notes for South African Students

14.6.3 Long-term loans made by the company


Long-term loans made by the company are very similar to debtors and, as expected, the audit procedures
will be reasonably similar. The assertions the auditor is interested in will be rights, existence, accuracy valua-
tion and allocation, completeness and classification. Attention will also be paid to presentation. The major risk is
overstatement brought about by the inclusion of “fictitious” loans, or the failure to write down a loan
where repayment is doubtful and security is inadequate. Again any movement on the loan account should
be audited as “transactions”, for example, advancing new loans or receiving repayments, in which case
occurrence and accuracy, cut-off and classification will be the major assertions to be audited. It is again likely
that the client will supply a schedule of loans reflecting each loan holder, the opening balance, movements
during the year and closing balance. In effect the auditor will audit this schedule.
As with long-term loans owed by the company, the loan should be measured at amortised cost using the
effective interest rate. Where the loan is straightforward, for example, fixed term, no premiums on repay-
ment (by the borrower), the effective rate will be the annual interest rate charged on the loan.

14.6.3.1 Accuracy valuation – Opening balances


By inspection of prior year working papers, agree opening balances to prior year closing balances.

14.6.3.2 New advances (loans)


Occurrence, accuracy, cut-off and classification
• Inspect directors’ minutes for authority to make the loan.
• Inspect MOI for powers to make loans (including to directors).
• Where the loan is made to a director (or related person, etc.), confirm by reference to minutes, loan
agreement, correspondence that section 45 of the Companies Act has been complied with:
– the liquidity solvency test has been satisfied, and
– a special resolution was obtained within the previous two years authorising the loan (specific or
general).
• If the loan is to a related party, for example, subsidiary or holding company, consider whether it is fair
and an “arm’s-length” transaction.
• Inspect EFT/bank statement/payment records to confirm that the loan was actually made.
• Inspect the loan agreement to confirm the following:
– name of borrower
– client is the lender
– amount of loan
– interest rates and repayment terms
– purpose of loan
– details of security offered for loan, and
– other salient features, for example, penalties for late payment/any loan covenants.
• Confirm by inspection that the amount of the loan reflected in the agreement has been correctly raised
in the general ledger.
• Inspect the dates on the EFT to confirm that the transaction has been recorded in the correct accounting
period.

14.6.3.3 Repayments
Occurrence, accuracy, cut-off and classification
• Inspect cash receipt records/bank statements/deposit slips for evidence of repayments received.
• By inspection of the dates on the receipts, confirm that the repayment has been recorded in the correct
accounting period.
• Re-perform calculations of allocation of repayments into capital and interest portions.
• Re-perform posting to confirm correct allocation.
Chapter 14: Finance and investment cycle 14/35

14.6.3.4 Accuracy valuation – Closing balance


• Re-perform casts of the loan summary and general ledger accounts.
• Agree the loan summary to general ledger.
• Obtain confirmation of the balance owing directly from the party to whom the loan was made and
request confirmation of interest rates and any security offered.
• By discussion with the directors, establish whether there is any reason to write down the value of the
loan, such as:
– late payment of capital instalment and/or interest, and
– notification that the recipient of the loan is in financial trouble, for example, under business rescue, in
liquidation.
• Recompute the portion of the long-term loan asset that is repayable in the ensuing year and, by inspec-
tion, confirm that it has been reflected as a current asset.
Note: If there are numerous loans, the client may make an allowance for “bad debts”. If this is the case,
the provision should be audited in the normal manner (see revenue and receipts chapter 10).

14.6.3.5 Completeness
• Review payment records, minutes and correspondence for any evidence of loans advanced that may
have been misclassified, particularly in respect of loans to directors.
• Send a written request to all directors asking them to confirm details of any loans they or any person/
company "related" to them may have received (even if repaid) during the year.
• Obtain a written management representation on the completeness of loans advanced.

14.6.3.6 Presentation
See Notes 1 and 2 on page 14/12 and 14.5.2.6 on 14/13.

14.6.4 Intangible assets


IAS 38 – Intangible Assets defines an intangible asset as an “identifiable non-monetary asset without
physical substance . . .” Businesses frequently expend resources on acquiring or researching and developing
intangible assets, such as computer software, patents, copyrights and franchises. The question arises as to
how these “investments” in intangibles should be accounted for. IAS 38 is long and detailed and is beyond
the scope of this text, but it is important that you have a general idea of how intangibles should be audited.
The assertions relating to the “intangibles” balance are the same as for any asset, (i.e. rights, existence, accur-
acy valuation and allocation, completeness and classification). Attention will be paid to presentation.

14.6.4.1 Important accounting aspects


IAS 38 – Intangible assets, states that an intangible asset may only be recognised if, and only if:
• it is probable that the expected future economic benefits are attributable to the asset, will flow to the
entity, and
• the cost of the asset can be measured reliably.
Simplistically, an intangible asset will either be purchased or internally generated. While the cost of a
purchased intangible asset is easier to measure (based on purchase price), the auditor needs to be aware of
the guidelines for the recognition of the cost relating to an internally generated intangible asset. With
regard to internally generated intangible assets, IAS 38 does not allow any costs incurred in the research
phase, to be capitalised. Costs incurred in the development phase may only be capitalised if the following
criteria are satisfied:
• It is technically feasible to complete the intangible asset so that it will be available for use or sale.
• The company intends to complete the intangible asset and use or sell it, and has the ability to use or sell
it.
• The intangible asset will generate probable future economic benefits (e.g. market research could provide
this evidence).
• There are adequate technical, financial and other resources available to complete the development of the
asset and to sell or use it.
14/36 Auditing Notes for South African Students

• The company has the ability to reliably measure expenditure attributable to the intangible asset during its
development.
IAS 38 also provides guidance on the amortisation of the intangible asset. An intangible asset should be
amortised in a manner that reflects the asset’s economic benefits to the entity. If this is not readily deter-
minable, the straight-line method may be used. Both the amortisation period and the amortisation method
must be assessed at each reporting date and any changes must be accounted for as a change in accounting
estimate. Only intangible assets with finite lives are amortised. Intangible assets with indefinite useful lives
are not amortised; however, these assets must be reviewed annually for impairment and whether the assess-
ment that they have indefinite useful lives is appropriate.
Note: While IAS 38 does permit intangible assets to be carried under the revaluation model, they seldom
are. This is due mainly to the fact that one of the criteria for use of the model is “an active market” that will
often not exist. Further guidance on this can be found in IAS 38.
The following procedures provide guidelines for the audit of intangible assets. As there are many differ-
ent types of intangible assets, the procedures deal with principles.

14.6.4.2 Rights and existence


• Where possible, inspect documentation that reflects the client’s right to the asset, for example, letters,
patent, and Certificates of Registration for trademarks, licences.
• Inspect documentation for registration in the name of the client and for any endorsements that may
impinge on rights.
• If the “intangible” has a “physical” representation, for example, computer software, or a franchise, it
should be inspected by the auditor.

14.6.4.3 Completeness
The risk of understatement is reasonably low so completeness tests may be limited to:
• enquiry of management about research and development projects underway
• review of minutes, correspondence and disbursement records to identify expenditure on intangibles, and
• obtaining written representation from the directors.

14.6.4.4 Occurrence, accuracy, cut-off, classification


• The cost of an acquired intangible asset consists of:
– its purchase price, and
– any directly attributable costs of preparing the asset for its intended use, for example, professional
fees.
• The auditor would:
– Inspect the directors’ minutes, capital budgets for authority for the purchase.
– Inspect the purchase agreements, invoices and payment records pertaining to the purchase to confirm
that:
o they are in the name of the company
o amounts and descriptions agree with what has been recorded
o the transaction has been recorded in the correct accounting period (dates), and
o all costs included qualify as directly attributable costs, for example, they are not promotional costs,
or general administration costs.
• The cost of an internally generated intangible asset consists of expenditure incurred during the developmen-
tal stage of the asset.
• The auditor would:
– conduct procedures similar to those shown above for acquired intangible assets, and
– confirm, by inspection of the supporting documentation for capitalised cost, that the costs were not
research costs that should have been excluded (based on the criteria shown under important accounting
aspects).
Chapter 14: Finance and investment cycle 14/37

14.6.4.5 Valuation – Amortisation


Intangible assets have a finite or indefinite useful life. If the company assesses that the intangible asset’s
useful life is finite, then the intangible asset must be amortised. If its useful life is considered to be indefinite, it
is not amortised. Therefore, the auditor must do the following:
• Discuss and evaluate the grounds on which the useful life of the intangible asset was determined.
• Where the useful life is classified as finite:
– confirm that the method of amortisation reflects the pattern in which the intangible asset’s economic
benefits are consumed by the enterprise, or if this method of amortisation is not possible, the straight-
line method has been used, and
– re-perform all amortisation calculations.
• Where the useful life was classified as indefinite, confirm, by discussion with directors or inspection of
supporting schedules or documentation, that the intangible assets have been tested for impairment and
that their useful life has been re-assessed.

14.6.4.6 Presentation
See Notes 1 and 2 on page 14/12 as well as 14.5.2.6 on 14/13.
CHAPTER

15
Going concern and factual insolvency

CONTENTS
Page

15.1 Going concern – ISA 570 (revised) .................................................................................... 15/2


15.1.1 Introduction ......................................................................................................... 15/2
15.1.2 The auditor’s interest in the going concern ability of the client ................................ 15/2
15.1.3 The audit plan for going concern ........................................................................... 15/3
15.1.4 Mitigating factors and management plans .............................................................. 15/6
15.1.5 Audit conclusions ................................................................................................. 15/7
15.1.6 The auditor’s report (assuming there are no other reporting issues) ......................... 15/7
15.1.7 Key audit matters and going concern ..................................................................... 15/9
15.1.8 Reporting summary .............................................................................................. 15/9
15.1.9 Going concern and disclaimers of opinion ............................................................. 15/10

15.2 Factual insolvency ........................................................................................................... 15/13


15.2.1 Introduction ......................................................................................................... 15/13
15.2.2 The irregularities which may arise when a factually insolvent company
continues to trade ................................................................................................. 15/13
15.2.3 Factual insolvency and section 45 of the Auditing Profession Act
(reportable irregularities) ....................................................................................... 15/14
15.2.4 Subordination agreements (also called back-ranking agreements) ............................ 15/14
15.2.5 Auditing a subordination agreement ...................................................................... 15/15

15/1
15/2 Auditing Notes for South African Students

15.1 Going concern – ISA 570 (revised)


(Effective for audits of financial statements for periods ending on or after 15 December 2016)

15.1.1 Introduction
If a company is trading as a “going concern”, it means that the company can continue its operations for the
foreseeable future.
(a) Under normal circumstances, the company's directors will present the financial statements on the
“going concern basis”. This means that assets and liabilities are recorded on the assumption that the company
will continue its operations for the foreseeable future. Accordingly, assets and liabilities are recorded on the
basis that the entity will realise its assets and discharge its liabilities in the normal course of business.
(b) The responsibility for the preparation of the financial statements lies with the directors through
management. It follows that management should assess the entity’s ability to continue as a going
concern when preparing the annual financial statements and in terms of International Accounting
Standard IAS 1, management is actually required to make this assessment.
(c) Management’s assessment of the entity’s ability to continue as a going concern requires that judge-
ment must be made about the future of the company and the multitude of factors that can affect its
operations. In other words, judgement must be made about inherently uncertain future outcomes.
(d) The extent of management's assessment of “going concern” will vary considerably from entity to
entity. Many entities are historically sound and suffer no short-term threat to their continued
existence. Many others face uncertain futures and extensive assessment of their ability to continue as a
going concern may be necessary. This is not to assume that large companies are immune to
uncertainties concerning their futures. The financial crises (of 2007–2008), which devastated many
successful international companies and the global COVID-19 pandemic in 2020, which has
contributed to the woes of many industries, is testimony to this. So, the message is clear; while it is
acceptable that judgements about the future are based on information available when the judgement is
made, directors cannot assume that because the company is “strong today” it will be “strong
tomorrow”. In reality, most large companies (and many other companies) will be very aware of
sustainability issues and there will be risk committees that will monitor “going concern” on an on-
going basis.

15.1.2 The auditor’s interest in the going concern ability of the client
15.1.2.1 The going concern assumption
As stated above, the going concern assumption is fundamental to the preparation of the financial state-
ments. While the going concern itself is not stipulated as an assertion in ISA 315 (revised 2019), the
assumption of going concern in preparing the financial statements directly affects many assertions.
For example:
Jonas Ltd is being liquidated. The company's inventory is being sold at below cost to create a cash flow
(forced sale). The value of inventory presented on the going concern basis will thus differ from the value of
the same inventory presented on the liquidation basis.
The product that West Ltd manufactures and sells has become obsolete in the market place and as such,
West Ltd is no longer a going concern. Since it is no longer useful, the plant and equipment which manu-
factures the product can no longer be valued on the going concern basis.
In both of the above examples, the valuation assertion is directly affected.

15.1.2.2 Audit risk


The risk that the auditor faces is the expression of an unmodified audit opinion where the going concern
concept (including the treatment of material uncertainties) has been or may have been, applied inappro-
priately. As mentioned in (d) above, the possibility of this occurring will vary significantly from client to
client. Generally, in large listed companies, there is less risk that the company is not a going concern, but it
can be a real risk in other under-resourced companies. Regardless of the auditor’s initial impressions of the
client’s going concern ability, sufficient appropriate evidence will still have to be gathered to support the
adoption, by the client, of the going concern assumption in the preparation of the financial statements.
Chapter 15: Going concern and factual insolvency 15/3

However, it must also be understood that the auditor does not have special powers which enable him to
predict the future. The same uncertainties which affect management’s ability to predict the future, affect the
auditor. The auditor carries out the procedures he considers necessary, adopting the appropriate level of
professional scepticism, to be in a position to form an opinion on the entity’s ability to continue as a going
concern. It should be noted that an unmodified audit report is not a guarantee provided by the auditor that
the company will continue as a going concern.

15.1.2.3 Auditor’s objectives


The auditor’s objectives with regard to going concern are:
• to obtain sufficient appropriate evidence regarding, and to conclude on, the appropriateness of manage-
ment’s use of the going concern assumption in the preparation of the financial statements
• to conclude, based on the evidence obtained, whether a material uncertainty exists related to events or
conditions that may cast significant doubt on the entity’s ability to continue as a going concern, and
• to report in accordance with ISA 570 (revised).

15.1.2.4 When does the auditor consider the appropriateness of “going concern”?
Throughout the audit, the auditor should remain alert to evidence, events or conditions which may cast
significant doubt on the entity’s ability to continue as a going concern. The audit is an ongoing evidence
gathering exercise and pieces of evidence relating to going concern will be obtained at all stages of the
audit:
• During planning (risk assessment procedures): In terms of ISA 570 (revised) – Going Concern, the auditor
must carry out risk assessment procedures specifically relating to the going concern ability of the entity.
This will be part of identifying and assessing the risk of material misstatement (ISA 315 (revised 2019)).
In particular, the auditor should consider any material uncertainties regarding events or conditions and
related business risks that may cast significant doubt upon the entity's ability to continue as a going
concern.
An important risk assessment procedure will be to determine whether management has performed a
preliminary assessment of the company’s “going concern” ability and:
– if so, to discuss the assessment with management including any plans to address any significant
doubts about the company’s going concern ability, and
– if not, to discuss with management whether conditions or events which cast doubt about the
company’s ability to continue as a going concern do exist.
• During the performance of further audit procedures: if the risk assessment procedures have raised concerns
about “going concern”, the auditor will carry out specific further audit procedures to respond to the
risk. In addition, when carrying out further audit procedures not specific to going concern, the auditor
should be alert to events or conditions that provide evidence (negative or positive) relating to going
concern. For example, when auditing accounts payable, the auditor might notice increasing complaints
from creditors about slow or erratic payment from the client. This suggests cash flow/liquidity
problems. It does not mean there is a going concern problem, it simply provides an additional piece of
evidence that may cause the auditor to reassess the risk relating to going concern.
• As part of the review of subsequent events: The auditor will identify and evaluate the effect, if any, which
subsequent events may have had on going concern. For example, if the client’s primary market
collapses during the post reporting period, it will certainly influence the auditor’s opinion on whether
the going concern basis is appropriate. The post-reporting period may also provide further evidence of
events or conditions affecting going concern, identified prior to year-end.
• At the evaluating and concluding stage: The auditor considers all the individual pieces of evidence
gathered relating to going concern, collectively.

15.1.3 The audit plan for going concern


The directors, through management, are charged with the responsibility of assessing their company’s ability
to continue as a going concern at reporting date. In making their assessment, management must consider
all available information about the future, which is “at least, but not limited to, twelve months from the
reporting date”. The assessment may be made for a longer period, but the degree of uncertainty associated
15/4 Auditing Notes for South African Students

with future events increases, the further management looks into the future. Management’s assessment will
play a central role in the audit plan for going concern.
Essentially the audit of going concern follows the established process (i.e. risk assessment procedures
followed by further audit procedures to respond to the assessed risk and other procedures which may be
required to comply with the ISAs).

15.1.3.1 Risk assessment procedures – Nature, extent, timing


• Nature: The procedures will be conventional, (i.e. inquiry, analytical procedures and inspection) and
will centre on management’s assessment of going concern.
• Extent: The extent of risk assessment procedures will depend upon many factors but will be most
affected by the perceived future uncertainties that face the company and may affect its going concern
ability. There is no “one size fits all” when assessing risk, the circumstances and level of uncertainty will
vary considerably from company to company.
• Timing: Although the auditor may do some work on going concern at interim visits to the client, the
major thrust of the risk assessment procedures will be centred on the financial year-end audit. The most
current and up to date information is required to make an appropriate assessment.

15.1.3.2 Risk assessment procedures – Objective


Essentially, in conducting the risk assessment procedures, the auditor is on the look out for events or
conditions which, individually or collectively, may cast doubt about the company’s ability to continue as a
going concern. The explanatory notes to ISA 570 (revised) – Going Concern, provide a framework,
including examples of such events or conditions, which may be used to analyse the company’s going
concern ability. The events or conditions are categorised as financial, operating and other events or condi-
tions. In a situation where these events or conditions suggest that going concern is at risk, mitigating factors
(factors that reduce the risk) should also be considered.
• Financial
– the company is in a net liability or net current liability position
– fixed-term borrowings are approaching maturity (.e. they must be repaid) without realistic prospects
of renewal or repayment
– excessive reliance on short-term borrowings to finance long-term assets
– indications of withdrawal of financial support by suppliers and other creditors
– adverse key financial ratios
– negative operating cash flows
– substantial operating losses or significant deterioration in the value of assets used to generate cash
flows
– arrears or discontinuance of dividends
– inability to pay creditors on due dates
– difficulty in complying with the terms of loan agreements
– change from credit to cash-on-delivery transactions with suppliers, and
– inability to obtain financing for essential new product development or other essential investments.
• Operating
– management intentions to liquidate the entity or to cease operations
– loss of key management without replacement
– loss of a major market, franchise, licence or principal supplier
– labour difficulties, for example, strikes, go-slows, lack of skills
– shortage of important supplies, for example, raw materials
– technological obsolescence of products
– threats from cheap imported goods, and
– emergence of a highly successful competitor.
Chapter 15: Going concern and factual insolvency 15/5

• Other
– pending legal proceedings against the entity, which may, if successful, result in judgements that
cannot be met, for example, extensive damages awarded against the client
– changes in legislation or government policies, for example, withdrawal of tax concessions, banning
of client’s product
– negative perceptions about the company’s product in the marketplace (reputational damage), and
– negative publicity due to social media which may cause lasting damage to an organisations’ reputa-
tion (also refer to chapter 8),
– failure to satisfy Black Economic Empowerment requirements leading to the loss of contracts.
• Mitigating factors
– plans made by management to counterbalance the effects of negative events or conditions, for
example, detailed, achievable cash flows reflecting a return to profitable trading, the planned sale of
redundant assets to create a cash flow, other methods of maintaining cash flows by alternative means
– potential support from a holding company or fellow subsidiary
– a record of managing going concern crises successfully, and
– the availability of alternative sources of supply.

15.1.3.3 Further audit procedures:


• Nature: This will be a substantive evaluation of management’s assessment of the entity’s ability to
continue as a going concern, predominantly the application of analytical procedures, confirmation of
evidence provided by management, and enquiry of personnel. The “audit” of going concern is not
necessarily simple, as it requires the auditor to evaluate not only historical data but also, where going
concern is in doubt, a client's survival strategy and forecasts must be evaluated. Strategies and forecasts
are by their nature, subjective. Where the going concern has been assessed by management for the
following twelve months (normally the case), the auditor should still enquire whether management is
aware of anything beyond the twelve months which may cast significant doubt on the entity’s ability to
continue as a going concern.
ISA 570 (revised) refers to “additional” audit procedures to be conducted when events or conditions
which cash doubt about the company’s ability to continue as a going concern are identified. Obviously,
these procedures are a response to identified risk and would fall under the definition of further audit
procedures. The appendix to ISA 570 (revised) lists these procedures as follows:
– Analyse and discuss cash flow, profit and other relevant forecasts with management.
– Analyse and discuss the entity's latest available interim financial information.
– Review the terms of debentures and loan agreements to determine whether they have been and can
be met (have not been breached).
– Read minutes of meetings of shareholders and those charged with governance (directors and the
audit committee) for reference to financial difficulties.
Enquire from the entity's lawyers regarding litigation and claims and the reasonableness of manage-
ment’s assessment of any financial implications for the company.
– Confirm the existence, legality and enforceability of arrangements to provide or maintain financial
support with related and third parties and assess the financial ability of such parties to provide
additional funds.
– Consider the entity's position concerning unfilled customer contracts/orders, for example, penalties
for failure to perform.
– Confirm the existence, terms and adequacy of the company’s borrowing facilities, for example, the
state of the relationship with its bankers/borrowings providers.
– Obtain and review reports of any regulatory actions, for example, SARS investigation, investigations
by industry controlling bodies.
– Review events after year-end for transactions or events which either mitigate or aggravate conditions
affecting the entity's ability to continue as a going concern.
15/6 Auditing Notes for South African Students

• Extent: The extent of testing will vary directly with the "certainty" of the company’s ability to continue
as a going concern. Little detailed going concern audit work will be required for a sound, liquid and
solvent company, whereas a great deal of going concern audit work may be required where the com-
pany is facing an uncertain future, and where there are material uncertainties. The extent of going
concern procedures will be directly influenced by the outcome of the risk assessment procedures. As a
general rule “the greater the risk, the greater the extent of testing” holds true.
It is also important to remember that even if the assessment of the risk of material misstatement is low,
some further audit procedures will need to be conducted. These may be very simple and quick but in
terms of the auditing standards, sufficient appropriate evidence must be gathered to support the “low
risk” assessment.
• Timing: The timing of testing will of necessity centre on the financial year end and the post reporting
date period. This is due to the fact that the auditor in interested in the most current up to date
information about the company’s going concern ability.
Note: In terms of ISA 300 – Planning an audit of financial statements, the auditor must plan, in addition
to risk assessment procedures and further audit procedures, other procedures that are required to be
carried out so as to comply with the ISAs. Other procedures are not a response to the risk assess-
ment they are a response to the requirement of compliance with the ISAs. In the case of “going
concern” an other procedure may be “communicating with those charged with governance” to
comply with ISA 260 (revised), or “obtaining written representations” pertaining to going concern
to comply with ISA 580.

15.1.4 Mitigating factors and management plans


When faced with a material uncertainty regarding their company’s ability to continue as a going concern,
the directors will attempt to implement plans to resolve the problem. Standard “management plans” are:
• the disposal of assets to generate a cash flow
• raising of additional capital or restructuring debt
• cost cutting, and
• increasing sales.
The auditor must consider any plan that management offers, as the plan is, in effect, a mitigating factor. In
this regard the auditor:
• Should gather sufficient appropriate evidence that the plans are specific and feasible, for example, a plan
to “increase sales volume by 25%” would have to be supported by specific detail as to how this is going
to be achieved. The auditor will need to “audit” the detail and consider whether, in the light of the
evidence gathered, the plan can be achieved (feasible). For example, a manufacturing company that is
going to “increase sales volume by 25%” will need sufficient production capacity to meet the increased
sales. If it does not have the capacity, the plan is not feasible.
• Should pay careful attention to the underlying assumptions which management use in their plans. By
their nature, assumptions are subjective, so the most that the auditor can do, is to evaluate whether the
assumptions are appropriate, reasonable, suitably supported and not vague generalities. Increasing sales
by 25% sound good, but how does the entity do it!
• Must realise that most plans will have a negative side to them which could increase the going concern
problem; for example, most plans which create a cash inflow, create a cash outflow as well; if a new loan
is negotiated (inflow), interest and ultimately the capital sum must be paid to the loan provider
(outflow). Another example might be where retrenchments are planned as a cost-cutting exercise; not
only does this create an outflow (retrenchment packages), but the company’s ability to service its
customers may also be negatively affected, resulting in customers taking their business elsewhere.
• Should ensure that the directors provide written representation regarding their intentions to commit to
the plan, and that the directors have approved it and are committed to it.
Chapter 15: Going concern and factual insolvency 15/7

Read the example below and see if you can identify events or conditions (financial, operation or other) that
may indicate a going concern risk. Read the scenario again and try to identify mitigating factors (which
reduce the risk.):

Alpha (Pty) Ltd is experiencing cash flow difficulties. In order to alleviate the pressure, the managers of
Alpha (Pty) Ltd has changed its debtor repayment policy from 30 days to 15 days. Unfortunately, the
company’s customers did not take well to this change, and this, combined with a steep increase in
competitors that have entered the market, has caused sales to drop by nearly 15%. To make matters
worse, two of the company’s largest suppliers have indicated that they are no longer willing to provide
credit to Alpha (Pty) Ltd, as the company has fallen into arrears with its payments. As Alpha (Pty) Ltd
is struggling to obtain further finance from its bank, it is considering factoring its debtor’s book. The
cash generated from the factoring would mainly be applied to pay increases to employees to avoid
further strike action. Management is also hoping that this would stop the exodus of some of Alpha
(Pty) Ltd’s most skilled employees (who have left to join competitor companies, due to their
unhappiness with the company’s inability to pay market-related salaries.) Besides generating cash from
debtor factoring, management has also put aggressive cost cutting plans into place, which should
significantly decrease overheads. The company is also closing down its loss-making KZN branch, and
the disposal of the related assets would also bring some financial relief.

15.1.5 Audit conclusions


After sufficient appropriate evidence has been obtained relating to the going concern assumption, the
auditor must decide whether a material uncertainty exists that may cast significant doubt upon the entity’s
ability to continue as a going concern. A material uncertainty exists when the magnitude of its potential
impact and its likelihood of occurrence is such that in the auditor’s judgement, appropriate disclosure of the
nature and implications of the uncertainly is necessary for the financial statements to achieve fair presen-
tation.
Expressed another way, if a material uncertainty exists, it must be adequately disclosed in the financial
statements otherwise the financial statements will not fairly present the state of the company's affairs.
Proper disclosure requires that the financial statements:
• adequately describe the principal events or the conditions that give rise to the significant doubt about
the entity's ability to continue in operation for the foreseeable future and management's plans to deal
with these events or conditions;
• state clearly that there is a material uncertainty related to events or conditions which may cast signifi-
cant doubt about the entity's ability to continue as a going concern, and therefore, that it may be unable
to realise its assets and discharge its liabilities in the ordinary course of business; and
• the disclosure may also include management’s evaluation of the significance of the events or conditions
relating to the entity’s ability to meet its obligations and/or significant judgements made by manage-
ment as part of its assessment of the company’s ability to continue as a going concern.

15.1.6 The auditor’s report (assuming there are no other reporting issues)
Note: To be able to understand “reporting on going concern”, you will need to understand the statements
which deal with forming an opinion and reporting on financial statements. These are covered in chap-
ter 18.
Essentially in assessing the implications of the company’s “going concern status” on the audit report, the
auditor must consider three situations.
Situation 1 The use of the going concern basis of accounting is appropriate.
Situation 2 The use of the going concern basis of accounting is not appropriate.
Situation 3 The use of the going concern basis of accounting is appropriate but a material uncertainty
exists.

Situation 1
This situation presents no complications and an unmodified audit report will be given.
15/8 Auditing Notes for South African Students

Situation 2
This situation will give rise to an adverse opinion. It arises when the client has prepared the financial
statements on the going concern basis, but this basis is inappropriate in the auditor’s judgment. An adverse
opinion is a clear statement by the auditor that the financial statements do not “fairly present”. The auditor
is reporting that by using the going concern basis of accounting the financial statements are materially
misstated and the effect thereof is material and pervasive. If, based on the procedures carried out and all the
information obtained, including the effect of management's plans, the auditor's judgment is that the entity
will not be able to continue as a going concern, the auditor must express an adverse opinion, regardless of
whether or not the disclosure of the going concern problem has been made.

Situation 3
This situation is a little more complicated and requires the auditor to decide on whether the material uncer-
tainly has been adequately disclosed before he can decide on the appropriate report.
• If the disclosure is adequate the auditor will express an unmodified opinion (remember that the auditor
has decided that the going concern basis is appropriate) but will add a separate paragraph to the audit
report headed “Material Uncertainty Related to Going Concern”. This additional paragraph will:
– draw attention to the note in the financial statements which deals with the material uncertainty
– state that the events or conditions described in the note indicate that a material uncertainty exists that
may cast significant doubt on the company’s ability to continue as a going concern, and that
– the auditor’s opinion is not modified in respect of the matter.
The intention of including this additional paragraph is to bring an important matter (the material
uncertainty) to the attention of users of the financial statements.
• If the disclosure is not adequate the auditor is required to express either a qualified opinion (except for) or
an adverse opinion and in the basis for qualified (adverse) opinion paragraph of the auditor’s report,
state that a material uncertainty exists that may cast significant doubt on the company’s ability to
continue as a going concern and that the financial statements do not adequately disclose this matter.
This situation amounts to a disagreement with the directors resulting in material misstatement of the
financial statements, and only an “except for” or “adverse” opinion can be given (a disclaimer of
opinion will not be suitable).
A difficulty which the auditor may encounter when the inadequacy of the disclosure of the material
uncertainty is the problem is the decision as to whether the effect of the inadequate disclosure is (only)
material (an except for qualification) or is material and pervasive (adverse). Neither ISA 570 (revised) or
ISA 705 (revised) are particularly forthcoming on how the auditor distinguishes between material and
material and pervasive in this situation, but the following “points” are relevant:
– the decision is a matter of professional judgement and will be the responsibility of a senior member of
the audit team
– the except for qualified opinion will be given wherein the auditor’s judgement, the effect of the
inadequate disclosure on the financial statements is not so material and pervasive as to require an
adverse opinion
– the adverse opinion will be given when the effect of the failure to disclose or adequately disclose the
going concern problem is so material and pervasive that the auditor concludes that an “except for”
qualification is not adequate to reflect the misleading and incomplete nature of the financial state-
ments
– by definition, a material uncertainty gives rise to significant doubt about the company’s going concern
ability, and it would seem reasonable that the complete omission of disclosure of the material
uncertainty would warrant an adverse opinion. A significant piece of information has been omitted,
which means that fair presentation has not been achieved, and
– the extent of the disclosure may be relevant. If say, 60% of the relevant facts about the going concern
problem have been disclosed, an “except for” qualification could be given, whereas, if say only 20%
of the facts have been disclosed, an adverse is given. The reasoning here is that 60% disclosure, while
inadequate, alerts the user to the problem, but 20% disclosure results in financial statements which
are incomplete and misleading, and therefore should not be relied upon because the seriousness of
the going concern problem has not been adequately conveyed to the user.
Chapter 15: Going concern and factual insolvency 15/9

15.1.7 Key audit matters and going concern


In terms of ISA 701, key audit matters are matters that, in the auditor’s professional judgement, were of
most significance in the audit of the financial statements for the current period. Key audit matters are
selected from matters communicated with those charged with governance and will be matters which
require significant auditor attention in performing the audit. Key audit matters must be communicated in
the audit report. This requirement applies to listed companies.
Although the adoption of the going concern assumption is fundamental to the preparation of the finan-
cial statements, the going concern audit will not automatically be a key audit matter. However, where a
company is experiencing going concern problems, it is likely to give rise to a key audit matter. The more
complicated and subjective the issues around whether the going concern basis of accounting is appropriate,
the greater the audit input (time, resources and skill/experience of audit personnel) required, to the extent
that the audit of going concern may be a key audit matter of “most significance”.
If it is deemed to be a key audit matter, how it is treated in the audit report will depend on whether or
not an unmodified opinion, a qualified opinion or an adverse opinion has been given, and whether a
material uncertainty related to going concern section is required in the audit report.
• Unmodified opinion. If going concern has been identified as a key audit matter (although an unmodified
opinion has been given), the matter will be dealt with in the key audit matter section of the audit report.
• Unmodified opinion but a “material uncertainty related to going concern” section has been added. Although
the going concern matter has been identified as a key audit matter, it will not be dealt with in the key
audit matter section of the report because it will be dealt with in the material uncertainty related to
going concern section. However, in the key audit matter section, a reference to the material uncertainty
related to going concern section, along with any other key audit matters which are communicated, will
be included.
• Qualified opinion or adverse opinion. The same principle as above will be followed. Although the going
concern matter has been identified as a key audit matter, it will not be dealt with in the key audit matter
section because it will be dealt with in the basis for qualified (adverse) opinion section. However, in the
key audit matter section, a reference to the basis for qualified (adverse) opinion section will be included.

15.1.8 Reporting summary


(See Appendix 1 and 2 on pages 15/11 and 15/12.)
The audit report requirements can be summarised as follows:

15.1.8.1 Unmodified opinion


This report is given when no doubt exists relating to the appropriateness of presenting the AFS on the
going concern basis.

15.1.8.2 Unmodified opinion – Material Uncertainty Related to Going Concern section added
This report is given when:
• the going concern basis of presentation is appropriate, but
• a material uncertainty that may cast significant doubt about the company’s ability to continue as a going
concern exists, and
• the material uncertainty is properly (adequately) disclosed (see 15.1.6 Situation 3 above).

15.1.8.3 Qualified opinion or adverse opinion based on disclosure problems


This report is given when:
• going concern basis of presentation is appropriate, but
• a material uncertainty that may cast significant doubt about the company’s ability to continue as a
going concern exists, and
• the material uncertainty has not been disclosed or has been inadequately disclosed.
15/10 Auditing Notes for South African Students

15.1.8.4 Adverse opinion – Inappropriate basis


This report is given when:
• the financial statements are presented on the going concern basis, but
• in the opinion of the auditor, this basis is not appropriate regardless of whether or not proper disclosure has
been made of the material uncertainties.

15.1.9 Going concern and disclaimers of opinion


ISA 570 (revised) – Going concern (para A33) recognises that there may be “extreme” cases where there
are multiple material uncertainties, which have all been adequately disclosed, but the auditor is unable to
decide whether “going concern” is the appropriate basis of presentation. In this instance, ISA 570 (revised)
states that the auditor may give a disclaimer of opinion.
ISA 570 (revised) (para A35) suggests that there may be situations where the auditor is limited in his
scope when auditing going concern. For example, management may not co-operate in supplying relevant
information or may refuse to provide its assessment of the company’s going concern ability. This situation
(which would also be considered “rare”) essentially means that the auditor would be unable to gather
sufficient appropriate evidence to support the presentation of the financial statements on the going concern
basis, i.e., the auditor is unable to form an opinion on the fair presentation of the financial statements. An
except for qualification or a disclaimer based on insufficient evidence would be required.
In terms of ISAs 701 and 705 (revised), where a disclaimer of opinion is given (regardless of the circum-
stances), the key audit matter section is not included in the audit report. If a disclaimer is to be given arising
from the auditor’s inability to form an opinion on going concern, the basis of the disclaimer will be
described in the basis for disclaimer of opinion section.
Chapter 15: Going concern and factual insolvency 15/11

Appendix 1: The going concern decision


15/12 Auditing Notes for South African Students

Note: The following examples deal only with the wording directly related to the going concern modi-
fication/qualification. The standard wording required in the various reports refers to ISA 570
(revised) and ISA 705 (revised).

