Auditing Notes for South African Students
Twelfth Edition
G Richard (Editor)
C Roets (Editor)
A Adams
S West
Members of the LexisNexis Group worldwide
South Africa LexisNexis (Pty) Ltd
www.lexisnexis.co.za
© 2021
Copyright subsists in this work. No part of this work may be reproduced in any form or by any means without
the publisher’s written permission. Any unauthorised reproduction of this work will constitute a copyright
infringement and render the doer liable under both civil and criminal law.
Whilst every effort has been made to ensure that the information published in this work is accurate, the editors,
authors, writers, contributors, publishers and printers take no responsibility for any loss or damage suffered by
any person as a result of the reliance upon the information contained therein.
The original book was compiled specifically to assist students at tertiary institutions in South Africa with their
studies in auditing. This update is intended for the same purpose. The book is not designed to be used on its
own and stands ancillary to the Companies Act 2008 and its Regulations 2011, the International Standards on
Auditing and the (SAICA) Code of Professional Conduct as well as the King IV Report on Corporate
Governance for South Africa. Extensive reference is made to these and other pronouncements.
Notable changes to the twelfth edition are as follows:
• Chapter 1 – Certain theories and concepts included in the CA2025 competency framework are introduced, as are
the new ISQM 1 and 2 and the revised ISA 220.
• Chapter 2 – Updates have been included relating to the Auditing Profession Amendment Act, 5 of 2021, which
became effective on 26 April 2021.
• Chapter 5 – This chapter has been substantially rewritten to include the updates relating to the revised ISA
315 “Identifying and Assessing the Risks of Material Misstatement”, effective for audits of financial statements for
periods beginning on or after 15 December 2021 (which also affects major parts of Chapter 7).
• Chapter 6 – This chapter has been updated to include the revised ISA 220 “Quality Management for an Audit of
Financial Statements” as well as the related matters included in the new ISQM 1, which requires an engagement
quality review for certain engagements, and ISQM 2, which deals with the quality reviewer’s responsibilities and
the appointment and eligibility of such a reviewer.
• Chapter 7 – As with Chapter 5, this chapter has also been significantly affected by the revised ISA 315 and, as
such, substantial parts of the chapter have been rewritten.
• Chapter 8 – The revisions to ISA 315 also affected this chapter, and updates were made accordingly. Specific
updates were also made to include relevant matters relating to IT general controls, end-user computing and
automated application controls.
• Chapter 9 – More examples and/or illustrations have been included on cryptocurrencies, cloud computing and
networks.
For Chapters 10, 11, 12, 13 and 14 (the cycles), efforts have been made to make these chapters more practical
and to illustrate their link more clearly with the whole of the audit process. These chapters have also been
modernized to some extent, to align them with up-to-date business practices. Finally, substantial updates have
also been made to Chapter 18, The Audit Report.
This book intends to simplify what has proved to be a difficult subject for many generations of auditing
students. The authors hope that they have achieved this. Any comments or suggestions to improve subsequent
editions would be most welcome, especially from students who use the book.
CHAPTER 1
Introduction to auditing
Example 1: Intaba Lodge (Pty) Ltd goes to BigMoney Bank to request a loan. BigMoney Bank tells Intaba Lodge
(Pty) Ltd that before the bank can consider giving the company a loan it must provide BigMoney Bank with
financial statements for the company which must be audited. In effect, BigMoney Bank is telling Intaba Lodge (Pty)
Ltd that the company can provide the financial information, but that the bank wants some assurance from a source
independent of Intaba Lodge (Pty) Ltd that the financial information provided by Intaba Lodge (Pty) Ltd is fair.
This is where the auditor comes in. The auditor will examine (audit) the information provided by Intaba Lodge
(Pty) Ltd and report to the bank on whether it is “fair”. (If the auditors do not think the information is “fair”, they
will say so.) This assurance about the financial information submitted by Intaba Lodge (Pty) Ltd adds to its
credibility and BigMoney Bank will be more comfortable about relying on the information when making the
decision on whether to grant the loan. If the (independent) auditor states that the information is fair the bank will be
more confident that granting the loan will not result in the bank suffering a loss because Intaba Lodge (Pty) Ltd
cannot repay the loan. If BigMoney Bank did not insist on audited financial information, Intaba Lodge (Pty) Ltd
could easily manipulate its financial information to deceive BigMoney Bank into granting it a loan.
Example 2: How does giving assurance relate to a television talent show and why do the promoters of the show
involve auditors? The answer is that the promoter wants the results of the talent show to be credible. He does not
want the sponsors, participants and very importantly the public who support the show, to think the results are fixed
(manipulated). If this impression is given, sponsors are likely to withdraw their support and audiences (and ratings)
will decline until there is no talent show. Thus, producers engage auditors, who are generally perceived by all the
parties concerned to be honest, reliable and conservative, to give an opinion on whether the information (e.g. votes
cast and counted, rules, etc.) underlying the result was “fair”.
In the context of the accounting and auditing profession we can express this more formally by referring to
the International Framework for Assurance Engagements, which defines an assurance engagement as one
“in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended
user . . . ” (see paragraph 3 below for a full discussion).
An audit of financial statements is by no means the only assurance engagement which registered auditors
conduct. As you will see later in this text, registered auditors also frequently perform review engagements,
which are also assurance engagements but which provide a lower level of assurance than an
audit provides.
• Internal auditors – auditors who perform independent assignments on behalf of the board of directors of
the company. These assignments are varied but usually relate to the evaluation of the efficiency,
economy and effectiveness of the company’s internal control systems and business activities and to the
evaluation of whether the company has identified and is responding to the business risks faced by the
company. In a sense, the internal audit function helps senior management to meet its responsibilities in
running the organisation by providing independent information about the company’s departments,
divisions or subsidiaries. The internal auditor enhances management’s degree of confidence that the
company’s systems are functioning as intended and that the risks are being assessed and addressed. The
internal auditor is an employee of the company, but must be independent of the department, division or
subsidiary in which the assignment is being carried out. The organisational structure and reporting lines
in the company will be designed to ensure that the internal audit function is as independent as possible.
An individual is not required to be registered with a professional body to be employed as an internal
auditor, but may choose to register with the Institute for Internal Auditors. Many internal auditors are
chartered accountants and will be registered with the South African Institute of Chartered Accountants.
• Government auditors – government auditors perform a role similar to that of the internal auditor – but
within government departments. They will evaluate and investigate the financial affairs of government
departments, reporting their findings to senior government. They assist government in meeting its
responsibilities in running the financial affairs of the country and increase the degree of confidence
which the government has in its departments, and indirectly, the confidence which the public has in the
government’s financial management. The government auditor (called the Auditor General), is an
employee of the government, but his status and organisational positioning make his office independent of
the government departments in which assignments are carried out. Registration with a professional
body is not required to be employed as a government auditor, but many government auditors are
registered with professional bodies.
• Forensic auditors – forensic auditors concentrate on investigating and gathering evidence where there has
been alleged financial mismanagement, theft or fraud. Forensic audits may be carried out in any
government or business entity, but it should be obvious that the forensic auditor needs to be independent
of the entity under investigation. Where an independent and competent forensic auditor has been
involved, the degree of confidence which the court/investigating body has in the financial evidence is
increased. Forensic auditing is a specialist field, but because of the emphasis on financial matters, most
if not all forensic auditors have a background/qualification in auditing.
• Special purpose auditors – these are auditors who specialise in a particular field, such as environmental
auditors, who audit compliance with environmental regulations, and VAT auditors who work for the
South African Revenue Services and who audit vendors’ VAT returns. The conclusion presented by the
special purpose auditors enhances the degree of confidence which, for example, SARS will have in the
“correctness” of the VAT returns audited, or a local authority will have in an environmental impact
report.
What is the characteristic common to these various audit (assurance) activities? The answer is simple but
very important – it is the characteristic of independence. The external auditor is independent of the company,
the internal auditor is independent of the department being audited and the VAT auditor is independent of
the entity whose VAT returns he may be examining. Regardless of whether it is external, internal, government,
forensic, VAT or any other kind of auditing, if the person performing the “audit” is not independent
of the entity being “audited”, the assurance given by the auditor will be worthless.
Let us relate this to Example 1 given earlier. If BigMoney Bank is not satisfied that the auditor who was engaged by
Intaba Lodge (Pty) Ltd was independent of Intaba Lodge (Pty) Ltd, then the bank will regard the auditor’s opinion
on the “fairness” of Intaba Lodge (Pty) Ltd’s financial information as little more than worthless.
Similarly, with regard to Example 2, the intention of the promoter of a television game show which makes use of
an auditor to verify results is to convey to the public and the show’s sponsors, that there is no “funny business”
going on with the results, and that results are not being manipulated. He wants his results and his show to have
credibility and the public to be confident that the result was valid. Now, if the auditor is not independent of the
game show promoter or is not perceived by the public to be independent, his opinion on the results will be
worthless!
Finally, the word “auditor” is derived from the Latin word “audire” (to hear). In ancient times, accounting
took place orally, for example a servant would tell his master what he had done to protect and develop
crops, land or cattle. The master would listen to such accounts of stewardship and question the servants, in
other words, the master was the listener or auditor. As the skills of writing and bookkeeping evolved, so
auditing evolved with them, growing from merely listening to oral accounts of stewardship to examining
written records. In many instances, masters not wishing to attend to such matters would have appointed a
trusted person independent of the stewards to “satisfy himself of the truth” of the steward’s bookkeeping.
The foundation for the modern auditor had been laid, for example shareholders (master) engage auditors
(independent trusted person) to “satisfy themselves as to the fair presentation” of the directors’ (stewards)
bookkeeping, which is presented in the form of the annual financial statements. As business has evolved,
professional accountants are required more and more to give assurance on all kinds of different information
– not only financial statements. However, the basic premise of “enhancing credibility of information” and
“increasing confidence of users” remains.
Note: Postulates can be regarded as the philosophical foundations of a discipline. In their text, The
Philosophy of Auditing, written over 50 years ago, Mautz and Sharaf suggested a number of auditing
postulates on which modern day auditing is built. A broad understanding of these postulates will
increase one’s understanding of the discipline and why some aspects of auditing are as they are!
These postulates have been explained in the appendix to this chapter.
1.1.2.3 Accountability
The “auditing” profession, and here we are not restricting our discussion to registered auditors in public
practice, has blossomed over the years with the emergence of internal auditing, government auditing,
forensic auditing and environmental auditing as major forces in their own right. The dominant reason for
this is that the world at large requires accountability. Directors must be held accountable for the way in
which they run their businesses, the government must be held accountable for the way it spends taxpayers’
money, and companies whose activities affect the environment must be held accountable for the way in
which they adhere to environmental regulations and legislation. This has created a need for the wider
“auditing” profession to provide an independent service which assesses and evaluates whether directors,
governments, etc., are meeting their responsibilities. The world demands sound corporate governance and
auditors play a key role in meeting this demand.
1.1.3 Specific theories as they relate to businesses, auditing and the profession
During your studies of auditing, you will come across different theories and philosophies, which relate to
specific aspects of businesses, auditing and the profession. Below are a few specific theories/philosophies as
they relate to businesses, auditing and the profession:
• Agency theory as it relates to governance and reporting. This theory, developed by Jensen and Meckling
(1976), explains the relationship between business principals (the shareholders/owners) and their agents
(the directors). The shareholders delegate authority to the directors, who then act on the shareholders’
behalf. Conflict of interest arises between ownership and control, where those who control the entity
(the directors) may not necessarily have the best interest of the shareholders and other stakeholders at
heart.
• Legitimacy theory as it relates to governance. This theory of Dowling and Pfeffer (1975) holds that, for
an entity to continue to exist, it must act in consensus with society’s values, norms and interests.
Entities thus have a social responsibility towards, and should exist in harmony with, their stakeholders.
• Stakeholder theory as it relates to personal and business ethics, governance and reporting. This theory
(usually attributed to Freeman, 1984) places focus on the effect that an entity and its activities have
on all of its stakeholders (e.g. employees, society, customers, suppliers, etc.) as opposed to focusing
only on its shareholders. In accordance with this theory, an entity is expected to have moral values and
social responsibilities.
• Ubuntu as it relates to governance. Ubuntu is an African philosophy which expresses compassion and
humanity. This philosophy holds that a corporation has a responsibility to serve not only its shareholders,
but also its wider stakeholders.
• Utilitarian ethics as it relates to business ethics. In lay terms, utilitarian ethics holds that ethical choices
should be based on that which will produce “the greatest good for the greatest number”.
• Virtue ethics as it relates to business ethics. Virtue ethics has to do with a person/organisation’s moral
foundation. An organisation should focus on what type of entity it wants to be and should practise
acting in a morally sound way.
this rather tedious definition is to break it down into its elements and relate it to the audit or review of a set
of financial statements.
express a conclusion in a negative form as to whether anything has come to his attention which causes him
to believe that the financial statements are not fairly presented. Because limited assurance is required for a
review engagement, the nature and extent of procedures conducted by the reviewer will be far less
comprehensive than for an audit, but the reviewer must still be satisfied that he has gathered sufficient
appropriate evidence to support his conclusion.
appropriate evidence about, and which compound the limitations of the audit. For example, in some
situations it is virtually impossible for the auditor to:
– determine the presence or effect of fraud conducted by senior management
– satisfy himself that all related parties and related-party transactions have been identified and correctly
treated in the financial statements
– determine the level of non-compliance with laws and regulations which may have an impact on the
financial statements
– identify and evaluate future events which may have a bearing on the going concern ability of the
company.
The point is that these “uncertainties” contribute to the limitations of the audit process and in turn make it
impossible for the auditor to provide absolute assurance.
fundamental ethical principles that all chartered accountants and registered auditors are required to observe
as:
• integrity: being straightforward and honest, in all professional and business relationships
• objectivity: not allowing bias, conflict of interest or undue influence of others to override professional or
business judgements (impartial, independent)
• professional competence and due care: maintaining professional knowledge and skill at the required level
and performing work diligently in accordance with applicable technical and professional standards
• confidentiality: respecting the confidentiality of client information
• professional behaviour: complying with laws and regulations and avoiding action which discredits the
profession.
Both ISA 200 (audit) and ISRE 2400 (review) endorse these specific fundamental principles.
(2) governance and leadership (including culture, leadership and organisational structure);
(3) relevant ethical requirements (including requirements related to independence, objectives set for the
firm, its personnel and others);
(4) acceptance and continuance of client relationships and specific engagements (including considerations
such as the nature, circumstances, integrity, ethical values, ability to perform the engagement as well
as financial and operational priorities);
(5) engagement performance (quality objectives set to address the quality of the engagement including
responsibility, supervision, professional judgement, consultation, resolution of differences, and
documentation);
(6) resources (human, technological, and intellectual, as well as service providers);
(7) information and communication (quality objectives relating to obtaining, generating, using and
communicating information); and
(8) the monitoring and remediation process (to provide information about the design, implementation and
operation of the system and to take relevant remedial actions to any deficiencies).
Should an engagement quality review be required (as in the case of the audit of a listed entity or in terms of
the specified responses to the risks identified as part of the firm’s risk assessment process, or by law or
regulation) the appointment and eligibility of such an engagement quality reviewer, as well as his/her
responsibilities, are dealt with in ISQM 2 (Engagement Quality Reviews).
ISA 220 – Quality Management for an Audit of Financial Statements, deals specifically with the engagement
partner’s and engagement team’s responsibility towards quality management for financial statement
audits, as applicable to the nature and circumstances of each audit. This standard emphasises the specific
responsibilities of the engagement partner (as the person who is ultimately responsible for the audit) and
the importance of professional judgement. It also allows for the engagement team to place reliance on the
firm’s system of quality management (however, not blindly) and it integrates the concepts of ISQM 1 (as
above). ISA 220 is dealt with in detail in chapter 6.
managed and owned by the same individuals (the members), there is no split between owners and
managers. Managers did not have to report their custodianship to the owners and the owners did not need
the protection of independent assurance as to the fairness of the financial statements because, in theory,
they worked in the business.
However, with the introduction of the Companies Act 2008, there was a shift in thinking as regards
which business entities should be required to have their annual financial statements audited. The Act
introduced a new method of determining which entities required an audit of their financial statements. The
decision no longer hinges on whether the entity is a company (audit) or a close corporation (no audit) but is
based rather on the level of public interest in the entity. As a result, the Companies Act 2008 and its
accompanying regulations stipulate that all companies and close corporations must calculate their public
interest score for each financial year. As you would expect, the score is based on factors which generally
determine the level of interest the public has in the entity. An entity’s public interest score will be the sum
of:
• a number of points equal to the average number of employees during the financial year
• one point for every R1 million (or portion thereof) of turnover
• one point for every R1 million (or portion thereof) of third-party liability at year-end, and
• one point for every individual who directly or indirectly has a beneficial interest in any of the
company’s shares/members’ interests.
You will notice immediately that companies and close corporations with large labour forces and high
turnovers are going to have far higher public interest scores than small companies and close corporations.
The public interest score method recognises this and as a result public interest scores are broken down into
three strata, namely 350 points and above, 100 to 349 points and less than 100 points, as indicated in the
Companies Act’s regulations. The stratum into which the entity’s public interest score falls assists in
determining to which level of assurance engagement, if any, an entity must subject its annual financial
statements.
In addition to the public interest score, there is another factor which must be taken into account in
determining to which assurance engagement the entity must subject its financial statements. This factor is
whether the annual financial statements are internally compiled by the entity or externally compiled by what is
termed an independent accounting professional (a suitably qualified accountant who is independent of the
entity whose annual financial statements are being compiled).
To complete the picture, remember that there are two types of assurance engagement, namely an
independent audit or an independent review. As we have discussed, an audit is far more comprehensive
than a review, and enables the auditor to give a higher level of assurance on the fair presentation of the
financial statements. As the objective is to create a climate of reliable financial information, particularly
relating to entities in which there is a high public interest, it is logical that companies and close
corporations that have a high public interest score and compile their annual financial statements themselves
should be externally audited. Similarly, companies and close corporations with lower public interest scores
that have their annual financial statements externally compiled (independently) should not have to be
audited, but could rather have their annual financial statements reviewed.
The following chart summarises this:

Public interest score in points | Company | Close corporations and owner-managed companies
Less than 100 | Review | No assurance engagement required
100 to 349 | Audit if AFS internally compiled; Review if AFS externally compiled | Audit if AFS internally compiled; No assurance required if AFS externally compiled (Note 1)
350 and above | Audit (regardless of who compiles the AFS) | Audit (regardless of who compiles the AFS)

Note 1: It may seem strange that close corporations and owner/managed companies that have their
financial statements externally compiled and have points falling in the range 100 to 349 do not
require their AFS to be audited or reviewed, while a “normal” company in the same situation
must have its AFS reviewed. This is because the Companies Act and its regulations specifically
exempt owner/managed companies and close corporations from the review requirement for their
annual financial statements on the grounds that as the owners and managers of these entities are
the same individuals, the external compilation adds the necessary level of credibility to the
financial statements and satisfies the limited interest the public has in these entities.
In addition to audit and review requirements arising out of public interest scores, the Companies Act 2008
and the regulations make it obligatory for certain other companies to have their annual financial statements
audited, regardless of their public interest score. These are:
(i) public companies and state-owned companies, and
(ii) companies which hold assets (exceeding R5m) in the ordinary course of their primary activities in a
fiduciary capacity for persons not related to the company.
The reason for these specific requirements is obvious – there is a strong element of public interest.
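
The scoring rule, the chart and the two additional audit requirements above can be worked through as a single decision procedure. The following Python sketch is an added example, not part of the original text or of the Act; the field and function names are illustrative assumptions, and the sample figures are constructed.

```python
from dataclasses import dataclass

RAND_MILLION = 1_000_000


@dataclass
class Entity:
    """Inputs named in the text; the field names are illustrative assumptions."""
    avg_employees: int             # average number of employees during the year
    turnover: int                  # rand
    third_party_liability: int     # rand, at year-end
    beneficial_holders: int        # individuals with a beneficial interest
    cc_or_owner_managed: bool      # close corporation or owner-managed company
    afs_externally_compiled: bool  # compiled by an independent accounting professional
    public_or_state_owned: bool = False
    fiduciary_assets: int = 0      # rand, held for persons not related to the company


def points_per_million(amount: int) -> int:
    """One point for every R1 million or portion thereof (integer ceiling)."""
    return -(-amount // RAND_MILLION)


def public_interest_score(e: Entity) -> int:
    """Sum of the four components listed in the text."""
    return (e.avg_employees
            + points_per_million(e.turnover)
            + points_per_million(e.third_party_liability)
            + e.beneficial_holders)


def required_engagement(e: Entity) -> str:
    """Return 'audit', 'review' or 'none' per the chart and the two overrides."""
    # Audit regardless of score: public/state-owned, or fiduciary assets over R5m.
    if e.public_or_state_owned or e.fiduciary_assets > 5 * RAND_MILLION:
        return "audit"
    score = public_interest_score(e)
    if score >= 350:
        return "audit"
    if score >= 100 and not e.afs_externally_compiled:
        return "audit"
    # Below 100 points, or 100 to 349 with externally compiled AFS:
    # a company is reviewed; a CC or owner-managed company needs no engagement.
    return "none" if e.cc_or_owner_managed else "review"


if __name__ == "__main__":
    # Constructed sample: 120 + 95 + 20 + 10 = 245 points, externally compiled AFS.
    sample = Entity(120, 95_000_000, 20_000_000, 10,
                    cc_or_owner_managed=False, afs_externally_compiled=True)
    print(public_interest_score(sample), required_engagement(sample))
```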
1.3.2 A model of the independent audit of the annual financial statements of a company arising out of the requirements of the Companies Act 2008
As discussed earlier in this chapter, the establishment of the modern auditing profession arose out of the
split between ownership of a business enterprise and the management of that enterprise. As businesses grew
from entities owned and managed by the same person into large private or public companies where the
owners (shareholders) and managers (directors) were not the same person or persons, the need arose for an
independent party (the auditor) to express an opinion on whether the reports made by those managing the
business to those owning the business were fair. Note that this is the “three-party relationship” element of
an assurance engagement. As business formalised, it became a matter of public interest to lay down rules
and regulations to protect the large and small investor and the economic system as a whole. In virtually all
capitalist economies, this resulted in the promulgation of “Companies Acts” by the various governments.
South Africa was no exception, and for many years our Companies Act has played an integral part in the
practice of auditing. The diagram and explanation presented below illustrate the roles of the various parties
and the Companies Act in the audit.
Note (a): According to ISA 200, the overall objectives of the auditor are to:
• obtain reasonable assurance about whether the financial statements as a whole are free from
material misstatement, whether due to fraud or error, thereby enabling the auditor to express
an opinion on whether the financial statements are prepared, in all material respects, in
accordance with an applicable financial reporting framework (e.g. IFRS), and
• report on the financial statements and communicate as required by the ISAs, in accordance
with the auditor’s findings.
Note (b): The auditor’s opinion is not an assurance of the future viability of the entity, nor the efficiency
with which management has conducted the affairs of the entity.
Note (c): It is not an objective of the audit to discover or prevent fraud or to ensure compliance with the law.
These areas are the responsibility of management. The auditor’s responsibility is to carry out his
audit in such a way that there is a reasonable expectation of detecting such instances if they
affect fair presentation (i.e. the financial statements contain material misstatement arising from
fraud or error).
Note (d): Although this model and diagram would be very similar for a review engagement there would be
some important differences. The independent review engagement is covered in depth in
chapter 19.
1.3.3.2 Directors
• are responsible for running the company and reporting the results of their stewardship (management) to
the shareholders, by way of assertions in the annual financial statements; and
• for preparing the financial statements in terms of an appropriate financial reporting framework (e.g.
IFRS).
1.3.3.3 Auditors
• are responsible for gathering sufficient appropriate evidence to be in a position to give an independent
opinion on whether the annual financial statements issued by the directors to the shareholders present
fairly the financial position and results of operations of the company, in terms of the applicable financial
reporting framework; and
• for reporting the audit opinion to the shareholders.
1.3.4 The role of the Companies Act 2008 and Companies Regulations 2011
Section 30 of the Companies Act:
• makes it compulsory for all public companies to be audited and
• provides the Minister (the member of the Cabinet responsible for companies) with the power to make
regulations which require private companies to be audited, taking into account whether it would be
desirable in the public interest, having regard to the economic or social significance of the company as
indicated by:
– its annual turnover,
– the size of its workforce, or
– the nature and extent of its activities.
The Minister has exercised this power by promulgating, in the Regulations, the requirement for all
companies and close corporations to calculate their public interest score. This in turn will play a role in
determining whether the company (or close corporation) must have its annual financial statements audited.
The Companies Act 2008 also:
• regulates the appointment of auditors and directors, including disqualifying certain individuals from
filling these roles;
• places an obligation on the directors to prepare annual financial statements, stipulates some of the
content, and provides legal backing for the financial reporting standards;
• provides the auditor with the right of access to the company’s records, without which the auditor cannot
fulfil his independent audit function; and
• requires that public companies appoint an audit committee and lays down the functions of the audit
committee.
All of these Companies Act sections make it possible for an effective external audit to take place, making
the Companies Act an integral part of the model.
• Completeness: all transactions and events which should have been recorded, have been recorded, and all
related disclosures that should have been included in the financial statements have been included.
• Cut off: transactions and events have been recorded in the correct accounting period.
• Accuracy: amounts and other data relating to recorded transactions and events have been recorded
appropriately, and related disclosures have been appropriately measured and described.
• Classification: transactions and events have been recorded in the proper accounts.
• Presentation: transactions and events are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of the applicable
financial reporting framework.
Aggregation means to combine or add together, and disaggregation means to break down. For example, in
the case of sales, the company may choose to disclose its sales broken down into categories that are
relevant to the company, for example, revenue from sales of different products, or by region or customer
type (government, private sector).
Assertions about account balances and related disclosures at the period end
• Existence: assets, liabilities and equity interests exist.
• Rights and obligations: the entity holds or controls the rights to assets, and liabilities are the obligations
of the entity.
• Completeness: all assets, liabilities and equity interests that should have been recorded have been
recorded, and all related disclosures that should have been included in the financial statements have
been included.
• Accuracy, valuation and allocation: assets, liabilities and equity interests have been included in the
financial statements at appropriate amounts and any resulting valuation or allocation adjustments (e.g.
depreciation, obsolescence) are appropriately recorded, and related disclosures have been appropriately
measured and described.
• Classification: assets, liabilities and equity interests have been recorded in the proper accounts.
• Presentation: assets, liabilities and equity interests are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable in the context of the
requirements of the applicable financial reporting framework.
The line item below appears in the statement of financial position (balance sheet) of Tradition Ltd:
Trade accounts receivable R2 782 924
What are the directors actually saying (asserting) about accounts receivable? In terms of the assertions they are
representing that at period end:
• the debtors included in the balance existed at year-end, that is, no fictitious debtors have been included (existence)
• Tradition Ltd holds or controls the rights to the amounts owed by debtors, for example, the debtors have not
been factored (rights)
• all debtors have been included in the amount of R2 782 924, and all related disclosures have been included
(completeness)
• the amount of R2 782 924 is appropriate and represents the amount that can reasonably be expected to be
collected from debtors after making a suitable allowance for debtors who will not pay (accuracy, valuation and
allocation)
• accounts receivable have been recorded in the proper accounts (classification), and
• accounts receivable have been appropriately aggregated/disaggregated and clearly described, and related
disclosures are relevant and understandable (presentation).
Note. If you are wondering why occurrence and cut-off are not dealt with in this example, remember that we
are dealing with a balance and related disclosures at period end. Occurrence and cut-off relate to the
transactions underlying the balance, in this case, credit sales.
While assessing risk relating to the accuracy, valuation and allocation assertion, the auditor discovers that to attract
more customers the client has relaxed its credit terms. As a result, the auditor considers that the accounts receivable
may be materially overstated (misstated) because in setting the allowance for bad debts, Tradition Ltd’s
management has not taken into account the fact that the company potentially has new and less creditworthy (credit
terms have been relaxed) customers. The auditor’s response will be to increase the procedures which he conducts on
the allowance for bad debts to determine whether it is fair or materially misstated.
Similarly, the auditor may assess the risk of the inclusion of fictitious debtors in the account balance as low, due
to Tradition Ltd’s excellent internal controls (control environment), the integrity of management and the absence of
any reason/incentive for management to manipulate the accounts receivable balance. The auditor will still conduct
procedures relevant to the existence assertion, but to a lesser extent.
1.4 Summary
The auditor is a professional person who plays an important role in strengthening the credibility of
financial information and hence the general and investing public’s confidence in the financial and economic
system of the country. This role is carried out through the expression of opinions as to whether or not
financial statements are, or financial information is, presented fairly.
Confidence in the reliability of the auditor’s opinion can only be maintained as long as there is public
acceptance that:
• auditors are a body of practitioners who demonstrate the attributes which set them apart from the
general public and make them worthy of recognition as professionals; and
• the auditing profession adheres to a strict code of ethical principles.
The profession is dynamic and is constantly changing to meet the needs of the economic community and
the public at large. Auditing firms have diversified into many different services, both to remain competitive
and to make use of the vast pool of talent which exists within its membership. However, at the core of the
profession is the irrefutable need for a professional body which provides an independent opinion on the
fairness of financial information. Financial information is the lifeblood of the economy and it is vital in the
interests of society (the public at large) that such information be fair and credible.
1.5 Appendix
Auditing postulates
The word “postulate” is best explained by considering the following definitions from the Oxford Dictionary:
“thing(s) claimed as a basis for reasoning” and
“postulates provide a basis for thinking about problems and arriving at solutions . . . a starting point . . . a
fundamental condition”
Perhaps to express it simply we can say that the auditing postulates are the very foundation on which the
discipline is built. Without a foundation, nothing of permanence can be built.
1. No necessary conflict of interest exists between the auditor and management/employees of the
enterprise under audit (both the client and the auditor have the same objective with regard to fair
presentation)
Explanation
This postulate proposes that the auditor and the client’s management share a common desire to ensure that
the financial statements prepared by management, do achieve fair presentation.
This postulate assumes that management will not want to manipulate the financial statements to present a
misleading account of the affairs of the enterprise, for example, to hide fraud or to present a more
favourable financial picture of the company to potential investors.
Discussion
This postulate implies that if management does not want to achieve fair presentation (and thus is willing to
manipulate/falsify information), it becomes impossible to perform a conventional (normal) audit.
The postulate is critical if audits are to be economically and operationally feasible, and yet its relevance
and applicability are becoming increasingly questionable. In view of the ever-rising evidence of financial
mismanagement, theft and fraud in business and government worldwide, is it realistic to presume that
management does have the desire to report business information honestly and fairly?
The auditor has traditionally been able to rely on management's integrity in the absence of contrary
evidence. In the light of the alarming increase in fraud in recent years, it has become increasingly important
for the auditor to evaluate management integrity with professional scepticism. Indeed, the adoption of
professional scepticism by the auditor is one of the requirements placed on the auditor in terms of ISA 200
– Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with
International Standards on Auditing. It means that the auditor can no longer take what he or she is told by
management as necessarily being the truth. It means not being “led around by the nose” or blindly
accepting what management or other employees tell him, and it means that the auditor cannot accept, as a basis
for the audit, that this postulate holds true.
ISA 200 defines professional scepticism as “an attitude that includes a questioning mind, being alert to
conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of
audit evidence”.
2. An auditor must act exclusively as auditor in order to be able to offer an independent and objective
opinion on the fair presentation of financial information
Explanation
The auditor's opinion can only be relied upon if he is free of any bias whatsoever, in other words,
independent. Furthermore, for the auditor to satisfy his duty as a professional, he should devote all of his
energy to performing the audit.
Discussion
The auditor has to be, and be seen to be, independent, if he is to retain credibility as an auditor. This requires
that all other interests that the auditor has which relate to an audit client, must be carefully assessed and if
they affect independence, either these interests or the audit must be relinquished. Unfortunately, the
relevance and applicability of this postulate are also becoming questionable as audit firms place increasing
emphasis on their ability to provide clients with other services, for example tax, management advice and
more. It is interesting to note that in the United States of America there is a strong move on the part of the
regulators of the auditing profession to commit to the principle of this postulate. Major financial scandals
such as the collapse of Enron, one of the largest companies in the world, provided strong evidence of a total
lack of independence on the part of the auditors who are alleged to have been party to, or to have had
knowledge of, serious financial manipulation and fraud by the company, but did nothing about it. Was this
a serious matter? It led to the worldwide demise of one of the “Big 5” auditing firms, once highly regarded
for its ethics and integrity. It was a serious matter!
South Africa has also reacted to the demands of this postulate. In terms of the new Companies Act 2008,
public companies (which must be audited) must also appoint an audit committee. The audit committee in
turn must approve any non-audit work that the auditor of the company is engaged to perform. This can be
seen to be an attempt to focus the auditor’s attention on performing the audit, not on providing other
services. The audit committee must be satisfied that the auditor is independent, and must state whether it is
satisfied with the audit of the annual financial statements. The committee is likely therefore to be very
careful about what other non-audit work is given to the auditor.
3. The professional status of the independent auditor imposes commensurate professional obligations
Explanation
Professional status implies that the auditor has qualities, knowledge and capabilities which set him apart
from the general public, but that this status brings responsibility with it.
Discussion
To enjoy this status, a professional has to live up to certain expectations and accept certain responsibilities.
The concepts of due care, service before personal interest, efficiency and competence flow from these expectations
and have to be accepted as responsibilities by professional accountants.
Discussion
An auditor cannot meet the audit objective of forming an opinion on fair presentation of the financial
information unless he has gained the necessary level of assurance through verification of the financial
information. With the advent of paperless transactions, trading on the Internet and E-Commerce, this
postulate is increasingly under threat, as transactions may not necessarily be supported by documents
which the auditor can see and touch, or even access. To respond to this, the profession will need to develop
new ways of gathering sufficient appropriate evidence to verify client data. Obviously, if financial data is
not verifiable, an opinion on its fair presentation cannot be given.
Discussion
This postulate is of critical importance to the economic and operational feasibility of audits. The alternative
(i.e. no effective internal control), is a situation where auditors are forced either to refrain from offering an
opinion, or to conduct extremely detailed audit examinations. Such alternatives are not constructive,
economical or feasible. Expressed simply, without internal control the audit function is not possible. In
effect, if a company has very poor internal control, the financial data produced by the accounting system is
most unlikely to be verifiable. (See postulate 5).
Discussion
This postulate emphasises the importance of objectivity and of having to measure “fair presentation”
against a predetermined accepted standard. The auditor’s opinion should be based on something which has
gained general acceptance rather than mere personal preferences. An accounting framework provides the
auditor with a “ready-made standard” against which to judge the fairness of the financial information
under audit. The implication is that if the auditor obtains evidence of the proper application of appropriate
generally accepted accounting practice, fair presentation will have been achieved.
7. That which held true in the past will hold true in the future (in the absence of any contrary
evidence)
Explanation
As a basic premise, the auditor may assume that in the context of an ongoing audit engagement at the same
client “things generally stay the same”. Thus historical evidence is crucial. Judgements about the future are
continually being made and accounted for on the basis of historical information. For example, when an
auditor evaluates the allowance which a client has made for bad debts to determine whether it is fair, he
will take into account such matters as:
• the payment records of debtors in prior years,
Discussion
The auditor has to draw on past experience when assessing judgements about the future. Factual historical
evidence is far more powerful than speculation. However, this should not be taken to mean that things do
not change; for example, the integrity of the directors may decline, forcing the auditor to rethink the extent
to which he can rely on the representations of management in the gathering of audit evidence. Trading
conditions can change in a host of different ways and new business risks may arise; the auditor must
recognise this in planning and performing the audit.
8. The financial statements submitted to the auditor for verification are free of collusive and other
unusual irregularities
Explanation
This postulate suggests that the auditor can start from the basic premise that the financial statements do not
contain misstatement which has arisen out of collusion or similar deceptions by management. Collusion
implies that there has been a deliberate attempt to misstate the financial statements. However, in terms of
this postulate the auditor may, in the absence of evidence to the contrary, assume that management has
taken adequate steps to ensure that the financial statements are free of “collusive or unusual irregularities”
engineered by employees and that members of the management team itself have not colluded in the
presentation of the financial statements.
Discussion
A cynical view may be that when these postulates were proposed (circa 1961), directors and employees
were more honest than they are today! Whether this postulate holds true today could no doubt be debated
at length, but the intense focus on corporate governance and the introduction of professional scepticism as
an important prerequisite for auditors suggest that this postulate is also under threat. However, for the
auditor to assume the opposite, namely that the financial statements are not free of “collusive and other
irregularities” would change the objective and focus of the auditor from forming an opinion on fair
presentation to an all-out search for fraud and other irregularities.
Chapter 2: Professional conduct
2.1 The SAICA and IRBA codes of professional conduct (effective 15 June 2019)
There are two codes of professional conduct which provide ethical guidance to professional accountants
and auditors in South Africa. They are:
1. The SAICA code of professional conduct for professional accountants
2. The IRBA code of professional conduct for registered auditors.
Both of these codes are based on and consistent in all material aspects with the code of ethics for
accountants released by the International Ethics Standards Board for Accountants (IESBA) published by the
International Federation of Accountants (IFAC) in April 2018. As you would expect, the two “South African”
codes are consistent with each other.
Why is it necessary to have two codes? The simple answer is that most professional accountants (i.e.
members of SAICA) are not members of the IRBA (i.e. registered auditors) because they do not conduct
audits. Typically, these professional accountants are in government, commerce or industry, engaged as
internal auditors, financial directors or company accountants. They become members of SAICA to benefit
from being part of a professional body and thus must comply with the SAICA code.
While the majority of the members of the IRBA (i.e. registered auditors) are also members of SAICA
(i.e. professional accountants), it is not a requirement that to be a member of the IRBA, the individual must
join SAICA. Therefore, the IRBA must have its own code and must define its own rules regarding
improper conduct.
As mentioned above, the two codes are very similar and are based on the same international code. One
important difference is that the SAICA code, in addition to having a section related to professional
accountants in public practice, has a separate section that deals with professional accountants in business,
that is, professional accountants in commerce and industry etc. Professional accountant is a generic term
used in the code to refer to a chartered accountant (CA (SA)), an associate general accountant (AGA
(SA)), or an associate accounting technician (FMAAT (SA), MAAT (SA), or PSMAAT (SA)). The IRBA
obviously does not have such a section because, by definition, registered auditors are not in commerce and
industry; they are all registered auditors in public practice.
If an individual who is a member of both the IRBA and SAICA acts improperly or unethically, he can be
charged in terms of both codes. Again, this is perfectly logical; the IRBA disciplinary committee has the
power to “punish” one of its own members but has no power to “punish” the individual in terms of the
SAICA code. That would be up to the SAICA disciplinary process.
In summary:
• the SAICA code applies to a person who is registered with SAICA regardless of whether he is a
professional accountant in public practice or a professional accountant in business
• the IRBA Code applies to a much narrower field, namely those persons registered with the IRBA as
registered auditors, and
• provided an individual complies with the registration requirements of both SAICA and the IRBA, he
can be a member of both bodies.
Different religions, races, cultures, and backgrounds may see ethical issues from totally different
perspectives, so it is impossible to establish one set of hard and fast rules which can be applied to all situations
which raise ethical issues. So, in the absence of hard and fast rules, how do people decide whether the
ethical decision they have made is right? There is no simple solution, but if the answer to the following
questions is yes, then the decision is probably the right one:
• Is the decision honest and truthful?
• In making the decision, will I be acting in a way that I would like others to act towards me?
• Will this decision build goodwill and result in the greatest good for the most significant number?
• Would I be comfortable explaining my decision to people whom I respect for their moral values?
In effect, asking the above four questions acknowledges that a conceptual framework approach to ethics is
desirable. There cannot be a rule for every situation, so other processes must be available for the
professional accountant to deal with ethical issues.
While individual members of the profession will no doubt be concerned with ethical issues which affect
society as a whole (the death penalty, abortion or providing jobs at the expense of environmental
destruction), it will be their daily occupations that will give rise to specific ethical situations of a
professional nature.
For example:
• Have I acted in a truly independent manner?
• Should I make use of confidential information obtained from a client for my advantage?
• Should I report a client who may be evading tax to the authorities?
Specific guidance and a way of thinking about ethical issues are provided in the various pronouncements
indicated below.
auspices of SAICA through a SAICA-accredited university, and that the SAICA code is cast a little wider
as it deals with professional accountants in business and public practice. No doubt, many of you will end
up in business and not as auditors.
2. Fundamental principles
The code establishes five fundamental principles with which professional accountants must comply:
2.1 integrity
2.2 objectivity
2.3 professional competence and due care
2.4 confidentiality, and
2.5 professional behaviour.
comprehensive set of rules to identify and resolve ethical issues. It is not possible to say “yes, you can
do that” or “no, you can’t do this” in all situations.
3.2 Therefore, professional accountants using their professional judgement are required to:
• identify threats to compliance with the fundamental principles
• evaluate the threats identified, and
• address the threats by eliminating them or reducing them to an acceptable level.
3.3 When applying the conceptual framework, the professional accountant shall:
• exercise professional judgement
• remain alert to new information and changes in facts and circumstances, and
• consider whether the same conclusion would likely be reached by another party (the third-party
test).
3.4 To be able to apply the conceptual approach, the professional accountant must understand the:
• fundamental principles
• types of threats which may arise, and
• safeguards that may be applied.
3.5 Clients, employers and other users shall be made aware of the inherent limitations of services provided.
3.6 A professional accountant shall not undertake or continue with any engagement he/she is not
competent to perform unless advice and assistance are obtained to carry out the engagement satisfactorily.
2.4.2.3 Threats
Now that the fundamental principles have been described, it is necessary to consider the circumstances that
threaten compliance with them. The code categorises threats as follows:
1. Self-interest threats
These are threats that a financial or other interest will inappropriately influence the professional
accountant’s judgement or behaviour and lead him to act in his self-interest.
For example:
• A professional accountant has shares in an audit client (objectivity).
• A firm is dependent for its survival on the fees from one client (objectivity).
• A member of the audit team will join the client as an employee shortly after completing the audit
(objectivity).
• The client is putting pressure on the audit firm to reduce fees (objectivity, professional competence and
due care; for example, the audit team “cuts corners” to save costs).
• The engagement partner obtains confidential information about the client from a meeting with the
directors, which he could use to his financial advantage (objectivity, integrity, confidentiality and
professional behaviour).
2. Self-review threats
These are threats that a professional accountant will not appropriately evaluate the results of a previous
service performed by the professional accountant or by another individual in his firm, on which the
professional accountant will rely as part of a current service.
For example:
• The former financial accountant of an audit client, a professional accountant, recently resigned and
joined the firm that conducts the audit of his former employer. He was placed on the audit team for the
current audit (objectivity, professional competence and due care).
• In terms of ISA 315 (revised 2019), the audit team must obtain an understanding of the client’s system
of internal control. Thus, a firm issuing an audit opinion on the financial statements of a company for
which the same firm has designed or implemented the internal control system is subject to the threat
that the audit team will assume that the internal control system is sound, without evaluating it, because
their firm designed it (objectivity, professional competence and due care).
3. Advocacy threats
These threats may arise when a professional accountant promotes a client’s or employing organisation’s
position to the point that his subsequent objectivity may be compromised.
For example:
• A professional accountant values a client’s shares and then leads the negotiations on the sale of the
client’s company.
4. Familiarity threats
These are threats that may arise when, because of a close relationship, a professional accountant becomes
too sympathetic to the interests of others.
For example:
• The professional accountant accepts gifts or preferential treatment from a client (objectivity). This type
of occurrence can threaten the basis of a professional relationship.
• The father of a member of the engagement team is responsible for the financial data, which is the
subject of the audit engagement.
• The audit engagement partner and audit manager have a long association with the audit client
(objectivity and (potentially) professional competence and due care, in other words, the audit becomes too
casual and friendly).
5. Intimidation threats
These are threats that occur when a professional accountant may be deterred from acting objectively by
actual or perceived pressures, including attempts to exercise undue influence.
For example:
• A professional accountant in business fails to report a fraud perpetrated by his section head because he
fears he will be dismissed by the section head (objectivity, integrity, professional behaviour).
• An audit firm is being threatened with dismissal from the engagement (objectivity).
• Pressure to accept an inappropriate decision on an accounting matter is exerted by the client’s financial
director on a young, inexperienced audit manager (objectivity and integrity).
Not all threats fall neatly into the above categories! This does not mean they are not threats. They are, and
must still be addressed.
1. Acceptable level
An acceptable level would be when the accountant complies with the fundamental principles.
3. Addressing threats
If the professional accountant determines that the threat is not at an acceptable level, he/she shall reduce
the threat to an acceptable level by:
• eliminating the circumstances, including interests or relationships, that are causing the threats
• applying safeguards to reduce the threat to an acceptable level, or
• declining or ending the specific professional activity.
5. Professional scepticism
Under auditing, review and other assurance standards, including those issued by the IAASB, professional
accountants in public practice are required to exercise professional scepticism when planning and
performing audits, reviews and other assurance engagements. Professional scepticism is inter-related with
the following fundamental principles:
Integrity
• being straightforward and honest when raising concerns about a position taken by a client, and
• pursuing inquiries about inconsistent information and seeking further audit evidence about false or
misleading statements.
Objectivity
• recognising relationships, such as familiarity with the client, that might compromise the professional
accountant’s professional or business judgement, and
• considering the impact of such circumstances and relationships on the professional accountant’s
judgement when evaluating the sufficiency and appropriateness of audit evidence related to a matter
material to the client’s financial statements.
3. Threats
The categorisation of threats for professional accountants in business remains the same as for professional
accountants in public practice, namely, self-interest, self-review, advocacy, familiarity and intimidation:
• Self-interest threats are created when a financial or other interest will inappropriately affect the
professional accountant’s judgement or behaviour:
– financial interests, loans or guarantees
– incentive compensation arrangements
– inappropriate personal use of corporate assets
– concern over employment security, and
– a gift or special treatment from a supplier.
Example 1: Lucas Borak, the financial director of Company A, has shares in Company A. The
financial decisions he makes may be influenced by the effect the decisions will have on his
share value and not the facts relating to the decision.
Example 2: Carl Marks, the financial controller at Company B, participates in a performance bonus
scheme for managers. Financial decisions which he makes can materially affect the bonus
he receives.
• Self-review threats are created when a professional accountant in business evaluates a previous
judgement or service which he has performed. The threat is that the evaluation may be inappropriate, for
example, not diligently carried out.
Example 3: Jackie Jones, the financial director of Company X, determines the appropriate accounting
treatment for a complex financing transaction that he constructed and approved.
• An advocacy threat is created when a professional accountant in business promotes his employer’s
position to the extent that his objectivity is compromised.
Example 4: In attempting to sell a financial product marketed by the company for which he works,
Dickie Dell, a professional accountant, uses questionable tactics and debatable statistics in
“proving” the superiority of his company’s products (this is an advocacy threat to his
integrity, objectivity and professional behaviour).
• A familiarity threat is created when a professional accountant in business will be or becomes too
sympathetic to the interests of some other party, because he has a long or close relationship with that
party:
– a professional accountant in business is in a position to influence reporting or business decisions that
may benefit an immediate or close family member, and
– a professional accountant in business has a long association with business contracts influencing
business decisions.
Example 5: Billy Alviro, the managing director of Company Z, regularly accepts expensive gifts and travel opportunities from two of his company’s major suppliers. The threat is that preferential treatment will be given to these two suppliers because they are friends and not because they are the best suppliers for the company. This is a threat to Billy’s objectivity, and possibly, his professional competence and due care.
• Intimidation threats are created when a professional accountant will be deterred from acting objectively
because of actual or perceived pressures:
– threat of dismissal or replacement of the professional accountant in business or a close or immediate
family member over a disagreement about the application of an accounting principle or how financial
information is to be reported, or
– a dominant personality attempting to influence the decision-making process.
As a professional accountant in business very often depends upon his employing organisation for his
livelihood, he can often be placed in a challenging position where ethical situations arise. He may be
put under pressure to behave in ways that could threaten his compliance with the fundamental
principles. A professional accountant in business may be put under pressure (intimidated by fear of
losing his job) to:
Example 6: Act contrary to law or regulation, for example, claim VAT deductions to which the company is not entitled (integrity, professional behaviour, objectivity).
Example 7: Facilitate unethical or illegal earnings strategies, for example, provide false documentation
to conceal the purchase and sale of illegal products (integrity, professional behaviour,
objectivity).
Example 8: Lie to, or intentionally mislead (including by remaining silent) others, in particular:
– the auditors, for example, by producing false evidence to support fictitious sales, or
– regulators, for example, by lying to customs officials about the nature of imported
goods to reduce import charges (integrity, professional behaviour, objectivity).
4. Evaluating threats
Although the professional accountant in business will have safeguards created by the profession, legislation
or regulation available to him, safeguards in the professional accountant’s workplace will likely be more
accessible and relevant to him.
For example:
A professional accountant whose compliance with the fundamental principle of professional behaviour is being threatened by intimidation from a superior should have a means of exposing the intimidation (and preventing his non-compliance) without fear of retribution. This may be an individual at the employer appointed to deal with such matters, whom the professional accountant can notify of the intimidation.
The following will impact the professional accountant’s evaluation of whether a threat to compliance with
a fundamental principle is at an acceptable level:
• the employer’s system of corporate oversight, which, among other things, monitors the ethical
behaviour at all levels of management, including executive directors
• strong internal controls, for example, clear division of duties and reporting lines which hold employees
accountable for their actions
• recruitment procedures in the employing organisation emphasising the importance of employing high-calibre, competent staff
• policies and procedures to implement and monitor the quality of employee performance
• policies and procedures to empower employees to communicate any ethical issues to senior levels
without fear of retribution
• leadership that stresses the importance of ethical behaviour and the expectation that employees will act
in an ethical manner
• policies and procedures, including any changes, to be communicated to all employees on a timely basis,
and appropriate training and education on such policies and procedures to be provided, and
• ethics and code of conduct policies.
5. Addressing threats
5.1 Sections 210 to 270 describe specific threats that may arise and include actions that might address
such threats.
5.2 A professional accountant in business should consider seeking legal advice if it is believed that unethical behaviour has occurred and will continue within the organisation. He should also consider resigning from the employing organisation if the circumstances that created the threat cannot be eliminated, or should safeguards not be available or be incapable of reducing the threat to an acceptable level.
Chapter 2: Professional conduct 2/13
2. Threats
2.1 Primarily, a conflict of interest creates a threat to objectivity but may also create a threat to other fundamental principles.
2.2 Situations in which conflicts may arise:
Example 1: Shoab Aktar is a professional accountant in business. He sits on the board of two
unrelated companies (A and B) who operate in the same business sector. At a board
meeting of company A, Shoab obtains confidential information that he could use to the
advantage of company B, but which would be to the disadvantage of company A. This
situation (conflict) creates a threat to his objectivity, confidentiality and professional
behaviour and integrity.
Example 2: Tom Collins, a professional accountant in business, has been engaged to provide financial advice to each of two parties to assist them in dissolving their medical partnership. There are several contentious issues in the dissolution. This situation could create threats to Tom’s objectivity (he may favour one partner over the other), professional behaviour (he may act in a manner that discredits the profession by favouring one partner because there is some reward for doing so) as well as his integrity.
Example 3: Paul Premium is a professional accountant employed by company Z. He is responsible for contracting a company to supply a full range of IT support for company Z. Awarding the contract to one of the strong contenders for the contract could result in a financial benefit for an immediate family member (his wife or a dependent). This creates a significant threat to his objectivity and possibly, confidentiality and professional behaviour (if for example he gave the immediate family member confidential information about how she should charge for her services to win the contract).
Example 4: Fred Bennett, a professional accountant in business, sits on the investment committee of company Q. The investment committee approves all significant investments the company makes. If the investment committee approves a specific investment, it will increase Fred’s personal investment portfolio value. This creates a threat to his objectivity, in other words, Fred votes to approve the investment, not because it is a good investment for the company, but because it is a good investment for himself.
• obtaining appropriate oversight for the service he has provided, for example, acting under the supervision of an independent director (examples 2 and 3), and
• consulting with third parties such as SAICA, legal counsel or other professional accountants on how to
resolve the conflict.
It may also be necessary to disclose the nature of conflicts of interest to interested parties and obtain consent regarding the safeguards implemented. If such disclosure or consent is not in writing, the professional accountant is encouraged to document:
• the nature of the circumstances giving rise to the conflict of interest
• the safeguards applied to address the threats when applicable, and
• the consent obtained.
2. Threats
Intimidation or self-interest threats to objectivity, integrity or professional competence are created when a
professional accountant is pressured by internal or external parties, or by the prospect of personal gain, to
prepare or report information in a misleading way or to become associated with misleading information
through the actions of others, for example, manipulating reported profits or knowingly benefiting from
reported profits manipulated by others to earn additional bonuses.
2. Threats
2.1 The primary threat in this situation is that the professional accountant may fail to comply with the
fundamental principle of professional competence and due care.
2.2 A self-interest threat to compliance with the principles of professional competence and due care might
be created if a professional accountant has:
• insufficient experience, education or training
• inadequate resources
• inadequate time available for performing the duties, and
• incomplete, restricted or inadequate information.
2.3 Factors that are relevant in evaluating the level of the threat include:
• the extent to which the professional accountant is working with others
• the seniority of the individual in the business, and
• the level of supervision and review applied to the work.
3. Safeguards
The relevant safeguards may be the following:
• to obtain assistance or training from someone with the necessary expertise
• to ensure that there is sufficient time and the necessary resources to perform the task to the required
professional standard
• the professional accountant shall refuse to perform an assignment, should he/she not possess the
experience or expertise and should the above safeguards fail to reduce or eliminate the resultant threat
to the fundamental principle of professional competence and due care.
2.4.3.5 Financial interests, compensation and incentives linked to financial reporting and decision-making – section 240
1. Responsibility
Where a professional accountant in business (or his immediate or close family member) has a financial interest in the employing organisation, including those arising from compensation or incentive arrangements, he must ensure that he complies with the fundamental principles. A professional accountant in business shall neither manipulate information nor use confidential information for personal gain, as this will amount to self-interest threats to his compliance with the fundamental principles of objectivity or confidentiality.
2. Threats
Self-interest threats to objectivity or confidentiality and, at times, professional behaviour may be created.
Such threats may arise where the professional accountant or an immediate or close family member:
2.1 holds a direct or indirect financial interest in the employing organisation, and decisions made by the
professional accountant can directly influence the value of the interest
2.2 is eligible for a profit-related bonus, and the value of the bonus could be directly affected by decisions
made by the professional accountant
2.3 holds, directly or indirectly, deferred bonus share rights or share options in the employing organisation, the value of which might be affected by decisions made by the professional accountant
2.4 has a motive and opportunity to manipulate price-sensitive information in order to gain financially
2.5 the professional accountant participates in compensation arrangements that provide incentives to
achieve performance targets, the amount of which can be influenced by the decisions made by the
professional accountant.
Note that self-interest threats arising from compensation or incentive arrangements may be further
compounded by pressure from superiors or peers whose “bonuses” may be influenced by decisions
made by the professional accountant in business.
For example:
All management above a certain level at company P participate in a bonus scheme based on the net
profit before tax. Peter Pinarello, the chief financial officer and a professional accountant, makes
several decisions that can affect the reported net profit before tax. As Peter is on a management level
that will benefit from the “bonus” scheme, a self-interest threat is created. Pressure from other
management on Peter to make financial reporting decisions that will maximise net profit before tax
(and hence their bonuses) will intensify the self-interest threat and may amount to an intimidation
threat.
• Implementing policies and procedures for a committee independent of management to determine the
level or form of senior management remuneration.
• Following any internal policies, disclosure to those charged with governance of:
– all relevant interests
– any plans to exercise entitlements or trade in relevant shares, and
• Specific internal and external audit procedures to address issues that give rise to the financial interest.
Inducement
• An object, situation or action
• used as a means to influence another individual’s behaviour
• includes minor acts of hospitality
• acts that result in non-compliance with laws and regulations (NOCLAR)
• gifts
• hospitality
• entertainment
• political or charitable donations
• appeals to friendship and loyalty
• employment or other commercial opportunities, and
• preferential treatment, rights or privileges.
2. Threats
Accepting or making inducements may create self-interest, familiarity or intimidation threats to objectivity, integrity and professional behaviour.
3. Factors to consider when determining whether there is an actual or perceived intent to influence
behaviour
The determination of whether there is actual or perceived intent to influence behaviour requires the
exercise of professional judgement. Relevant factors to consider might include:
• the nature, frequency, value and cumulative effect of the inducement
• timing of when the inducement is offered relative to any action or decision that it might influence
• whether the inducement is a customary or cultural practice in the circumstances, for example, offering a
gift on the occasion of a religious holiday or wedding
• whether the inducement is an ancillary part of professional service, for example, offering or accepting
lunch in connection with a business meeting
• whether the inducement offer is limited to an individual recipient or available to a broader group. The
broader group might be internal or external to the employing organisation, such as other customers or
vendors
• the roles and positions of the individuals offering or being offered the inducement
• whether the professional accountant knows, or has reason to believe, that accepting the inducement
would breach the policies and procedures of the counterparty’s employing organisation
• the degree of transparency with which the inducement is offered
• whether the inducement was required or requested by the recipient, and
• the known previous behaviour or reputation of the offeror.
4. Safeguards
To protect against these threats, the professional accountant in business should:
• immediately inform higher levels of management or those charged with governance if such an offer is
made
• amend or terminate the business relationship with the offeror
• decline or not offer the inducement
• transfer responsibility for any business-related decision involving the counterparty to a counterparty
who would not be improperly influenced in making the decision
• be transparent with senior management or those charged with governance of the employing organisation
• register the inducement in a log maintained by the employing organisation
• have an appropriate reviewer, who is not otherwise involved in undertaking the professional activity,
review any work performed or decisions made by the professional accountant
• donate the inducement to charity after receipt and appropriately disclose the donation, for example, to
those charged with governance or the individual who offered the inducement
• reimburse the cost of the inducement, such as hospitality received, and
• as soon as possible, return the inducement, such as a gift, after it was initially accepted.
2.4.3.7 Responding to non-compliance with laws and regulations (NOCLAR) – section 260
1. General
A professional accountant might encounter or be made aware of non-compliance or suspected non-compliance in the course of carrying out professional activities. This section guides the professional accountant in assessing the implications of the matter and the possible courses of action when responding to non-compliance or suspected non-compliance with:
• laws and regulations generally recognised to have a direct effect on the determination of material
amounts and disclosures in the employing organisation’s financial statements and
• other laws and regulations that may be fundamental to the operational aspects of the employer’s
business or its ability to continue in business or avoid material penalties.
NOCLAR is –
• any act or omission
• intentional or unintentional
2. Requirements
Professional accountants must understand legal or regulatory provisions and how non-compliance with
laws and regulations should be addressed, should it exist in a jurisdiction. The requirements may include
reporting the matter to an appropriate authority or a prohibition on alerting the relevant party.
Professional accountants must always act in the public interest, and the objectives when responding to
non-compliance with laws and regulations are therefore to:
• comply with the fundamental principles of integrity and professional behaviour
• by alerting management or those charged with governance, to seek to:
– enable them to rectify, remediate or mitigate the consequences of the non-compliance, or
– prevent the non-compliance where it has not yet occurred, and
• to take further action as appropriate in the public interest.
Many employing organisations have policies and procedures that deal with the reporting of, amongst
others, non-compliance with laws and regulations. The professional accountant shall consider this in
deciding how to respond to non-compliance (e.g. an ethics policy or internal whistle-blowing mechanism).
Professional accountants in business shall comply with this section on a timely basis, having regard to
the nature of the matter and the potential harm to the interests of the employing organisation, investors,
creditors, employees or the general public.
3. Threats
A self-interest or intimidation threat to compliance with the principles of integrity and professional behaviour is created when a professional accountant becomes aware of non-compliance or suspected non-compliance with laws and regulations.
that disclosure is permitted according to the fundamental principle of confidentiality. The other professional accountant should also document the process as set out in step 5 below.
Senior professional accountants in business – namely directors, officers or senior employees able to
exert significant influence over and make decisions regarding the acquisition, deployment and control of
the employing organisation’s human, financial, technological, physical and intangible resources.
3.4 The senior professional accountant shall exercise professional judgement in determining the need for,
and nature and extent of, further action. In making this determination, the professional accountant shall
take into account whether a reasonable and informed third party would be likely to conclude that the
professional accountant has acted appropriately in the public interest by:
• informing the management of the parent company of the matter if the employing organisation is a
member of a group
• disclosing the matter to an appropriate legal body, and
• resigning from the employing organisation.
Step 5: Documentation
The senior professional accountant is encouraged to have the following documented:
• the matter
• the results of discussions with superiors, those charged with governance and other parties
• how the above parties have responded to the matter
• the courses of action considered, the judgements and the decisions made, and
• how the senior professional accountant is satisfied that all his responsibilities have been fulfilled.
• pressure to act without sufficient expertise or due care (s 230) – pressure from superiors to inappropriately reduce the extent of work performed
• pressure related to financial interests (s 240) – pressure from those who might benefit from participation in an incentive scheme to manipulate performance indicators
• pressure related to inducements (s 250) – pressure to accept a bribe
• pressure related to non-compliance with laws and regulations (s 260) – pressure to structure a transaction to evade tax.
2. Threats
A professional accountant might face pressure that creates threats (such as intimidation) to compliance
with the fundamental principles when undertaking a professional activity. Pressure might be explicit or
implicit and might come from:
• within the employing organisation, for example, from a colleague or superior
• an external individual or organisation such as a vendor, customer or lender, and
• internal or external targets and expectations.
4. Safeguards
Discussions with the following parties may enable the professional accountant to evaluate the level of the
threat:
• the individual who is exerting the pressure – an attempt to resolve it
• the accountant’s superior (not the individual exerting the pressure)
• higher levels of management
• internal or external auditors
• those charged with governance
• disclosing the matter in line with policies, and
• consulting with:
– a colleague, human resources personnel, or another professional accountant
– relevant professional body (e.g. SAICA), and
– legal counsel.
• The professional accountant is encouraged to document the facts, the communications and parties with
whom the matter was discussed, the courses of action considered and how the matter was addressed.
It is important to note that threats may vary depending on the service the professional accountant is
providing. The services the professional accountant in public practice offers can be categorised as:
• assurance engagements – an engagement where the professional accountant expresses an opinion or a
conclusion which is intended to enhance the degree of confidence of a user of the information on
which the opinion or conclusion has been expressed, for example, an audit or review of financial
statements, or
• non-assurance engagements – an engagement where the professional accountant does not express an
opinion or draw a conclusion on information, for example, agreed-upon procedure engagements or
compilation engagements.
Threats to the fundamental principles may be more significant for assurance engagements than for non-assurance engagements, particularly in the case of threats to objectivity.
For example:
Suppose an opinion on the fair presentation of Atco (Pty) Ltd’s financial statements is given by a professional accountant who is not truly independent of Atco (Pty) Ltd. If he owns shares in Atco (Pty) Ltd, the credibility of the opinion will be questionable. Holding shares in an audit client is an unacceptable threat to the professional accountant’s objectivity. If, however, Atco (Pty) Ltd was not an audit client and the professional accountant was asked to compile some financial information for the company, his shareholding would not present a significant risk to his objectivity.
This does not mean that threats arising on non-assurance engagements can be ignored. Objectivity is only one of the five fundamental principles, and while there may be no specific threat to objectivity in a non-assurance engagement, threats to other principles, such as confidentiality, may be considerable, for example, when the professional accountant is advising a client on a highly sensitive merger transaction.
2. The charts on the following three pages are designed to assist you in understanding the conceptual
framework approach. The examples given are nowhere near exhaustive.
3. Evaluating threats
Professional accountants need to evaluate whether the above threats are at an acceptable level. Conditions,
policies and procedures might impact this evaluation and might relate to:
• The client and its operating environment
Nature of client engagement:
– an audit client and whether the audit client is a public interest entity
– an assurance client that is not an audit client, or
– a non-assurance client.
As an example, providing a non-assurance service to an audit client that is a public interest entity may
result in a higher level of threat to compliance with the fundamental principle of objectivity.
Corporate governance structure promoting compliance with fundamental principles.
For example:
– the client requires appropriate individuals other than management to ratify or approve the appointment of a firm to perform an engagement
– the client has competent employees with experience and seniority to make managerial decisions
– the client has implemented internal procedures that facilitate objective choices in tendering non-assurance engagements, or
– the client has a corporate governance structure that provides appropriate oversight and communications regarding the firm’s services.
• The firm and its operating environment indicate
– firm leadership that stresses the importance of compliance with the fundamental principles (e.g. to
act with integrity and professionally)
– the expectation that members of an assurance team will act in the public interest
– policies and procedures to implement and monitor quality control of engagements, including policies and the monitoring thereof concerning independence and compliance with the fundamental principles
– compensation, performance appraisal and disciplinary policies and procedures that promote compliance with the fundamental principles
Examples of circumstances that may create threats to professional accountants and some possible