Appendix 2: Examples of the going concern related sections in the applicable audit reports
1. Example 1 – Unmodified opinion but a material uncertainty, which has been properly disclosed
1.1 Included in a section headed: Material Uncertainty related to Going concern.
We draw attention to note 10 in the financial statements, which indicates that the company incur-
red a net loss of R7,3 million for the financial year ended 31 March 202x due primarily to the
collapse of the company’s major supplier and the difficulties the company continues to experience
in finding a suitable replacement supplier. As stated in note 10, this situation indicates that a
material uncertainty exists that may cast significant doubt on the company’s ability to continue as a
going concern.
2. Example 2 – Qualified opinion: material uncertainty inadequately disclosed, the effect of which is
considered to be material only
2.1 Included in the qualified opinion section
In our opinion, except for the incomplete disclosure of the information referred to in the basis for
qualified opinion section of our report, the accompanying financial statements present fairly in all
material respects, the financial position of the company as at 31 March 202x and its financial
performance and its cash flows for the year then ended in accordance with International Financial
Reporting Standards.
2.2 Included in the basis for qualified opinion section
As discussed in note 10, most of the company’s long-term financial obligations must be settled on
31 May 202x. The directors have been unable to renegotiate (extend) these loans or obtain replace-
ment financing. This situation indicates that a material uncertainty exists that may cast significant
doubt on the company’s ability to continue as a going concern. The financial statements do not
adequately disclose this matter.
3. Example 3 – Adverse opinion: No disclosure of material uncertainty, the effect of which is considered to
be material and pervasive
3.1 Included in the adverse opinion section
In our opinion, because of the omission of the information mentioned in the basis for adverse
opinion section of the report, the accompanying financial statements do not present fairly, the finan-
cial position of the company at 31 March 202x and its financial performance and its cash flows for
the year then ended in accordance with International Financial Reporting Standards.
3.2 Basis for adverse opinion section
During the period between the financial year-end (31 March 202x) and the date of our report, the
company continued to make significant losses because the directors have been unable to replace the
company’s liquidated major supplier of components used in the manufacture of its products. The
directors are considering placing the company in liquidation. This situation indicates that a
material uncertainty exists that may cast significant doubt on the company’s ability to continue as a
going concern. This situation has not been disclosed in the financial statements.
4. Example 4 – Disclaimer of opinion: Disclosure of material uncertainties, including the directors’ plans to
address the going concern issues, but the auditor denied access to necessary information relating to the
material uncertainties and the directors’ plans.
4.1 Included in the disclaimer of opinion section
We do not express an opinion on the financial statements of the company at 31 March 202x.
Because of the significance of the matter described in the basis for the disclaimer of opinion section
of our report, we have not obtained sufficient, appropriate audit evidence to provide a basis for an
audit opinion on these financial statements.
4.2 Basis for disclaimer of opinion
As stated in note 15 of the financial statements, the company is facing material uncertainties that
may cast significant doubt on the company’s ability to continue as a going concern. The note also
indicates that the directors have plans to address these uncertainties. However, we were not
Chapter 15: Going concern and factual insolvency 15/13

allowed access to any documentation relating to the material uncertainties themselves or to any
documentation or information supporting the directors’ plans to address these uncertainties. As a
result, we cannot form an opinion on whether the presentation of the financial statements on the
going concern basis is appropriate.

15.2 Factual insolvency


15.2.1 Introduction
For this topic, there are two categories of insolvency to consider:
• Commercial insolvency arises when an undertaking cannot pay its debts as they fall due as a result of illi-
quidity, even though its assets may exceed its liabilities.
• Factual insolvency arises when the liabilities of an undertaking exceed its assets, fairly valued (also
referred to as technical insolvency).
Commercial insolvency would clearly indicate going concern problems and would be taken into consid-
eration by management and the auditor in assessing the appropriateness of presenting the AFS on the going
concern basis. The auditor would be particularly interested in management’s plans to address the situation.
Factual insolvency also clearly indicates going concern problems but, in addition, has much more severe
implications for the auditor. Where a company continues to trade when its liabilities exceed its fairly
valued assets, a situation is created where certain irregularities may occur. If such irregularities are taking
place, a duty on the auditor's part to report a “reportable irregularity” as contemplated by section 45 of the
Auditing Profession Act 2005, may arise. The fact that the company continues to trade while factually
insolvent is not in itself, an irregularity, but a situation is created that may give rise to certain irregularities.

15.2.2 The irregularities which may arise when a factually insolvent company
continues to trade
15.2.2.1 Common law fraud
The crime of fraud includes unlawfully making, with intent to defraud, a misrepresentation that causes actual
prejudice to another. In the context of this topic, the directors of a factually insolvent company may be guilty
of fraud, if, for example, they enter into a contract with a supplier of goods knowing that the goods
supplied will not be paid for.

15.2.2.2 Reckless trading – Companies Act 2008 section 22


In terms of section 22, “a company must not carry on its business recklessly, with gross negligence, with
intent to defraud any person or for any fraudulent purpose”. When a company is factually insolvent, is it
“reckless” for the directors to continue trading? Obviously, there is a fair amount of subjectivity in
determining whether the directors have been reckless but the key will be to determine whether the directors
have acted as reasonable people. The question to be answered is whether a reasonable person would have
acted in the same manner under a situation of factual insolvency.
For example:
Better-Days (Pty) Ltd is factually insolvent. However, its directors have decided to enter into a lease
agreement for a very expensive fleet of company vehicles for their personal use. Furthermore, they have
approved an extensive overseas trip for five of the directors (first-class airfare and five-star hotels), to attend
a conference relating to the industry they operate in. The directors have also voted to grant themselves
large bonuses and substantial salary increases, as a reward for “making it through” the tough year that the
company has faced. Lastly, the directors have incurred a substantial amount of debt on behalf of the
company, to finance the expenses as discussed above.
Regarding the scenario above, do you think it is reasonable for the directors to have entered into the lease
agreement while the company is factually insolvent? Is it reasonable for five directors to undertake the
overseas trip instead of only one director? Is it reasonable for the directors to fly first class and stay in luxury
hotels while the company is factually insolvent? What about the large bonuses and salary increases? Would
a reasonable person have incurred debt on behalf of the company when there is no reasonable prospect of
the creditors ever receiving payment for those debts? All these issues would probably result in a breach of
section 22 of the Companies Act.
15/14 Auditing Notes for South African Students

15.2.2.3 Summary
Where a company is factually insolvent, there is a greater risk that common law fraud, recklessness or
gross negligence could occur. If any of the above have occurred (or are occurring) an unlawful act will have
taken place. If the other requirements for a reportable irregularity are present (s 1 – definitions. Auditing
Profession Act 2005) a duty in terms of section 45 will have arisen. The auditor must report accordingly to
the IRBA.

15.2.3 Factual insolvency and section 45 of the Auditing Profession Act


(reportable irregularities)
As indicated above, trading while factually insolvent may give rise to a reportable irregularity. In terms of
the AP Act section 1 – definitions, to be a reportable irregularity the matter must be:
• An unlawful act or omission – the mere fact that a company is trading while factually insolvent is not
itself unlawful. However, if fraud or any Companies Act section 22 contraventions are underway, an
unlawful act will have occurred.
• Committed by management – if fraudulent/reckless acts are being committed in this context, it will be a
result of decisions taken by those responsible for the company's management.
• The section goes on to say that the unlawful act must:
– have caused or be likely to cause financial loss, or
– be fraudulent or amount to theft, or
– represent a material breach of fiduciary duty by the person committing the unlawful act.
Note the use of the word “or”. Although there will usually be financial loss if fraud, recklessness or gross
negligence has taken place, financial loss is not a requirement that has to be satisfied before the matter
becomes a reportable irregularity. Regardless of financial loss, if the act is fraudulent, the requirements for
a reportable irregularity are satisfied. In addition, it should be noted that to commit fraud, or to intend to
commit fraud, is likely to represent a material breach of fiduciary duty on the part of the directors.
Thus if a company continues to trade while its liabilities exceed its assets fairly valued, and in doing so
the directors act fraudulently or recklessly in carrying on the business of the company (regardless of
financial loss), a duty for the auditor to report in terms of section 45 of the AP Act arises.
Once the auditor has made the first report to the Regulatory Board (IRBA), the matter must be discussed
with the directors “as soon as possible”. Essentially, the directors will have to provide the auditor with
evidence that they have not carried on the company's business fraudulently or recklessly.
In deciding whether the directors have acted unlawfully, the auditor will need to evaluate the evidence
presented by the directors to refute the allegations and will probably need to obtain legal opinion. Remem-
ber that from a going concern perspective, the auditor will certainly take the insolvency into account, but
from a reportable irregularity perspective, the auditor is more concerned about whether the directors have
acted fraudulently, recklessly (with gross negligence) or have breached their fiduciary duty. Should the
auditor fail to obtain the necessary evidence (to refute this), he must report to the IRBA that the reportable
irregularity is continuing. The second report to the IRBA must be made within 30 days of the first report.

15.2.4 Subordination agreements (also called back-ranking agreements)


15.2.4.1 Back-ranking agreement
A common step that is taken by directors of factually insolvent companies in an attempt to get their
companies back to health, is to obtain a back-ranking agreement. This is defined as:
An agreement by a substantial creditor(s) whereby that creditor binds itself either indefinitely or for a
limited period, conditionally or unconditionally not to claim or accept payment of the amounts owing to it until
the happening of a particular event.
The idea is that the factually insolvent company is given a "breathing space" during which time it can get
itself back to a satisfactory level of financial stability. While a back-ranking/subordination agreement does
not create an inflow of funds, it delays outflows, which may assist the company’s liquidity.
Chapter 15: Going concern and factual insolvency 15/15

15.2.4.2 Subordinating the amount owed by the factually insolvent company


Why would a creditor subordinate (back rank) the amount the factually insolvent company owes it?
Remember, we are dealing with a company whose liabilities exceed its assets and whose creditors will
therefore not be paid in full if the company is liquidated. A creditor may believe that, in the long run, it will
be a better business decision to keep the insolvent company functioning in the hope of ultimately being
paid in full, than to allow liquidation to take place. There may be other reasons why the creditor company
may wish to keep the insolvent company alive, for example, the insolvent company may be part of a group
or may possess some unique characteristic, such as a non-transferable license to manufacture a particular
product.

15.2.4.3 Audit considerations with respect to subordination agreements


• A subordination agreement is an important piece of evidence for the auditor. A valid subordination
agreement may be significant in determining whether the going concern basis of presentation is appropriate.
Indeed, the agreement may be the very reason that the company is able to continue in operational
existence. For example, a holding company may subordinate its loan to its subsidiary until the
subsidiary returns to profitable trading. Other creditors will be more inclined to continue supplying the
subsidiary and trading can continue. However, the presence of a subordination agreement does not
automatically mean that the factually insolvent company will be a going concern, it is simply a
mitigating factor – financial, operating and other factors must still be considered in deciding whether the
adoption of the going concern basis for the presentation of the financial statements is appropriate.
• In relation to the situation where the auditor considers whether a reportable irregularity is taking place,
the subordination agreement has no specific significance other than if it is presented as part of the
evidence produced by the directors to prove they have not acted fraudulently or recklessly. The directors
may contend that they are not being fraudulent, negligent or reckless in their actions, but are acting
responsibly and fulfilling their fiduciary duty by acting in the company's best interests by obtaining a
subordination agreement.

15.2.5 Auditing a subordination agreement


The following considerations should be taken into account when auditing a subordination agreement:

15.2.5.1 The contract


The auditor must be satisfied that the contract:
• is in writing in the format recommended by SAICA
• is signed by the creditor (with due authority)
• is between the client and the creditor
• is accepted by the client (signed by the directors), and
• complies with all legal formalities.

15.2.5.2 Size
The auditor must be satisfied that the claim that is backranked (subordinated) is sufficient to create a
situation where an exception cannot be taken to a continuation of trading. Remember: Backranking intends
to give the company a realistic chance to recover – not simply to get the “accounting” right. The back-
ranking creditor (the amount back ranked) must be large enough for this concession to have some effect.

15.2.5.3 Financial substance of the back-ranking creditor


The auditor must consider whether the back-ranking creditor is (financially) of sufficient substance:
• should the back-ranking creditor go insolvent, every disposition of property not made for value may be set
aside by the liquidator of that company if, immediately after the disposition, the liabilities of the
insolvent (creditor company) exceed its assets, and
• the auditor must therefore assess the possibility of insolvency of the creditor giving the back-ranking
agreement, and whether value has, in fact, been received by the creditor. If there is a possibility of the
subordination agreement being set aside, the auditor will be concerned about its suitability as acceptable
evidence supporting the adoption of the going concern basis by the audit client.
15/16 Auditing Notes for South African Students

Note: We are dealing here with the insolvency of the party, which is subordinating (back ranking) its claim.
In effect by subordinating its claim, this party is “disposing” of its right to one of its assets and if no
value is received in return, the disposition may be set aside under the circumstances outlined above.
(This is a principle in insolvency law.)

15.2.5.4 Creditors right to back rank


The auditor must also determine by written enquiry whether the back-ranking creditor is entitled to back
rank the debt (amount owed by the audit client), for example, the back-ranking creditor may have already
offered the debt as some form of security to another party.

15.2.5.5 Reversal of the back-ranking agreement


The auditor must be aware of the possibility of the reversal of the subordination agreement after it has been
presented as evidence in support of the adoption of the going concern assumption and should therefore give
consideration to the integrity of the parties to the agreement and be quite clear about their intentions. Is it a
genuine attempt to save the company or is it just an agreement of convenience to satisfy the auditor?

15.2.5.6 Third-party acceptance


The auditor should determine by inspection of correspondence and discussion with the directors as to
whether any creditors (third parties) of the audit client company have accepted the benefit of the subordina-
tion agreement. For example, a supplier may have agreed to supply goods to the insolvent company
because of the existence of the subordination agreement. A third party having accepted the benefits of the
agreement gives more credibility to the subordination agreement as it cannot simply be legally reversed
without the third party's (creditor) consent.

15.2.5.7 Documentation
The original of the subordination agreement should be retained by the provider of the agreement and a true
copy by the client company. The auditor should also retain a copy in the audit documentation.

15.2.5.8 Disclosure
The entire matter should be fully disclosed by way of note and suitably described in the statement of
financial position. Usually this will mean that the back-ranked creditor will be shown as a separate long-
term liability (non-current liability) in the company whose creditor is back ranked, and as a separate “long-
term” debtor in the company which is back ranking its claim. As the subordination agreement relates to
going concern, failure to make proper disclosure of the situation, will result in a qualified or adverse
opinion.

15.2.5.9 Audit report


If the auditor accepts that the going concern basis of presentation is appropriate by virtue of the sub-
ordination agreement, a material uncertainty that causes significant doubt about the going concern ability
of the company will still exist. (We are dealing with a factually insolvent company.) Therefore, to achieve
fair presentation, the company will need to make adequate disclosure, including details of the sub-
ordination agreement. If this is achieved to the satisfaction of the auditor an unmodified audit opinion may
be given, but an additional paragraph headed “Material Uncertainty Related to Going Concern” must be
added to the report.
If adequate disclosure or no disclosure is made, the auditor will qualify the audit opinion or give an
adverse opinion based on material misstatement of the financial statements, which he may assess as either
material (only) or material and pervasive.
CHAPTER

16
Reliance on other parties

CONTENTS
Page
16.1 Introduction .................................................................................................................... 16/2

16.2 ISA 600 – Special considerations – audits of group financial statements


(including the work of component auditors) .................................................................... 16/2
16.2.1 Introduction ...................................................................................................... 16/2
16.2.2 Responsibilities of the group engagement partner with regard
to the component auditor ................................................................................... 16/3
16.2.3 Reporting considerations .................................................................................... 16/5

16.3 ISA 610 (revised) – Using the work of internal auditors with reference to
the King IV Report ........................................................................................................... 16/5
16.3.1 Introduction ...................................................................................................... 16/5
16.3.2 Definition of the Internal Audit Function – ISA 610............................................ 16/6
16.3.3 External auditor’s objectives ............................................................................... 16/6
16.3.4 External auditor’s responsibility ......................................................................... 16/6
16.3.5 Evaluating the internal audit function ................................................................. 16/6
16.3.6 Determining the nature and extent of work of the internal audit function
that can be used ................................................................................................. 16/8
16.3.7 Using the work of the internal audit function ...................................................... 16/8
16.3.8 Determining whether, in which areas and to what extent, internal auditors
can be used to provide direct assistance............................................................... 16/9
16.3.9 Using internal auditors to provide direct assistance.............................................. 16/10
16.3.10 Documentation.................................................................................................. 16/10

16.4 ISA 620 – Using the work of an auditor’s expert ............................................................... 16/10
16.4.1 Introduction ...................................................................................................... 16/10
16.4.2 Definition of an auditor’s expert ......................................................................... 16/11
16.4.3 Determining the need for an auditor’s expert ...................................................... 16/11
16.4.4 Determining the need to use an auditor’s expert when management has used a
management’s expert in the preparation of the financial statements ..................... 16/11
16.4.5 Nature, timing and extent of audit procedures ..................................................... 16/12
16.4.6 Reference to the auditor’s expert in the auditor’s report ....................................... 16/13

16/1
16/2 Auditing Notes for South African Students

16.1 Introduction
There are many instances where an auditor appointed by a client to provide audit assurance will find it
effective and efficient to engage other parties to gather evidence on which he can rely when forming the
audit opinion. However, it is important to remember that the auditor has sole responsibility for the audit
opinion, and that responsibility is not reduced because another party was involved in obtaining evidence.
Therefore, the auditor needs to take certain precautions and perform specific procedures when relying on
the work of such a party. Common examples of parties on which an auditor may rely are:

• Other firms of auditors


This is most common where a group engagement partner (the partner responsible for the audit of a group
of companies), relies on the work of another firm of auditors who have audited a component of the group,
for example a subsidiary within the group. Another typical example is where the auditor of the company
engages another auditor (or firm) to observe an inventory count or conduct a physical asset verification at a
branch or division of the company which is in a distant location (but close to the other audit firm), because
it is more cost-effective and efficient than sending his own audit team to that location.

• Internal auditors
Many companies, particularly large companies, have highly competent internal audit departments that
operate independently of management and carry out functions that can be of real assistance to the external
auditor. For example, modern internal audit is risk-based which requires that internal audit has a detailed
knowledge of the risks faced by the company. External audit is also risk-based, so although internal and
external audit does not have exactly the same objectives, there is plenty of common ground between the
two. It makes sense that if the external audit strategy can justifiably include some reliance on internal audit,
a more effective and efficient audit may result.

• An auditor’s expert
In some situations, an auditor may need the expertise of another individual to assist him in gathering
sufficient appropriate evidence pertaining to a particular assertion relating to the financial statements. For
example, the valuation of inventory in a chemical company, or the legal interpretation of a contract, may
be beyond the auditor's expertise and may require that the auditor rely on the expertise of a chemical engin-
eer or a lawyer.
Remember, the auditor does not escape responsibility for assessing the suitability of the evidence provided
by another party (other auditor, internal auditor or auditor’s expert), he/she must therefore assess both the
party and the evidence provided. In effect, the other party can be regarded as an extension of the audit team
and must possess the same professional attributes as the auditor. The evidence gathered by the other party
must be sufficient and appropriate.
This means that the work carried out by the other party, for example, an auditor’s expert, must be
performed or supervised by a person having adequate skills and competence and who meets the professional
requirements of independence, objectivity, confidentiality and professional behaviour. This also means that the
evidence gathered must be sufficient, relevant and reliable.
The three International Standards on Auditing relevant to reliance on other parties are dealt with below.

16.2 ISA 600 – Special considerations – audits of group financial statements


(including the work of component auditors)
16.2.1 Introduction
ISA 600 does not deal exclusively with reliance by an auditor on other auditors. As the title indicates, the
statement deals with special considerations regarding the audit of group financial statements. One of those
special considerations is the reliance by the group engagement partner (i.e., the auditor responsible for
giving the opinion on the group financial statements), on other auditors who may have audited a “compo-
nent” of the group financial statements.
For example:
HoldFin Ltd is a company listed on the JSE. The company has three subsidiaries, FinTech (Pty) Ltd,
EcoFin (Pty) Ltd and FinPlus (Pty) Ltd. HoldFin (Pty) Ltd and FinTech (Pty) Ltd are audited by Molefe
Inc, while Lakota and Partners audit EcoFin (Pty) Ltd and FinPlus (Pty) Ltd. As HoldFin Ltd is required
to present consolidated annual financial statements in terms of IAS 27 (i.e., the company does not qualify
Chapter 16: Reliance on other parties 16/3

for the exemption in terms of paragraph 10), Molefe Inc is required to pass an audit opinion on the fair
presentation of the consolidated financial statements. Thus, Molefe Inc (the group engagement partner) has
to rely on the work of Lakota and Partners (the component auditor), which is the subsidiary company
auditor in this case.
Note that a component will not necessarily be a subsidiary company, as in the example above. It could
be any entity or business activity for which financial information is incorporated into the group financial
statements, for example, a joint venture, or separate division.
Despite concentrating on component auditors in a group situation, ISA 600 makes the point that the
statement “may be useful” when the auditor involves “other auditors” in the audit of financial statements
that are not group financial statements, for example, where an auditor involves another auditor to observe
an inventory count at a location which is convenient to the “other auditor” but not to the auditor himself.
The following summary will consider the principles of reliance on other auditors in the context of a
group engagement partner and a component auditor. However, you should recognise that these principles
apply equally to other situations where an auditor who has been assigned a responsibility, relies on the
work of another auditor to assist in meeting that responsibility.
The principle here is simple. If an auditor relies upon other auditors, he is entitled to assess the other
auditors and their performance to the extent he considers necessary, much in the same manner that the
auditor would assess his audit team. The other auditors are simply an extension of the audit team. The
auditor is not entitled to assume that the other auditor has the necessary technical ability and competence, or
fulfils the necessary professional requirements.

16.2.2 Responsibilities of the group engagement partner with regard to the component
auditor
16.2.2.1 Overall responsibility
The group engagement partner is responsible for the direction, supervision and performance of the group
audit engagement in compliance with the auditing standards and any legal/regulatory requirements. It is
the responsibility of the group engagement partner to obtain sufficient appropriate evidence on which to
base his opinion.

16.2.2.2 Overall audit strategy and audit plan


Determining the overall audit strategy and developing the audit plan for the group audit is the respon-
sibility of the group audit engagement team and the group audit engagement partner. Frequently, in group
audit situations, the audit strategy will include reliance on component auditors and the audit plan will need
to accommodate this.
Where the use of a component auditor is included in the audit strategy, the engagement partner (team)
must obtain an understanding of:
• whether the component auditor understands and will comply with the ethical requirements of the group
audit, for example independence, confidentiality
• the component auditor’s professional competence, for example has the necessary skills, knowledge and
experience
• whether the group engagement team will be able to be involved in the work of the component auditor,
and
• whether the component auditor operates in an environment where auditors are actively regulated (note:
the component auditor may be from another country).
This understanding may be acquired by:
• discussion with the component auditor
• requesting written submissions from the component auditor relating to the matters listed above
• requesting the component auditor to complete questionnaires designed to obtain this information
• discussing the component auditor with colleagues or a reputable and knowledgeable third party, and
• obtaining information from the component auditor’s professional body.
16/4 Auditing Notes for South African Students

16.2.2.3 Risk assessment procedures and response


Where the component auditor performs an audit on a significant component (a component that is of indi-
vidual financial significance to the group, or is likely to include significant risks of material misstatement),
the group audit partner (team) must be involved in the component auditor’s risk assessment procedures.
This will include as a minimum:
• discussing with the component auditor the susceptibility of the component’s financial information to
material misstatement due to fraud or error, and
• reviewing the component auditor’s documentation of identified risks of material misstatement.
Where significant risks of material misstatement of the group financial statements have been identified in a
component on which the component auditor performs the work, the group engagement partner (team) shall
evaluate the appropriateness of the further audit procedures to be performed to respond to the risks.

16.2.2.4 Communication with the component auditor


The group engagement partner (team) must convey its requirements to the component auditor on a timely
basis. The communication must set out:
• the work to be performed, the use to be made of that work and the form and content of the component
auditor’s communication with the engagement team
• a request that the component auditor confirms that the component auditor will co-operate with the
group engagement team
• the ethical requirements relevant to the group audit, particularly independence
• component materiality and the threshold above which misstatements cannot be regarded as clearly
trivial to the group financial statements
• identified significant risks of material misstatement due to fraud or error which are relevant to the
component auditor, and
• a list of related parties, and a request to the component auditor to communicate knowledge of any
related parties not on the list.

16.2.2.5 Communication by the component auditor


Regarding communication by the component auditor with the group engagement team, the engagement
partner (team) should request the component auditor to communicate the following (in writing):
• whether the component auditor has complied with the ethical requirements including independence and
professional competence
• whether the component auditor has complied with the group engagement team’s requirements in
respect of the work to be performed
• identification of the financial information on which the component auditor is reporting
• information on instances of non-compliance with laws and regulations that could give rise to material
misstatement of the group financial statements
• a list of uncorrected misstatements (excluding those below the “trivial” threshold)
• any indication of (component) management bias at the component entity
• a description of significant internal control deficiencies at a component level
• significant matters identified, for example, suspected fraud at the component
• any other matters to which the component auditor wishes to draw the attention of the group engage-
ment partner, and
• the component auditor’s overall findings, conclusions or opinion.

16.2.2.6 Evaluating the sufficiency and appropriateness of audit evidence obtained


The group engagement partner (team) must evaluate the component auditor’s communication and the
adequacy of his work:
• conventional “evaluation of work papers” techniques will be used, for example, review, discussion,
checking for consistency, analytical procedures
Chapter 16: Reliance on other parties 16/5

• any significant matters arising from the evaluation of the component auditor’s communication will be
discussed with the component auditor, and
• if the group engagement team concludes that the component auditor's work is insufficient, the team
must determine what further work must be done and who will do it.

16.2.2.7 Communication with those charged with governance


The group engagement partner (team) must communicate with those charged with governance of the
group, any important matters relating to the component auditor’s work, for example:
• an overview of the type of work to be performed on the financial information of the component
• an overview of the nature of the group engagement team’s planned involvement in the work to be per-
formed by the component auditors on the financial information of significant components
• instances where the group engagement team’s evaluation of the component auditor’s work gave rise to
concern relating to the quality of the work (and responses to that concern)
• instances where access to component information may have been restricted, and
• fraud or suspected fraud at the component.

16.2.3 Reporting considerations


Where an auditor has relied on the work of another auditor when forming his opinion, no mention of this
fact will be made in the audit report. The responsibility for giving the opinion rests with the auditor and
making reference to the fact that the auditor has relied on other auditors may give the impression to users
of the report that the auditor is attempting to shift responsibility to the other auditor.

16.3 ISA 610 (revised) – Using the work of internal auditors with reference
to the King IV Report
16.3.1 Introduction
The practice of internal auditing has been around for many years, but its scope, nature, form and import-
ance have evolved considerably. Before this evolution, internal audit departments were frequently under-
staffed, ill-equipped and more of a “general assistance” department to be called upon for help when the
accounting department was short-staffed or very busy. However, modern-day internal audit is a different
story. In most large companies, internal audit is respected and effective. Internal auditors are well qualified
(many are chartered accountants with extensive external audit experience), well-supported resource-wise,
and regulated by their own professional body, the Institute of Internal Auditors.
It is perhaps true to say that the focus on improving corporate governance drove the evolution of the
internal audit. As part of a large company’s overall assurance model, internal audit, along with external
audit (and other external regulatory inputs), is ideally placed to make a significant contribution to sound
corporate governance. This idea has been recognised in the King IV Report on corporate governance and
calls for company boards to ensure an effective internal audit function.
ISA 610 (revised 2013) – Using the work of internal auditors, deals with the external auditor’s
responsibilities when using the work of internal auditors, including using the work of internal auditors in
obtaining audit evidence, and using internal auditors to provide direct assistance under the direction, super-
vision and review of the external auditor.
For example:
• Limbo Ltd has an effective internal audit department. The company has recently purchased a new
inventory system and the internal auditors have compiled a report on their findings regarding the
controls over the implementation of the new system. Arendse Inc (Limbo Ltd’s external auditors) is
considering placing reliance on the report compiled by the internal auditors of Limbo Ltd.
• Arendse Inc also contemplates using Limbo Ltd’s internal audit department to assist with assessing the
controls over inventory counts.
The first example above relates to the external auditor using the work of the internal auditors, while the
second is an example of the internal auditors providing the external auditor with direct assistance.
Note that the ISA does not require the external auditor to use an internal audit in any way. The external
auditor will make this decision when establishing the overall audit strategy and audit plan, and it will be
based on whether it would be efficient and effective. Of course, the independence and competence of the
16/6 Auditing Notes for South African Students

internal audit department would also be very important in making the decision, and ISA 610 requires that
the internal audit function be carefully evaluated.

16.3.2 Definition of the Internal Audit Function – ISA 610


The objectives and scope of internal audit functions typically include assurance and consulting activities
designed to evaluate and improve the entity’s governance processes, risk management and internal control.
• Governance. The internal audit function may assess the governance process regarding whether objectives
relating to ethics, performance, management and accountability, communication with stakeholders,
etc., are being met.
• Risk management. The internal audit function may assist by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management (response) and internal
control. Internal audit assists in the detection of fraud.
• Internal control. The internal audit function may be assigned to review controls, evaluate their operation
and recommend improvements. It may also examine financial and operating information, including
detailed testing of transactions, balances and procedures.
In addition, internal audit may be assigned to review the economy, efficiency and effectiveness of operating
activities, including non-financial activities. It may also be assigned to review compliance with laws,
regulations and management policies and directives.

16.3.3 External auditor’s objectives


The objectives of the external auditor are to determine whether:
• the work of the internal audit function and/or
• direct assistance from internal auditors, can be used, and in which areas and to what extent.
Note: “Using the work of the internal audit function” means using work that has been carried out by the
internal audit department under its own direction, for example, the external auditor may use a report
on a risk assessment conducted and compiled by external audit. “Direct assistance” from internal
auditors means using internal auditors to perform audit procedures under the direction, supervision
and review of the external auditor.

16.3.4 External auditor’s responsibility


It is important to remember that the sole responsibility for the audit opinion remains with the external
auditor. Neither using the internal audit function’s work, nor direct assistance from internal auditors,
reduces the external auditor’s responsibility for the audit opinion.

16.3.5 Evaluating the internal audit function


The first step in deciding on whether the work of the internal audit function can be used will be for the
external auditor to evaluate the internal audit function itself in respect of the objectivity and competence of
the internal auditors and whether the internal audit function applies a systematic and disciplined approach,
including quality control, to its work.

16.3.5.1 Objectivity of the internal auditors


Primarily the objectivity (the extent to which the internal auditors can act independently) will be deter-
mined by the following factors:
• the status of the internal audit function, i.e. is the department accorded a status or level of importance,
authority and accountability that enables it and its members to be objective. In other words, does its
status support the function’s ability to be free from bias, conflict of interest or undue influence to
override professional judgements
• whether the internal audit function reports directly to those charged with governance, for example, the
audit committee, and not to a functional manager such as the chief accountant
• whether the internal audit function is free of conflicting responsibilities, for example, members of the
department are not drawn into “everyday accounting responsibilities and procedures”
• whether there are restrictions placed on the function by management, for example, denial of access to
certain information, prohibiting communication with external audit
Chapter 16: Reliance on other parties 16/7

• whether those charged with governance (not management) oversee employment decisions relating to
the internal auditors, for example, appointment, dismissal, remuneration, and
• whether the internal auditors are members of a professional body which requires its members to adhere
to the principle of objectivity.

16.3.5.2 Competence of the internal auditors


Competence of the internal audit function refers to the attainment and maintenance of knowledge and
skills of the function as a whole to enable assignments to be performed diligently and following applicable
professional standards. The external auditor’s determination of the internal auditor’s competence will be
influenced by whether the internal auditors:
• have adequate training and proficiency in auditing
• have the required knowledge relating to financial reporting and the necessary industry-specific know-
ledge to perform work related to the entity’s financial statements
• possess a relevant professional qualification
• are members of a professional body which requires that they comply with professional standards,
including continuing professional development requirements
• are supported by adequate and appropriate resources necessary to perform their function, and
• are subject to sound policies concerning hiring, training and assignment to internal audit engagements.
Note (a): Objectivity and competence must be viewed collectively and high levels of both are required. For
example, internal auditors who are highly competent but cannot be objective are not of much use to the
external auditor!

16.3.5.3 A systematic and disciplined approach, including quality control


The external auditor must determine whether the internal audit function applies a systematic and disci-
plined approach to planning, performing, supervising, reviewing and documenting its activities. Factors
that may affect the external auditor’s evaluation include:
• the existence and use of documented internal audit procedures or guidance covering such areas as risk
assessment, work programmes, documentation and reporting, and
• whether the internal audit function has appropriate quality control procedures and policies related to
leadership responsibilities within the function, ethical requirements, assignment performance, super-
vision and review, etc.
Note (b): Concerning the objectivity, competence and discipline of internal audit, the King III and IV
Reports make the following recommendations/observations:
• the internal audit function should adhere to the Institute of Internal Auditors’ Standards for the Profes-
sional Practice of Internal Auditing and Code of Ethics
• the internal audit function should be independent of management. The board and management should
defend and promote the independence of internal audit
• the head of internal audit should be designated as the Chief Audit Executive (CAE) or similar, to
convey his status in the company
• the CAE should report functionally to the audit committee
• the CAE should have a standing invitation to all executive (or similar) committee meetings and should
be given direct access to the chairman of the company
• the audit committee should ensure that the internal audit function is appropriately resourced and
funded
• only properly qualified and experienced staff with high ethical standards should be appointed to internal
audit
• the internal audit function should be seen as an integral part of the entity’s combined assurance frame-
work, and
• the CAE will set the tone of the internal audit function and should have (at least) the following
attributes:
– strong leadership
– respect for his competence and ethical standards, and
– good communication skills.
16/8 Auditing Notes for South African Students

16.3.6 Determining the nature and extent of work of the internal audit function
that can be used
There is no magic formula that tells the external auditor exactly which work of the internal audit function
can be relied upon and to what extent the work can be used. It is a matter of professional judgement which
will be influenced by the following “principles”:
• The external auditor must make all significant judgements in the audit engagement and therefore should
perform more work directly (i.e. performed by the audit team) rather than using the internal auditor's
work. Significant judgements include:
– assessing the risks of material misstatements
– evaluating the sufficiency of tests performed
– evaluating significant accounting estimates, and
– planning and performing relevant audit procedures.
Certainly the external auditor will consider information from, or work carried out by, the internal auditors
pertaining to risk assessment, but will not rely greatly on this as a primary source of evidence. The external
auditor must plan and perform an appropriate range of his/her own risk assessment procedures (one of
which may be to review any internal audit risk assessment reports):
• the higher the assessed risk of material misstatement at assertion level, the greater the extent of work
done directly by the external auditor
• the lower the objectivity and competence of the internal audit function, the greater the extent of work
done directly by the external auditor. Exactly the same principle will apply where a risk of material
misstatement is identified as a significant risk, and
• the external auditor must be satisfied that he has been sufficiently involved in the audit, particularly the
gathering of sufficient appropriate evidence, to fulfil his sole responsibility for expressing the audit
opinion.
Note: Examples of work of the internal audit function that the external auditor can use include:
• testing of the operating effectiveness of controls
• substantive procedures involving limited judgement
• observations of inventory counts
• physical verification of the existence of plant and equipment, and
• testing compliance with regulatory requirements.

16.3.7 Using the work of the internal audit function


16.3.7.1 Discussion and co-ordination with the internal audit function
The external auditor should discuss the planned use of the internal audit function’s work with the internal
auditors. This improves the efficiency of the audit and enables both parties to coordinate their activities. If
the work to be used has yet to be performed, matters to be discussed may include the nature, timing and
extent of the audit procedures to be performed, any materiality considerations, methods of selecting items
for testing, documentation to be produced, etc. If the work to be used has already been performed, the
external auditor will need to plan the procedures he intends to conduct on the reports/documentation
produced by the internal audit.

16.3.7.2 Procedures to determine the adequacy of the work of internal audit


When the external auditor intends to use work conducted by internal audit, the external auditor should
evaluate and perform audit procedures on that work to confirm its adequacy for the external auditor’s
purposes.
• The evaluation of work done by internal audit involves considering the adequacy of the scope of work
conducted, and whether or not the evaluation of internal audit (see 16.3.5 above) remains appropriate.
This evaluation may include consideration of whether or not:
– the work has been performed by internal auditors who have adequate competence as internal audit-
ors and the work was properly planned, performed, supervised, reviewed and documented, (similar
to the external audit team evaluation)
Chapter 16: Reliance on other parties 16/9

– sufficient, appropriate audit evidence has been obtained to be able to draw reasonable conclusions
– conclusions reached are appropriate in the circumstances and any reports prepared are consistent
with the results of the work performed, and
– any exceptions or unusual matters disclosed by internal audit, are properly resolved.
• The nature, timing and extent of the audit procedures to be performed on the work of internal audit,
will depend on the external auditor's judgement as to the risk of material misstatement and materiality
of the area concerned, as well as the evaluation of internal audit. Such procedures may include
examining items already examined by the internal audit, examining other similar items, and observing
internal audit procedures.
• Evaluation of internal audit work would take place in a similar manner to the evaluation of the external
audit team's performance, for example, discussion with/enquiries of the personnel involved, review of
working papers or completion of questionnaires.
• The external auditor should record conclusions regarding the internal audit work that has been
evaluated and tested in a work paper to be kept in the audit file.

16.3.8 Determining whether, in which areas and to what extent, internal auditors
can be used to provide direct assistance
Perhaps the primary distinction between the work of the internal audit function and the internal audit
function providing direct assistance is the level of objectivity (independence) that the internal audit function
has. Of course, the competence of the internal auditors is important, but in the evaluation of the internal
audit function (see point 16.3.5 above), a little extra attention will be paid to the objectivity of the internal
auditor. The external auditor will consider carefully:
• the extent to which the internal audit function’s organisational status and relevant policies and proced-
ures support the objectivity of the internal auditors (see point 16.3.5)
• whether the internal auditor has any family or personal relationships with an individual working in, or
responsible for, any aspect of the entity to which the (audit) work relates, for example, the external
auditor would not obtain direct assistance from an internal auditor on work relating to accounts receiv-
able if the internal auditor’s spouse was the credit controller
• whether the internal auditor has any other association with the division or department to which the
(audit) work relates, and
• whether the internal auditor has any financial interest in the entity other than remuneration on terms
consistent with other employees at a similar level of seniority.
Note: The external auditor must be satisfied that the internal auditor can perform the proposed work with-
out allowing bias, conflict of interest or undue influence of others to override professional judge-
ments. It should be fairly obvious that the external auditor may not use internal audit to provide
direct assistance if there are significant threats to the internal auditor’s objectivity or if the internal
auditor lacks the required level of competence.
As indicated in point 16.3.6 above, there is no magic formula for the external auditor to decide on the
nature and extent of the work that can be assigned to internal auditors providing direct assistance. The
following “principles” will be applied by the external auditor in making the decision:
• the internal auditor must have the necessary competence to carry out the procedures properly and with
an appropriate level of objectivity
• the external auditor must not use internal auditors to provide direct assistance to perform procedures
that:
– involve making a significant judgement
– relate to situations where there is a high risk of material misstatement
– relate to work with which the internal auditors have been involved (i.e. internal auditors cannot audit
their own work), and
– relate to fraud risk (external auditors may make inquiries of internal auditors as a risk assessment
procedure, but would not use internal audit to provide direct assistance when following up on a fraud
risk)
• the extent of involvement (direct assistance) by internal auditors in the external audit, must not create
the perception that the external audit lacks independence, and
16/10 Auditing Notes for South African Students

• where there is an audit committee, the external auditor should communicate to the committee the
nature and extent of the planned use of internal auditors to provide direct assistance. This is so that a
“mutual understanding” that the use is not excessive can be reached.

16.3.9 Using internal auditors to provide direct assistance


Bearing in mind that the internal auditors are employed by the client and not the external auditor, the
external auditor should, before using the internal auditors for direct assistance:
• obtain written agreement from the client (CAE and/or audit committee) that the internal auditors will
be allowed to follow the external auditor’s instructions, and that the client will not intervene in the work
the internal auditor performs for the external auditor
• obtain written agreement from the internal auditors, that they will:
– maintain confidentiality, and
– inform the external auditor of any threats to their objectivity.
The external auditor must plan, direct, supervise and review the work performed by the internal auditors:
• the nature, timing and extent of planning, directing, etc must take into account that the internal auditors
are not independent of the client. Thus these procedures are likely to be:
– more extensive, and
– must include some checking back to underlying evidence by the external auditor, and
• during these activities (directing, supervising etc), the external auditor must be alert to any indications
that the evaluation of the internal control function previously conducted (objectivity, competence,
disciplined approach), is still appropriate.

16.3.10 Documentation
If the external auditor uses the work of the internal audit function, the following must be included in the
audit documentation:
• the evaluation of whether the function’s organisational status and relevant policies and procedures
adequately support the objectivity of the internal auditors
• the evaluation of the level of competence of the function
• the evaluation of whether the function applies a systematic and disciplined approach including quality
control
• the nature and extent of the work used and the basis for that decision, and
• the audit procedures performed by the external auditor to evaluate the adequacy of the work used.
If the external auditor uses internal auditors to provide direct assistance, the following must be included in
the audit documentation:
• the evaluation of threats to the objectivity of the internal auditors and the level of competence of the
internal auditors used in the direct assistance
• the basis for the decision regarding the nature and extent of the work performed by the internal auditors
• who reviewed the work and the date and extent of that review
• the written agreements obtained from the client (CAE or audit committee) and the internal auditors
(confidentiality and threats to objectivity), and
• the working papers prepared by the internal auditors who provided direct assistance.

16.4 ISA 620 – Using the work of an auditor’s expert


16.4.1 Introduction
There are many instances where an auditor may find that he does not have the expertise required to obtain
sufficient appropriate evidence of some aspect of the financial statements on which he is expressing an
opinion. Such situations may include:
• the valuation of complex financial instruments, land and buildings, plant and machinery, jewellery,
works of art, intangible assets, etc.
• actuarial calculations of liabilities relating to employee benefit plans
Chapter 16: Reliance on other parties 16/11

• estimation of mineral resources


• the valuation of environmental liabilities
• interpretation of contracts/laws, or
• tax compliance issues.
If such situations arise, the auditor will usually be obliged to engage an expert to assist in obtaining the
evidence he requires, for example, a geologist (estimation of mineral reserves); an attorney (interpretation
of a contract), or an actuarial scientist (used to provide pension fund information).

16.4.2 Definition of an auditor’s expert


“Auditor’s expert” means an individual or organisation possessing expertise (skills, knowledge and
experience) in a particular field other than accounting and auditing, whose work in that field is used by the
auditor to assist the auditor in obtaining sufficient appropriate evidence. An auditor’s expert may be an
auditor’s internal expert, for example, a partner or staff member in the auditor’s firm, an auditor’s external
expert, or an independent geologist or attorney.
An auditor’s expert must also be distinguished from a management’s expert who is defined as an
individual or organisation possessing expertise in a field other than accounting or auditing, whose work in
that field is used by the client entity to assist the entity in preparing the financial statements, for example,
the client engages a property valuer to provide a fair value for the company’s property.

16.4.3 Determining the need for an auditor’s expert


The decision to use an auditor’s expert will hinge on whether the auditor decides that it is not possible to
obtain sufficient appropriate evidence without using the work of an expert.
An auditor’s expert may be needed to assist the auditor in one or more of the following:
• obtaining an understanding of the entity and its environment
• identifying and assessing the risks of material misstatement
• determining and implementing overall responses to assessed risks at financial statement level
• designing and performing further audit procedures to respond to assessed risks at the assertion level
(further audit procedures), and
• evaluating the sufficiency and appropriateness of audit evidence.

16.4.4 Determining the need to use an auditor’s expert when management has used
a management’s expert in the preparation of the financial statements
Where management has used a management’s expert, the auditor will need to determine whether he will
need to engage an auditor’s exert (to assist in obtaining sufficient appropriate evidence) or whether he can
rely on the work of the management’s expert or example, BeeBop Ltd has a large portfolio of properties
and management have engaged a property valuer to value the properties for financial year end reporting
purposes. Bearing in mind that the valuer is not independent of the client, the external auditor will need to
decide whether he can use the work of management’s expert or engage his own expert to provide evidence
of the valuation of the client’s property portfolio. This decision will be based on such factors as:
• the nature, scope and objectives of the management’s expert’s work, and how these align with the
requirements of the external auditor
• the extent to which management was able to control or influence the work of the management’s expert
(independence)
• the management’s expert’s competence and capabilities
• whether the management’s expert is subject to technical performance standards or other professional or
industry requirements, and
• any controls within the entity over the management’s expert’s work.
Note: A management’s expert could be an employee of the client or be engaged by the client. Where the
management’s expert is an employee, the expert's objectivity will be an even more important issue
for the external auditor and a strong encouragement to engage his own expert.
16/12 Auditing Notes for South African Students

16.4.5 Nature, timing and extent of audit procedures


The nature, timing and extent of procedures that the auditor must carry out in respect of the matters dealt
with in 16.4.5.1 to 16.4.5.3 below will vary depending on the circumstances of the audit. In determining
the nature, timing and extent of procedures, the auditor will consider:
• the nature (complexity and subjectivity) of the matter to which the expert’s work relates, for example, a
difficult valuation of manufactured chemicals
• the risks of material misstatement in the matter to which the expert’s work relates, for example, high
risk of overstatement of inventory due to the inadequate allowance for chemical impairment
• the significance of the expert’s work in the context of the audit, for example, company holds significant
quantities of inventory, the valuation of which is fundamental to fair presentation, and
• whether the expert is subject to the auditor’s firm’s quality control policies and procedures, for example,
if the auditor’s expert is an external expert, he is not a member of the engagement team. He therefore
will not necessarily be subject to the quality control procedures adopted by the audit firm.

16.4.5.1 The competence, capabilities and objectivity of the auditor’s expert


To be in a position to contemplate relying on the work of an auditor’s expert, the auditor must be satisfied
with the competence, capabilities and objectivity of the auditor’s expert. This may be judged by:
• having personal experience of the expert’s “expertise”
• discussions with the expert
• discussions with other auditors who have experience of the expert
• obtaining knowledge of that expert’s qualifications, membership of a professional body or industry
association, licence to practice, etc.
• knowledge of published papers or books by the expert
• whether the expert is subject to technical performance requirements such as ethical standards and other
membership requirements of a professional body, accreditation standard or industry association
• the recognition that the expert is afforded by his peers and/or in the industry, and
• discussion with the expert as to his objectivity and independence concerning the client, for example,
financial interests in the client company or relationships with (relevant) client personnel (the auditor
needs to establish whether there are any self-interest threats, advocacy threats, familiarity threats, self-
review threats or intimidation threats, and, if so, whether there are adequate safeguards in place).

16.4.5.2 Obtaining an understanding of the field of expertise of the auditor’s expert


The auditor is required to obtain a sufficient understanding of the expert’s expertise to be in a position to:
• determine the nature, scope and objectives of the expert’s work, and
• evaluate the adequacy of the expert’s work for the auditor’s purposes.
The auditor may already possess sufficient understanding from previous experience with the expert or
similar situations. Suppose the auditor needs to acquire the knowledge. In that case, it can be obtained
from such activities as discussion with the expert, attending relevant professional development courses, the
internet and other searches of relevant databases, and discussion with other experienced auditors.

16.4.5.3 Agreement with the auditor’s expert


The auditor must agree, generally in writing, on the following matters with the auditor’s expert. Where the
auditor’s expert is an external expert, the agreement may be in the form of an engagement letter:
• Nature, scope and objectives
– the nature and scope of the procedures to be performed by the auditor’s expert
– the objectives of the auditor’s expert’s work in the context of materiality and risk considerations
– any relevant technical performance standards or other professional or industry requirements the
expert will be following, for example, a specific valuation model
– the assumptions and methods the expert will use, and
– the effective date of the subject matter of the expert’s work, for example, financial year and inventory
valuation.
Chapter 16: Reliance on other parties 16/13

• The respective roles and responsibilities of the auditor and the auditor’s expert
– relevant auditing and accounting standards and relevant regulatory or legal requirements which must
be complied with
– the auditor’s expert’s consent to the auditor’s intended use of the expert’s report, including any
reference to it or disclosure of the report
– the nature and extent of the auditor’s review/evaluation procedures
– whether the auditor will test source data
– the expert’s access to the client’s records and personnel
– procedures for communication between auditor and expert
– access to each party’s working papers
– ownership and control of work papers about the expert’s work
– the responsibility of the expert to perform the work with due skill and care
– agreement on the expert’s competence and capability to perform the work
– any agreement for the auditor to inform the expert of the auditor’s conclusions on the expert’s work,
and
– the need for the expert to observe all confidentiality requirements.
• Communication and reporting
– methods (written, oral) and frequency of communication (e.g. progress reports) and identification of
the individual on the engagement team to whom the expert will report
– deadline dates
– the expert’s responsibility to communicate promptly on:
o potential delays
o potential reservations/limitations on the expert’s findings
o any restrictions imposed by the client on the expert, and
o any circumstances that may create threats to the expert’s objectivity.

16.4.6 Reference to the auditor’s expert in the auditor’s report


Where a standard audit report is given, no mention of the expert is necessary, and no mention should be
made. (Note: The use of an auditor’s expert does not in any way reduce the responsibility of the auditor.)
Suppose the auditor refers to the work of an auditor’s expert in the auditor’s report because such
reference is relevant to understanding a modification to the auditor’s opinion. In that case, the auditor must
indicate in the report that such reference does not reduce the auditor’s responsibility for that opinion.
CHAPTER

17
Sundry topics

CONTENTS
Page
17.1 Initial audit engagements – Opening balances – ISA 510 .................................................. 17/3
17.1.1 Introduction ......................................................................................................... 17/3
17.1.2 Auditor’s objective ................................................................................................ 17/3
17.1.3 Procedures to be adopted ...................................................................................... 17/3
17.1.4 Reporting considerations ....................................................................................... 17/3

17.2 Subsequent events – ISA 560 ........................................................................................... 17/4


17.2.1 Introduction ......................................................................................................... 17/4
17.2.2 Applicable statements ........................................................................................... 17/4
17.2.3 Definitions ........................................................................................................... 17/4
17.2.4 Types of subsequent event ..................................................................................... 17/5
17.2.5 Events occurring between the date of the financial statements and the date
of the auditor’s report ............................................................................................ 17/6
17.2.6 Facts that become known to the auditor after the date of the auditor’s report
but before the date the financial statements are issued............................................. 17/7
17.2.7 Facts that become known to the auditor after the financial statements
have been issued ................................................................................................... 17/8
17.2.8 The decision on whether amendments are necessary .............................................. 17/8
17.2.9 Action to prevent further reliance on the audit report ............................................. 17/9

17.3 Related parties – ISA 550 ................................................................................................. 17/11


17.3.1 Introduction ......................................................................................................... 17/11
17.3.2 Auditor’s concern about related party transactions ................................................. 17/11
17.3.3 Definitions ........................................................................................................... 17/11
17.3.4 Requirements ....................................................................................................... 17/12

17.4 Audit documentation – ISA 230 ....................................................................................... 17/13


17.4.1 Compliance with standards ................................................................................... 17/13
17.4.2 General points and basic requirements ................................................................... 17/15

17.5 Specific types of audit evidence ....................................................................................... 17/15


17.5.1 External confirmations – ISA 505 .......................................................................... 17/15
17.5.2 Enquiries regarding litigation and claims – SAAPS 4.............................................. 17/16
17.5.3 External confirmations from financial institutions – SAAPS 6 ................................ 17/18
17.5.4 Written representations – ISA 580 ......................................................................... 17/20
17.5.5 Analytical procedures – ISA 520............................................................................ 17/22

17/1
17/2 Auditing Notes for South African Students

Page
17.6 Audit considerations relating to an entity using a service organisation – ISA 402 ............. 17/23
17.6.1 Introduction ......................................................................................................... 17/23
17.6.2 Understanding of the audit client and its environment ............................................ 17/24
17.6.3 Reports from the auditor (service auditor) of a service organisation on its
internal controls (Type 1 or Type 2) ....................................................................... 17/24
17.6.4 User auditor’s responsibility .................................................................................. 17/24
Chapter 17: Sundry topics 17/3

17.1 Initial audit engagements – Opening balances – ISA 510


17.1.1 Introduction
ISA 510 establishes standards and guides opening balances where:
• financial statements for the prior period were not audited, or
• where the financial statements for the prior period were audited by a predecessor auditor (i.e, a new
audit engagement).

17.1.2 Auditor’s objective


To obtain sufficient, appropriate evidence that:
• the opening balances do not contain misstatements that materially affect the current period's financial
statements, and
• appropriate accounting policies reflected in the opening balances have been consistently applied in the
current period’s financial statements, or changes in accounting policies have been properly accounted
for and adequately presented and disclosed.

17.1.3 Procedures to be adopted


ISA 510 presents a very general approach to the audit procedures necessary concerning opening balances.
The previous year’s audit was conducted by a predecessor auditor. The current auditor will generally have
access to prior year work papers and the predecessor auditor to refer to, providing sufficient, appropriate
evidence about the opening balances. Where the prior period was not audited, a “mini-audit” must in effect
be conducted to obtain the necessary evidence about the opening balances for the current period.
The procedures to be adopted may vary for each situation, although the objectives remain the same. Be-
low is a list of audit procedures that the auditors should consider:
• Consider significance of each opening balance
• Obtain an understanding of accounting policies adopted and test for correct application and consistency
• Agree prior year closing balances through to current year opening balances
• Conduct common audit procedures on specific opening balances until reasonable assurance is obtained,
for example:
– test subsequent receipt of payments made by debtors
– test subsequent payments made to creditors
– conduct analytical procedures, and
– carry out a physical inspection, for example, an inventory count and “roll back” procedures.
• Review predecessors audit work papers (NB Professional Conduct)
• Consider the professional competence and independence of the predecessor auditor, and
• If not satisfied, revert to the “prior period not audited” procedures.

17.1.4 Reporting considerations


It is possible that the auditor is not satisfied with the opening balances and may believe that the current
year's audit report on the financial statements should be modified. The report can be modified based upon:
• The inability to obtain sufficient appropriate evidence relating to an opening balance.
Example 1: The auditors were appointed halfway through the current financial year and not having
observed the physical counting of inventory at the end of the prior year, were unable to obtain sufficient
evidence regarding the opening balance of inventory. If the possible effects of this were considered to be
material but not pervasive, a qualified opinion “except for” would be appropriate. If the possible effects
of this were considered material and pervasive, the auditor would issue a disclaimer of opinion. (Note:
The qualification/ disclaimer would relate to the statements of comprehensive income and cash flows,
but not to the statement of financial position.)
17/4 Auditing Notes for South African Students

• Disagreement with an opening balance (see para 12 ISA 510)


Example 2: The auditors were appointed halfway through the current financial year. The financial
statements had not been previously audited. The auditor is satisfied that the accounting policies applic-
able to certain opening balances had been incorrectly applied. The directors are not prepared to make
adjustments. If the effect of the misstatements is material but not pervasive, a qualified opinion “except
for” would be appropriate. If this effect was material and pervasive, an adverse opinion would be issued
(probably an unlikely situation!).
If the above situations arise, the normal rules for modifying audit reports must be followed. See chapter 18
and refer to ISA 700 (revised) and ISA 710.

17.2 Subsequent events – ISA 560


17.2.1 Introduction
Although the auditor reports on the financial statements as at the financial year-end, audit evidence is not
simply gathered up to that date and no further. When evaluating and concluding, the auditor is obliged to
consider whether all material events occurring after the date of the financial statements and up to the date
of the auditor’s report, which may indicate the need for adjustment to, or disclosure in, the financial infor-
mation on which the opinion is being issued, have been identified. ISA 560 – Subsequent Events takes this
a step further by identifying not only the auditor’s duty concerning events occurring between the date of the
financial statements and the date of the auditor’s report, but also a duty should certain situations arise after
the date of the auditor’s report. (Note: The date of the auditor’s report is the date on which the auditor
signs the report.)

17.2.2 Applicable statements


There are two applicable statements; IAS 10 – Events after the Reporting Period, which defines and deals
with the treatment of events after the reporting period, and ISA 560 – Subsequent Events, which covers the
procedures to be adopted by the auditor concerning events occurring after the date of the financial state-
ments.
Note: ISA 720 (revised) which deals with other information, i.e. financial and non-financial information
other than the annual financial statements, is also relevant. The implications of other information
which the auditor obtains after the date of the auditor’s report must be considered. See chapter 18.

17.2.3 Definitions
• Date of the financial statements – the date of the end of the latest period covered by the financial state-
ments, normally the financial year-end date, for example, 30 June 0001.
• Date of approval of the financial statements – the date those with the recognised authority (normally the
directors) assert that they have taken responsibility for the financial statements. (This is usually the date
on which the directors sign the financial statements).
• Date of the auditor’s report – the date the auditor selects to date the audit report on the financial state-
ments. This date can only be when the auditor has obtained sufficient, appropriate evidence, including
evidence that a complete set of financial statements have been prepared. This date cannot be before the
directors have asserted that they have taken responsibility for the financial statements.
• Date that the financial statements are issued – the date the auditor’s report and audited financial state-
ments are made available to third parties.
• Subsequent events
– events occurring between the date of the financial statements and the date of the auditor’s report, and
– facts that become known to the auditor after the date of the auditor’s report.
Note (a): IAS 10 – Events after the Reporting Period, defines events after the reporting period as those
events, both favourable and unfavourable, that occur between the end of the reporting period
and the date when the financial statements are authorised for issue.
Chapter 17: Sundry topics 17/5

Note (b): ISA 560 – Subsequent Events, deals with the period between the date of the financial statements
and the date of the auditor’s report and splits the period after the date of the auditor’s report into
two. The two time periods are:
(i) after the date of the auditor’s report but before the date the financial statements are issued,
and
(ii) after the financial statements have been issued to users.
The reason for this is that the auditor may react differently to facts that become known to him after the date
of the auditor’s report, depending on whether the financial statements have been issued or not.

Tip: When considering subsequent events (as part of your studies or in practice), it may be useful to
draw a timeline, setting out all the applicable dates discussed above.

17.2.4 Types of subsequent event


17.2.4.1 Adjusting events
Events requiring adjustment in the financial statements. Adjustment must be made where the subsequent
event provides evidence of conditions that existed at the end of the reporting period.
IAS 10 states that in respect of such events “an entity shall adjust the amounts recognised in its financial
statements to reflect adjusting events after the reporting period”.
For example:
During the financial year under review, MonkeyBars (Pty) Ltd was sued by the parents of a child who
fell from a piece of playground equipment installed by the company. Shortly after year-end, it was deter-
mined that the injury was indeed due to MonkeyBars (Pty) Ltd’s negligence and that the company would
have to pay an amount of R185 000 to cover the medical costs incurred by the parents of the injured child.

17.2.4.2 Non-adjusting events


These are events that are indicative of conditions that arose after the reporting period. If non-adjusting
events after the reporting period are material, non-disclosure could influence the economic decisions of
users taken based on the financial statements. Accordingly, the following should be disclosed:
• nature of the event
• estimate of the financial effect of the event, or
• a statement that such an estimate cannot be made, if this is the case.
Many companies, particularly listed companies, will include further information about matters which
might have arisen after the reporting period in the financial statements, simply to improve the quality of the
statements and not specifically to comply with international accounting standards. The auditor’s responsi-
bility to this information is to satisfy him/herself that it does not contain misstatements of fact and that it is
not misleading. (See chapter 18.)

17.2.4.3 Dividends
If a company declares a dividend after the reporting period, the entity shall not recognise those dividends as
a liability at the date of the financial statements (end of the reporting period).
Dividends are usually approved at the AGM by the shareholders and therefore at the reporting date, the
dividend payment is not a “present obligation”.

17.2.4.4 Going concern


If management determines after the reporting date, that either:
• it intends to liquidate the company or to cease trading, or
• they have no alternative but to do so, the financial statements may not be prepared on the going concern
basis.
The reasoning for this is that if the company is no longer a going concern, the effect is so pervasive that a
fundamental change in the basis of accounting is necessary.
17/6 Auditing Notes for South African Students

For example:
Blizzards Ltd presented its financial statements on the going concern basis at 28 February 0001, because
management had a reasonable expectation that the company would be awarded a large contract for which
they had tendered. Appropriate disclosures were made. However, in the post-reporting-date period, the
company was officially informed that it had not been awarded the contract. As such, the company is no
longer a going concern at reporting date, although this fact was only confirmed after reporting date.
Even though the event in the scenario above relates to a matter that occurred after year-end, the users of
the financial statements may make decisions based on the financial statements (if left as is), as they would
be unaware that the company is no longer a going concern.

17.2.5 Events occurring between the date of the financial statements and the date
of the auditor’s report
17.2.5.1 Duty of the auditor
Essentially the auditor has to do two things. Firstly, subsequent events must be identified, and secondly, the
treatment thereof in the financial statements must be audited to determine whether the treatment complies
with IAS 10.
In terms of ISA 560, the auditor shall request management and, where appropriate, those charged with
governance, to provide a written representation that all events occurring after the date of the financial
statements which require adjustment or disclosure have been adjusted for or disclosed.

17.2.5.2 Identification of subsequent events


The auditor should:
• gain an understanding of and review procedures adopted by management to identify subsequent events
• review minutes of meetings of directors, management, executive and audit committees held after the
date of the financial statements
• obtain an update from the client’s legal representative on outstanding legal matters
• review the company's latest financial information:
– cash flow forecasts
– budgets
– monthly management reports, and
– interim financial statements.
• scrutinise (inspect) the financial records for the post reporting date period
• scrutinise (inspect) prior year work papers to identify types of events that have occurred previously
• obtain a management representation in respect of subsequent events
• make specific enquiries of management about:
– the status of items accounted for on tentative/preliminary/inconclusive data, for example, bad debt
allowance
– new commitments/borrowings or guarantees
– planned sale/disposal/abandonment of assets
– realisation/recoverability of assets at less than financial statement values
– share issues, mergers, liquidations
– assets destroyed, impaired or appropriated
– developments in risk areas previously identified
– unusual accounting adjustments which have been made or are contemplated
– any event which may affect the appropriateness of accounting policies adopted at year-end, and
– going concern ability of the company.
These enquiries are intended to gather the “latest” information about audit matters.
Chapter 17: Sundry topics 17/7

17.2.5.3 Auditing the treatment of the subsequent events


The auditor should:
• determine whether the subsequent event is an adjusting or non-adjusting event. The key issue is whether
the event provides evidence of conditions that existed at reporting date; the client’s interpretation can-
not be relied upon without the auditor gathering sufficient appropriate evidence to support the client’s
interpretation
• evaluate the evidence supporting the subsequent event, for example, notification from the liquidator of
one of the company’s major debtors
• re-perform any casts or calculations which may be applicable to the event, for example, it may be
necessary to calculate an accrual for a decision based upon a legal judgment given after reporting date,
which requires the backdating of a new set of pay rates
• where an adjustment must be made, determine by inspection, whether the adjustment has been correct-
ly accounted for (i.e. the debits and credits are correct), and
• where disclosure is required, inspect the notes for compliance with IAS 10:
– nature
– estimate of financial effect, or
– a statement that such an estimate cannot be made, if this is the case.
Note: The “event” should be audited in terms of the assertions for “transactions and events” and/or
“presentation and disclosure”.

17.2.6 Facts that become known to the auditor after the date of the auditor’s report
but before the date the financial statements are issued
17.2.6.1 Duty of the auditor
There is no duty on the auditor to perform procedures to identify subsequent events after the date of the auditor’s
report, but, during this period if the auditor becomes aware of a fact which had it been known to the auditor
at the date of the auditor’s report, he should consider whether the fact will affect the financial statements
which have already been reported on, and if so whether the effect will (at least) be material. Essentially the
auditor must decide on whether the audit report needs amendment (i.e. modification in some form).
Note (a): ISA 720 (revised), which deals with the auditor’s responsibilities relating to other information,
contains guidance and requirements concerning other information obtained after the date of the
auditor’s report. This might include other information obtained after the date of the auditor’s re-
port, but before the date, the financial statements are issued. The point being made is that such
other information, although it is defined as information other than the financial statements, may
have consequences for the auditor and the audit report.

17.2.6.2 Potential difficulties


If the effect of the fact is (at least) material, potential difficulties arise:
• Firstly, a decision has to be taken by the directors on whether the financial statements should be amend-
ed. The auditor has already decided that the matter is (at least) material, which implies that users' deci-
sions could be influenced, so theoretically, the financial statements should be revised by adjustment or
disclosure, and if they are not, the audit report should be qualified.
• Secondly, the auditor’s report and financial statements are likely to be under the client's control (direc-
tors) as they have not yet been issued.
• Thirdly, how the auditor proceeds if the financial statements require amendment will depend upon
management’s willingness to amend the financial statements.

17.2.6.3 Management’s attitude


If management is willing to amend the financial statements, the auditor should:
• carry out the necessary audit procedures to confirm that the amendment (adjustment/disclosure) to the
financial statements is appropriate
• conduct further subsequent event procedures up to the date of the new auditor’s report date, and
• provide management with a new audit report on the amended financial statements, correctly dated.
17/8 Auditing Notes for South African Students

If management does not amend the financial statements, the auditor should:
• redraft the report expressing a qualified or adverse opinion.
Note: This is only possible if the auditor has not yet released the (original) report to the client, i.e. the
auditor still has control over its distribution.
If the client has the original report and intends to release it with the incorrect financial statements, the
auditor must inform the client that:
• the financial statements, including the audit report, should not be released, and
• that if they are, the auditor will take steps to prevent reliance on the audit report.

17.2.7 Facts that become known to the auditor after the financial statements
have been issued
17.2.7.1 Duty of the auditor
• After the financial statements have been issued, the auditor has no obligation to carry out any audit
procedures regarding these financial statements.
• However, if the auditor becomes aware of a fact which, had it been known at the date of the auditor’s
report, may have caused the auditor to amend the auditor’s report, the auditor should discuss with
management whether the financial statements need amendment (adjustment/disclosure) and if they do,
inquire how management intends to address the matter.
Note (b): Note (a) above is relevant to this situation as well.

17.2.7.2 Potential difficulties


• Firstly, the financial statements have (already) been issued to a potentially wide audience.
• Secondly, the directors may not be prepared to do anything about it.

17.2.7.3 Management’s attitude


• If management agrees to amend the financial statements, the auditor’s life will be much easier! The
auditor will:
– carry out procedures to ensure the amendment is appropriately implemented (adjustment/disclosure)
– conduct subsequent event procedures up to the date of the new auditor’s report
– issue a (new) revised audit report with an “emphasis of matter” or “other matter” paragraph which
refers to a note which explains the revision and reissue of the report, and
– review the steps taken by management to notify users that the original financial statements issued,
have been revised.
• If management will not agree to issue revised financial statements (i.e. make the necessary adjust-
ments/disclosures) or does not revise them adequately, or does not take proper steps to notify those
who receive the original (incorrect) financial statements, the auditor should:
– notify those charged with governance that the auditor will take action to prevent reliance on the
auditor’s report.

17.2.8 The decision on whether amendments are necessary


The auditor may experience some difficulty in deciding whether amendments to the financial statements
are absolutely necessary, particularly where the directors are unwilling to make amendments and the
financial statements have already been issued. In making this decision, the auditor will consider the follow-
ing:
• the reasons why the directors refuse to amend the financial statements (i.e. is there an intention to
deceive users?)
• the potential risk to which users may be exposed if they make decisions based on the original financial
statements
• the severity of the effect on the auditor’s report if the subsequent event or new fact is not dealt with, for
example, a material and pervasive qualification might be necessary
Chapter 17: Sundry topics 17/9

• the time elapsed since the audit report and subsequent management pronouncements. Audited financial
statements are “old news” very quickly and are unlikely to be used in decision making for very long af-
ter issue
• the imminence of issue of the next year’s audited financial statements. The matter could be dealt with
satisfactorily in these financial statements
• the practicality of communication with users; if, for example, the financial statements have not been
issued to users, a revised audit report could be attached to them. If, however, the financial statements
have been widely distributed, it will be far more difficult and possibly would not be cost-effective to reis-
sue the financial statements, and
• any legal advice that the auditor may have sought.
Note: The above considerations will be assessed cumulatively.

17.2.9 Action to prevent further reliance on the audit report


As can be seen from the diagram below, there are situations where the auditor needs to prevent reliance on
the audit report. The auditor can take the following measures to prevent reliance:
• make use of the auditor’s right to address the shareholders at any general meeting, Companies Act 2008
section 93. This is, of course, only possible if a general meeting is scheduled
• notify each person the audit firm knows has received the financial statements, such as shareholders or
the client's bank
• announce through the public media, for example, financial publications. This is probably only appro-
priate for large companies
• notify any regulatory agency which may have jurisdiction over the audit client, such as the JSE, and
• put into action the recommendantions of legal advisors who should be consulted before any action is
taken.
Confidentiality should be borne in mind when communicating with these individuals or entities (other than
under section 93 of the Companies Act). The notification should state that the audit report can no longer be
relied upon, and it is not appropriate to provide details of the matter in question. Any concerned user could
then contact the directors for an explanation.
See the appendix on the following page, which illustrates the amendment decision process.
17/10

original afs need


amendment

afs and afs and auditor’s report


auditor’s afs and
held by client
report held by auditor’s
(not yet issued) report issued
auditor

advise client not to issue

management management management management


management
management will amend will not amend agree to will notamend
will not
will amend before before issuing amend and and
amend
issuing afs afs re-issue afs re-issue afs

modify the take steps to take steps to


“audit” “audit” “audit”
report and prevent prevent
amendment amendment amendment
redate reliance reliance

re-perform re-perform re-perform


subsequent event subsequent event subsequent event
identification identification identification

issue new
issue new issue new report (date) include
report (date) report (date) emphasis of
matter (other matter)
Appendix – Responding to (original) financial statements which need amendment
Auditing Notes for South African Students
Chapter 17: Sundry topics 17/11

17.3 Related parties – ISA 550


17.3.1 Introduction
ISA 550 – Related Parties, places responsibilities on the auditor to perform audit procedures to identify,
assess and respond to the risks of material misstatement arising from the entity’s failure to appropriately
account for or disclose related party relationships, transactions or balances per international accounting
standards.

17.3.2 Auditor’s concern about related party transactions


There are essentially three reasons why the auditor is interested in related party transactions:

17.3.2.1 Inherent risk


Such transactions are inherently riskier because the transacting parties are not independent of each other.
• This may result in non-arms length transactions motivated by considerations other than sound business
practice. Related party transactions may not be conducted under normal market terms and conditions.
It should also be noted that this lack of independence will adversely affect the reliability of any evidence
presented to the auditor by the related parties in support of any related transactions. Thus, the risk of
material misstatement going undetected is greater where related parties are involved.
• Related parties may operate through an extensive and complex network of relationships and structures,
which may give rise to “difficult to audit” complex related party transactions.

17.3.2.2 Disclosure requirements


There may be disclosure requirements regarding the related party relationship or transaction; for example,
loans by subsidiaries to holding companies. The auditor is required to ensure that relevant disclosure
requirements are satisfied. IAS 24 – Related Party Disclosures.

17.3.2.3 Fraud
By understanding the entity’s related party relationships and transactions, the auditor is in a better position
to evaluate the possibility of fraud occurring at a client arising from the presence of related parties. For
apparent reasons, fraud may be more easily committed through related parties.

17.3.3 Definitions
• Arm’s-length transaction – a transaction conducted on such terms and conditions as between a willing
buyer and a willing seller who are unrelated and are acting independently of each other and pursuing
their own best interests.
• Related party:
– a person or entity that has control or significant influence, directly or indirectly through one or more
intermediaries, over the reporting entity (i.e. the company whose financial statements are being au-
dited)
– another entity over which the reporting entity has control or significant influence, directly or indirect-
ly through one or more intermediaries, and
– another entity under common control with the reporting entity through common controlling owner-
ship, owners who are close family members or common key management.
In terms of ISA 550, control is the power to govern an entity's financial and operating policies, and signifi-
cant influence is the power to participate in the financial and operating policy decisions of an entity, but
without control over those policies. Examples of situations where control or significant influence may be
present:
• direct or indirect equity holdings or other financial interests in the entity which is being audited, for
example, company A holds 55% of the shares in company B (company being audited)
• the entity which is being audited holds equity or other financial interests in other entities, for example,
company P holds 40% of the shares in company Q and 60% of the shares in company R
• being part of those charged with governance or key management, for example, the CEO controls the
board (exerts significant influence)
17/12 Auditing Notes for South African Students

• being a close family member of any person referred to in the point above, for example, the CEO’s wife
• having a significant business relationship with the person who is part of governance or key manage-
ment, for example, being a joint shareholder with the CEO in a private business venture.
It is submitted that the definition should not be taken too "technically"; from the audit perspective, the
questions that must be asked are whether the transactions with related parties are motivated by ordinary
business considerations, and correctly disclosed. Control and significant influence must be assessed realisti-
cally, regardless of preset levels or percentages. Has party A significantly influenced or controlled party B
in respect of the transaction? It must be borne in mind that related party transactions are considered an
ordinary feature of business and the vast majority are properly motivated and disclosed. However, the
potential for misstatement is present and the auditor must address this risk.
• Related party transactions – A transfer of resources, services or obligations between related parties
regardless of whether a price is charged.

17.3.4 Requirements
• When performing risk assessment procedures and related activities in compliance with ISA 315 (revised)
and ISA 240 (Responsibilities to fraud), the auditor must obtain an understanding of the entity’s related
party relationships and transactions:
– inquire of management regarding the identity of the entity’s related parties
– establish and understand the relationship between the entity and the related party, for example, close
family relationship, equity, common business venture
– determine from management whether any transactions were entered into during the period under
audit with related parties and if so, the nature and purpose thereof
– understand and evaluate the controls, if any, that are in place at the entity to:
o identify, account for and disclose related party relationships and transactions
o authorise and approve such transactions, and
o authorise and approve significant transactions outside the normal course of business (these may be
related party transactions), and
– enquire of others within the company as to the existence of related parties and related party transac-
tions, for example, internal audit, in-house legal counsel, risks and ethics committee members, audit
committee.
• In the discussions which are held with the engagement team, the susceptibility of the entity’s financial
statements to material misstatement due to fraud or error arising from the related party relationships
and transactions should be specifically discussed, and the team should be provided with and share rele-
vant information relating to related parties/transactions on an ongoing basis.
During the engagement team discussions on related parties, the following matters should be considered:
– the nature and extent of the entity’s relationships and transactions with related parties
– the importance of maintaining professional scepticism throughout the audit regarding the potential
for material misstatement associated with related parties
– the circumstances or conditions of the entity that may indicate the existence of related party relation-
ships or transactions that management has not specifically identified or disclosed to the auditor (e.g.
a complex organisational structure) and how they may be fraudulently exploited
– the records or documents that may indicate the existence of related party transactions, for example,
register of directors’ interest in contracts, minutes of directors’ meetings, lease agreements
– how related party transactions could be “hidden” by management, for example, management over-
ride of controls and
– how transactions between the entity and related parties could be arranged to accommodate manipu-
lation of the financial statements or misappropriation of assets.
• During the audit, the audit team must remain alert for evidence of the existence of related party rela-
tionships or transactions, that have not been previously identified or disclosed to the auditor. In partic-
ular, the audit team should:
– inspect bank and legal confirmations obtained for audit purposes
– inspect minutes of meetings of shareholders and those charged with governance
– inspect other relevant documents (see note 1 below), and
Chapter 17: Sundry topics 17/13

– be alert to significant transactions outside the normal course of the entity’s business and, in doing so,
establish the nature of the transaction and whether related parties could be involved (see note 2
below):
o consider the transaction's business rationale (logic) (arm’s-length, designed to conceal misappro-
priation, etc.)
o consider whether the terms of the transaction are consistent with the explanation for the (abnor-
mal) transaction, and
o consider whether the transaction has been appropriately accounted for and disclosed.
Note 1: Other documents or records which the auditor may inspect:
• other third-party confirmations
• income tax returns
• information supplied by the entity to regulatory authorities, for example, the JSE
• declarations of conflict of interest from management or directors
• shareholders’ register
• life insurance policies (may be taken out on “key” personnel and may give light to a related
party relationship)
• internal auditor’s reports, and
• records of the company’s investments.
Note 2: Transactions outside the normal course of business may include:
• complex equity transactions such as mergers, restructuring, etc.
• transactions with offshore entities operating in countries with weak corporate laws
• leasing of premises, rendering management services, but no charge is levied
• sales made with unusually generous terms, for example, large discounts, extended payment
periods, and
• sales with a commitment to repurchase (circular arrangements).
• The auditor must evaluate the accounting for and disclosing of identified related party relationships and
transactions (IAS 24).
• The auditor must obtain written representation from management, and those charged with governance
that:
– they have disclosed to the auditor the identity of the entity’s related parties and all the related party
relationships and transactions of which they are aware, and
– have appropriately accounted for and disclosed such relationships and transactions.
• The auditor must communicate with those charged with governance on any significant matters arising
during the audit in connection with the entity’s related parties.
• The auditor must include the names of the identified related parties and the nature of the related party
relationships in the audit documentation.

17.4 Audit documentation – ISA 230


17.4.1 Compliance with standards
There are two auditing statements (ISA 230 and ISQC 1) that are directly relevant to audit documentation,
commonly referred to as work papers.
ISA 230 requires that:
• the auditor should prepare, on a timely basis, audit documentation that provides:
– a sufficient and appropriate record of the basis for the auditor’s report, and
– evidence that the audit was performed per International Standards on Auditing and applicable legal and regula-
tory requirements.
The preparation of appropriate audit documentation enhances the quality of the audit and provides the
auditor with the means of proving that the audit was properly conducted should this be challenged, for
example, where the auditor is accused of negligence.
17/14 Auditing Notes for South African Students

The audit documentation also:


• assists the engagement team to plan and perform the audit
• facilitates direction, supervision and review on the audit per ISA 220 (quality control)
• makes members of the engagement team accountable (i.e. their performance is reflected in their work
papers)
• facilitates the audit quality control reviews of various kinds, for example, peer review by SAICA, part-
ners from other firms etc., and external inspections if required, and
• provides a record of matters of continuing significance to future audits.
• That an experienced auditor, having no previous connection with the audit, should be able to understand:
– the nature, timing and extent of audit procedures performed to comply with the ISAs
– the results of the audit procedures performed, and the audit evidence obtained, and
– significant matters and conclusions thereon.
• That in documenting the nature, timing and extent of audit procedures, the auditor should record the identifying
characteristics of the item/matters tested, for example:
– document description and number (sales invoice number 2173)
– name of the person who performed the work, date work was performed and the subject matter of
enquiries
– journal entry numbers, dates, cycle
– the starting point for samples and sampling interval, and
– subject matter being observed, for example, goods receiving activities.
A reviewer must be able to tie the working paper to specific documents, dates, people, functions, etc.
• That significant matters identified on the audit must be documented, in particular:
– significant risks (and the audit response)
– the auditor’s determination of key audit matters (or that there are no key audit matters)
– results of audit procedures which indicate that the financial statements could be materially misstated,
or which indicate the need to revise a previous assessment of material misstatement
– responses to risks
– circumstances that cause the auditor significant difficulty in applying the necessary audit procedures
– findings that could lead to modification of the auditor’s report
– any departures from basic principles or essential procedures, for example, the ISAs, and reasons for
the departure.
• That the names of the preparer and reviewer and the dates on which they conducted their procedures, should be recorded
on the work paper.
ISQC 1 Quality control for firms that perform audits, requires that:
• the firm must establish policies and procedures for engagement teams to put together finalised engagement files on
a timely basis, for example, set deadlines, review and sign off files
• the firm must establish policies and procedures designed to maintain confidentiality, safe custody, integrity (not
allow tampering or contamination), accessibility and retrievability of engagement documentation, for example:
– use of passwords to access computerised work papers
– back-up routines
– controls over the distribution of work papers, for example, sign a register, and
– physical controls over hard copy and electronic work papers, for example, library routines, in a
physically secure area, and
• the firm must establish policies and procedures for the retention of engagement documentation for as long as
they are needed, ensuring that the laws on retention of documents are adhered to.
Chapter 17: Sundry topics 17/15

17.4.2 General points and basic requirements


• Audit documentation may be in various media, for example, written, digital, recorded.
• Audit documentation is the firm's property, and the firm is in no way obliged to make it available to the
client or any other party unless required to do so by law.
• Work papers should:
– be correctly headed regardless of their form, for example:
Client: Knaves (Pty) Ltd Schedule No. FA1.
Financial year-end: 31 December 0001
Date: 15 February 0002
Section of Audit: Non-current Assets – Physical Verification
Prepared By: Phil Collins
Reviewed By: ................ Date ...............
– contain sufficient information concerning the matter to which the working paper relates to enable the
person reviewing the working paper, to judge whether the tests have been performed satisfactorily
and to agree or disagree with the conclusion reached as a result of the tests
– contain explanation and commentary on any unusual or exceptional matters and how they were
dealt with
– contain the conclusions of the preparer of the working paper
– include adequate legends (keys) to symbols on the working paper, and
– display adequate cross-referencing to other work papers.

17.5 Specific types of audit evidence


17.5.1 External confirmations – ISA 505
ISA 505 – External confirmations, guides the principles relating to the auditor’s procedure of obtaining
external confirmations as part of gathering sufficient appropriate evidence. ISA 505 is a general statement,
whereas SAAPS 4 – Enquiries regarding litigation and claims, and SAAPS 6 – External confirmations
from financial institutions, are far more specific.

17.5.1.1 Introduction
In terms of ISA 500 – Audit evidence:
• Audit evidence is more reliable when it is obtained from independent sources outside the entity.
• Audit evidence obtained directly by the auditor is more reliable than audit evidence obtained indirectly
or by inference.
• Audit evidence is more reliable when it exists in documentary form, whether paper or electronic.
Thus external confirmations provide potentially “good” (reliable) evidence, provided that the requirements
set out below are satisfied.

17.5.1.2 Requirements
In terms of ISA 505, when carrying out external confirmation procedures, the auditor should
• maintain control over the process (not make use of the client to control the procedure)
• determine the information to be confirmed, for example, debtors balance at a particular date
• select the appropriate confirming party (e.g. must be an individual, competent and authorised to provide
the confirmation)
• design the confirmation request to effectively obtain the evidence which is the objective of the confirma-
tion request
• include specific instructions that the response details be sent directly to the auditor, and
• send (retain control over sending) the requests to the confirming party.
17/16 Auditing Notes for South African Students

If the client refuses to allow the auditor to send a confirmation request:


• the auditor should establish the reason for the refusal and seek evidence to support the validity and
reasonableness of the client’s explanation
• evaluate the implications of the refusal on his assessment of the risk of material misstatement including
the risk of fraud, and
• perform alternative procedures to obtain sufficient appropriate audit evidence.
If the auditor concludes that the refusal is unreasonable, the auditor should communicate with those
charged with governance.
If this does not succeed, the auditor will need to consider whether there has been a limitation of scope
which affects the auditor’s opinion. This will certainly be the case where alternative audit procedures
cannot provide the necessary evidence.
If the auditor has doubts about the reliability of a response to a confirmation request, or no response is
received (after following up), the auditor should consider:
• the impact of this on his assessment of the risk of material misstatement (including the risk of fraud)
• perform alternative procedures to obtain the evidence, and
• if the necessary evidence cannot be obtained, consider the implications on the audit opinion.
The auditor will evaluate the confirmations received to determine whether sufficient, reliable and relevant
evidence has been obtained (usually as part of other evidence). It should be borne in mind that:
• negative confirmations – i.e. confirmations which only request a response if there is a problem, are not
particularly useful as the auditor does not know whether there is "no problem", or whether the confirm-
ing party did not receive the confirmation, or just didn’t bother to respond, or whether the non-response
was because there was an error but in favour of the confirming party!
• positive confirmations – i.e. confirmations which require the confirming party to respond whether they
“agree” or “disagree”, or to provide information, are far more valuable as they provide tangible and
reasonably reliable evidence (always ensuring that the basic requirements of external confirmations
have been satisfied).

17.5.2 Enquiries regarding litigation and claims – SAAPS 4


17.5.2.1 Introduction
Auditors frequently require information about the legal matters of their clients. For example, certain provi-
sions arising from legal matters may need to be recognised, or contingent liabilities may need to be dis-
closed.
SAAPS 4 requires that the auditor obtain sufficient, appropriate evidence regarding:
• whether all material litigation and claims have been identified
• the probability of any material revenue or expense arising from such matters, and the estimated amount
thereof, and
• the adequacy of the accounting treatment of such matters, including their disclosure in the financial
statements.

17.5.2.2 Management responsibility


It is the responsibility of management to adopt policies and procedures to identify, evaluate, record and
report on all material litigation and claims.

17.5.2.3 Audit procedures to identify claims and litigation


To identify litigation and claims affecting the company, the auditor would perform the following audit
procedures:
• review and discuss management’s procedures for identifying and recording litigation and claims
• review and discuss management’s procedures for identifying, controlling and recording legal expenses
and associated revenues and expenses in appropriate accounts
• obtain and discuss with management:
– a list of litigation and claims, including a description of the matters and an estimate of their likely
financial consequences, and
– an analysis of legal expenses.
Chapter 17: Sundry topics 17/17

• review relevant documents, for example, correspondence with attorneys


• obtain written representation regarding the completeness of material outstanding litigation and claims
from management
• examine contracts, loan agreements, leases, insurance policies and claims and other correspondence
• inspect minutes of meetings of the directors, the audit committee, shareholders and appropriate com-
mittees
• obtain information from bank confirmations concerning guarantees, etc., and
• develop a knowledge of the essential characteristics of the entity’s business operations, including an
understanding of the potential involvement in litigation and claims, for example, environmental haz-
ards.

17.5.2.4 Requests for attorney’s representation letter


Where material litigation and claims have been identified, the auditor should seek written representation
from the company’s attorneys. This written representation is designed to:
• assist the auditor in evaluating the reasonableness of management’s estimates, and
• corroborate the completeness of the litigation and claims identified.
As with all third-party confirmations, the auditor should send the representation letter (not management,
although they prepare it), and the attorney should be requested to return it directly to the auditor. The
request for the representation letter will be on the client’s letterhead.

17.5.2.5 Contents of the client’s request to the attorneys to provide a representation letter
The matters included in the letter are as follows:
• identification of the name, and the end of the reporting period, of the company(ies) to which the
enquiry relates, for example, the holding company and its subsidiaries and the year-end date
• a list prepared by management which names each company that is a party to material litigation or claims
and describes the nature of such litigation and claims, the amount claimed and its status
• management’s estimate of the financial exposure (inclusive of costs) for each litigation and claim in
respect of which the company has engaged the attorney
• a request that the attorney advise whether the items are properly described and whether management’s
evaluations are reasonable
• a request for comment on those litigation matters and claims on which the attorney disagrees with
management
• a request for a list of any other litigation and claims dealt with by the attorney concerning the company
(completeness)
• an indication of the amount below which litigation and claims are not considered to be material for the
enquiry regarding litigation and claims. (These claims need not be considered when attorneys take the
opportunity of bringing further litigation and claims, of which they are aware, to the attention of the
auditor.)
• a request that the response address events as at, and after, the financial year-end of the company(ies) as
close as possible to the expected date of the audit report, and
• a request that the nature of, and reasons for, any limitation on the response, be communicated.
17/18 Auditing Notes for South African Students

17.5.2.6 Example of a schedule sent to the attorney with the letter (see above) requesting
an “attorney’s representation letter”
Name of entity: Crackerjac (Pty) Ltd
Financial year-end: 28 February 0001

Litigation and Claims


Name of entity (subsid- Management’s description Management’s estimate of the Attorney’s remarks
iary or division) of matter (including financial exposure
current status and amount (inclusive of costs and dis-
claimed as well as attor- bursements)
ney’s reference if known)
Crackerjac (Pty) Ltd Attorney Ref C/341 No exposure. Claim by em- This is the first claim against
Claim by a former em- ployee is groundless the company of this nature and
ployee for unfair dismissal Legal costs R15 000 it is difficult to predict the
outcome.
Damages of R1 000 000
Historically 70% of these cases
result in a favourable outcome
for the plaintiff with a settle-
ment of 40% of the amount
claimed

We confirm that we are acting for Crackerjac (Pty) Ltd concerning the claim mentioned above and that
management’s description and estimates of the amounts of the financial exposure (including costs and
disbursements) which might arise about those matters, are in our opinion, over-optimistic as detailed
above.
In addition to the above matters, we wish to bring to your attention the following litigation and claims
exceeding R100 000 of which we are aware, in relation to the company:
Case reference C/914
A customer of Crackerjac (Pty) Ltd is suing the company for R150 000. The claim arises from the
customer having suffered a severe laceration to his leg while using a garden tool manufactured by
Crackerjac (Pty) Ltd. We have advised the company to settle out of court for R50 000. We believe that
the plaintiff would accept this settlement. Legal costs amount to R10 000.
Attorneys: Doogood and Deefend Dated: 15 April 2022

17.5.3 External confirmations from financial institutions – SAAPS 6


17.5.3.1 Introduction
Virtually every business entity has dealings with a financial institution. The relationship may be simple, for
example, the entity has a single current account with a bank, or complex, for example, the financial institu-
tion provides overdraft facilities, assists the entity with foreign transactions, provides letters of credit and
makes loans to the entity. The bank may also assist with complicated transactions such as financial futures,
interest rate swaps, option contracts, etc. In general terms, the more extensive and complicated the entity’s
dealings with the financial institution are, the greater the impact on the balances and disclosures in the
financial statements will be. SAAPS 6 guides the auditor concerning obtaining external confirmations from
his client’s bank (financial institution), which provide primarily corroborative evidence about the balances
and disclosures reflected in the annual financial statements about the dealings between the client and the
bank.
SAAPS 6 provides an illustrative external confirmation request which includes nine “Form Types”.
Form types relate to the category of information about which the auditor is seeking confirmation/infor-
mation. The auditor will include only those “form types” in the confirmation request about which he seeks
information.
Chapter 17: Sundry topics 17/19

Form type Example


1. Assets : (Positive) balance on the current account, or a 30-day call account.
2. Liabilities : (Negative) overdraft balance on the current account, or short-term
loan.
3. Securities : Securities pledged or otherwise encumbered.
4. Contingent liabilities and Guarantees : Bills receivable discounted but not yet paid.
5. Derivatives : Forward rate agreements, option contracts.
6. Bills : Total of bills held for collection.
7. Letters of Credit : Letters of credit relating to foreign suppliers.
8. Cash Management Systems : Details of accounts are included in the cash management system.
9. Authorised transactions/Signatories list : EFT “dongle” holders, bank card PIN holders.
SAICA recommends that auditors adopt the format of the illustrative confirmation request in SAAPS 6.

17.5.3.2 Requirements
Theoretically, an external confirmation from a financial institution should be regarded as reliable evidence
because it is independent evidence from a reliable source. However, this will only be the case if the follow-
ing basic requirements are followed:
• The request for the confirmation certificate should be made by the auditor to the financial institution:
– the necessary authority must be given to the financial institution by the audit client to furnish the
information requested by the auditor
– the certificate must be sent directly to the auditor at the auditor’s address
– the request must be sent to the financial institution timeously, and
– it must be sent to the appropriate individual at the institution (most entities will have an individual at
the bank with whom they deal, or alternatively, the bank will have a designated person who deals
with issuing certificates of this nature).
• Obtaining the external confirmation certificate must be properly planned:
– the date by which the certificate is needed must be set
– the auditor must decide exactly what information he requires from the financial institution. this
may range from a simple confirmation of an account balance at year-end, to a request for extensive
confirmation of information relating to complex transactions such as those identified in the introduc-
tion paragraph
– the information to be provided to the financial institution to respond appropriately must be gathered.
for example, suppose a confirmation of balance is required. in that case, the account number must be
included, or if the auditor is seeking confirmation about debt covenants pertaining to loans made by
the financial institution to the client, the request must include details which the auditor wants con-
firmed. it is not a matter of the auditor requesting the financial institution to supply all the infor-
mation, the auditor supplies the information and the institution confirms if it is correct
– the validity of the authority given by the client to the financial institution must be confirmed, and
– the appropriate individual to whom the confirmation request must be sent must be identified.

17.5.3.3 completeness of financial institution accounts


The financial institution is under no obligation to advise an auditor that it holds an account or has other
arrangements that have not been listed in the certificate request from the auditor. SAAPS 6 states that
financial institutions usually include a disclaimer in the certificate regarding the completeness of the enti-
ty’s “bank” accounts included on the certificate supplied to the auditor.
If the auditor considers a that there is a risk (which could result in material misstatement) that the finan-
cial institution account balances may be incomplete, he will respond to the risk by conducting further
procedures. These procedures would concentrate on the inspection of documentation that relates to the
entity’s dealings with its financial institution. These procedures, which would be carried out before the
confirmation request is sent, may include the following:
• comparison of the list of financial institution accounts for the current year with the list at the end of the
previous financial year (differences to be followed up)
17/20 Auditing Notes for South African Students

• inspection of directors’ minutes for the year to determine whether, for example:
– new financial institution accounts were opened
– any financial institution accounts were closed
– the entity entered into agreements or covenants with the financial institutions
– any arrangements relating to securities, guarantees, derivations, etc., were undertaken, and
– changes were made to authorised account signatories.
• inspection of significant contracts for confirmation that any related financial matters were conducted
through financial institution accounts already listed, and
• obtaining management representation as to the completeness of financial institution accounts infor-
mation that management has supplied.

17.5.3.4 Use of electronic confirmations


SAAPS 6 points out that electronic confirmations are acceptable but that, compared to confirmations in
paper form received directly by the auditor, they do present additional risks relating to reliability because
the proof of source may be difficult to establish.
Similarly, the auditor must be aware that, when sending a confirmation certificate request electronically,
confidential information about the client’s financial dealings is being transmitted and that the integrity of
the transmission may be compromised. Therefore, the auditor must be satisfied that both transmission and
receipt of electronic confirmations are secure before sending a request or accepting a response from a finan-
cial institution as reliable audit evidence. Such controls may include electronic digital signatures, encryp-
tion and procedures to verify website authenticity.

17.5.4 Written representations – ISA 580


17.5.4.1 Introduction
ISA 580 – Written representations deals with the auditor’s responsibility to obtain written representations
from management and, where appropriate, those charged with governance in an audit of financial state-
ments. Written representations can be an important part of the evidence gathered but do not, in themselves,
provide sufficient, appropriate evidence, and they are corroborative in nature.

17.5.4.2 Objectives
The auditor’s objectives in obtaining written representations are, in terms of ISA 580:
• to obtain a written representation from management that it (management) has fulfilled its responsibility
for the preparation of the financial statements and the completeness of the information provided to the
auditor
• to support (corroborate) other audit evidence relevant to the financial statements or specific assertions in
the financial statements.

17.5.4.3 Requirements
The auditor should request written representations from individuals in management who have relevant
responsibilities and knowledge of the matters concerned:
• those responsible for the preparation of the financial statements, and
• the chief executive officer and chief financial officer.
In some instances, management may consult other parties to assist in making the written representation.
These will be individuals who have assisted in preparing the financial statements by providing specialist
knowledge, for example, in house actuaries, legal counsel or staff engineers.
The auditor must request management to specifically provide written representation that:
• it (management) has fulfilled its responsibility for the preparation of the financial statements
• it has provided the auditor with all relevant information and access, and
• all transactions have been recorded and are reflected in the financial statements.
Chapter 17: Sundry topics 17/21

In addition to the representations above, the auditor may consider it necessary to obtain other written
representations about the financial statements. These may include representations about:
• whether the selection and application of accounting policies is appropriate
• whether there has been appropriate recognition, measurement, presentation and disclosure of the
following in terms of IFRS or IFRS for SMEs:
– plans or intentions that may affect the carrying value of assets and liabilities, for example, intentions
to discontinue certain operations
– liabilities, both actual and contingent, for example, pending lawsuits
– title to assets, liens, encumbrances and assets pledged as security, for example, agreements to buy
back assets previously sold, and
– aspects of laws, regulations and contractual agreements that may affect the financial statements, for
example, unintentional foreign exchange contraventions, loans made to a director or related person
in contravention of the Companies Act
– related party transactions
– subsequent events, and
– intended changes to capital, for example, capitalisation issues, rights issues.
ISA 580 does not restrict the auditor in obtaining written representations. Although these representations
do not feature particularly high on the hierarchy of evidence, they force management to commit themselves
in writing and hopefully focus their minds on what they represent. In addition to the above, various ISAs
require that the auditor obtain management representations about the topic of that ISA, for example,
ISA 240 (fraud).
If the auditor doubts the reliability of the written representations of management or the requested written
representations are not provided, the auditor should:
• discuss the matter with management
• re-evaluate the integrity and diligence of management (is this a deliberate attempt to mislead or hide
information?)
• consider whether this unreliability or refusal affects other audit evidence gained on the audit (both its
reliability and sufficiency)
• extend testing (evidence gathering) if necessary, and
• consider the effect on the audit opinion.
Management should be quite prepared to make the necessary representations, and the auditor should be
sceptical (or suspicious) if management makes unreliable, incomplete representations or refuses to do so at
all. However, management representations are corroborative in nature and do not stand on their own;
unreliable representations or an absence of representations will not automatically result in a qualification or
disclaimer of the audit opinion.

17.5.4.4 Conclusion
To be of value, management representations should be:
• written, not oral
• corroborated by other evidence
• reasonable and consistent concerning other evidence obtained
• given by members of the management team who are sufficiently well informed on the particular matter
about which representations are being made
• addressed to the auditor
• contain specific information
• appropriately dated (preferably the same as the auditor’s report), and
• appropriately signed, for example, senior executive officer.
17/22 Auditing Notes for South African Students

17.5.5 Analytical procedures – ISA 520


17.5.5.1 Introduction
In terms of ISA 520, the term “analytical procedures” means evaluations of financial information through
analysis of plausible relationships among both financial and non-financial data. Analytical procedures also
encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent
with other relevant information or that differ from expected values by a significant amount.
The second part of this description of analytical procedures is perhaps the most important. Extracting
ratios or making comparisons does not in itself provide much useful information. The important part is the
interpretation and follow up of inconsistent fluctuations and unexpected outcomes. For example, establish-
ing that the gross profit percentage for the year has declined compared to the prior year is not in itself
particularly useful. Establishing the reason and following up on the reasons is the important part of the
procedure.

17.5.5.2 Nature of analytical procedures


Analytical procedures are substantive in nature. The major analytical procedure is the comparison of the
entity’s financial information with, for example:
• prior-year period information
• budgets and forecasts
• similar industry information (industry averages), and
• divisions/branches/cost centres within the entity.
The other major analytical procedure is the study of relationships:
• among elements of financial information, for example, sales commissions and sales
• among elements of financial information that would be expected to conform to a predictable pattern,
based on the entity’s experience, for example, gross profit percentages, and
• between financial information and non-financial information, for example, payroll costs and the num-
ber of employees.

17.5.5.3 Purpose of analytical procedures


Analytical procedures are used:
• as risk assessment procedures in obtaining an understanding of the entity and its environment and the
risk of material misstatement
• to substantiate an assertion when analytical procedures are more efficient or effective than tests of
detail, for example, a comparison of wages, period to period, by department, may provide sufficient
evidence about the fair presentation of the wage expense, and
• to provide corroborative evidence in the final review stage of an audit.

17.5.5.4 Analytical procedures as substantive procedures


When intending to use analytical procedures, the auditor will need to consider several factors before decid-
ing that their use is appropriate.

(a) Suitability of using substantive analytical procedures


The auditor must decide whether the analytical procedures are appropriate for producing sufficient, appro-
priate evidence of:
• the assessment of the risk of material misstatement, for example, the higher this risk, the more likely it is
that more tests of details will be appropriate, and
• the tests of detail already conducted (on the assertion), for example, analytical procedures may provide
good corroborative evidence where tests of detail have already been conducted.

(b) The reliability of the data on which the analytical procedures will be conducted
There is no point in performing analytical procedures on unreliable data – this gives unreliable results! The
auditor will consider:
• the source of the data, for example, external evidence is better than internal evidence
• comparability, for example, the auditor must compare “apples with apples” not “apples with oranges”;
ratios in a wholesale business will not be comparable with the same ratios in a retail business
Chapter 17: Sundry topics 17/23

• nature and relevance, for example, if a budget is being used for comparison, is the budget a well pre-
pared, thought out document or a “just going through the motions of putting a budget together” type
budget?, and
• controls over the preparation of the data, for example, poor control over validity, accuracy and complete-
ness, results in unreliable data.

(c) Whether the expectation is sufficiently precise to identify a material misstatement


The auditor needs to consider whether the results of the analytical procedures will be specific enough to
identify material misstatement. If the analytical procedure gives only a general indication of what the
auditor is testing, it will not be that worthwhile. If the result can be broken down further, it will be far more
useful. For example, the auditor wants to use analytical procedures when planning the audit of the occur-
rence of sales, i.e. whether there will be material misstatement arising out of the inclusion of fictitious sales:
• a straight comparison of the current year sales against the prior year sales will not be very useful, but
• if sales from the current and prior years can be broken down into sales by product, branch, salesperson,
month, region, category or purchaser, etc., the individual comparisons of the breakdowns become very
useful.
The auditor will consider the following factors:
• the availability of information, both financial and non-financial
• the extent to which the information can be broken down, and
• the inherent predictability of the information, for example, there is little point in conducting an exten-
sive analytical review on information that normally fluctuates and in no predictable/expected pattern.

(d) Acceptable fluctuations from expectations


When the auditor performs analytical procedures, there are likely to be deviations from what is expected,
for example, based on historical data, the auditor expects an increase of 10 days in the “days outstanding
ratio” for debtors due to newly introduced credit terms. Ratio analysis reveals that the increase is actually
15 days. Does the auditor accept 15 days? What if it is 11 days or 6 days? There is no simple answer or
magic cut-off point. The auditor will have to assess this piece of evidence in conjunction with other evi-
dence or may reassess his expectations. Yet another example of the importance of professional judgment.

17.5.5.5 Investigating results of analytical procedures


As discussed in the introduction, the actual computation of ratios and trends is, in itself, of little value. The
success of analytical procedures will depend upon how efficiently and effectively significant fluctuations
and inconsistencies are identified and followed up. In following up, the auditor will need to obtain corrobor-
ation of any explanations given by the client and may decide to perform additional audit procedures.

17.6 Audit considerations relating to an entity using a service organisation


– ISA 402
17.6.1 Introduction
A company may use other entities to carry out functions that would otherwise be carried out by the com-
pany itself. For example, a company may have its payroll processed by a computer bureau, or outsource its
entire invoicing and debtor management to another entity. Entities that offer these kinds of services are
referred to as service organisations in ISA 402.
When an audit client uses a service organisation, it becomes part of the client’s accounting system and
related internal controls. In terms of ISA 315 (revised), the auditor is required to obtain sufficient under-
standing of his audit client’s system of internal control, to be in a position to identify and assess the risks of
material misstatement arising from weaknesses in that internal control system. By implication therefore,
the auditor has to identify and evaluate the risks of misstatement arising from the use of the service organi-
sation.
17/24 Auditing Notes for South African Students

17.6.2 Understanding of the audit client and its environment


ISA 402 requires that in obtaining an understanding of the audit client and its environment, the auditor
should obtain an understanding of:
• the nature of the services provided by the service organisation
• the terms of the contract between the client and the service organisation
• the extent to which the client’s internal control interacts with the service organisation
• the client’s internal controls relevant to the service organisation, for example, controls over the flow of
source data to the service organisation, and how the risks of using a service organisation are managed
(e.g. the risk of a collapse of the service organisation)
• the service organisation’s capability and financial strength, and
• any available information about the service organisation’s information system, general controls and
application controls, including third-party reports on the service organisation by internal auditors, other
auditors or regulatory agencies.
The auditor of the client company making use of the service organisation (termed the user auditor) may
obtain the necessary information about the service organisation by:
• contacting the service organisation for specific information
• visiting the service organisation and performing procedures, and
• obtaining a type 1 or type 2 report.
17.6.3 Reports from the auditor (service auditor) of a service organisation on its internal
controls (Type 1 or Type 2)
A service organisation is itself a business entity and will want to satisfy its customers that the business is
well controlled, efficient and reliable. To this end, the service organisation may make available to its cus-
tomers, reports by auditors engaged by it (the service organisation) to evaluate and report on its internal
control. This report is potentially very useful to the customer’s auditors (user auditor), but will depend on
the type of evaluation and report which the service organisation’s auditor conducted. ISA 402 deals with
two types of report:
Type 1 A report on the description and design of internal control
Type 2 A report on the description, design, and operating effectiveness of the service organisation’s
internal control.
The Type 1 report will consist of:
• a description of the service organisation’s internal control, and
• an opinion on whether:
– the description is accurate
– the internal controls are suitably designed to achieve their stated objectives, and
– the internal controls have been implemented.
The Type 2 report will be the same as the Type 1 report but will in addition contain:
• information on whether the internal controls are operating effectively, and
• details of the tests performed by the service auditor and the results thereof.
The Type 2 report is more valuable to the (user) auditor, as it produces evidence about the effectiveness of
internal controls at the service organisation and hence will be helpful in the identification and assessment
of material misstatement. The Type 1 report is of some value in gaining an understanding of the client
(using the service organisation) but is limited as it produces no meaningful evidence.
Where the auditor chooses to rely on a Type 2 report, it will be necessary to evaluate the third party (e.g.
the service organisation’s service auditor) which provided the report. The independence and competence of
the service auditor would be particularly important.
It is also important that the auditor relying on the report consider whether the nature, timing, and extent
of the tests of controls conducted by the service auditor provide sufficient, appropriate evidence. It is not
just a matter of accepting the report at face value.
17.6.4 User auditor’s responsibility
An auditor who relies on the report of a service auditor engaged by the service organisation, should not
reference this fact in his report. The use of a service auditor does not alter the user auditor’s responsibility
to obtain sufficient, appropriate evidence to afford a reasonable basis to support his audit opinion.
CHAPTER

18
The audit report

CONTENTS
Page
18.1 Introduction .................................................................................................................... 18/3
18.1.1 Background .......................................................................................................... 18/3
18.1.2 The mechanics of reporting ................................................................................... 18/3
18.1.3 Changes to the layout of the audit report................................................................ 18/3
18.1.4 The audit objective and reporting .......................................................................... 18/3
18.1.5 The auditing statements relating to reporting.......................................................... 18/3
18.1.6 Objectives ............................................................................................................. 18/4
18.1.7 Form of opinion ................................................................................................... 18/4

18.2 Structure and content of the unmodified audit report – ISA 700 (revised)
and SAAPS 3 (revised May 2019) ..................................................................................... 18/5
18.2.1 Structure............................................................................................................... 18/5
18.2.2 Content ................................................................................................................ 18/5

18.3 Modifications to the opinion in the independent auditor’s report


– ISA 705 (revised) (effective 15 December 2016) ........................................................... 18/12
18.3.1 Introduction ......................................................................................................... 18/12
18.3.2 Determining the nature of the matter giving rise to the modification ....................... 18/13
18.3.3 Making a judgement about the pervasiveness of the effects or possible effects
of the matter on the financial statements ................................................................ 18/14
18.3.4 Types of modified opinions ................................................................................... 18/15

18.4 Compiling a report where the opinion is modified – Structure and wording
(form and content) .......................................................................................................... 18/16
18.4.1 Introduction ......................................................................................................... 18/16
18.4.2 Companies ........................................................................................................... 18/16
18.4.3 Additional points relating to structure and wording (form and content) ................... 18/17

18.5 Communicating key audit matters in the independent auditor’s report – ISA 701 ............ 18/24
18.5.1 Introduction ......................................................................................................... 18/24
18.5.2 Key audit matters: Definition and description ........................................................ 18/24
18.5.3 Determining key audit matters .............................................................................. 18/24
18.5.4 Diagram: Determination of key audit matters ........................................................ 18/27
18.5.5 Communicating key audit matters ......................................................................... 18/28
18.5.6 Modified opinions, going concern issues and key audit matters............................... 18/29

18/1
18/2 Auditing Notes for South African Students

Page
18.6 Emphasis of matter paragraphs and other matter paragraphs in the independent
auditor’s report – ISA 706 (revised) ................................................................................. 18/29
18.6.1 Introduction ......................................................................................................... 18/29
18.6.2 Emphasis of matter paragraphs.............................................................................. 18/29
18.6.3 Examples of where the use of an emphasis of matter may be necessary ................... 18/26
18.6.4 Emphasis of matter paragraphs and key audit matters ............................................ 18/30
18.6.5 Other matter paragraphs ....................................................................................... 18/31

18.7 The auditor’s responsibilities relating to other information – ISA 720 (revised)
(effective for audits of financial statements for periods ending on or after
15 December 2016) ......................................................................................................... 18/31
18.7.1 Introduction ......................................................................................................... 18/31
18.7.2 The auditor’s responsibilities ................................................................................. 18/32
18.7.3 Reading and considering the other information ...................................................... 18/32
18.7.4 The auditor’s response when a material inconsistency appears to exist or
other information appears to be materially misstated .............................................. 18/33
18.7.5 Other information and the audit report .................................................................. 18/33

18.8 Comparative information – Corresponding figures and comparative


financial statements – ISA 710 ......................................................................................... 18/34
18.8.1 Introduction ......................................................................................................... 18/34
18.8.2 Objectives and procedures ..................................................................................... 18/34
18.8.3 Reporting ............................................................................................................. 18/35

18.9 The effect of a reportable irregularity (s 45 – Auditing Profession Act 2005)


on the audit report .......................................................................................................... 18/35
Chapter 18: The audit report 18/3

18.1 Introduction
18.1.1 Background
In January 2015 the IAASB issued a set of revised reporting standards and a new standard (ISA 701 –
Communicating Key Audit Matters in the Independent Auditor’s Report), effective for audits of financial
statements for periods ending on or after 15 December 2016. Issuing this set of statements is to increase the
“value of auditor reporting” by making the auditor’s report more relevant to users. The primary means of
achieving this is the introduction of ISA 701, which requires that details of key audit matters (KAM) be
included in the audit reports of listed companies (see note below). Key audit matters are dealt with later in
this chapter are defined as “those matters that, in the auditor’s professional judgement, were of most
significance in the audit of financial statements”. By including any key audit matters in the audit report, it
is anticipated that users will gain a better understanding of the “inner workings” of the audit for example,
in relation to how areas of significant risk or significant judgement on the part of management and the
auditor, were handled.
Note: In terms of ISA 700 (revised) the inclusion of key audit matters applies only to listed companies, but
there is nothing to prevent the auditor from including the paragraph for other entities.

18.1.2 The mechanics of reporting


Suppose you have studied the previous reporting statements or are familiar with existing audit reports by
virtue of another experience. In that case, you need to realise that the mechanics of forming an opinion on
financial statements have not changed. The auditor is still required to evaluate uncorrected misstatements,
conclude on the nature of any matter giving rise to a modification of the audit opinion, and make a
judgement on whether the effect on the financial statements is material or material and pervasive. The
audit objective remains the same.

18.1.3 Changes to the layout of the audit report


In addition to requiring the inclusion of the section dealing with key audit matters, the layout of the audit
report has changed, the major change being that the report will open with the Opinion section and be
followed by the Basis for Opinion section and other sections as described later in this chapter. The Opinion
section itself is a combination of the previous Introductory paragraph (we have audited the financial
statements . . .) and the previous Opinion paragraph (in our opinion, the accompanying financial
statements fairly present in all material respects . . .).

18.1.4 The audit objective and reporting


The drafting and issuing of the audit report is the final stage in the audit process. In terms of ISA 200, the
objective of the audit of financial statements is to enhance the degree of confidence of intended users in the
financial statements. This is achieved by the auditor expressing an opinion on whether the financial
statements are prepared, in all material respects, following the applicable financial reporting framework
adopted by the entity, for example IFRS. To express it more simply (and to echo the opinion paragraph in
the audit report), the objective is
“to express an opinion on whether the financial statements present fairly in all material respects, the financial position of the
company at a specified date and its financial performance and cash flows for a specified period prior to that date, in
accordance with International Financial Reporting Standards and the requirements of the Companies Act of South Africa”.
The audit report is the auditor’s expression of this opinion, and in terms of ISA 200, an audit conducted in
accordance with the ISAs and relevant ethical requirements enables the auditor to form that opinion.

18.1.5 The auditing statements relating to reporting


Reporting the audit opinion on financial statements is governed by several International Standards on
Auditing statements (ISAs). The ISAs are as follows:
• ISA 700 (revised) – Forming an opinion and reporting on financial statements
• ISA 701 – Communicating key audit matters in the independent auditor’s report
• ISA 705 (revised) – Modifications to the opinion in the independent auditor’s report
• ISA 706 (revised) – Emphasis of matter paragraphs and other matter paragraphs in the independent
auditor’s report
18/4 Auditing Notes for South African Students

• ISA 710 – Comparative information – corresponding figures and comparative financial statements
• ISA 720 (revised) – The auditor’s responsibilities relating to other information in documents containing
audited financial statements.
In addition to the above, SAAPS 3 (revised May 2019) provides illustrative auditor’s reports for listed and
private companies for different situations which may arise on audit, for example, adverse opinion reports,
disclaimers, etc. The ISAs provide the basic “rules” and framework for reporting internationally. The
recommended wording applicable to audit reports for South African companies is as illustrated in
SAAPS 3 (revised May 2019). SAAPS 3 (revised May 2019) has been updated as a result of the
amendments to the International Ethics Standards Board for Accountants (IESBA) Code of Ethics for
Professional Accountants (now the IESBA International Code of Ethics for Professional Accountants
(including International Independence Standards) (IESBA Code)) and the amendments to the IRBA Code
of Professional Conduct for Registered Auditors (now the IRBA Code of Professional Conduct for
Registered Auditors (revised November 2018) (IRBA Code))

18.1.6 Objectives
In terms of ISA 700 (revised) the auditor’s objectives are to:
• form an opinion on the financial statements based on an evaluation of the conclusions drawn from the
audit evidence obtained and
• to express clearly that opinion through a written report.
To be in a position to form the opinion, the auditor must conclude on whether he has obtained reasonable
assurance as to whether the financial statements as a whole are free from material misstatement (arising
from fraud or error). In drawing this conclusion the auditor must consider:
• whether sufficient appropriate audit evidence has been obtained
• whether uncorrected misstatements are material (individually or in aggregate)
• whether the financial statements are prepared, in all material respects, in terms of an applicable
reporting framework, for example, IFRS or IFRS for SMEs
• whether significant accounting policies selected and applied have been appropriately disclosed
• whether these accounting policies are consistent with the applicable financial reporting standards and
are appropriate
• whether the accounting estimates made by management are reasonable
• whether the information presented in the financial statements is relevant, reliable, comparable and
understandable including whether:
– the information that should have been included has been included and is appropriately classified,
aggregated or disaggregated, and characterised
– the overall presentation has not been undermined by included information that is not relevant or
which obscures a proper understanding of the matters disclosed
• whether there is adequate disclosure to enable the intended users to understand the effect of material
transactions and events on the information conveyed in the financial statements
• whether the terminology used in the financial statements is appropriate.

18.1.7 Form of opinion


• If the auditor concludes based on the paragraph above, that the financial statements are prepared, in all
material respects, in accordance with the applicable reporting framework, the auditor must express an
unmodified opinion.
• If the auditor concludes that the financial statements as a whole are not free from material misstatement
or if the auditor is unable to obtain sufficient appropriate evidence to conclude that the financial
statements as a whole are free from material misstatement, the auditor must modify the auditor’s
opinion in accordance with ISA 705 (revised).
Chapter 18: The audit report 18/5

18.2 Structure and content of the unmodified audit report – ISA 700 (revised)
and SAAPS 3 (revised May 2019)
One of the consequences of the revised reporting standards, particularly ISA 701, is that some differences
in the basic structure and content of the audit report for a public company and a private company have
been introduced. Again, these differences do not affect the mechanics of reporting as described in para-
graph 2 of this chapter. The section headings and the wording of the audit report as described in this
chapter are taken from SAAPs 3 (revised May 2019) and will, in some minor instances, differ from the
wording in the ISAs. Remember that although the ISAs are international, they allow some variation within
different countries, so for reporting in South Africa, SAAPs 3 will be the authoritative guide.
In the description of the structure and content of the unmodified audit report given below, take note of the
comments on the differences between listed (public) and private company reports. The report is divided
into sections that deal with different aspects of the report.

18.2.1 Structure
• Title
• Addressee
Subtitle: Report on the audit of financial statements (see note (c) below)
• Opinion section
• Basis for Opinion section
• Key audit matters section (Note: Listed companies only)
• Other information section
• Responsibilities of the directors for the financial statements section
• Auditor’s responsibilities for the audit of the financial statements section
Subtitle: Report on other legal and regulatory requirements (see note (c) below).
• Signing off.

18.2.2 Content
Title: The report is headed Independent Auditor’s Report
Note (a): The report must be in “writing”, (i.e. hard copy or electronic). The auditor cannot just give a
verbal audit report at the AGM!
Note (b): The structure given above relates to unmodified audit reports. The report is modified in various
situations, for example where the audit opinion is qualified or an emphasis of matter is required,
and in such situations additional sections may be added as explained later in this chapter.
Note (c): Subtitles. The use of the two subtitles (see structure above) is only necessary when the auditor
has a duty to report on other legal and regulatory requirements in addition to reporting on the
financial statements. For example, when the auditor has reported a reportable irregularity to the
IRBA in terms of the Auditing Profession Act (s 44 of the APA), or when the auditor of a listed
company is fulfilling his duty to report on “auditor’s tenure” (the number of years the auditor’s
firm has been the auditor of the company) as required by the IRBA rules, the sub-titles must be
included.
Note (d): Including the word “independent” in the title adds to the credibility of the audit report by
emphasising that the auditor is reporting as an individual who is independent of the company
being reported on.
Addressee: To the shareholders of Jumpingjax Proprietary Limited
Note (e): • The audit report for a public company is addressed to the shareholders.
• An audit of a private company that is required to be audited because of its public interest
score or because its Memorandum of Incorporation requires it, will also be addressed to the
shareholders.
• When a Memorandum of Incorporation (MOI) for a company that is exempt from a
statutory audit requires the company to appoint an auditor, the auditor’s report is also
addressed to the shareholders or members, as appropriate. When an MOI for a company that
18/6 Auditing Notes for South African Students

is exempt from a statutory audit does not require the company to appoint an auditor, and the
company chooses to be audited (by means of a shareholders’, members’ or directors’
resolution), the addressee will depend on whether the requirement for an audit was by way of
a shareholders’ or members’ resolution (in which case the auditor’s report would then be
addressed to the shareholders or members, as appropriate) or a directors’ resolution (in that
instance, the auditor’s report would be addressed to the directors).
• The audit report for a close corporation is addressed to the members. (In terms of the
Companies Act 71 of 2008, some CCs must be audited.)
Public sector perspective
In the public sector there is a wide range of potential users of the auditor’s report, including the
general public. However, it is not deemed appropriate to address the auditor’s report to the
general public at large. The auditor’s report is thus addressed to parliament or the provincial
legislature as the bodies that represent the general public.
The auditor’s report may also be addressed to shareholders, trustees or other identified users
in addition to parliament or the provincial legislature where there are persons or classes of
persons for whom it has been prepared (not the board of directors or the accounting authority
that is responsible for preparing the financial statements). If the Public Finance Management
Act 1 of 1999 (PFMA) as amended by the PFMA 29 of 1999, is not applicable to an entity and
the financial statements are not required to be tabled in parliament or the provincial legislature,
the auditor’s report should then be addressed to the appropriate level of oversight, usually the
responsible executive authority.

Opinion section
We have audited the financial statements of Jumpingjax Proprietary Limited set out on pages 10–45, which
comprise the statement of financial position as at 31 March 0001, and the statement of profit or loss and
other comprehensive income, statement of changes in equity and statement of cash flows for the year then
ended, and notes to the financial statements, including a summary of significant accounting policies.
In our opinion, the financial statements present fairly, in all material respects, the financial position of
Jumpingjax Proprietary Limited as at 31 March 0001 and its financial performance and cash flows for the
year then ended in accordance with International Financial Reporting Standards and the requirements of
the Companies Act of South Africa.
Note (f): The opinion paragraph must:
(i) have a heading “opinion”
(ii) state that the financial statements have been audited
(iii) identify the company whose financial statements have been audited
(iv) identify the title of each statement comprising the financial statements
(v) refer to the notes, including the summary of significant accounting policies, and
(vi) specify the date of, or period covered by, each financial statement making up the financial
statement as a whole, for example the statement of financial position at 31 March 0001,
statement of cash flows for the year then ended.
Note (g): In South Africa, the phrase present fairly, in all material respects has been adopted. ISA 700
(revised) allows the phrase “give a true and fair view”, but it is not used in South Africa.
Note (h): The opinion paragraph must also identify the reporting framework and any other regulatory
requirements in accordance with which the financial statements have been presented. In South
Africa this (usually) means IFRS or IFRS for SMEs and the Companies Act 2008, which also
contains certain reporting requirements. The annual financial statements of South African
companies comprise a complete set of financial statements identified in accordance with the
applicable financial reporting framework and the disclosure requirements of the Companies Act.
A directors’ report, however, is not identified as forming part of a complete set of financial
statements under the disclosure requirements of the applicable financial reporting framework
Note (i): When the auditor gives a qualified or adverse opinion or disclaims an opinion, it will require
changes to the wording of the opinion paragraph. This is explained later in the chapter.
Chapter 18: The audit report 18/7

Note (j): Public sector perspective


When the Standards of Generally Recognised Accounting Practice (GRAP) are applicable, a
complete set of financial statements comprises the statement of financial position, the statement
of financial performance, the statement of changes in net assets, the cash flow statement, and the
statement of comparison of budget information to actual information and notes to the financial
statements, including a summary of significant accounting policies.

Basis for opinion section


We conducted our audit in accordance with International Standards on Auditing (ISAs). Our
responsibilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the
[Consolidated and Separate] Financial Statements section of our report. We are independent of the [type of
entity] in accordance with the Independent Regulatory Board for Auditors’ Code of Professional Conduct for
Registered Auditors (IRBA Code) and other independence requirements applicable to performing audits of
financial statements in South Africa. We have fulfilled our other ethical responsibilities in accordance with
the IRBA Code and in accordance with other ethical requirements applicable to performing audits in South
Africa. The IRBA Code is consistent with the corresponding sections of the International Ethics Standards
Board for Accountants’ International Code of Ethics for Professional Accountants (including International
Independence Standards). We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our opinion.
Note (k): The basis of opinion paragraph in the unmodified report presents the user with a broad outline of
the “background” to the audit and its ethical basis. Four matters are covered:
(i) a statement that the audit was conducted in accordance with the ISAs (background)
(ii) a reference to the section of the auditor’s report which describes the auditor’s respon-
sibilities in terms of the ISAs (background)
(iii) a statement that the auditor is independent of the client (as described by the IRBA Code),
and has fulfilled his ethical duties in accordance with the IRBA Code (which is consistent
with the International Code) (ethical basis).
In addition to the above codes, various laws and regulations may also contain independence and
ethical requirements. For example:
• The Companies Act contains restrictions on the non-audit services that may be provided by
the auditor to certain companies, and also contains requirements relating to the rotation of
the engagement partner.
• Directive 6/2008, issued in terms of the Banks Act contains requirements regarding the
rotation of the engagement partner(s).
• In compliance with section 10(1)(a) of the APA, the IRBA has published a Rule on Mandatory
Audit Firm Rotation that requires that an audit firm, including a network firm as defined in the
IRBA Code, shall not serve as the appointed auditor of a public interest entity for more than
10 consecutive years; and thereafter, the audit firm will only be eligible for reappointment as
the auditor after the expiry of at least five financial years. The requirement is effective for
financial years commencing on or after 1 April 2023. Therefore, if the audit firm has served
as the appointed auditor for a public interest entity for 10 or more consecutive years before
the financial year commencing on or after 1 April 2023, then the audit firm shall not accept
re-appointment and will be required to rotate.
The auditor should be familiar with all codes, laws and regulations containing ethical require-
ments that apply to the audit engagement.
As there are numerous codes, laws and regulations that the auditor is required to adhere to,
the statement included in the auditor’s report on independence and other ethical requirements,
in South Africa, makes reference to the IRBA Code and other independence and ethical
requirements applicable to performing audits of financial statements in South Africa
(iv) a statement that the auditor believes sufficient appropriate evidence to provide a basis for
the opinion, has been obtained (background).
Note (l): When the auditor gives a qualified or adverse opinion or disclaims an opinion, an explanation
thereof will be provided at the start of the Basis for Opinion paragraph.
18/8 Auditing Notes for South African Students

Key audit matters section


This section is included only in the audit reports of listed companies. The example we are using here to
illustrate the unmodified audit report is for a private company, Jumpingjax (Pty) Ltd, so (normally) there
would be no key audit matters section. Of course, the auditor of a private company may choose to include
a key audit matters paragraph. If so, the requirements of ISA 701 would be implemented. Key audit
matters are dealt with later in the chapter.
Public sector perspective
The Auditor-General of South Africa (AGSA) has determined that the communication of key audit matters
in the auditor’s report will be applicable to all audits of public sector entities. This will be phased in as
determined by the AGSA, except for those listed entities where the inclusion of KAM is mandatory

Other information section


The directors are responsible for the other information. The other information comprises the information
included in the document titled “ABC Proprietary Limited Annual Financial Statements for the year ended
31 December 20X1”, which includes the Directors’ Report as required by the Companies Act of South
Africa. The other information does not include the financial statements and our auditor’s report thereon.
Our opinion on the financial statements does not cover the other information and we do not express an
audit opinion or any form of assurance conclusion thereon.
In connection with our audit of the financial statements, our responsibility is to read the other informa-
tion and, in doing so, consider whether the other information is materially inconsistent with the financial
statements or our knowledge obtained in the audit, or otherwise appears to be materially misstated. If,
based on the work we have performed, we conclude that there is a material misstatement of this other
information, we are required to report that fact. We have nothing to report in this regard.
Note (m): The directors’ report forms part of the annual financial statements of both private and listed
companies prescribed by the Companies Act, and must be reported upon by the auditor.
However, the information in the directors’ report is not in the form of assertions and the subject
matter is not identifiable and capable of consistent evaluation or measurement against identified
criteria. Consequently the opinion expressed on the financial statements does not extend to the
information contained in the directors’ report as the auditor has no basis for concluding that the
information is properly stated. In other words, the auditor cannot say that the directors’ report
“fairly presents” because there is no standard on which to judge the fair presentation of
directors’ reports.
Therefore for audit reporting purposes, the directors’ report is considered to be “Other
information” as dealt with in ISA 720 (revised). The same will apply to the audit committee’s
report and the company secretary’s certificate, which are requirements for a public company, but
normally not for a private company.
Note (n): In South Africa, the corporate governance code, known as King IV, the JSE Limited Listings
Requirements (Listings Requirements) and the Companies Act require a listed entity to present
supplementary reports and information disclosures for various stakeholders.
The Companies Act does not require or address the preparation of an annual report and
therefore does not define the annual report.
The Listings Requirements prescribe certain disclosures that should be included in a listed
entity’s annual report, but also do not define the annual report. The JSE Limited (JSE) pre-
scribes the manner and form in which listed entities are required to announce their financial
results to the market. Registered auditors are therefore required to consider client-specific facts
and circumstances when determining the document(s) that comprise their client’s annual report.
For a South African company whose financial statements are audited, the annual report, for
purposes of ISA 720 (revised), includes:
• annual financial statements
• the integrated report (if prepared), and
• any other documents that are described within the company’s annual financial statements or
its integrated report as forming part of the company’s annual financial statements or its
integrated report.
Chapter 18: The audit report 18/9

Furthermore, in South Africa an entity’s integrated report will be its annual report for purposes
of ISA 720 (revised), irrespective of the following:
• its title (example.g., “Integrated report”; “Integrated annual report” or “Annual report”), and
• whether the annual financial statements and the auditor’s report thereon are contained
therein.
ISA 720 (revised) does not expand on the meaning of “accompanies” in the definition of an
annual report. The Standard does not, for example, indicate that a document would “accom-
pany” the financial statements only if it is issued at the same time or in close proximity to the
issuance of the financial statements. The IRBA’s reading of the Standard is that a document
could meet the definition of an annual report even if there was a significant time delay between
the issue date of the financial statements and that of the entity’s annual report.
The application material to ISA 720 (revised) explains that an annual report is different in
nature, purpose and content from other reports, such as a report prepared to meet the informa-
tion needs of a specific stakeholder group or a report prepared to comply with a specific
regulatory reporting objective (even when such a report is required to be publicly available). It
lists, among others, separate regulatory reports and sustainability reports1 as examples of reports
that, when issued as standalone documents, are not typically part of the combination of docu-
ments that comprise an annual report (subject to law, regulation or custom) and that, therefore,
are not other information within the scope of the Standard. The IRBA is thus of the view that
regulatory reports and sustainability reports that are issued as standalone documents, without,
for example, being described as forming part of the entity’s annual report, are not part of the
combination of documents that comprise an entity’s annual report.
Public sector perspective
The Directors’ Report,2 the Audit Committee’s Report,3 (when applicable) and the Company Secretary’s
Certificate4 (when applicable) form part of the annual financial statements prescribed by the Companies
Act. Where the entity is not a company, reference to these documents should be omitted.
In addition to King IV, the Listings Requirements and the Companies Act requirements that may be
applicable to certain public sector entities, the PFMA also includes requirements relating to these entities’
annual reports.
In the public sector, other information comprises financial and non-financial information, other than (i)
the financial statements; (ii) the auditor’s report thereon; and (iii) those objectives in the entity’s annual
report where its performance against predetermined objectives have been specifically audited and reported
on in the auditor’s report.
In terms of section 28(1)(c) of the Public Audit Act 25 of 2004 (PAA), the report of an auditor appointed
in terms of section 25(1)(b) of the PAA (i.e. section 4(3) registered auditors), must reflect such opinions and
statements as may be required by any legislation applicable to the auditee which is the subject of the audit,
but must reflect at least an opinion or conclusion on –
(c) the reported information relating to the performance of the auditee against predetermined objectives.

Responsibilities of the directors for the financial statements section


The directors are responsible for the preparation and fair presentation of the financial statements in accord-
ance with International Financial Reporting Standards and the requirements of the Companies Act of
South Africa, and for such internal control as the directors determine is necessary to enable the preparation
of financial statements that are free from material misstatement, whether due to fraud or error.
In preparing the financial statements, the directors are responsible for assessing the company’s ability to
continue as a going concern, disclosing, as applicable, matters related to going concern and using the going
concern basis of accounting unless the directors either intend to liquidate the company or to cease
operations, or have no realistic alternative but to do so.

______________
1 The Global Reporting Initiative (GRI) defines a sustainability report as “a report published by a company or organisation
about the economic, environmental, and social impacts caused by its everyday activities”.
2 S 30(3)(b) of the Companies Act, 2008.
3 S 94(7)(f).
4 S 88(2)(e).
18/10 Auditing Notes for South African Students

Note (o): Although ISA 700 (revised) stipulates that the heading of this paragraph should read
“Responsibilities of Management . . . ”, SAAPS 3 (revised May 2019) requires the heading to
read “Responsibilities of the Directors . . . ” This is perfectly permissible in terms of ISA 700
(revised) and is the preferred wording for South Africa.
Note (p): The inclusion of this paragraph is to emphasise (for users) that the directors are responsible for:
(i) preparing the financial statements (not the auditor)
(ii) implementing internal controls which underlie the financial statements
(iii) assessing the company’s going concern ability, and
(iv) using the going concern basis of accounting to prepare the financial statements (unless they
intend to liquidate, cease trading or have no option other than to do so).
Note (q) The Companies Act requires the annual financial statements to be approved by the board and
signed by an authorised director. As such, in the case of a South African company, the report
should state that the company’s directors are responsible for the preparation (and fair
presentation) of the financial statements.
In terms of the Close Corporations Act 68 of 1984, these requirements apply to the authorised
member(s) of a Close Corporation. As such, the reference to the directors’ responsibility
becomes a reference to the members’ responsibility.
ISA 700 (revised) also requires that this section of the auditor’s report should identify those
responsible for the oversight of the financial reporting process when they are different from those
who fulfil the responsibilities for the preparation of the financial statements. In such a case, this
section’s heading would also refer to “Those Charged with Governance” (TCWG). TCWG is
defined in ISA 260 (revised), Communication With Those Charged With Governance.
Since the company’s directors or the public entity’s accounting authority are responsible for
the oversight of the financial reporting process, as stated above, no reference to oversight
responsibilities is required in the auditor’s report of a South African company.
Public sector perspective
The auditor’s report in the public sector refers to the accounting authority’s responsibility, based
on the PFMA requirements, as follows:
• public entities – accounting authority, and
• public entities registered as a company – the board of directors, which constitutes the
accounting authority.
If the PFMA is not applicable to an entity, the name of the party responsible for the preparation
of the financial statements – in terms of the legislation that governs that entity – should be
inserted.

Auditor’s responsibilities for the audit of the financial statements


Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are
free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that
includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit
conducted in accordance with ISAs will always detect a material misstatement when it exists. Misstate-
ments can arise from fraud or error and are considered material if, individually or in the aggregate, they
could reasonably be expected to influence the economic decisions of users taken on the basis of these
financial statements.
As part of an audit in accordance with ISAs, we exercise professional judgement and maintain profes-
sional scepticism throughout the audit. We also:
• Identify and assess the risks of material misstatement of the financial statements, whether due to fraud
or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that
is sufficient and appropriate to provide a basis for our opinion. The risk of not detecting a material
misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve
collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
• Obtain an understanding of internal control relevant to the audit in order to design audit procedures
that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the
effectiveness of the company’s internal control.
Chapter 18: The audit report 18/11

• Evaluate the appropriateness of accounting policies used and the reasonableness of accounting
estimates and related disclosures made by the directors.
• Conclude on the appropriateness of the directors’ use of the going concern basis of accounting and
based on the audit evidence obtained, whether a material uncertainty exists related to events or condi-
tions that may cast significant doubt on the company’s ability to continue as a going concern. If we
conclude that a material uncertainty exists, we are required to draw attention in our auditor’s report to
the related disclosures in the financial statements, or, if such disclosures are inadequate, to modify our
opinion. Our conclusions are based on the audit evidence obtained up to the date of our auditor’s
report. However, future events or conditions may cause the company to cease to continue as a going
concern.
• Evaluate the overall presentation, structure and content of the financial statements, including the
disclosures, and whether the financial statements represent the underlying transactions and events in a
manner that achieves fair presentation.
We communicate with the directors regarding, among other matters, the planned scope and timing of the
audit and significant audit findings, including any significant deficiencies in internal control that we
identify during our audit.
Note (r): ISA 700 (revised) has expanded the auditor’s responsibility paragraph significantly. SAAPs 3
(revised May 2019) has responded to this with new and appropriate wording. The intention is
again to provide the user with a better understanding of what the audit is all about and what the
auditor’s responsibilities are as opposed to those of the directors. A number of general matters
are covered in this paragraph:
(i) the objectives of the auditor, i.e. obtain reasonable assurance and report
(ii) the meaning of reasonable assurance, i.e. a high level of assurance but not a guarantee
(iii) the meaning of material in the context of misstatements
(iv) professional judgement and professional scepticism, and
(v) the risk relating to fraud, as opposed to error.
These are followed by a broad description of what the auditor does:
(vi) identify, assess and respond to the risks of material misstatements
(vii) obtain sufficient appropriate evidence to provide a basis for our opinion
(viii) obtain an understanding of internal control but not for the purpose of expressing an opinion
on its effectiveness
(ix) evaluate the appropriateness of accounting policies and estimates
(x) conclude on the appropriateness of the use of the going concern basis of accounting
(xi) evaluate overall presentation, structure and content of the financial statements and whether
they fairly present the underlying transactions, and
(xii) communicate with the directors (see note (s).
Note (s): For a private company audit report, the auditor’s responsibility section concludes with a sentence
which deals with communicating with the directors on the planned scope, timing and significant
audit findings including if any, deficiencies in internal control. For a public company audit
report, the auditor’s responsibility section, in addition, explains that the auditor supplies the
directors with a statement that he has complied with “independence” requirements, and that he
will communicate with them on any relationships/matters that may affect his independence and
if applicable, any safeguards put in place to address any independence issues.
Note (t): Again for a listed (public) company only, the auditor states in the auditor’s responsibility section
(at the end) that from the matters communicated with the directors, those that were of most
significance to the audit were designated key audit matters and thus were described in the audit
report.
Note (u): In terms of ISA 700 (revised), the description section of the auditor’s responsibilities section
(essentially everything after and including Note (r) iv above may be omitted from the audit
report and included in an appendix to the audit report. ISA 700 (revised) also permits that the
audit report may contain reference to a specific website on which the description of the auditor’s
responsibilities can be found. However, there is no regulation in South Africa which permits
this.
18/12 Auditing Notes for South African Students

Signing off
In terms of the IRBA Code, section 150.6, if the audit report is presented on a firm’s letterhead, the
following signing off will be appropriate:
Tommy Tickitt
Thomas Tickitt: Partner or Director
Registered Auditor
1 May 0001
Note (v): If the report is not presented on a firm’s letterhead, the name and address of the registered
auditor’s firm must be added.
Note (w): The designation “director” is used when the auditor’s firm is incorporated. If the auditor is a
sole practitioner, neither “partner” nor “director” is required.
Note (x): The auditor’s report must be dated no earlier than the date on which the auditor has obtained
sufficient appropriate audit evidence on which to base the auditor’s opinion. By implication, this
means that the auditor has considered the effect of events and transactions on the financial
statements up to the date of signing. Before signing, the auditor must ensure that:
(i) a complete set of financial statements has been prepared, and
(ii) the directors have signed the financial statements (indicating that the board has taken
responsibility for them).

Report on other legal and regulatory requirements


As indicated in Note (c) on page 18/5 there are instances where the auditor has a responsibility to report to
the shareholders arising out of legislation/regulation other than legislation/regulation pertaining directly to
the audit of the financial statements. The most obvious example of this would be where the auditor has a
responsibility to report in the audit report, on “the status” of any reportable irregularities which he has
reported to the IRBA. This reporting responsibility is created by the requirements of sections 44 and 45 of
the Auditing Profession Act 2005.
Another example of this is the requirement that in terms of an IRBA rule (sanctioned by the Auditing
Profession Act) that all audit reports in respect of public companies which fit the definition of public interest
entities in the IRBA Code, must disclose the number of years which the audit firm has been the auditor of
the entity. This is termed “audit tenure” and the requirement will apply mainly to listed companies as they
are defined as public interest entities. The wording which will be included in the Report on Other Legal
and Regulatory Requirements section, will be “In terms of the IRBA Rule published in Government Gazette
No 39475 dated 4 December 2015, we report that Deloitte has been the auditor of Mars Ltd for five years”.
The Regulatory Board made the decision to require the mandatory disclosure of audit tenure in the context
of strengthening auditor independence, which is consistent with measures implemented in other juris-
dictions. This disclosure of audit tenure will lead to transparency of association between audit firms and
audit clients.

18.3 Modifications to the opinion in the independent auditor’s report


– ISA 705 (revised) (effective 15 December 2016)
18.3.1 Introduction
(a) This statement like its predecessors, explains the mechanics of reporting, i.e. how to decide on the
appropriate report in circumstances where a modified audit opinion is required. The two major
decisions which have to be made and which will determine the appropriate report are:
• the nature of the matter giving rise to the modification (see 18.3.2 below), and
• the pervasiveness of the effects or possible effects of the matter on the financial statements (see
18.3.3 below).
(b) These decisions will have to be made when:
• the auditor concludes, based on the audit evidence obtained, that the financial statements as a
whole, are not free from material misstatement (see 18.3.2 (a) below), or
• the auditor is unable to obtain sufficient appropriate evidence to conclude that the financial
statements as a whole are free from material misstatement (see 18.3.2 (b) below).
Chapter 18: The audit report 18/13

The first situation under (b) arises when the auditor is satisfied that there is material misstatement; and
the second arises when the auditor does not know whether or not there is material misstatement.
(c) When modifying the opinion, the auditor’s options are to (see 18.3.2 (d) below):
• express a qualified opinion (except for)
• express an adverse opinion (do not), or
• disclaim an opinion (unable to form an opinion).

18.3.2 Determining the nature of the matter giving rise to the modification
(a) The auditor concludes that, based on the audit evidence obtained, the financial statements as a
whole are not free from material misstatement
This situation arises when at the conclusion of the audit there is material uncorrected misstatement in the
financial statements. Note that ISA 450 – Evaluations of Misstatements Identified during the Audit, defines
a misstatement as a difference between the amount, classification, presentation or disclosure of a reported
financial statement item, and the amount, classification, presentation or disclosure that is required for the
item to be in accordance with the applicable financial reporting framework, for example IFRS.
Looked at another way, this situation arises when the auditor, based on the evidence gathered on the
audit, disagrees with one or more representations (assertions) made by the directors in the financial state-
ment being audited. Remember that the financial statements are the responsibility of the directors and that
the auditor’s responsibility is to determine whether the financial statements are fairly presented.
Material misstatement of the financial statements may arise in relation to:

The appropriateness of the selected accounting policies


Inappropriateness in this context means that the accounting policies are not consistent with the applicable
financial reporting framework, the accounting policy for a significant account heading/item in the financial
statements is not correctly described or the financial statements do not represent or disclose the underlying
transactions and events in a manner which achieves fair presentation:
For example, the audit client values its inventory at replacement cost instead of the lower of cost or net
realisable value – inappropriate policy, or
For example, the audit client has decided not to capitalise a major finance lease it entered into during
the financial year – inappropriate policy.

The application of the selected accounting policy


Concerning an application, material misstatement may arise when:
• the directors have not applied the policy consistent with the requirements of the financial reporting
framework including, consistency between reporting periods and consistency between similar trans-
actions and events
• the method of application of the accounting policy is incorrect:
For example, the audit client has appropriately selected to capitalise a finance lease but has not applied
the policy in terms of the applicable standard; the client has raised the asset in the plant and equipment
account and long term liabilities account at the amount which the company would have paid for the
asset had they purchased it for cash.
For example, the directors have not followed the same logic (have been inconsistent) in determining the
extent of disclosure of two material contingent liabilities.

The appropriateness or adequacy of disclosures in the financial statements


Appropriateness and adequacy in this context mean that material misstatement may arise when the
disclosure required by the reporting framework is incomplete or not presented in terms of the financial
reporting framework:
For example, a very important contingent liability arising from a court case has not been disclosed at
all.
For example, the disclosures about directors’ emoluments have not been presented in accordance with
IFRS and section 30 of the Companies Act 2008.
18/14 Auditing Notes for South African Students

(b) The auditor is unable to obtain sufficient appropriate evidence to conclude that the financial state-
ments as a whole are free from material misstatement. The auditor’s inability to obtain sufficient
appropriate audit evidence (often referred to as a limitation of scope) can arise from:
Circumstances beyond the control of the audit client
• For example, the client’s accounting records were destroyed by fire and were not adequately backed up.
• For example, ongoing physical danger; political unrest has prevented the auditor from visiting certain of
the audit client’s warehousing or manufacturing facilities to conduct audit procedures such as inventory
counts.
Circumstances relating to the nature or timing of the auditor’s work
• For example, the audit client is required to account for an associated company using the equity method,
but the auditor is not able to obtain sufficient appropriate evidence about the associated company’s
financial information to evaluate whether the equity method has been appropriately applied. (Remem-
ber that the auditor does not have the right to demand evidence from the associated company.)
• For example, the timing of the auditor’s appointment is such that the auditor is unable to observe the
counting of physical inventories.
Limitations imposed on the auditor by the client’s management
• For example, management refuses to give the auditor access to the accounting records relating to
directors’ emoluments.
• For example, the board will not allow the auditor to review the minutes of directors’ meetings.
Bear in mind that the inability to carry out a specific procedure does not constitute a limitation of scope if
alternative audit procedures provide the necessary, sufficient, appropriate evidence. Also, remember that a
lack of ability, competence or resources on the part of the auditor cannot be regarded as a limitation of the
scope of the auditor.

18.3.3 Making a judgement about the pervasiveness of the effects or possible effects
of the matter on the financial statements
18.3.3.1 Material and, material and pervasive
The second matter which the auditor considers is the extent to which the financial statements are affected,
or may possibly be affected by the matter which may give rise to a modification of the auditor’s opinion,
i.e. will the effect be material or will it be material and pervasive? Bear in mind that if the modification arises
out of a difference (misstatement), the auditor can clearly state the difference and quantify its effect on the
financial statements. If the modification arises because the auditor could not obtain sufficient appropriate
evidence, he can only judge the possible effect of the matter on the financial statements. He will not have the
necessary evidence to quantify the effect.
As discussed in chapter 7, the auditor will have given considerable thought to materiality, both in plan-
ning and performing the audit and in considering final materiality so he has a good indication of what is
material both quantitatively and qualitatively. The auditor has to measure the full effect or possible effect of
the matter giving rise to the modification of the audit opinion on the financial statements. He needs to
measure the misstatement against what he considers would be material in the eyes of users. Remember that
ISA 320 suggests that a matter will be material if it could reasonably be expected to influence the economic
decisions of a user taken based on the financial statements.
Think of it like this. The auditor’s final materiality level is R100 000. This means that in the auditor’s
judgement, misstatement in the financial statements of say, R105 000 would have at least a material effect
on the decisions users make based on the financial statements. 0But what about misstatement of R250 000
or more? The effect of misstatement of this size relative to his materiality limit is likely to be material and
pervasive. Measuring the effect of a disagreement is far easier than measuring the effect of a limitation of
scope. In the case of a modification arising from a limitation of scope, the auditor will still need to judge
how extensively the limitation affects the financial statements, but he does not have actual amounts to
work with. For example, if the limitation relates only to evidence relating to long-term loans the auditor
might consider the possible effect to be material only, but if the scope limitation spreads to evidence
relating to long term loans, creditors and capitalised leases and profit figures, the auditor is likely to
consider that the scope limitation “pervades” (spreads throughout) the financial statements as a whole. The
auditor still does not have exact amounts to work with and will have to rely on his professional judgement
to judge the pervasive effects.
Chapter 18: The audit report 18/15

ISA 705 (revised) defines “pervasive effects” as those that in the auditor’s judgement:
• are not confined to specific elements, accounts or items in the financial statements, or
• if they are so confined, represent a substantial proportion of the financial statements, or
• in relation to disclosures, are fundamental to a user’s understanding of the financial statements.
Some guidance was given in an earlier version of the reporting statement and although it is no longer
“current” it is still helpful. In terms of the former statement:
• a modification of the audit opinion arising from misstatement becomes material and pervasive when its
impact on the financial statements is so great that fair presentation as a whole has been undermined and an
“except for” qualification will not adequately convey the misleading or incomplete nature of the financial
statements
• a modification of the audit opinion arising from insufficient appropriate evidence (a scope limitation)
should be regarded as material and pervasive if the effect of the limitation has resulted in the auditor
being unable to obtain sufficient appropriate evidence to the extent that it is simply impossible to
express any opinion.

18.3.4 Types of modified opinions


At this stage, the auditor will have classified the nature of each matter giving rise to modification and will
have judged the extent of the effect or possible effect (pervasiveness) of each matter, individually and collect-
ively, on the financial statements. It is now time to match nature and effect to arrive at the appropriate
opinion. ISA 705 (revised) provides the (slightly adapted) chart below to guide this procedure:

Auditor’s judgement about the pervasiveness of the effects or possible effects


Nature of matter giving rise on the financial statements
to the modification
Material but not pervasive Material and pervasive
Financial statements are Qualified opinion (except for) Adverse opinion
materially misstated
(Disagreement)
Inability to obtain sufficient, Qualified opinion (except for) Disclaimer of opinion
appropriate audit evidence
(scope limitation)

We can deduce the following from the chart:


• All material but not pervasive modifications will be except for qualifications (but as you will see in the
next section, the wording of the report will be slightly different for modifications arising out of material
misstatements, and modifications arising out of the auditor’s inability to obtain sufficient appropriate
audit evidence).
• Where the effect of a misstatement is material and pervasive, only an adverse opinion can be given. An
adverse opinion is a clear statement that the financial statements do not fairly present.
• Where the effect of a scope limitation is material and pervasive, only a disclaimer of opinion can be
given. This is because the auditor is unable to form an opinion – he is not in a position to say that the
financial statements are fairly presented or that they are not fairly presented as he does not have
sufficient appropriate audit evidence to make the decision.
• The audit opinion can be modified “except for” in respect of two different matters and the matters may
be of different natures, for example in the auditor’s opinion long-term liabilities may be misstated, and
he may have had his scope limited in respect of the audit of accounts receivable. For “multiple” except
for qualifications to be appropriate, neither matter on its own can be material and pervasive.
• An adverse opinion cannot be mixed with a disclaimer of opinion – the auditor can’t say in the same
report that the financial statements do not fairly present and then say that he doesn’t know if they fairly
present!
• Similarly an “except for” modification cannot be included in an adverse opinion or with a disclaimer of
opinion even if the nature of the matters to which they relate are the same.
18/16 Auditing Notes for South African Students

18.4 Compiling a report where the opinion is modified – Structure and wording
(form and content)
18.4.1 Introduction
The intention of Appendix 1 and Appendix 2 is to illustrate how the wording changes when different types
of audit reports are given. We have compared the wording used in qualified reports to an unmodified
report (Appendix 1) and the wording in adverse opinion reports and disclaimer of opinion reports to the
same unmodified report. In Appendix 2 we have included an audit report for a listed company to illustrate
the inclusion of additional information required in a listed company report compared to a private company
report.
• You will notice immediately that a large portion of the wording does not change from report to report,
but you should also notice that there are some subtle (not so obvious) changes.
• SAAPS 3 (revised May 2019) requires that the full description of the company be used in audit reports.
For the purposes of illustrations we have used the abbreviations Ltd and (Pty) Ltd.
• We have chosen five companies, four private and one listed for the illustration. Use the information
below in conjunction with the appendices to gain an understanding of what is required.

18.4.2 Companies
• Riggs (Pty) Ltd’s audit report is used to illustrate an unmodified report. No problems were encountered
on the audit and there was no duty to report on other legal and regulatory requirements, for example
sections 44 and 45 of the Auditing Profession Act or audit tenure (IRBA Rules). Therefore it is not
necessary to include the subtitles (see page 18/5) in the report.
• Basix (Pty) Ltd’s audit report is used to illustrate a qualified opinion arising out of a material
misstatement (disagreement) which is considered by the auditor to be material but not material and
pervasive. The company has failed to capitalise a finance lease. Again there is no duty to report on
other legal and regulatory requirements, for example sections 44 and 45 of the Auditing Profession Act
or audit tenure (IRBA Rules).
• Millco (Pty) Ltd’s audit report is used to illustrate a qualified opinion arising out of an inability on the
part of the auditor to obtain sufficient appropriate evidence (scope limitation), the effect of which is
considered by the auditor to be material but not material and pervasive. In addition to selling its
products on credit, the company has opened a factory shop from which it sells its products for cash only.
As this is a new venture, the controls over cash sales are poor. The factory shop has been very successful
and turnover has increased. Cash sales are reflected at about 12% of total turnover. Again no other
reporting duties. In the illustrative report, take note of the inclusion of the word possible in the opinion
when comparing Millco (Pty) Ltd to Basix (Pty) Ltd.
• Markx Ltd’s audit report is used to illustrate an adverse opinion arising from a material misstatement
(disagreement), the effect of which is considered by the auditor to be material and pervasive. The
company is listed on the JSE. Due to competition in the market place for some of the company’s products
and damage to inventory caused by flooding, the net realisable value of some products has fallen below
cost. The directors have declined to recognise any impairment losses. Because the company is listed, the
report must include a Key Audit Matters section. In addition, because it is a public interest company
(by virtue of being a listed company), the auditor has an additional duty to report on audit tenure in
terms of the IRBA regulations.
Note (a): Although a qualified or an adverse opinion is by its nature, a Key Audit Matter, it is not treated
as such in the audit report. There is no point in duplicating a matter which has already been
communicated in the Basis for Qualified (Adverse) Opinion section. However, ISA 701 requires
that reference to the Basis for Qualified (Adverse) Opinion section be made in the Key Audit
Matter section as illustrated in Appendix 2.
Note (b): In terms of the Companies Act 2008, public companies are required to include, in addition to
the directors’ report, the audit committee’s report and the company secretary’s certificate in the
financial statements. These are deemed to be “other information” and reference to them must be
made in the other information section of the audit report. In addition the JSE Ltd listing
requirements require listed companies to provide supplementary reports, schedules etc. which
may be presented with the financial statements in the annual report but which do not form part
of the financial statements. These supplementary reports, schedules etc. must also be identified
in the Other Information section.
Chapter 18: The audit report 18/17

• Cheap (Pty) Ltd’s audit report is used to illustrate a disclaimer of opinion arising from the auditor’s
inability to obtain sufficient appropriate evidence (scope limitation), the effect of which is considered by
the auditor to be material and pervasive. Cheap (Pty) Ltd sells for cash only. During the year the
company experienced numerous breakdowns in the system of control over the recording of sales.
Again, there is no duty to report on other legal or regulatory requirements.
Note (c): When a disclaimer of opinion is given, some changes are made to the positioning of wording
and some wording is omitted:
(i) In the qualified and adverse reports the paragraph which refers to the ISAs, the auditor’s
responsibilities section, independence and sufficient appropriate evidence is located in the
Basis for Opinion section, but when a disclaimer is given, this paragraph is omitted from
the Basis of Opinion section but included in the auditor’s responsibilities section. In effect,
the auditor explains that he was unable to meet his responsibilities to conduct and audit in
terms of the ISA, but that he did meet his independence and ethical requirements.
(ii) In addition to (i) above, the detailed description of the auditor’s responsibilities, as
contained in the Qualified Opinion and Adverse Opinion reports, is omitted in the
Disclaimer of Opinion report. Only what is described in (i) above is included.

18.4.3 Additional points relating to structure and wording (form and content)
• Where the opinion is qualified “except for”, for more than one matter, an explanation will be included
for each matter in the Basis for Qualified Opinion section. If the nature of the matters giving rise to the
qualifications is different (i.e. one matter is based on misstatement and the other is based on a scope
limitation) the two explanations will need to be separately identified. This is because reference to each
explanation will have to be made in the Opinion section.
Example: Assume that the misstatement matter is explained in paragraph (a) and the scope limitation
matter is explained in paragraph (b). The opinion section will read
“In our opinion, because of the effects of the matter described in paragraph (a) of the Basis for Qualified Opinion
section and because of the possible effects of the matter described in paragraph (b) of the Basis for Qualified
Opinion section the financial statements present fairly in all material respects . . .”
• Theoretically, a situation could arise where the effect of misstatements is, in itself, material and
pervasive and the effect of a scope limitation is also material and pervasive. Obviously, it is not possible
to combine an adverse opinion and a disclaimer of opinion as mentioned earlier. What does the auditor
do? There is no clear answer, but the adverse opinion is the stronger modification, because it is an
actual opinion. The scope limitation could be raised in an “Other matter” section after the opinion
section, but with very clear and precise wording which makes it clear that an adverse opinion has been
given.
• Where an “Emphasis of matter” or “Other matter” paragraph is added, it must be placed below the
opinion section.
• The most desirable audit opinion is an unmodified opinion, as this sends a positive message to users. It
signifies that the financial information which they may use for decision making is fairly presented
– Although misstatements, etc., will already have been discussed with management at the time they
were discovered, any proposed modifications should be discussed with the individuals responsible for
the financial statements in order to give them the opportunity to provide further information or to
amend the financial statements in a way which will enable the auditor to express an unmodified
opinion. In a listed company this process will be part of communicating with the audit committee.
– Where, after following these steps, the auditor still believes that a modification is necessary, careful
consideration should be given to whether the lesser modification, i.e. “except for” can be given
instead of an adverse opinion or a disclaimer. In other words, the material/ material and pervasive
decision should be revisited.
– The above steps are taken with the intention of concluding a positive and constructive audit.
However, it must be emphasised that the auditor must not compromise his compliance with the reporting or
other standards in an attempt to arrive at an unmodified opinion.
18/18 Auditing Notes for South African Students

Appendix 1 – Comparison of the wording used in an unmodified opinion report and in qualified
opinion reports
Qualified
Section Unmodified Qualified – scope limitation
– material misstatement
Title Independent Auditor’s Report Independent Auditor’s Report Independent Auditor’s Report
Addressee To the Shareholders of Riggs To the Shareholders of Basix To the Shareholders of Millco
(Pty) Ltd (Pty) Ltd (Pty) Ltd
Subtitle: Not applicable: No other Not applicable: No other Not applicable: No other
Report on reporting duties reporting duties reporting duties
the audit of
the financial
statements
Opinion 1. Heading: Opinion 1. Heading: Qualified Opinion. 1. Heading: Qualified Opinion.
2. We have audited the 2. We have audited the financial 2. We have audited the financial
financial statements of Riggs statements of Basix (Pty) Ltd statements of Millco (Pty) Ltd
(Pty) Ltd . . . ... ...
3. In our opinion the financial 3. In our opinion, except for the 3. In our opinion, except for the
statements present fairly, in effects of the matter described in the possible effects on the matter
all material respects, the Basis for Qualified Opinion section described in the Basis for
financial position of Riggs of our report, the financial Qualified Opinion section of our
(Pty) Ltd . . . statement present fairly, in all report, the financial statements
material respects, the financial present fairly in all material
position of Basix (Pty) Ltd . . . respects, the financial
position of Millco (Pty) Ltd
...
Basis for 1. Heading: Basis for Opinion 1. Heading: Basis for Qualified 1. Heading: Basis for Qualified
opinion 2. Explanation: none required. Opinion. Opinion.
3. Standard content 2. Explanation. 2. Explanation.
3.1 Audit conducted in The company has excluded from Included in turnover is an
accordance with property, plant and equipment and amount of Rxxx in respect of cash
International Standards liabilities in the accompanying sales. The company did not have
on Auditing statements of financial position, a adequate internal controls to
lease obligation that should be record these sales. We were
3.2 Reference to the capitalised in order to conform unable to obtain sufficient
auditor’s responsibility with International Accounting appropriate evidence to satisfy
section Standard IFRS16 – Leases. If this ourselves as to the completeness of
3.4 Independence and obligation had been capitalised, the cash sales recorded. As a
ethical requirements. right of use asset would be consequence, we were unable to
increased by Rxxxx, tight of use determine whether or not any
3.5 Sufficient appropriate
liability by Rxxxx the current adjustments were required to the
evidence to provide a
portion of long-term liabilities by financial statements arising from
basis for the opinion.
Rxxx and retained earnings by the omission of cash sales.
(see detailed wording Rxxx at 31 March 0001. 3. Standard context
on page 18/7) Additionally net profit would be 3.1 Audit conducted in
increased by Rxxx for the year then accordance with Inter-
ended. national Standards on
3. Standard content Auditing.
3.1 Audit conducted in 3.2 Reference to the
accordance with Inter- auditor’s responsibility
national Standards on section.
Auditing.
3.3 Independence and ethical
3.2 Reference to the auditor’s requirements.
responsibility section.
3.4 Sufficient appropriate
3.3 Independence and ethical evidence to provide a
requirements. basis for our qualified
3.4 Sufficient appropriate opinion.
evidence to provide a basis
for our qualified opinion.
continued
Chapter 18: The audit report 18/19

Qualified
Section Unmodified Qualified – scope limitation
– material misstatement
Key audit This section is not included as This section is not included as it is This section is not included as it
matters it is not required for private not required for private company is not required for private
company audit reports audit reports company audit reports
Other Matters covered in this section: No changes to the wording as No changes to the wording as
information 1. Directors’ responsibility for used in the unmodified report. used in the unmodified report.
other information.
2. Identification of other infor-
mation (including Directors’
report).
3. Audit opinion does not
cover other information.
4. Auditor’s responsibility to
other information and
whether there is anything to
report arising from this
responsibility.
See detailed wording on
page 18/8–18/9
Responsibil- Matters covered in this section: No changes to the wording as No changes to the wording as
ities of the 1. Preparing financial used in the unmodified report. used in the unmodified report.
directors for statements in accordance
the financial with IFRS (IFRS for SMEs).
statements
2. Implementing internal
controls necessary to
prepare financial statements
that are free of material
misstatement.
3. Assessing going concern.
4. Using the going concern
basis to prepare FS.
See detailed wording on
page 18/9
Auditor’s Matters covered in this section: No changes to the wording as No changes to the wording as
responsibil- 1. Auditor’s objectives. used in the unmodified report. used in the unmodified report.
ities for the
2. Explanation of reasonable
audit of the
assurance.
financial
statements 3. Professional judgement and
scepticism.
4. Identify, assess and respond
to the risks of material
misstatement.
5. Obtain an understanding of
internal control but no opinion
given on internal control.
6. Evaluate accounting policies
and estimates.
7. Conclude on the appro-
priateness of going concern.
8. Evaluate overall
presentation, structure and
content of FS.
9. Communication with the
directors.
See detailed wording on
page 18/10
continued
18/20 Auditing Notes for South African Students

Qualified
Section Unmodified Qualified – scope limitation
– material misstatement
Subtitle: This subtitle is not required as This subtitle is not required as This subtitle is not required as
Report on there are no other reporting there are no other reporting there are no other reporting
other legal duties. duties. duties.
and
regulatory
requirements
Signing off 1. Terry Tickett. No changes. No changes.
2. Terence Tickett
Partner
Registered Auditor
1 May 0001
3. If the audit report is not
presented on a firm’s letter-
head, the name and address
of the auditor’s firm is
included in signing off.

Appendix 2 – Comparison of the wording used in an unmodified audit report and in an adverse opinion
report and a disclaimer of opinion report

Section Unmodified Adverse opinion Disclaimer of opinion


Title Independent Auditor’s Report Independent Auditor’s Report Independent Auditor’s Report
Addressee To the Shareholders of Riggs To the Shareholders of Markx To the Shareholder of Cheap
(Pty) Ltd Ltd (Pty) Ltd
Subtitle: Not applicable: Subtitle: Report on the audit Not applicable:
Report on No other reporting duties. of the financial statements No other reporting duties
the audit of
the financial
statements
Opinion 1. Heading: Opinion. 1. Heading: Adverse Opinion. 1. Heading: Disclaimer of
2. We have audited the financial 2. We have audited the financial Opinion.
statements of Riggs (Pty) Ltd statements of Markx Ltd . . . 2. We were engaged to audit the
... 3. In our opinion because of the financial statements of Cheap
3. In our opinion the financial significance of the matter dis- (Pty) Ltd . . .
statements present fairly, cussed in the Basis for 3. We do not express an opinion
in all material respects, the Adverse Opinion section of on the financial statements of
financial position of Riggs our report, the financial Cheap (Pty) Ltd. Because of
(Pty) Ltd . . . statements do not present the significance of the matter
fairly, in all material respects described in the Basis for Dis-
the financial position of claimer of Opinion section of
Markx Ltd . . . our report, we have not been
able to obtain sufficient appro-
priate audit evidence to provide
a basis for an opinion on these
financial statements.
continued
Chapter 18: The audit report 18/21

Section Unmodified Adverse opinion Disclaimer of opinion


Basis for 1. Heading: Basis for Opinion. 1. Heading: Basis for Adverse 1. Basis for Disclaimer of
opinion 2. Explanation: none required. Opinion. Opinion.
3. Standard content 2. Explanation. 2. Explanation.
3.1 Audit conducted in In terms of IAS 2 – Inventories, Revenue reflected in the
accordance with Inter- the company must value its statement of comprehensive
national Standards on inventory at year end at the income at Rxxxm consists
Auditing. lower of cost or net realisable entirely of sales made for cash.
3.2 Reference to the value. This requires that As a result of numerous break-
auditor’s responsibility inventories be tested for impair- downs in the system, there was
section. ments. Significant competition no system of control on which
in the market for some of the we could rely for the purpose of
3.3 Independence and ethical
company’s products and our audit. There were no satis-
requirements.
damage to inventory caused by factory procedures we could
3.4 Sufficient appropriate flooding have caused the net perform to obtain reasonable
evidence to provide a realisable value of inventories assurance that all sales were
basis for the opinion. of these products to fall below completely and accurately
(see detailed wording on their cost at 31 March 0001. recorded.
page 18/7) However, the directors have Consequently we were unable to
declined to make the necessary determine whether any adjust-
adjustments to the financial ments were necessary in respect
statements. Consequently of recorded or unrecorded sales.
inventories have been overstated Note 1: The explanation is all
by Rxxx, profit before tax by that is included in this section
Rxxx and shareholder’s equity for a disclaimer.
by Rxxx. These required
Note 2: The standard content of
adjustments are considered
3.1 to 3.4 used when an opinion
material and pervasive to the
(unmodified except for, or
financial statements as a whole.
adverse) is given is not included
3. Standard Content in this section for a disclaimer,
3.1 Audit conducted in but see the Auditor’s Respon-
accordance with Inter- sibility section.
national Standards on
Auditing.
3.2 Reference to auditor’s
responsibility section.
3.3 Independence and ethical
requirements.
3.4 Sufficient appropriate
evidence to provide a
basis for our adverse
opinion.
continued
18/22 Auditing Notes for South African Students

Section Unmodified Adverse opinion Disclaimer of opinion


Key audit Not applicable – private Heading: Key audit matters. Not applicable – private
matters company Besides the matter described in company
the Basis for Adverse Opinion
section, we have determined that
there are no other key audit
matters.
Note: The following would be
included if there were other key
audit matters to communicate in
the report. Key audit matters are
those matters that in our profes-
sional judgement were of most
significance in our audit of the
financial statements of the current
period. These matters were
addressed in our audit of the
financial statements as a whole,
and in forming our opinion
thereon and we do not provide a
separate opinion on these matters.
In addition to the matter described
in the Basis for Adverse Opinion
above, we have determined the
matters described below to be the
key audit matters to be
communicated in our report:
Matter 1…………
Matter 2 …………
Other 1. Heading: Other information 1. Heading: Other information 1. Heading changes to Other
information 2. Matters covered in this No change to the wording as matter – Reports required by
section. used in the unmodified report the Companies Act.
2.1 Director’s responsibility except that in the case of a listed 2. The annual financial
for other information. company, other information will statements include the
2.2 Identification of other include the Directors’ Report, Directors’ Report as required by
information (particularly the Audit Committee’s Report the Companies Act of South
director’s report). and the Company Secretary’s Africa. The directors are
Certificate and any other responsible for this other
2.3 Audit opinion does not
supplementary information. information.
cover other information.
3. We have read the other infor-
2.4 Auditor’s responsibility
mation and, in doing so,
to other information and
considered whether the
whether there is anything
Directors’ report is materially
to report arising from this
inconsistent with the financial
responsibility.
statements or our knowledge
For detailed wording, see obtained on the audit, or
page 18/8–18/9 otherwise appears to be mis-
leading. However, due to the
disclaimer of opinion in terms
of ISA 705 (revised), we cannot
report further on this
information.
continued
Chapter 18: The audit report 18/23

Section Unmodified Adverse opinion Disclaimer of opinion


Responsibil- Matters covered in this section: No changes to the wording as No changes to the wording as
ities of the 1. Preparing financial used in the unmodified report. used in the unmodified report.
directors for statements in accordance
the financial with IFRS (IFRS for SMEs).
statements 2. Implementing internal
controls necessary to prepare
financial statements that are
free of material misstatement.
3. Assessing going concern.
4. Using the going concern basis
to prepare FS.
Auditor’s Matters covered in this section: No changes to the wording as Note: This section is shortened
responsibil- 1. Auditor’s objectives. used in the unmodified report. considerably for a disclaimer by
ities for the 2. Explanation of reasonable omitting the wording used in all
audit of the assurance. other audit reports.
financial Only the following is included :
3. Professional judgement and
statements 1. Our responsibility is to conduct
scepticism.
4. Identify, assess and respond an audit of the company’s
to the risks of material financial statements in
misstatement. accordance with International
Standards on Auditing and to
5. Obtain an understanding of
issue an auditor’s report.
internal control but no opinion
However, because of the matter
given on internal control.
described in the Basis for Dis-
6. Evaluate accounting policies claimer of Opinion section of
and estimates. our report, we were not able to
7. Conclude on the obtain sufficient appropriate
appropriateness of going audit evidence to provide a
concern. basis for an audit opinion.
8. Evaluate overall presentation, 2. We are independent of the
structure and content of FS. company in accordance with the
9. Communication with the IRBA Code of Professional
directors. Conduct for Registered
Auditors and other independent
requirements applicable to
performing audits of financial
statements in South Africa. We
have fulfilled our other ethical
responsibilities in accordance
with the IRBA Code and in
accordance with other ethical
requirements applicable to
performing audits in South
Africa. The IRBA Code is
consistent with the IESBA Code
for Professional Accountants
(Parts A + B).
Subtitle: Not applicable – no other Sub-title: Report on other Legal Not applicable – no other
Report on reporting duties. and Regulatory Requirements. reporting duties.
other legal In terms of the IRBA rule pub-
and lished in Government Gazette
regulatory No 39457 dated 4 December 2015,
requirements we report that Taheer and Olongo
Inc has been the auditor of Markx
Ltd for four years.
continued
18/24 Auditing Notes for South African Students

Section Unmodified Adverse opinion Disclaimer of opinion


Signing off 1. Terry Tickett. 1. Olly Olongo 1. Terry Tickett
2. Terence Tickett 2. Oliver Olongo 2. Terrence Tickett
Partner Director Partner
Registered Auditor Registered Auditor Registered Auditor
1 May 0001 1 May 0001 1 May 0001
3. If the audit report is not 3. If the audit report is not 3. If the audit report is not
presented on a firm’s letter- presented on a firm’s letter- presented on a firm’s letter-
head, the name and address head, the name and address head, the name and address
of the auditor’s firm is of the auditor’s firm is of the auditor’s firm is
included in signing off. included in signing off. included in signing off.

18.5 Communicating key audit matters in the independent auditor’s report


– ISA 701
18.5.1 Introduction
ISA 701 is a brand new statement (not a revision) issued as part of the revised suite of reporting statements
effective for audits of financial statements for periods ending on or after 15 December 2016. As discussed
earlier in this chapter, the revised reporting standards are intended to “enhance the communicative value”
of the auditor’s report by providing greater transparency about the audit. By communicating key audit
matters, users of the financial statements should gain a better understanding of those matters that in the
auditor’s judgement were of most significance in the audit of the financial statements. It is also anticipated
that including key audit matters in the auditor’s report will enhance users understanding of the company
itself and any areas of significant management and auditor judgement in the financial statements.

18.5.2 Key audit matters: Definition and description


ISA 701 defines key audit matters as those matters that, in the auditor’s professional judgement, were of
most significance in the audit of the financial statements of the current period. Key audit matters are
selected from matters communicated with those charged with governance.
ISA 701 makes it clear that communicating key audit matters is not:
• a substitute for disclosures which are required in the financial statements, for example disclosures
required in terms of IFRS
• a substitute for a modified opinion
• a substitute for reporting in terms of ISA 570 (revised) with regard to a material uncertainty which may
exist, for example the reporting requirements relating to going concern in terms of ISA 570 (revised)
cannot be ignored by raising going concern issues as a key audit matter
• a separate opinion on individual matters. (This fact will actually be pointed out to users in the Key
Audit Matters section of the audit report).
At this stage, communicating key audit matters in terms of ISA 701, applies only to listed companies.
Determining and communicating key audit matters are not necessarily simple procedures and will be the
responsibility of the engagement partner. However, senior audit team members will assist the engagement
partner in meeting this responsibility. All team members should have at least a basic understanding of the
requirements of ISA 701.

18.5.3 Determining key audit matters


18.5.3.1 Framework
Determining the key audit matters to be included in the audit report is down to the auditor’s judgement.
ISA 701 provides a judgement based framework to guide auditors in making the decision. The diagram on
page 18/27 illustrates the recommended procedure in determining key audit matters and each step is
explained below the diagram. However, before you get to the diagram it is important to understand that
key audit matters are extracted only from the list of matters which are communicated with those charged
with governance of the company at various stages of the audit. In other words, if a matter has not been part
of the communication with those charged with governance, it cannot be a key audit matter. Similarly, it
Chapter 18: The audit report 18/25

is inferred from ISA 701 that the key audit matters included in the audit report cannot simply be a
duplication of all the matters communicated with those charged with governance; the auditor must
select the most significant matters in the audit of the financial statements.

18.5.3.2 ISA 260 (revised)


The duty of the auditor to communicate with those charged with governance is established by ISA 260
(revised Communication with those Charged with Governance. This is a reasonably long and “wordy”
statement and it is not necessary to understand the concept of key audit matters to have a detailed
knowledge of the statement.

18.5.3.3 Audit committee


Bear in mind that including key audit matters in the audit report applies to the audit of listed companies
and that listed companies must appoint an audit committee. Whilst those charged with governance of a
listed company will primarily be the board of directors, the audit committee, as a committee of the board
will be the body with which the auditor communicates on audit matters. So for this topic we will regard
communication with those charged with governance as communication by the auditor with the audit
committee and use the two terms interchangeably.

18.5.3.4 Matters to be communicated (to those charged with governance)


ISA 260 (revised) stipulates a number of matters that the auditor should include in his communication with
the audit committee throughout the audit.
(a) The auditor’s responsibilities in relation to the financial statement audit
• Forming and expressing an opinion on the financial statements which have been prepared by
management with the oversight of the audit committee (those charged with governance).
• The audit does not relieve management or the audit committee of their responsibilities.
(b) The planned scope and timing of the audit. Matters may include, among others:
• how the auditor plans to address significant risks of material misstatement
• how the auditor plans to address areas of higher assessed risks of material misstatement
• the auditor’s approach to internal control
• the application of the concept of materiality
• the nature and extent of specialised skill or knowledge needed on the audit
• the use of an auditor’s expert, internal audit, and
• the auditor’s preliminary views on key audit matters.
(c) Significant findings from the audit. The auditor should communicate with the audit committee:
• The auditor’s views about significant qualitative aspects of the company’s accounting practices,
including accounting policies, accounting estimates and financial statement disclosures, for example
the auditor may choose to comment on:
– the appropriateness of the accounting policies
– management’s methods and processes for identifying the need for, and making accounting
estimates
– changes in circumstances that may give rise to new or revised accounting estimates
– how estimates are recognised in the financial statements
– the reasonableness of assumptions used in developing estimates
– the risk of material misstatement in the estimates
– the issues involved in formulating sensitive disclosures, for example, directors’ remuneration,
revenue recognition, going concern, and
– the effect of significant transactions that are outside the normal course of business for the
company.
• Significant difficulties if any, encountered during the audit:
– delays in getting information from management, non-availability of client personnel, lack of co-
operation
18/26 Auditing Notes for South African Students

– unreasonable audit deadlines, and


– non-availability of expected information, for example supporting schedules for various account
headings
• Significant matters arising during the audit were discussed with management, such as significant
events or transactions that occurred during the year.
• Written representations the auditor requires, that is, on the completeness of disclosed contingent
liabilities.
• Circumstances that affect the form and content of the auditor’s report, such as:
– the auditor expects to modify the audit opinion
– a material uncertainty related to going concern, is required
– key audit matters are communicated
– the auditor considers it necessary to include an Emphasis of Matter or Other Matter paragraph,
and
– the auditor has concluded that there is an uncorrected material misstatement of other information
contained in the “annual report”.
• Any other significant matters arising during the audit that the auditor considers relevant to the
oversight role played by the audit committee in the financial reporting process, such as a change in
the audit strategy and audit plan based on a revision of the risk assessment.
(d) Auditor’s independence
For listed companies, the auditor should communicate to the audit committee:
• a statement that the engagement team and the firm have complied with the relevant ethical require-
ments regarding independence.
• all relationships and other matters between the audit firm and the client, that may reasonably be
thought to create threats to independence (e.g. self-interest, self-review, intimidation threats, etc.) and
the safeguards put in place to address them.
(e) In addition to requiring communication with the audit committee on the matters listed in (a) to (d),
ISA 260 (revised) contains an appendix of other ISAs which require certain information to be
communicated with those charged with governance, for example:
ISA 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial statements requires,
inter alia, that the auditor communicates with those charged with governance, identified or suspected
fraud perpetrated by management, employees with significant roles in internal control or others where
the fraud results in material misstatement in the financial statements.
ISA 265 – Communicating Deficiencies in Internal Control to those Charged with Governance requires that
the auditor communicate, in writing, significant deficiencies in internal control to those charged with
governance, on a timely basis.
ISA 450 – Evaluation of Misstatements Identified during the Audit requires that the auditor communicate
with those charged with governance, uncorrected misstatements (individually) and the effect they may
have on the auditor’s opinion.
ISA 550 – Related Parties requires that the auditor communicate with those charged with governance,
any significant matters arising during the audit in connection with the company’s related parties.
ISA 570 (revised) – Going Concern requires that the auditor communicate with those charged with
governance, events or conditions identified that may cast significant doubt on the company’s ability to
continue as a going concern.
The lists provided above (in (a) to (e)) are not exhaustive and have been included to:
• give you an idea of the large number of matters about which the auditor communicates with the audit
committee (those charged with governance), particularly on the audit of a listed company
• illustrate that communication with those charged with governance can take place at various stages of
the audit
• assist you in understanding that there are many matters communicated that would not be matters that
required significant audit attention and can therefore be ignored when determining key audit matters,
and
Chapter 18: The audit report 18/27

• only matters of most significance in the audit of the financial statements must be extracted from those
matters that required significant audit attention to be included as key audit matters in the audit report.
This decision is based on professional judgement.

18.5.4 Diagram: Determination of key audit matters

Note 1: The “population” from which key audit matters will be selected will be all formal communications
with the audit committee which have taken place during the full course of the audit process.
Note 2: Matters which required significant auditor attention in performing the audit are generally regarded
as those matters which:
(i) posed challenges to the auditor in obtaining sufficient appropriate audit evidence, for
example related party transactions
(ii) posed challenges to the auditor in forming an opinion
(iii) relate to areas of complexity and significant management judgement (e.g. accounting for
complex transactions and determining impairment allowances), and
(iv) require extensive input from senior audit personnel or personnel with specialised skills such
as an auditor’s expert.
Note 3: ISA 701 requires that in determining those matters that required significant audit attention, the
auditor should consider the headings in the three boxes shown next to Note 3 in the diagram.
(i) ISA 315 (revised) defines a significant risk as one which requires special audit consideration
and may include risks associated with material misstatement related to for example, fraud,
complex transactions, subjectivity in the measurement of financial information (e.g.
estimates) and related parties. The mere fact that significant risks require “special audit
consideration” may be an indication that the matter required significant audit attention. For
example, a successful response to an identified significant risk, say, assessing fair presen-
tation for a complex transaction, may be to allocate a senior member of the audit team to
address the risk. Whilst this response may amount to “special audit consideration”, it is
unlikely to be regarded as “significant audit attention” unless the senior member’s input was
time consuming, expensive and required specialised skills. The same logic would apply to
areas of higher assessed risk. Also remember that although in terms of ISA 260 (revised),
significant risks must be communicated with those charged with governance and therefore
satisfy the first requirement to be a key audit matter, they do not automatically “qualify” as a
key audit matter. The significant risk must have required significant audit attention and must
be a matter of “most audit significance”.
(ii) Again in terms of ISA 260 (revised), the auditor must communicate with those charged with
governance, the auditor’s view on significant qualitative aspects of the company’s accounting
practices. These frequently relate to critical accounting estimates and related disclosures and
are likely to be areas of significant auditor attention, particularly if the estimate has a high
18/28 Auditing Notes for South African Students

level of estimation uncertainty. For example, if a motor manufacturer has a major recall of
vehicles it has sold due to a design fault in say, its braking system and has to estimate the
costs relating to this, a significant amount of judgement is likely to be applied by manage-
ment in arriving at this estimate. It is also likely that significant attention will have to be
applied to the audit of the estimate.
(iii) Events or transactions that occurred during the reporting period may significantly affect the
financial statements and may require significant audit attention to ensure that the event or
transaction has been appropriately presented and disclosed. This can be perfectly illustrated
by the Volkswagen scandal. In 2015, the German car manufacturer was identified as having
manipulated carbon emissions tests on its vehicles to reflect lower emissions. This led to
massive recalls of vehicles, allegations of fraud/misrepresentation from regulatory bodies, the
dealership network and consumers which are likely to result in massive litigation costs as
well as significant reputational damage, all of which would have had (and will have in the
future), a significant effect on the company’s financial statements. A news bulletin put out by
Volkswagen AG in late 2015 relating to the scandal, indicated that, inter alia, the group
realignment was making good progress, approximately 450 external and internal experts
were involved in the investigation of the emissions scandal and that “technical solutions”
had been developed for customers. It is easy to understand that PWC, the auditors of
Volkswagen AG, will need to make significant assumptions and judgements relating to the
financial statements.
Note 4: The final step is for the auditor to decide which matters are of most significance in the audit.
(i) In the auditor’s judgement, there may be no key audit matters, and this is an acceptable
situation. There is no fixed number of key audit matters which must be reported, and it is not
anticipated that there will be “lengthy lists of key audit matters” (ISA 701 para A30), as this
would be contrary to the notion of most audit significance.
(ii) Selecting matters of most significance implies that the auditor will consider the significance
of the matter relevant to other matters (which required significant audit attention). Factors
which may influence this decision are:
• the importance of the matter to a user’s understanding of the financial statements and in
particular, its materiality
• the complexity or subjectivity involved in management’s selection of an appropriate
policy relating to the matter
• the nature and materiality quantitatively and qualitatively, of corrected and uncorrected
misstatements due to fraud or error (if any)
• the nature and extent of audit effort to address the matter, for example specialised skills,
consultations with external parties
• the nature and severity of difficulties in applying audit procedures, evaluating the results
of procedures and obtaining appropriate evidence relating to the matter
• the severity of any control deficiencies relevant to the matter, and
• whether the matter involved a number of separate but related auditing considerations, for
example a single matter may have ramifications for a number of account headings or dis-
closures.

18.5.5 Communicating key audit matters


Key audit matters are communicated in a separate section of the audit report under the heading “Key
Audit Matters”. Each key matter will have its own descriptive subheading, for example “Restructuring
Provisions”.
The description of each key audit matter must include:
• a reference to any related disclosures in the financial statements, and
• an explanation of why the matter was considered to be of most significance in the audit and how the
matter was addressed.
Chapter 18: The audit report 18/29

Bear in mind that key audit matters are likely to be complex and reasonably difficult to describe as
required, by their very nature. A simplified description of a key audit matter might read as follows:
“In terms of IFRS, the company is required to conduct an annual indicator review of its plant and equipment to assess
whether there has been any impairment of its plant and equipment. Due to declines in demand for the products manufactured
by the company, and due to physical damage caused to some plant and equipment as a result of flooding due to torrential
rain, management’s assessment of impairment was difficult and complicated. It was also highly judgemental and required the
application of assumptions relating to future trading conditions, foreign exchange rates and the availability of reconstruction
experts. This inspection review test and the subsequent impairment allowances were significant to our audit because plant
and equipment and the impairment thereof are material to the fair presentation of the financial statements.
We addressed this matter in the following manner. We engaged the services of an economist to assist us with the evaluation of
the assumptions made in respect of future trading conditions and foreign exchange movements. Senior audit personnel
working with client personnel, evaluated the company’s detailed plans (including costings) for the engagement of German
reconstruction experts and wherever possible, sought corroborative evidence from other sources to strengthen our assessment.
The company’s disclosures about this matter are included in note 7.”
Even if there are no key audit matters in the auditor's judgement, the Key Audit Matters section of the
audit report must still be included but will simply contain the following statement: “We have determined that
there are no key audit matters to communicate in our report”.
In terms of SAAPs 3 (revised May 2019), the Key Audit Matters section will be placed below the Basis for
Opinion section. In terms of ISA 701, the order in which the auditor lists each key audit matter in the
section will be a matter of professional judgement, with the likely order being the relative importance of
each matter.

18.5.6 Modified opinions, going concern issues and key audit matters
By their very nature, matters giving rise to a modified audit opinion, or a material uncertainty related to
events or conditions that may cast significant doubt about the company’s ability to continue as a going
concern, are likely to be key audit matters. However, in terms of ISA 705 (revised) and ISA 570 (revised),
both these situations are dealt with in their own separate and specific sections of the audit report. Therefore
they will not be included in the Key Audit Matters section of the audit report, but a reference to either the
Basis for Qualified (Adverse) Opinion section, or the Material Uncertainty Related to Going Concern
section, will be included in the Key Audit Matters paragraph as applicable. This requirement makes perfect
sense as there is no point in duplicating details of the matter in the audit report, i.e. dealing with the
modified opinion/going concern issue twice.

18.6 Emphasis of matter paragraphs and other matter paragraphs in the


independent auditor’s report – ISA 706 (revised)
18.6.1 Introduction
As explained earlier in this chapter, the intention behind the issue of the revised set of reporting statements
was to enhance the audit report by making it more informative and useful for users. ISA 706 has been
around for some years but the revised version introduces some important changes primarily brought about
by revisions to ISA 570 (revised) – Going Concern, and the introduction of ISA 701 – Communicating Key
Audit Matters in the Independent Auditor’s Report.

18.6.2 Emphasis of matter paragraphs


Definition
An emphasis of matter paragraph is a paragraph included in the auditor’s report that refers to a matter
(already) appropriately presented or disclosed in the financial statements but which is, in the auditor’s
judgement, of such importance that it is fundamental to a user’s understanding of the financial statements.
Note that:
• An emphasis of matter relates to a matter which has already been adequately dealt with in the financial
statements and is not a modification of the audit opinion.
• An emphasis of matter can never be used as a substitute for a qualified or adverse opinion or a disclaimer
of opinion, i.e. the auditor cannot decide that instead of modifying the opinion or disclaiming an
opinion, he will give the client “a break” and give an unmodified opinion with an emphasis of matter.
18/30 Auditing Notes for South African Students

• An emphasis of matter can never be a substitute for disclosures which are required in terms of the
financial reporting framework or that are otherwise necessary to achieve fair presentation.

18.6.3 Examples of where the use of an emphasis of matter may be necessary


• The client is involved in exceptional litigation or regulatory action (which has been appropriately
disclosed but which, in the auditor’s judgement, is very important for a user’s understanding of the
financial statements).
• A significant subsequent event occurs between the date of the financial statements and the date of the
auditor’s report (again, the subsequent event will have been appropriately presented or disclosed and is,
in the auditor’s judgement, very important to users).
• A major catastrophe that has had, or continues to have, a significant effect on the company’s financial
position, for example a serious accident at a mine.
Note (a): There are a small number of other ISAs (210, 560, 800) that have minor requirements relating to
the use of Emphasis of Matter paragraphs but which are of no real importance in understanding
the idea or intention of these paragraphs.
Note (b): Warning! If you have in the recent past, worked with the previous ISA 570 – Going Concern
you may be under the impression that where a company is a going concern but a material
uncertainty exists relating to events or conditions that may cast significant doubt on the com-
pany’s ability to continue as a going concern and the material uncertainty has been adequately
disclosed, an unmodified opinion and an emphasis of matter paragraph would be the appro-
priate report. This is no longer the case. In terms of the “new” ISA 570 (revised), this situation will
require an unmodified opinion and the addition of a new section in the auditor’s report, which is
headed “Material Uncertainty Related to Going Concern”. This paragraph replaces the
previously required Emphasis of Matter. Refer to the required wording in chapter 15 which
deals with going concern.

18.6.4 Emphasis of matter paragraphs and key audit matters


Key audit matters
Key audit matters are defined in ISA 701 as those matters that, in the auditor’s professional judgement,
were of most significance in the audit of the financial statements, and may cover such things as significant
risks and significant audit judgements relating to management’s calculations of important estimates and
allowances. Therefore, one might expect that “matters which require emphasis” and “key audit matters”
are virtually the same thing and that a key audit matter would give rise to an emphasis of matter and vice
versa. However, they are not the same thing and although as a trainee accountant (or similar), you are
unlikely to have to make important decisions about emphasis of matters and key audit matters, you should
have a basic understanding of how they differ and when they are used.
• The first thing to remember is that key audit matters are matters which were of most significance in the
audit of the financial statements and have been selected from matters that required significant audit
attention, for example the audit of complex transactions brought about by extensive restructuring of a
group involving numerous related parties.
• The requirement to communicate key audit matters relates only to listed companies, whilst an emphasis
of matter is a reporting requirement for all companies (and close corporations which are audited).
• Key audit matters and emphasis of matter paragraphs will each be located in their own sections of the
audit report.
• Because they are fundamentally different, emphasis on matter can never substitute for a key audit
matter. In other words, once the auditor determines a matter to be a key audit matter, it must be treated
as such and cannot be treated in the audit report as an emphasis of matter.
• There may be a matter which the auditor does not consider to be a key audit matter because it did not
require significant audit attention but which, in the auditor’s judgement, is fundamental to a user’s
understanding of the financial statements. If the auditor believes that it is necessary to draw users’
attention to this matter, which must, of course, have been appropriately presented or disclosed, an
Emphasis of Matter paragraph will be included in the report. A good example of this would be a
subsequent event that is very important to users’ understanding (and has been properly presented and
Chapter 18: The audit report 18/31

disclosed), but the audit was not a matter of “most significance” on the audit. It may for example, have
been a very straight-forward, uncomplicated subsequent event that did not require significant audit
attention.
• You will deduce from the above that the same matter cannot be included as a key audit matter and an
emphasis of matter. If the auditor wants to “highlight/emphasise” a key audit matter, he could, for
example, make it the first key audit matter to be listed or he could enhance its wording to convey its
importance.
Note (c): When an emphasis of matter paragraph is included in the report, it will normally be placed
beneath the Basis of Opinion section, and above the Key Audit Matters section.
Note (d): The paragraph heading may describe what the matter is about, for example Emphasis of Matter
– Subsequent event, and the wording will be “We draw attention to Note 13 of the financial
statements, which describes a flood in the company’s raw material storage facility. Our opinion is
not modified in respect of this matter”.

18.6.5 Other matter paragraphs


ISA 706 (revised) also allows for what are termed “other matter paragraphs” to be included in an audit
report. An “other matter” paragraph will be included if the auditor considers it necessary to communicate a
matter other than those that are presented or disclosed in the financial statements that, in the auditor’s
judgement, is relevant to users’ understanding of the audit, the auditor’s responsibilities or the auditor’s
report.
“Other matter paragraphs” are very uncommon and are not central to your understanding of the
auditor’s report on financial statements. The two simple examples below are included to give you a basic
idea as to when an “other matter paragraph” might be included:
• The auditor may wish to convey to users that the prior period’s financial statements were audited by
another auditor (audit firm).
• Where a set of audited financial statements has been prepared for a specific purpose (not the annual
financial statements), for a specific user(s), the auditor may wish to include in his report, a statement
that the report is intended solely for the intended users and should not be distributed to or used by other
parties.
Note (e): An “other matter paragraph” has nothing to do with the auditor’s opinion and cannot be used as
a substitute for any form of modification of that opinion.
Note (f): If, on the audit of a listed company, an “other matter” is judged by the auditor to be a key audit
matter, it must be treated as a key audit matter, not an “other matter”.
Note (g): An “other matter paragraph” is not the same as or a substitute for the Report on Other Legal
and Regulatory Requirements. However, suppose the other matter relates directly to the
auditor’s other reporting responsibilities, for example, the auditor’s responsibilities to report in
terms of sections 44 and 45 of the Auditing Profession Act. In that case, the other matter may be
included in the Other legal and Regulatory Requirements section.
Note (h): If an “other matter paragraph” is required in the report, it will normally be positioned after the
“Key Audit Matters” section and before the “Other Information” section, but it will be up to the
auditor’s judgement as to where it is best situated. The paragraph may also be given a
descriptive heading, for example “Other matter – audit of previous period’s financial
statements”.

18.7 The auditor’s responsibilities relating to other information – ISA 720 (revised)
(effective for audits of financial statements for periods ending on
or after 15 December 2016)
18.7.1 Introduction
The revision of ISA 720 has resulted in a very long and wordy statement which has grown from a
manageable five pages to fifty pages of the Students Handbook. Fortunately a detailed knowledge of the
statement is not central to your understanding of audit reports but there are some aspects of the topic of
which you should be aware.
18/32 Auditing Notes for South African Students

The essence of ISA 720 (revised) is that annual financial statements are usually issued together with a
wide range of other information in what is called the “annual report” or something similar. Besides the
annual financial statements, the annual report will often contain reports prepared to meet the information
needs of various stakeholders as well as supplementary/summarised information for shareholders. These
reports/schedules may cover such diverse matters as corporate social responsibility, labour practices,
selected operating data, summaries of key financial data, strategy overviews and detailed explanations of
amounts or disclosures in the financial statements. The auditor’s duty is to give an opinion on the financial
statements as defined/described in the Companies Act, section 29. This definition/ description does not
include other information. Therefore the auditor has no responsibility to give an opinion on other information
and is not in a position to do so.
However, there is a potential problem. If the other information is materially inconsistent with the financial
statements or the auditor’s knowledge obtained in the audit, it indicates that a material misstatement of the
financial statements exists or that the other information is misstated. If left “uncorrected” this could
undermine the credibility of the financial statements and the auditor’s report, and may inappropriately
influence the economic decisions of users. A misstatement of the other information exists when the other
information is incorrectly stated or otherwise misleading (including because it omits or obscures informa-
tion necessary for a proper understanding of a matter disclosed in the other information).

18.7.2 The auditor’s responsibilities


In terms of ISA 720 (revised) the auditor is required to “read the other information” and to:
• consider whether there is a material inconsistency between the other information and the financial
statements
• consider whether there is a material inconsistency between the other information and the auditor’s
knowledge obtained on the audit, and
• respond appropriately when the auditor identifies that material inconsistencies appear to exist or that
other information appears to be materially misstated.

18.7.3 Reading and considering the other information


The basis of consideration will be comparison of amounts and/or items in the other information with such
amounts or items in the financial statements.
The auditor is not expected to compare every single item or amount; it will be a matter of professional
judgement as to the selection of amounts and items for comparison. This selection judgement will be
influenced by the:
• significance of the amounts or other items in relation to the importance which users may attach to the
item or amount, for example, a table of key ratios in the other information may well be selected and
compared to the financial statements
• relative size of an amount, for example amounts that are immaterial are unlikely to be selected, and
• sensitivity of the particular amount or item, for example other information about bonuses or share-
based payments for senior management.
The auditor must also consider whether there is a material inconsistency between the other information
and the auditor’s knowledge obtained on the audit. For example, the other information may refer to a joint
venture which the company had entered into in the financial year, but which the auditor had no know-
ledge, or a report by the operations director may contain a paragraph which raises the probability of
technical obsolescence of certain of the company’s products, a factor which was not known to the auditor
and which was not taken into account when impairment losses for inventory were considered.
While reading the other information, the auditor must remain alert for indications that the other infor-
mation not related to the financial statements appears to be materially misstated. For example, the other
information may contain claims by the company which are (factually) incorrect and which are material
enough to influence users. The company may claim that it has the highest possible safety ratings, which
gives it access to government contracts when it doesn’t, or the company may claim to have been awarded
future prospecting/mineral rights when this has not occurred.
The responsibility for “reading and considering” will be allocated to senior experienced members of the
engagement team.
Chapter 18: The audit report 18/33

18.7.4 The auditor’s response when a material inconsistency appears to exist


or other information appears to be materially misstated
At this point the auditor needs to conclude on whether:
• the material misstatement is in the other information or in the financial statements as this may affect
how he proceeds, and
• his understanding of the entity needs to be updated. This will be necessary when the auditor
”discovers”, when reading the other information, information of which he was not aware and which
may have an influence on his audit. For example if the auditor “discovers” for the first time when
reading other information, that the company entered into a joint venture during the financial year, he
may need to revise his risk assessment and potentially carry out further audit procedures to respond to
the risk that say, the joint venture has not been appropriately accounted for.
When the auditor concludes that a material misstatement of the other information exists, he will request that
management correct the other information.
• If they fail to do so, the auditor will communicate with those charged with governance and request that
the correction be made.
• If the correction is made to the satisfaction of the auditor, the problem is resolved.
• If the correction to the other information is still not made, the auditor should:
– discuss with those charged with governance why they will not make the correction
– consider this response and determine whether the whole matter brings the integrity of the directors
into question to the extent that the auditor should reassess the risk of material misstatement in the
financial statements, for example could there be manipulation of the financial statements which has
been carefully concealed by the directors
– consider the effect of the matter on the audit report and communicate with those charged with
governance as to how the matter will be addressed in the audit report (bear in mind that the auditor
cannot modify his opinion in this situation because the misstatement is in the other information, not
in the financial statements), and
– consider whether a reportable irregularity is taking place.
When the auditor concludes, after reading the other information, that a material misstatement in the
financial statements exists, he should respond as he would to any other material misstatement identified on
the audit, for example:
• reassess risk with the added intention of establishing why the material misstatement was not identified
in the first place
• conduct further audit procedures to obtain sufficient appropriate audit evidence about the material misstate-
ment and to respond appropriately to any changes in his assessment of risk
• communicate with management and those charged with governance and request that the misstatement
be corrected
• if the directors agree to the correction, the auditor will carry out procedures to establish that the amend-
ments are appropriate and correctly applied: if so, the problem is resolved, and
• if the correction is not made, the auditor will evaluate it along with all other uncorrected misstatements
and decide upon the effect on the audit report (bear in mind that this is an uncorrected misstatement in
the financial statements, not the other information, which means that the auditor can modify his audit
opinion).

18.7.5 Other information and the audit report


As you will know, the audit report has a section which deals with Other Information. In terms of ISA 720
(revised), this section must include:
• a statement that management is responsible for the other information
• identification of the other information (see note 1)
• a statement that the auditor’s opinion does not cover the other information and accordingly that the
auditor does not express any form of assurance thereon
• a description of the auditor’s responsibilities relating to reading, considering and reporting on other
information, or
18/34 Auditing Notes for South African Students

• a statement that the auditor has nothing to report or if there is an uncorrected material misstatement of
the other information, a statement that describes the uncorrected material misstatement of the other
information.
Note 1: In South Africa, the Directors’ Report, Audit Committees’ Report and the Company Secretary’s
Certificate are regarded as “other information” and will be identified where applicable in the
Other Information section. (All three will be included in a listed company’s audit report, but in a
private company, only the Directors’ report is mentioned.) Other information, such as summary
schedules, reports and charts, is also included and is identified by page number.
Note 2: The Other Information section is not the same as an Other Matter paragraph.
Note 3: ISA 720 (revised) does distinguish between “other information obtained prior to the date of the
auditor’s report” and other information the auditor expects to obtain after the audit report. This
has not been dealt with as it is not regarded as being central to your understanding of how the
auditor deals with “other information”.
Note 4: Any modification of the audit opinion which may have arisen from the auditor’s “reading and
considering” of other information, will not be mentioned or dealt with in the Other Information
section. It will be dealt with like any other modification of the audit opinion.

18.8 Comparative information – Corresponding figures and comparative financial


statements – ISA 710
18.8.1 Introduction
ISA 710 was not revised along with the other reporting statements but conforming amendments effective
December 2015 were issued.
This statement provides guidance on the auditor's responsibility for comparative information presented
in the financial statements on which the auditor is reporting. In South Africa comparative information is
presented as corresponding figures as part of the current period financial statements and is intended to be
read in relation to amounts and disclosures relating to the current period.
This statement is not central to understanding audit reporting but does contain some points you should
be aware of as part of your overall understanding.

18.8.2 Objectives and procedures


The auditor’s objective with regard to the corresponding figures is to obtain sufficient appropriate evidence
that the comparative information included in the financial statements has been presented in all material
respects in accordance with the requirements for comparative information of the reporting framework
adopted for the financial statements. This amounts to carrying out procedures to determine whether:
• corresponding figures agree with the amounts and other disclosures presented in the prior period or,
when appropriate, have been properly restated and
• accounting policies used for corresponding figures are consistent with those applied in the current
period or if there have been changes in accounting policies, these changes have been properly accounted
for and adequately presented and disclosed.
Where the audit engagement is ongoing, the above requirements should be easily achieved by reference to
the auditor’s prior year working papers and the prior year financial statements. In the situation where the
prior period financial statements were either audited by another auditor, or not audited at all, the guidance
given in chapter 17 of Auditing Notes – ISA 510, Initial Audit Engagements – Opening Balances will need
to be followed. In effect, a “mini-audit” on the opening balances will be conducted.
Where the auditor becomes aware of a possible misstatement in a corresponding figure when performing
the current period audit, additional appropriate procedures must be conducted to establish the nature and
extent of the misstatement. Its effect on fair presentation of the corresponding figures as well as the current
period figures can then be assessed.
Chapter 18: The audit report 18/35

18.8.3 Reporting
Ordinarily the audit report will make no mention of the corresponding figures. Because South Africa
adopts the corresponding figure method of presenting comparatives, it is implied that the auditor’s opinion
is on the financial statements as a whole, including the corresponding figures.
• When the auditor’s report on the prior year financial statements included a modified opinion, and the
matter giving rise to the modification has been properly resolved and properly accounted for or disclosed,
the current audit report need not refer to the previous modification.
• When the auditor's report on the prior period included a qualified or adverse opinion or a disclaimer
opinion and the matter which gave rise to the modification is unresolved the auditor will modify the
current audit opinion.
• If the prior period financial statements were not audited the auditor must state in an Other Matter section
of the audit report that the corresponding figures are unaudited. (The Other Matter section is not to be
confused with the Other Information section.)
– However, this does not relieve the auditor of the duty to obtain sufficient appropriate audit evidence
that the opening balances do not contain misstatements that materially affect the current period’s
financial statements on which the audit opinion is to be expressed.
• If the auditor is unable to obtain sufficient appropriate evidence regarding the opening balances, the
auditor must qualify or disclaim an opinion on the current period’s financial statements.
• If the auditor encountered significant difficulty in obtaining sufficient appropriate audit evidence that the
opening balances do not contain misstatements that materially affect the current period’s financial
statements, the auditor may consider this to be a key audit matter (only applicable when key audit
matters are communicated in terms of ISA 701).
• In terms of ISA 710, if the prior period’s financial statements were audited by a predecessor auditor
(another auditor), and the auditor of the current financial statements decides to convey this fact to users
in the audit report, it would be raised in the Other Matter section. The Other Matter section must state:
– that the financial statements of the prior period were audited by the predecessor auditor
– the type of opinion expressed by the predecessor auditor and, if the opinion was modified, the
reasons therefor, and
– the date of that report.
For example: The financial statements of the company for the year ended 31 December 0001 were audited
by another auditor who expressed an unmodified opinion on those statements on 25 March
0002.
Note: All audit reports must be structured in the (new) format required by ISA 700. The illustrative
reports in ISA 710 have been updated and appear in the conforming amendments contained in the
Students Handbook of ISAs.

18.9 The effect of a reportable irregularity (s 45 – Auditing Profession Act 2005)


on the audit report
This section has been prepared in terms of Part 3 of the revised guide for registered auditors: Reportable
Irregularities in terms of the Auditing Profession Act (effective July 2015), SAAPS 3 (revised May 2019)
with reference to paragraph 43 of ISA 570 (revised). None of these pronouncements are particularly
definitive and appear to allow some latitude in their application.
Section 44(2)(e) of the AP Act states that the registered auditor may not, without such qualifications as may
be appropriate, express an opinion to the effect that the financial statements:
• fairly present in all material respects, and
• are properly prepared in terms of the financial reporting standards, unless
• the registered auditor has not reported a reportable irregularity to the IRBA, or
• if such report was sent, the auditor has been able to send, prior to expressing the audit opinion, a
notification to the IRBA that he is satisfied that no reportable irregularity has taken place or is taking
place.
18/36 Auditing Notes for South African Students

The IRBA guide interprets the reference to “without such qualifications as may be appropriate” as meaning
that the audit report could result in:
• a modified audit opinion and a notification to the user that the auditor has reported a reportable irregu-
larity to the IRBA in terms of the Auditing Profession Act, or
• only a notification and no modification of the audit opinion. In other words, a notification (when
appropriately given) satisfies the requirement of section 44 (2) with regard to the term “qualifications”.
If the reportable irregularity does not affect the fair presentation of the financial statements, the audit report
only needs to include a notification to the user in the Report on other Legal and Regulatory Requirements
section of the audit report.
In terms of the IRBA guide the auditor is unable to issue an auditor’s report without appropriate
notification or a modified opinion and a notification, in the event that:
(a) the reporting process to IRBA is incomplete
(b) a reportable irregularity did exist, even if it is no longer taking place and in respect of which adequate
steps have been taken for the prevention or recovery of any loss as a result thereof
(c) a reportable irregularity existed which could not be/was not corrected (i.e. the reportable irregularity is
continuing).
Perhaps the easiest way to illustrate what can be a “tricky” reporting duty, is to describe a matter giving rise
to the reportable irregularity and to consider the auditor’s options. Assume that the first report has been
made by the auditor to the IRBA and that management has been notified.
Example: Inbound (Pty) Ltd imports goods into South Africa. The auditor has reason to believe that
during the past financial year the directors have been defrauding SARS by not declaring the true
nature of the goods imported, thereby paying less import duties than are due. The amounts
involved are material.
Situation 1. The directors of Inbound (Pty) Ltd acknowledge the fraud, make full declaration to SARS,
and make the necessary adjustments (e.g. raise SARS as a creditor for amounts owed
including penalties) and make full disclosure in the financial statements. The auditor is
satisfied.
Outcome 1. The auditor is able to notify the IRBA (second report) that the reportable irregularity did exist
but has been resolved.
The audit opinion does not need qualification (as the financial statements are fairly presented) but users
must be notified of the reportable irregularity by the inclusion of the following in the “Report on Other
Legal and Regulatory Requirements” section of the audit report.
“In accordance with our responsibilities in terms of section 44(2) and 44(3) of the Auditing Profession Act, we report that we
identified a Reportable Irregularity in terms of the Auditing Profession Act. We reported such matter to the Independent
Regulatory Board for Auditors. The matters pertaining to the reportable irregularity have been described in note 7 to the
financial statements”.
In terms of the IRBA guide the auditor could add some explanatory text if he deems it necessary, for
example:
The directors have responded to the circumstances and conduct in question to the extent that we believe
no further loss will be suffered by the parties identified in Note 7 and that all amounts owed including
penalties have been accounted for. The unlawful act described in Note 7 is to the best of our knowledge no
longer occurring.
Situation 2. The directors of Inbound (Pty) Ltd provide sufficient appropriate evidence to satisfy the auditor
that no reportable irregularity has taken place.
Outcome 2. The auditor must notify the IRBA (second report) that no reportable irregularity existed.
The matter will have no effect on the audit report, i.e. no modification of the audit opinion or
notification in the Report on Other Legal and Regulatory Requirements section, because no
reportable irregularity actually existed.
Situation 3. The directors of Inbound (Pty) Ltd acknowledge that the fraud has taken place, agree to
discontinue the fraud but refuse to make any adjustments to or disclosures in the financial
statements arising from the fraud, for example adjusting for the amounts owed to SARS
including penalties, or to notify the SARS of the fraud.
Outcome 3. The auditor must notify the IRBA (second report) that the reportable irregularity did exist and
as the directors will not take any corrective action, is continuing.
Chapter 18: The audit report 18/37

The audit opinion does need modification as the financial statements do not fairly present. The qualifi-
cation will be based on disagreement (misstatement) and the auditor will need to judge whether the effect
of the matter is material or material and pervasive.
Where the opinion is modified, it appears from the IRBA guide and SAAPs 3 (revised May 2019) and
paragraph 43 of ISA 700 (revised) that the auditor has the option of:
(i) Describing the reportable irregularity in the Basis for Qualified Opinion section and in the same
section, notifying users of his reporting duties in terms of the Auditing Profession Act as follows:
In accordance with our responsibilities in terms of section 44(2) and 44(3) of the Auditing Profession Act,
responsibilities beyond those required by the International Standards on Auditing, we report that we have
identified the matter described in the preceding paragraph as a reportable irregularity in terms of the Auditing
Profession Act. We have reported such matter to the Independent Regulatory Board for Auditors.
(ii) Describing the reportable irregularity in the Basis for Qualified Opinion section but notifying uses of
his reporting duties in terms of the APA in the Report on Other Legal and Regulatory Requirements
section by the inclusion of the following:
In accordance with our responsibilities in terms of section 44(2) and 44(3) of the AP Act, we report that we have
identified a reportable irregularity in terms of the Auditing Profession Act. We have reported such matter to the
IRBA. The matter pertaining to the reportable irregularity has been described in the audit report above.
Situation 4. Although having communicated to the directors of Inbound (Pty) Ltd that a first report has
been made to the IRBA, no response has been forthcoming from the directors.
Outcome 4. If the 30-day period for response from the directors has elapsed, the auditor has no option but
to report to IRBA (second report) that the reportable irregularity exists. The auditor has no
reason or additional evidence to change his original decision that a reportable irregularity
exists. The effect on the audit report will be the same as for situation 3, i.e. modification of the
opinion and notification to users of the auditor’s duties to report in terms of the AP Act.
With regard to the nature of the matter giving rise to the qualification, the auditor will need to decide
whether the matter is a material misstatement or an inability to obtain sufficient appropriate evidence. If
the auditor has sufficient appropriate evidence that the financial statements are materially misstated (either
account headings or disclosures), he would be entitled to modify the opinion on the basis of disagreement
(material misstatement) because he is satisfied that because of the fraud (which he believes has occurred),
the financial statements are misstated. On the other hand he may interpret the fact that because of the non-
response of the directors, he has been limited in his scope which in turn has led to an inability to obtain
sufficient appropriate evidence with regard to fair presentation. This is perhaps a somewhat technical point
and regardless of which basis of modification the auditor decides is appropriate, he will have satisfied his
reporting duties.
Note: In the unlikely event that the auditor has to sign the audit report between sending the first report to
the IRBA and the 30-day response date and the reportable irregularity has not been addressed, the
appropriate treatment would probably be for the auditor to include the normal details in the Report
on Other Legal and Regulatory Requirements section but to convey that the 30-day response period
had not expired at the date of the audit report. A far more desirable outcome would be to put
pressure on the directors to respond before the 30-day period is complete or to delay signing the
audit report until the 30-day period for response has expired so that the appropriate report can be
given.
In general it is anticipated that the directors will co-operate with the auditors with regard to reportable
irregularities, but this may not always be the case.
CHAPTER

19
Review engagements and related service
engagements

CONTENTS
Page
19.1 Engagements to review historical financial statements.................................................... 19/3
19.1.1 Introduction ...................................................................................................... 19/3
19.1.2 Companies that qualify for an independent review .............................................. 19/3
19.1.3 Description of a review engagement .................................................................. 19/3
19.1.4 Objectives .......................................................................................................... 19/5
19.1.5 Ethical requirements and professional scepticism ................................................ 19/5
19.1.6 Engagement level quality control ........................................................................ 19/6
19.1.7 Pre-conditions and preliminary engagement activities for accepting
a review engagement .......................................................................................... 19/6
19.1.8 The engagement letter ........................................................................................ 19/7
19.1.9 Performing the engagement ................................................................................ 19/7
19.1.10 Determining materiality ..................................................................................... 19/8
19.1.11 Obtaining an understanding of the entity ............................................................ 19/9
19.1.12 Inquiries and analytical procedures ..................................................................... 19/10
19.1.13 Performing additional procedures ....................................................................... 19/11
19.1.14 Procedures to address specific circumstances....................................................... 19/12
19.1.15 Reconciling the financial statements to the underlying accounting records ........... 19/12
19.1.16 Written representations from management ......................................................... 19/12
19.1.17 Forming the practitioner’s conclusion on the financial statements ........................ 19/13
19.1.18 Expressing a conclusion ..................................................................................... 19/13
19.1.19 The practitioner’s report ..................................................................................... 19/14
19.1.20 Modifications .................................................................................................... 19/15

19.2 “Agreed upon procedures” engagements ........................................................................ 19/16


19.2.1 Introduction ......................................................................................................... 19/16
19.2.2 Objective .............................................................................................................. 19/16
19.2.3 General principles of an agreed upon procedures engagement................................. 19/17
19.2.4 Terms of engagement ............................................................................................ 19/17
19.2.5 Reporting considerations ....................................................................................... 19/17

19/1
19/2 Auditing Notes for South African Students

Page
19.3 Compilation engagements ............................................................................................... 19/18
19.3.1 Introduction ....................................................................................................... 19/18
19.3.2 The compilation engagement .............................................................................. 19/19
19.3.3 Objectives .......................................................................................................... 19/19
19.3.4 Ethical requirements........................................................................................... 19/19
19.3.5 Professional judgement ....................................................................................... 19/19
19.3.6 Engagement level quality control ........................................................................ 19/20
19.3.7 Engagement acceptance and continuance ............................................................ 19/20
19.3.8 Performing the engagement ................................................................................ 19/20
19.3.9 The practitioner’s report ..................................................................................... 19/21
Chapter 19: Review engagements and related service engagements 19/3

19.1 Engagements to review historical financial statements


19.1.1 Introduction
While review engagements have been carried out by auditors for many years, the concept of an independ-
ent review of a company’s financial statements replacing an external audit of a company’s financial
statements became an option with the promulgation of the Companies Act 2008. This option has resulted
in a marked increase in the number of review engagements that practitioners are conducting and hence
renewed interest in the relevant international standards on review engagements, particularly ISRE 2400
(revised) – Engagements to review historical financial statements.
Sometimes it appears that a review engagement is just a very watered down audit and is not really
important. While a review does not give the same level of assurance as an audit, it is still an assurance
engagement on which reliance is placed and that must be carried out in terms of the international standard.

19.1.2 Companies that qualify for an independent review


The option to be independently reviewed, as opposed to being externally audited, is determined by the
public interest score of the company and whether the company’s financial statements are internally or
externally compiled.
A private company with a public interest score of less than 100 must (at least) have its financial state-
ments independently reviewed regardless of whether its financial statements are internally or externally
compiled. The review of this category’s financial statements must be carried out by a registered auditor or
an individual who qualifies to act as an accounting officer of a close corporation.
A private company with a public interest score of 100 to 349 may have its financial statements independ-
ently reviewed if its annual financial statements are externally compiled. If the financial statements are
internally compiled, the company must be audited. The review of the financial statements of companies in
this category must be carried out by a registered auditor or a chartered accountant.

19.1.3 Description of a review engagement


The review of financial statements is a limited assurance engagement. ISRE 2400 (revised) defines limited
assurance as “the level of assurance obtained where engagement risk is reduced to a level that is acceptable
in the circumstances of the engagement, but where that risk is greater than for a reasonable assurance
engagement, as a basis for expressing a conclusion. The combination of the nature, timing and extent of
evidence gathering procedures is at least sufficient for the practitioner to obtain a meaningful level of
assurance. To be meaningful, the level of assurance obtained by the practitioner is likely to enhance the
intended user’s confidence about the financial statements”.
The essence of this is that for a review, the practitioner will conduct sufficient procedures to give a level
of assurance that will increase the level of confidence a user has that the financial statements are fairly
presented, but not to the level of confidence which an audit would provide. An audit provides reasonable
assurance, a review provides limited assurance.
In a review engagement, the practitioner performs primarily inquiry and analytical procedures. Obviously,
he may choose to perform other types of procedure, for example, observation, reperformance, etc., but the
concentration in normal circumstances will be inquiry and analytical review to obtain sufficient appropriate
evidence on which to base his conclusion.

Comparison of an audit engagement and a review engagement


Factor Audit Review
1. Conducted by Registered auditor PIS less than 100: Registered auditor
or individual who qualifies for appointment
as an accounting officer.
PIS 100 to 349: Registered auditor
or a CA (SA).
2. Assurance given Reasonable assurance Limited assurance.
3. Standards ISAs ISRE 2400 (revised)
continued
19/4 Auditing Notes for South African Students

Factor Audit Review


4. AFS compiled by Client company PIS less than 100: client or external party
PIS 100 to 349: Independent accounting
professional (If internally compiled,
AFS must be audited).
5. Ethical considerations Yes Yes
including objectivity to be
applied
6. Professional scepticism to be Yes Yes
adopted
7. Quality control procedures Yes Yes
required
8. Pre-conditions and pre- Yes Yes
engagement activities including
an engagement letter.
9. Strategy Audit strategy formulated Not specifically required
10. Materiality Planning, performance and Materiality set for the financial statements
final (evaluation) as a whole to:
Identify areas of the financial statements
where material misstatements may arise
Evaluate whether financial statements are
free from material misstatement.
11. Understanding of entity Yes, to identify and evaluate Yes, to identify where material misstatement
risks of material misstatement may arise and provide a basis for designing
procedures to address these areas.
12. Understanding internal control Detailed understanding General understanding.
13. Risk assessment procedures Yes, as a basis for determining No
further audit procedures
(nature, timing and extent)
14. Tests of controls Yes No
15. Substantive tests Full range Usually, inquiry and analytical procedures
but may use other substantive procedures
including tests of detail if additional
procedures are required.
16. Going concern procedures Yes Yes

17. Related party procedures Yes Yes

18. Fraud procedures Yes Yes


19. Report: Opinion Conclusion
19.1 title Independent Auditor’s Report Independent Reviewer’s Report
19.2 addressee (usual) Shareholders Shareholders
Directors and auditors Directors and Reviewers
19.3 responsibility
paragraphs Yes describe audit Yes describe review and emphasise that it is
not an audit.
19.4 description of
engagement
19.5 explanation of Yes Yes
modification paragraph
continued
Chapter 19: Review engagements and related service engagements 19/5

Factor Audit Review


19.6 opinion/conclusion In our opinion . . . fair Based on our review nothing has come
wording presentation has been achieved to our attention that causes us to believe
in all respects. that fair presentation has not been achieved
in all material respects.
19.7 other reports required Yes Yes
by Companies Act
paragraph
19.8 modification of Opinion: except for: Conclusion: except for:
opinion/conclusion adverse adverse
disclaimer disclaimer
19.9 emphasis of matter Yes Unlikely. Not provided for in ISRE 2400.
20. Reportable irregularity duties Yes, in terms of Auditing Yes, in terms of Companies Regulations
Professional Act 2005. 2011.
Report to IRBA. Report to CIPC.

19.1.4 Objectives
The objectives of the practitioner conducting a review engagement are to:
x Obtain limited assurance about whether the financial statements as a whole, are free of material
misstatement, thereby allowing the practitioner to express a conclusion on whether anything has
come to his attention that causes him to believe the financial statements are not prepared, in all
material respects, in accordance with an applicable financial reporting framework, for example,
IFRS for SMEs. The limited assurance is obtained primarily by inquiry and analytical proced-
ures.
x Report on the financial statements. The report may contain a qualified or adverse conclusion
and may even disclaim a conclusion.

19.1.5 Ethical requirements and professional scepticism


As a review is an assurance engagement, the independence of the practitioner is an important ethical con-
sideration. Thus, the practitioner must be independent in mind and appearance. Likewise, the other funda-
mental principles of ethical/professional behaviour cannot be compromised because the engagement is a
review and not an audit. The fundamental principles are:
• integrity
• objectivity
• professional competence and due care
• confidentiality, and
• professional behaviour.
The adoption of an appropriate level of professional scepticism is important on a review engagement.
Remember that professional scepticism is an attitude. It means that the practitioner does not just accept
what he is told, or what he reads at face value. It also means that he does not allow himself to be “led
around by the nose”. It does not mean that in being sceptical, the practitioner abandons good professional
behaviour. In the context of this type of engagement, professional scepticism means that the practitioner:
• should question inconsistencies and investigate contradictory evidence
• should question the reliability of responses to inquiries and other information obtained from manage-
ment and those charged with governance
• be alert to:
– evidence which is inconsistent with other evidence
– information that calls into question the reliability of documents and responses to inquiries
– conditions that may indicate fraud, and
– any other circumstances that suggest the need for additional procedures, for example, missing docu-
ments, lack of knowledge displayed by employees relating to inquiries.
19/6 Auditing Notes for South African Students

Adopting an appropriate level of professional scepticism will reduce the risk of the practitioner overlooking
unusual circumstances, over-generalising when drawing conclusions from evidence and of using
inappropriate assumptions in determining the review plan and in the evaluation of evidence gathered. In a
sense, professional scepticism guards against the review team treating a review engagement as “not that
important” as referred to in the introduction to this chapter.

19.1.6 Engagement level quality control


The review engagement partner must possess competence in assurance skills and techniques (e.g. profes-
sional judgement, evaluating evidence, understanding information systems) and must take responsibility
for:
• the engagement being performed in accordance with the firm’s quality control policies including being
satisfied with:
– the pre-engagement procedures including the integrity of management, and
– the collective competence and capabilities of the engagement team
• the direction, supervision, planning and performance of the review, and
• the appropriateness of the review report/conclusion.

19.1.7 Pre-conditions and preliminary engagement activities for accepting a review


engagement
Before accepting any assurance engagement (audit or review), the practitioner will carry out preliminary
engagement activities, namely:
• determining whether the practitioner wishes to establish or continue a professional relationship with the
prospective/existing client
• considering the integrity of the client’s principal owners, key management and those charged with
governance
• determining whether the firm is competent to perform the engagement; skills, knowledge and resources,
and
• determining whether the firm complies with ethical requirements, for example, independence.
In addition, and perhaps even prior to considering the above, the practitioner must satisfy himself that the
pre-conditions for accepting a review engagement are present, that is, he must:
• determine whether the financial reporting framework applied in the preparation of the financial
statements to be reviewed, is acceptable, for example, IFRS or IFRS for SMEs, and
• obtain the agreement of management that it acknowledges and understands its responsibilities–
– for the preparation of the financial statements in accordance with the applicable financial reporting
framework
– for such internal control as management determines is necessary to enable the preparation of the
financial statements that are free from material misstatement, whether due to fraud or error
– to provide the practitioner with access to all information of which management is aware is relevant to
the preparation of the financial statements, for example, records, documentation, etc.
– to provide the practitioner with any additional information that he may request for the review, and
– to provide, as well as any unrestricted access to persons within the entity, in the case where the
financial statements have been compiled by an independent accounting professional, access to that
individual.
The importance of the above points is confirmed by the fact that if the practitioner is not satisfied with any
of the above pre-conditions, he should attempt to have the matter resolved by management and those
charged with governance. Should the auditor still not be satisfied, the practitioner should not accept the
engagement.
Chapter 19: Review engagements and related service engagements 19/7

19.1.8 The engagement letter


Much of what is covered in the pre-conditions for accepting a review engagement will be recorded in an
engagement letter. ISRE 2400 (revised) requires that an engagement letter be obtained that deals with the
following:
• the intended use and distribution of the financial statements (and any restrictions thereon)
• identification of the applicable financial reporting framework
• the objective and scope of the review
• the responsibilities of the practitioner
• the responsibilities of management
• a statement that the engagement is not an audit and that the practitioner will not express an audit
opinion on the financial statements
• reference to the expected form and content of the report and a statement that the form and content may
differ from its expected form and content
• arrangements concerning the involvement of other practitioners and experts in the review, for example,
the independent accounting professional who compiled the financial statements (applicable to reviews
for companies with a public interest score between 100 and 349 that have their financial statements
externally compiled)
• the expectation that management will provide written representations, and
• a request for management to acknowledge receipt of the engagement letter and to agree to the terms of
the engagement.

19.1.9 Performing the engagement


When considering an audit engagement, the process is reasonably well defined and extensively dealt with
in the ISAs that cover specific aspects of the process, for example, planning, identifying risks, materiality,
audit evidence, etc. The independent review does not have a similar set of its own statements and is guided
by the content of ISRE 2400 (revised). However, this does not mean that the content and principles
contained in the ISAs are not relevant to varying degrees, for example, the principles of audit evidence
apply equally to reviews and in fact, the reviewing practitioner’s “toolbox” is the same as that of the
auditor. The difference is the emphasis that is placed on the use of available procedures. In a review, the
emphasis will be placed on the use of inquiry and analytical procedures, but this does not preclude the
reviewer from observation, external confirmation, recalculation and reperformance.
Furthermore, while it is not as detailed and defined as the audit process, there is a review process that
must be adhered to if compliance with ISRE 2400 (revised) is to be achieved. Diagrammatically it can be
represented as follows:
19/8 Auditing Notes for South African Students

Diagrammatical representation of the review process

19.1.10 Determining materiality


ISRE 2400 (revised) requires that the practitioner shall determine materiality for the financial statements as
a whole and apply this materiality in designing procedures and evaluating results. For a review engage-
ment, the practitioner is required to identify areas in the financial statements where material misstatements
are likely to arise and to provide limited assurance on whether the financial statements are free from
material misstatement. The practitioner sets materiality for the engagement so that he has a guideline to
work with.
There is no magic formula for determining materiality. The practitioner must apply professional
judgement. The concept of materiality in any assurance engagement proposes that misstatement will be
material if it could reasonably be expected to influence the economic decisions of users. Thus, the practi-
tioner will attempt to evaluate what “amount” of misstatement the users of the reviewed financial
statements would tolerate. This is no easy task!
Note, that in a review engagement, because it consists primarily of inquiry and review, the practitioner
does not set performance materiality (as for an audit), as performance materiality is used for determining
the extent of testing for particular classes of transactions, account balances, or disclosures.
As with audit materiality, review engagement materiality is both quantitative and qualitative, which
means that a misstatement that may be quantitatively immaterial, may have a qualitative aspect to it, for
example, it may be related to fraud, or it may relate to inadequate or omitted disclosures that are quali-
tatively material.
For the purposes of determining materiality for a review engagement, the practitioner must be mindful of
the “types” of users of the financial statements he is reviewing and their needs. The majority of review
engagements will be carried out on companies with low public interest scores and will tend to be smaller
companies. The users of financial statements of companies with a public interest score of less than 100,
would probably be restricted to the shareholders (usually a limited number), the bank and perhaps other
Chapter 19: Review engagements and related service engagements 19/9

finance providers. In these circumstances, it is acceptable for the practitioner to assume that users will
simply be seeking some “comfort” (limited assurance) that the financial statements reflect a reasonably fair
representation of the state of the company.
For example:
A shareholder who is not involved directly in the company might use the financial statements to broadly
assess how the company is doing.
Another example:
A bank may be seeking some assurance that the overdraft it is providing is reasonably secure and that the
value of inventory that has been offered as security for the overdraft, is not materially misstated.
Perhaps the point to be made is that if a user is making important decisions of some magnitude or serious
consequence, an audit opinion and not a review conclusion would be required.

19.1.11 Obtaining an understanding of the entity


The practitioner is required to obtain an understanding of the entity to provide the background against
which he plans and performs the engagement and exercises his professional judgement. The major purpose
of this is to identify where material misstatements are likely to arise and thereby to provide a basis for
designing procedures to address these areas.
Note that on an audit engagement, the “understanding of the entity” phase is carried out to identify and
evaluate the risk of material misstatement at financial level and at assertion level so that further audit
procedures can be planned. This is not the case for a review engagement. Although not as detailed (as for
an audit), the process of obtaining an understanding of the entity in a review engagement, enables the
practitioner to:

In terms of ISRE 2400 (revised), the practitioner shall obtain an understanding of:
• relevant industry, regulatory, legal and other external factors including the applicable financial reporting
framework
• the nature of the entity, including:
– its operations
– ownership and governance structures
– types of investment the entity is making
– the way the entity is structured and financed
– the entity’s objectives and strategies
• the entity’s accounting systems and accounting records
• the entity’s selection and application of accounting policies.
The statement makes the point that obtaining an understanding of the entity is a “continual dynamic
process” of gathering, updating and analysing information throughout the engagement. Practitioners need to
avoid simply carrying out a routine set of standard procedures without much thought and assuming that
not much has changed since the previous engagement.
The statement also makes the point that the practitioner should gain an understanding of the “tone at the
top” and the control environment, as these factors are likely to reveal much about management’s attitude
to fair financial reporting.
19/10 Auditing Notes for South African Students

19.1.12 Inquiries and analytical procedures


To obtain sufficient appropriate evidence as a basis for his conclusion on the financial statements, the
practitioner must design and perform inquiry and analytical procedures:
• to address all material items in the financial statements, including disclosures, and
• to focus on addressing areas in the financial statements where material misstatements are likely to arise.
Remember that when conducting these procedures, the practitioner remains alert to:
• evidence that is inconsistent with other evidence
• information that calls into question the reliability of documents and responses to inquiries, and
• conditions that may indicate fraud.
The practitioner’s inquiries of management should include the following:
• how management makes significant accounting estimates
• the identification of related parties and related party transactions and the purpose of those transactions,
and
• whether there are significant, unusual or complex transactions, including:
– significant changes in the client’s business activities
– significant changes to the terms of contracts that may affect the client’s financial statements, for
example, new debt covenants
– significant journal entries or other adjustments to the financial statements
– significant transactions occurring near the end of the reporting period
– the existence of any actual, suspected or alleged fraud or non-compliance with regulations that could
affect the determination of material amounts and disclosures in the financial statements, for example,
taxation regulations not adhered to
– whether management has identified and addressed events occurring between reporting date and the
date of the practitioner’s report that require adjustment to, or disclosure in, the financial statements
– the basis of management’s assessment of the company’s going concern ability, and
– material commitments, contractual obligations or contingencies that have affected, or may affect, the
financial statements.
Analytical procedures involve the evaluation of financial information through analysis of relationships
among both financial and non-financial data. The practitioner’s analytical procedures can address a
number of objectives, for example:
• when obtaining an understanding of the entity, the practitioner may perform a simple comparison of
current and prior period’s gross profit percentages to get an overall understanding of the “normality” of
the current year gross profit. If there are material changes, either positive or negative, the practitioner
will investigate more closely, those factors affecting gross profit
• in identifying inconsistencies and variances from expected trends, values or norms, for example,
comparing the “days outstanding” ratio for debtors for the current and previous three years
• providing corroborative evidence in relation to other inquiry or analytical procedures, for example, a
marked reduction in the days outstanding debtors ratio, may corroborate the client’s accountant’s
representation that credit management controls have been significantly improved, and
• serving as an additional procedure when the practitioner becomes aware of a matter that he believes
may cause the financial statements to be misstated, for example, the practitioner conducts an in-depth
comparative analysis of inventory quantities by description, value, location, etc to provide additional
evidence to support a large increase in the value of inventory reflected in the financial statements.
Analytical procedures can vary from simple to very complex statistical analysis:
• simple comparison, for example, monthly sales for current year to monthly sales for the prior three
years by corresponding month
• ratio and trend analysis, for example, comparison of current ratio period to period
• comparison of financial and non-financial data, for example, payroll costs to number of employees, and
• statistical analysis, for example, regression analysis.
Chapter 19: Review engagements and related service engagements 19/11

In order to carry out the analysis, the practitioner will make use of information from most, if not all, of the
following sources:
• financial information for comparable prior periods, for example, previous year, three years, etc.
• information about expected operating and financial results, for example, budgets and forecasts
• relationships among elements of financial information within the period, for example, sales commis-
sions (expense) to sales (revenue)
• information regarding the industry in which the client operates, for example, industry norms for gross
profit, industry averages for payroll expenses, and
• relevant non-financial information for current and prior periods, for example, delivery costs to delivery
vehicles, sales to sales personnel.

19.1.13 Performing additional procedures


Essentially the practitioner is required to conduct additional procedures if he becomes aware of a matter
that causes the practitioner to believe that the financial statements may be materially misstated. The practi-
tioner may be alerted to the matter in a number of ways, for example, he may consider that management is
being evasive in responding to inquiries, or that explanations for variances resulting from analytical
procedures are inadequate. The practitioner may also be alerted by the non-availability of supporting docu-
mentation where it is required.
The practitioner can conduct whichever additional procedures he deems necessary to settle his concern
that the financial statements may be materially misstated. The types of procedure the practitioner is most
likely to conduct are:
• additional inquiry that is more focused and probing
• additional analytical procedures but in greater detail and directed specifically at the affected amounts or
disclosures
• substantive tests of detail:
– inspection of physical assets and documentation, and
– re-performance/recalculation, and
• external confirmation.
Example 1. The practitioner’s ratio analysis of accounts receivable suggests that the allowance for doubtful
debts is materially understated. An important aspect of the allowance is the aging of debtors to
identify long outstanding debts. Inquiries of management have not satisfied the practitioner.
As an additional procedure the practitioner may decide to reperform the aging of a sample of
debtors’ balances.
Example 2. The practitioner believes that sales may be materially misstated. A comparison of sales by
month revealed that sales for the last month of the year are considerably higher than budget or
the corresponding month for the previous year. Management’s explanation is that “it was just
a good trading month” is unconvincing based on other broad analytical evidence. As an addi-
tional procedure the practitioner may decide to perform detailed “cut-off” tests to determine
whether sales made after year end, have been incorrectly included in the sales for the last
month prior to year end.
Example 3. The practitioner believes that plant and machinery may be materially overstated by the
incorrect inclusion of leased items. Inquiry of the client’s financial accountant gave the
practitioner the impression that the financial accountant did not understand the financial
reporting standards for leases. As an additional procedure the practitioner may decide to
carefully read all lease contracts into which the client has entered, to determine whether any
operating leases have been inappropriately capitalised as finance leases.
Example 4. The practitioner believes that the financial statements may be materially misstated by the
omission of a significant contingent liability pertaining to a matter he identified in the minutes
of directors’ meetings. Management and the directors consider that although a claim against
the company has been lodged, nothing will come of it and the matter can be ignored. As an
additional procedure the practitioner may request that management obtain an attorney’s
representation letter from the company’s attorneys pertaining to litigation and claims.
19/12 Auditing Notes for South African Students

19.1.14 Procedures to address specific circumstances


In addition to the general discussion on performing a review, ISRE 2400 (revised) raised three specific
matters in respect of which the practitioner must conduct procedures. These are:

19.1.14.1 Related parties


In addition to making inquiries at the “understanding the client” stage as to the existence and identity of
related parties and related party transactions, the practitioner must remain alert for arrangements or
information that may indicate related parties/related party transaction that have not been identified or
disclosed to the practitioner. If the practitioner identifies significant transactions outside the client’s normal
course of business, the practitioner should inquire of management about:
• the nature of the transactions
• whether related parties could be involved, and
• the business rationale (logic) behind those transactions, that is, is it an arm’s-length transaction, or is it
possibly designed to conceal misappropriation or manipulation of the financial statements?

19.1.14.2 Fraud and non-compliance with regulations


If there is an indication that fraud or non-compliance has taken place, the practitioner must:
• communicate the matter to senior management and those charged with governance
• request management’s assessment of the effects on the financial statements, and
• consider the effect if any, on the practitioner’s report and determine whether there is a responsibility to
report the occurrence or suspicion of fraud or illegal acts to anyone outside the entity. This requirement
is very important in the South African context. The reason is that the Companies Regulations 2011,
Regulation 29, places an obligation on the independent reviewer to report any “reportable irregularity”
to the Commission (CIPC) if the practitioner (reviewer) is satisfied or has reason to believe that a
reportable irregularity is taking place. The situation is very similar in nature and procedure to an auditor
reporting a reportable irregularity to the IRBA in terms of the Auditing Profession Act 2005. Refer to
chapter 3 for a discussion on reportable irregularities.

19.1.14.3 “Going concern”


A review of a client’s financial statements includes a consideration of the entity’s ability to continue as a
going concern. In many instances, “going concern” will not be an issue, but if the practitioner becomes
aware of events or conditions that may cast significant doubt about the entity’s ability to continue as a
going concern, a proper assessment of “going concern” should be performed. The assessment of “going
concern” on an audit and on a review will be similar. For a detailed discussion, refer to chapter 15 of this
text.

19.1.15 Reconciling the financial statements to the underlying accounting records


The practitioner must obtain evidence that the financial statements agree with the underlying accounting
records. This simply requires that the practitioner trace the financial statement amounts and balances to the
relevant accounting records such as the ledger, summary records or schedules such as the trial balance.

19.1.16 Written representations from management


Management is requested to provide written representations because they are far more reliable than oral
representations and because they focus management’s mind on what they are telling the reviewer. Oral
communication with the practitioner may be simpler and less time consuming but also means that
subsequently facts can be refuted and claims of “misunderstanding of what was said” can be made. If the
communication is written, management are likely to be more truthful and careful in what they
communicate to the practitioner. There are also some matters that the practitioner may not identify other
than through a management representation. The written representation request should be carefully worded
as it is an important source of evidence in a review engagement.
The document should include representations that:
• management has fulfilled its responsibilities for the preparation of the financial statements in
accordance with the applicable financial reporting framework (note that even where an “independent
Chapter 19: Review engagements and related service engagements 19/13

accounting professional” has compiled the financial statements, management is still responsible) and
has provided the practitioner with all relevant information and access to information
• all transactions have been recorded and reflected in the financial statements, and
• management has disclosed to the practitioner–
– the identity of the client’s related parties, related party relationships and transactions of which
management is aware
– significant facts relating to frauds or suspected frauds
– known, actual or possible non-compliance with laws and regulations
– all information relevant to the going concern ability of the entity
– where required, that all subsequent events have been adjusted for or disclosed in the financial
statements
– all material commitments, contractual obligations or contingencies, and
– all material non-monetary transactions or transactions undertaken for no consideration.
If management does not provide “one or more” of the requested written representations, the practitioner
should:
• discuss with management and those charged with governance, and
• re-evaluate the integrity of management and evaluate the effect of this on the evidence gathered.
If the practitioner concludes that there is sufficient doubt about the integrity of management or manage-
ment does not provide the representations requested, the practitioner must disclaim a conclusion.

19.1.17 Forming the practitioner’s conclusion on the financial statements


In forming the conclusion, the practitioner must:
• evaluate whether the financial statements adequately refer to the financial reporting framework in terms
of which they have been prepared, for example, IFRS for SMEs, and
• consider whether (in the context of the reporting framework)–
– the terminology used in the financial statements is appropriate
– the financial statements adequately disclose the significant accounting policies selected and applied
– the accounting policies are consistent with the framework and appropriately applied
– accounting estimates appear reasonable
– the information presented in the financial statements appears relevant, reliable, comparable and
understandable
– the financial statements provide adequate disclosures to enable users to understand the effects of
material transactions and events on the entity’s financial position, financial performance and cash
flows
– the overall presentation, structure and content of the financial statements complies with the relevant
framework, and
– whether the financial statements, including the notes, appear to represent the underlying transactions
and events in a manner that achieves fair presentation.

19.1.18 Expressing a conclusion


The practitioner has the following options with regard to the conclusion to be expressed on the financial
statements
19/14 Auditing Notes for South African Students

19.1.18.1 Unmodified conclusion


The practitioner gives an unmodified conclusion on the financial statements as a whole when he has
obtained limited assurance to be able to conclude that nothing has come to his attention that causes him to
believe that the financial statements do not fairly present, in all material respects, the financial position (at
reporting date) of the entity, and its financial position and its cash flows for the year then ended, in
accordance with the applicable financial reporting framework (e.g. IFRS for SMEs).

19.1.18.2 Modified conclusion – Financial statements materially misstated


(see para. 19.1.20)
The practitioner shall give a modified conclusion on the financial statements as a whole when he
determines that, based on the procedures performed and the evidence obtained, the financial statements are
materially misstated. The practitioner will give:
• a qualified conclusion “except for” where he concludes that the matter(s) giving rise to the modifica-
tion, is material but not pervasive, or
• an adverse conclusion when the effects of the matter giving rise to the modification, are both material
and pervasive.

19.1.18.3 Modified conclusion – Inability to obtain sufficient appropriate evidence


(see para. 19.1.20)
The practitioner shall give a modified conclusion if he is unable to form a conclusion due to inability to
obtain sufficient appropriate evidence. The practitioner will give:
• a qualified conclusion “except for” where he concludes that the possible effects on the financial state-
ments of undetected misstatements, if any, could be material but not pervasive, or
• disclaim a conclusion if he concludes that the possible effects on the financial statements of undetected
misstatements, if any, could be both material and pervasive.

19.1.19 The practitioner’s report


The practitioner’s report on a review engagement has the same basic structure as the audit report but the
wording is different due to the different nature of the engagement. The wording for the report in the South
African context is contained in SAAPS 3 (revised) that, in turn, is based on ISRE 2400 (revised).
(a) Structure
• Title
• The addressee
• Introductory paragraph
• Responsibility of directors’ paragraph
• Independent reviewer’s responsibility paragraph
• A description of a review and its limitations paragraph
• An explanation paragraph when the conclusion is qualified or an adverse conclusion is given or a
conclusion is disclaimed (e.g. basis for qualified conclusion)
• Conclusion paragraph
• Other reports required by the Companies Act paragraph
• Signing off
(b) Title: Independent reviewer’s report
(c) Addressee: To the shareholders of Keystone (Pty) Ltd
(d) Introductory paragraph
We have reviewed the financial statements of Keystone (Pty) Ltd set out on pages 8 to 27, that comprise the
statement of financial position as at 31 March 0001 and the statement of comprehensive income, statement
of changes in equity and statement of cash flows for the year then ended, and the notes, comprising a
summary of significant accounting policies and other explanatory information.
Chapter 19: Review engagements and related service engagements 19/15

(e) Directors’ responsibility


The company’s directors are responsible for the preparation and fair presentation of these financial
statements in accordance with the International Financial Reporting Standard for small and medium-sized
entities, and the requirements of the Companies Act of South Africa, and for such internal control as the
directors determine is necessary to enable the preparation of financial statements that are free from material
misstatement, whether due to fraud or error.
(f) Independent reviewer’s responsibility
Our responsibility is to express a conclusion on these financial statements. We conducted our review in
accordance with the International Standard on Review Engagements ISRE 2400 (revised) – Engagements to
Review Historical Financial Statements. ISRE 2400 (revised) requires us to conclude on whether anything has
come to our attention that causes us to believe that the financial statements, taken as a whole, are not
prepared in all material respects in accordance with the applicable accounting framework. This standard
also requires us to comply with relevant ethical requirements.
(g) Description of a review and its limitations
(Note that this paragraph does not have a heading in the report. All other paragraphs do.)
A review of financial statements in accordance with ISRE 2400 (revised) is a limited assurance engage-
ment. The independent reviewer performs procedures, primarily consisting of making inquiries of
management and others within the entity, as appropriate, and applying analytical procedures, and evalu-
ates the evidence obtained. The procedures performed in a review are substantially less than those per-
formed in an audit conducted in accordance with International Standards on Auditing. Accordingly, we do
not express an audit opinion on these financial statements.
(h) Conclusion (unmodified)
Based on our review, nothing has come to our attention that causes us to believe that these financial
statements do not fairly present, in all material respects, the financial position of Keystone (Pty) Ltd as at
31 March 0001 and its financial performance and cash flows for the year then ended in accordance with the
IFRS for SMEs and the requirements of the Companies Act of South Africa.
(i) Other reports required by the Companies Act
As part of our independent review of the financial statements for the year ended 31 March 0001, we have
read the Directors’ Report for the purposes of identifying whether there are material inconsistencies
between this report and the reviewed financial statements. The Directors’ Report is the responsibility of the
directors. Based on reading the Directors’ Report, we have not identified material inconsistencies between
this report and the reviewed financial statements. However, we have not reviewed the Directors’ Report
and accordingly do not express a conclusion thereon.
(j) Signing off (no heading)
Jo January
Joseph January
Registered Auditor
15 May 0001
Patchwork Office Park
East London

19.1.20 Modifications
Where the reviewer’s conclusion requires modification, a paragraph must be included in the report
explaining the modification. This paragraph will be positioned above the conclusion paragraph and will be
headed according to the type of modification. The options are:

There is no standard wording for “Basis for” paragraphs. The paragraph must be sufficiently clear and
detailed to the extent the user needs to understand the modification.
19/16 Auditing Notes for South African Students

19.1.20.1 “Except for” conclusion


An “except for” conclusion is given where the matter on which the modification to the conclusion is based,
is material but not pervasive. The modification can be based on misstatement or inability to obtain
sufficient appropriate evidence. When an “except for” conclusion is given, the wording of the other
paragraphs does not change. The conclusion paragraph will be headed “Qualified Conclusion” and will be
worded as follows:
• Misstatement: “Based on our review, except for the effects of the matter described in the Basis for
Qualified Conclusion paragraph, nothing has come to our attention . . .”.
• Inability to obtain sufficient appropriate evidence: “Based on our review, except for the possible effects
of the matter described in the Basis for Qualified Conclusion paragraph, nothing has come to our
attention . . .”.

19.1.20.2 Adverse conclusion


An adverse conclusion is given when the financial statements are materially misstated and the
misstatement is deemed to be pervasive to the financial statements. When an adverse conclusion is given,
the wording of the other paragraphs does not change. The conclusion paragraph will be headed “Adverse
Conclusion” and will be worded as follows:
“Based on our review, due to the significance of the matter discussed in the Basis for Adverse Conclusion paragraph, we
conclude that these financial statements do not present fairly, the financial position of . . . .”

19.1.20.3 Disclaimer of conclusion


A disclaimer of conclusion is given when the reviewer was unable to obtain sufficient appropriate evidence
about multiple elements of the financial statements. The effect of this inability is that the practitioner is
unable to complete the review and thus unable to form a conclusion. This has ramifications for the wording
in other paragraphs in the report that are explained below. The conclusion paragraph will be headed
“Disclaimer of Conclusion” and will be worded as follows:
“Due to the significance of the matters described in the Basis for Disclaimer of Conclusion paragraph, we were unable to
obtain sufficient appropriate evidence to form a conclusion on these financial statements. Accordingly, we do not express a
conclusion on these financial statements.”
Changes to other paragraphs when a disclaimer is given, will be as follows:
• in the Introductory paragraph, the words “We have reviewed . . .” will change to “We were engaged to
review . . .”
• the wording in the Independent Reviewer’s Responsibility paragraph is replaced by the following
wording
“Our responsibility is to express a conclusion on these financial statements. Because of the matter described in the Basis
for Disclaimer of Conclusion paragraph, however, we were not able to obtain sufficient appropriate evidence as a basis for
expressing a conclusion on the financial statements.”

19.2 “Agreed upon procedures” engagements


19.2.1 Introduction
ISRS 4400 – Engagements to perform agreed upon procedures regarding financial statements, provides
guidance on this related services engagement (ISRS stands for International Standards on Related
Services).
Although the engagement is referred to as an agreed upon procedures engagement, the report arising
from the engagement is referred to as a factual findings report.

19.2.2 Objective
In an “agreed upon procedures” engagement, the auditor is engaged to carry out procedures (usually of an
audit nature) that have been agreed upon by the parties involved, for example, the auditor, the client and
any interested third party. The auditor reports only on the facts as found. No assurance is given, neither in the
form of an audit opinion nor in the form of a review conclusion. The users of the report are required to
draw their own conclusions from the facts presented.
Chapter 19: Review engagements and related service engagements 19/17

19.2.3 General principles of an agreed upon procedures engagement


General ethical principles, to which practitioners are expected to adhere for this type of engagement,
remain the same as for any engagement, for example:
• integrity
• objectivity
• professional competence and due care
• confidentiality, and
• professional behaviour.
Note: Independence from the client is not a requirement for this type of engagement. However, the
practitioner is still required to be objective in the performance of the engagement. Where the
practitioner is not independent, a statement to that effect must be made in the report arising from
the engagement.
The practitioner must comply with ISRS 4400.
The engagement must be properly planned so that an effective engagement will be performed.
The practitioner must maintain appropriate documentation to:
• support the report on factual findings, and
• provide evidence that the engagement was carried out in terms of ISRS 4400.
The practitioner must carry out the procedures agreed upon and use the evidence obtained as a basis for the
report of factual findings. Procedures to be agreed upon may include:
• inquiry and analysis
• re-computation, comparison and other clerical accuracy checks
• observation
• inspection, and
• obtaining confirmations.

19.2.4 Terms of engagement


As with any engagement it is important that the terms of engagement are clear to all parties, for example,
the client must understand that in this type of engagement no assurance is given. The terms of engagement
should be set out in an engagement letter and should include:
• a clear indication that the engagement does not constitute an audit or review and that accordingly no
assurance will be given
• the purpose of the engagement
• identification of the financial information to which the agreed upon procedures will be applied
• nature, timing and extent of the specific procedures to be applied
• anticipated form of the report of factual findings
• limitations on the distribution of the report, and
• a listing of the procedures to be performed that were agreed upon.

19.2.5 Reporting considerations


(a) Title: Report of Factual Findings

(b) Addressee: To the directors of Pentel Ltd (will be whoever engaged the practitioner)

(c) Description of the engagement*


We have performed the procedures agreed with you and described below with respect to the accounts payable of Pentel
Ltd . . . as at (date), set forth in the accompanying schedules. Our engagement was undertaken in accordance with the
International Standard on Related Services applicable to agreed-upon procedures. The procedures were performed solely
to assist you in evaluating the validity of the accounts payable and are summarised as follows: . . .
Note: A summary of the procedures would be inserted here followed by the results of the procedures
conducted.
19/18 Auditing Notes for South African Students

(d) Explanation of the nature of the report*


Note: As indicated, no assurance is given. The report is simply a presentation of the findings arising from
the performance of the agreed upon procedures. To emphasise this, the following paragraphs are
included in the report:
* Because the above procedures do not constitute either an audit or a review made in accordance with Inter-
national Standards on Auditing or International Standards on Review Engagements, we do not express
any assurance on the accounts payable as at (date).
* Had we performed additional procedures, or had we performed an audit or review of the financial
statements in accordance with International Standards on Auditing or International Standards on Review
Engagements, other matters might have come to our attention that would have been reported to you.

(f) Modified factual findings reports


Note: As no assurance is given, qualification is not an option. No “Emphasis of Matter” paragraph can be
added. The results are presented without opinion or conclusion.

(g) Closing paragraph*


Note: The report is signed in the normal manner (see comments on page 18/12) but above the signing off,
the following paragraph is added to clarify the restricted nature of the engagement and report:
* Our report is solely for the purpose set forth in the first (description of engagement) paragraph of this report
and for your information and is not to be used for any other purpose or to be distributed to any other parties.
This report relates only to the accounts and items specified above, and does not extend to any financial
statements of Pentel Ltd, taken as a whole.

(h) Signing off*


Roddy Rockett
Rodney Rockett
Registered Auditor
15 March 0001
116 Vista Park
Durban
* The factual findings report does not have paragraph headings. They have been included here to convey
the structure and content of the report. The wording of the paragraphs is in italics.

19.3 Compilation engagements


19.3.1 Introduction
Much like the review engagement, practitioners have been conducting compilation engagements for many
years. However, the requirements of the Companies Act 2008 and the Companies Regulations 2011, have
increased the importance and frequency of these engagements. In terms of Regulation 29, a company that
is not required to be audited must have its annual financial statements independently reviewed. A private
company will qualify to have its annual financial statements reviewed if:
• it has a public interest score of 100 to 349, and
• the company’s annual financial statements are compiled externally by an “independent accounting profes-
sional” as defined in Regulation 27.
A registered auditor (or chartered accountant) will satisfy the definition of accounting professional and as
long as such individual is independent of the client, for example, no financial interest in the client, not
involved in the day-to-day running of the client, etc., he may undertake a compilation engagement as
envisaged by the International Standards on Related Services ISRS 4410 (revised). It is likely therefore that
accounting and auditing firms will experience an increase in the frequency of compilation engagements. Of
course, a registered auditor or chartered accountant who compiles the financial statements may not also
perform the review (or audit) of those financial statements.
Chapter 19: Review engagements and related service engagements 19/19

19.3.2 The compilation engagement


Definition
An engagement in which the practitioner applies accounting and financial reporting expertise to assist
management in the preparation and presentation of financial information of an entity in accordance with
an applicable financial reporting framework, and reports as required by ISRS 4410 (revised).
The value to users of financial information compiled in accordance with ISRS 4410 (revised) arises from
the ethical application of the practitioner’s professional expertise. It is very important therefore that the
practitioner complies with the required professional standards, both “technical” and “ethical”. A compila-
tion engagement is not just a matter of picking up a trial balance from a client and drawing up a set of
financial statements; the practitioner must comply with ISRS 4410 (revised) to the extent that its
requirements are satisfied.
Management retains responsibility for the financial information and the basis on which it is prepared.
For example, it is not the responsibility of the compiling practitioner to select accounting policies or decide
upon appropriate estimates/allowances.
A compilation agreement is not an assurance engagement. It does not require the practitioner to verify
the accuracy or completeness of the information provided by management, or otherwise to gather evidence
to express an audit opinion or review conclusion.
This text deals primarily with the application of ISRS 4410 (revised) in the context of the compilation of
annual financial statements in terms of IFRS for SMEs.

19.3.3 Objectives
The practitioner’s objectives are to:
• apply accounting and financial reporting expertise to assist management in the preparation and
presentation of financial statements in accordance with IFRS for SMEs, and
• report in accordance with the requirements of ISRS 4410 (revised).

19.3.4 Ethical requirements


In terms of the Code of Professional Conduct, the fundamental principles are:
• integrity
• objectivity
• professional competence and due care
• confidentiality, and
• professional behaviour.
The fundamental principle of integrity requires, inter alia, that the practitioner should not be associated with
information that he believes to be false, misleading (by inclusion or exclusion) or recklessly provided. This
is clearly applicable to any financial statements that a practitioner compiles and if the situation (false,
misleading, reckless) arises, the practitioner must take steps to disassociate himself from the financial
statements.
While the fundamental principle of objectivity is applicable to a compilation engagement, the require-
ments of section 290 – Independence – Audit and Review Engagements do not apply to compilation
engagements.

19.3.5 Professional judgement


There are a number of matters in a compilation agreement that require the application of sound profes-
sional judgement. These include judgement on ethical and technical matters. Important matters requiring
professional judgement include:
• the acceptability of the financial reporting framework to be used. For example, does the entity satisfy
the scoping requirements for the application of IFRS for SMEs?
• assisting management with the selection of appropriate accounting policies
• assisting management with accounting estimates, for example, impairments, and
• preparation and presentation of the financial information in accordance with IFRS for SMEs.
19/20 Auditing Notes for South African Students

19.3.6 Engagement level quality control


The engagement partner must take responsibility for the overall quality level of the compilation engage-
ment to which he is assigned. This includes:
• following appropriate procedures for the acceptance of a new compilation engagement client or
continuing with an existing compilation engagement client
• being satisfied that the engagement team has the necessary competence and capabilities
• being alert to the possibility of non-compliance by members of the engagement team with ethical
requirements, for example, disclosing confidential client information, showing a lack of due care
• directing, supervising and performing the engagement in compliance with professional standards and
applicable legal/regulatory requirements, and
• taking responsibility for the maintenance of appropriate engagement documentation.

19.3.7 Engagement acceptance and continuance


A compilation agreement should not be accepted unless the practitioner has agreed the terms of engagement
with management in an engagement letter. This includes:
• The intended use and distribution of the financial information, for example, the annual financial
statements are compiled for the purposes of having the independent review conducted in terms of the
requirements of the Companies Regulation Number 29. Initial distribution will be to Joseph Soap and
Co, Registered Auditors, who will conduct the review. Thereafter distribution will be to the bank and
the company’s shareholders. Restrictions on distribution should also be stated.
• Identification of the applicable financial reporting framework, for example, IFRS for SMEs.
• The objective and scope of the compilation engagement (see paragraph 19.2.3).
• The responsibilities of the practitioner, including compliance with relevant ethical requirements, for
example, no association with false, misleading information.
• The responsibilities of management for:
– the financial information and for the preparation and presentation thereof in accordance with a
reporting framework that is acceptable in relation to the intended use thereof
– the accuracy and completeness of the records, documents, explanations and other information
provided by management
– judgements needed in the preparation and presentation including those judgements with which the
practitioner may assist management, and
– the expected form of the practitioner’s report.
• Conveying that the engagement is not an assurance engagement.
• Conveying that the practitioner will not express an audit opinion or a review conclusion.
• Arrangements concerning the involvement of a predecessor practitioner if any, and other practitioners
or experts if any.
• The possibility that management or those charged with governance may be requested to confirm in
writing, certain explanations/information conveyed orally to the practitioner.
• Arrangements for the ownership of the practitioner’s engagement documentation.
• A request to management to acknowledge receipt of the engagement letter and to agree to the terms of
engagement included in the letter.

19.3.8 Performing the engagement


19.3.8.1 The practitioner’s understanding
The practitioner cannot compile a set of financial statements for a client in a vacuum. The practitioner
should obtain an understanding of:
• the client’s business and operations, including the company’s accounting system and accounting
records:
– the nature of the entity’s assets, liabilities, revenues and expenses
Chapter 19: Review engagements and related service engagements 19/21

– the size and complexity of the entity and its operations


– the level of development of the entity’s management and governance structures regarding their
management and oversight of the entity’s accounting records and financial reporting system, and
– the complexity of the financial reporting system and the principles and practices of the industry in
which the client operates, and
• the applicable financial reporting framework, for example, a good knowledge of IFRS for SMEs.
Obtaining an understanding is an ongoing process throughout the engagement. The understanding
establishes a frame of reference within which the practitioner can exercise professional judgement.

19.3.8.2 Compiling the financial information


• The practitioner will compile the financial statements using the records and documents supplied by
management. Other information and explanations will also be necessary and should come from
management as well. The practitioner should be given access to what he considers necessary to carry
out the compilation.
• If in the course of carrying out the compilation, the practitioner becomes aware that any of the
documents, records, information or explanations (including any significant judgements) are incomplete,
inaccurate or otherwise unsatisfactory, he must:
– bring it to the attention of management, and
– request the additional or corrected information.
• If the practitioner is unable to complete the engagement because management has failed to provide the
necessary records, documents, explanations or other information as requested by the practitioner, the
practitioner must withdraw from the engagement and inform management and those charged with
governance, as to the reasons for withdrawing.
• If the practitioner believes that amendments to the compiled financial statements are needed to ensure
that they are not materially misstated, the practitioner cannot simply make the amendment but must
propose the appropriate amendment to management.
Example 1. The practitioner may become aware from reading the directors’ minutes that a piece of
machinery has been damaged. A discussion with management revealed no impairment of the
machinery that was required and was material, had been recognised.
Example 2. The practitioner realises from the documentation he has been presented with, that a material
contingent liability has been omitted from the notes to the financial statements.
• If these types of situation arise, the practitioner will need to make a decision on the materiality of the
matter. Materiality in this situation will be judged in the normal manner, i.e. the matter will be material
if “the misstatement or omission could reasonably be expected to influence the economic decisions of
users based on the financial statements”.
• If management declines to make the required adjustments, the practitioner must withdraw from the
engagement and inform management and those charged with governance of the reasons for
withdrawing. Note that the practitioner does not have the option of “qualifying” the compilation report.
The compilation can either be achieved or it cannot. Also be mindful of the fact that the auditor cannot
be associated with a set of financial statements that he knows to be false, misleading or recklessly
provided. If the financial statements are materially misstated, they will be at least misleading, and the
practitioner must withdraw.

19.3.9 The practitioner’s report


The practitioner’s report is reasonably short and uncomplicated. As mentioned earlier, there is no
opportunity for giving an “except for” or adverse opinion, a disclaimer of opinion or an emphases of
matter. No opinion is given nor is any conclusion drawn.
Note: Paragraph headings marked * are not included. The headings have been provided simply to describe
the structure and content of the report.
19/22 Auditing Notes for South African Students

(a) Title: Practitioner’s compilation report


(b) Address: To the management of Towrite (Pty) Ltd
(c) Introductory paragraph*
We have compiled the accompanying financial statements of Towrite (Pty) Ltd based on information you
have provided. The financial statements comprise the statement of financial position of Towrite (Pty) Ltd
at 28 February 0001, the statement of comprehensive income, statement of changes to equity and statement
of cash flows for the year then ended, and a summary of significant accounting policies and other
explanatory information.
(d) Practitioner’s “role”*
We performed this compilation engagement in accordance with the International Standard on Related
Services 4410 (revised) – Compilation engagements. We have applied our expertise in accounting and
financial reporting to assist you in the preparation and presentation of these financial statements in
accordance with International Financial Reporting Standards for Small and Medium-sized entities (IFRS
for SMEs). We have complied with relevant ethical requirements, including principles of integrity,
objectivity, professional competence and due care.

(e) Management’s responsibility*


These financial statements and the accuracy and completeness of the information used to compile them are
your responsibility.

(f) Reliance*
Since a compilation engagement is not an assurance engagement, we are not required to verify the
accuracy or completeness of the information you provided to us to compile these financial statements.
Accordingly, we do not express an audit opinion or a review conclusion on whether these financial
statements are prepared in accordance with IFRS for SMEs.

(g) Signing off*


Freddie Filander
Frederick Filander (may include professional designation)
15 April 0001
Fasttrack Park
Cape Town
Note: The above report is for a set of general purpose financial statements prepared in terms of IFRS for
SMEs, primarily because this is the most common compilation engagement likely to be undertaken
by auditing and accounting firms. A compilation engagement can be carried out in respect of other
information including modified financial reporting frameworks – the principles will remain the
same.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy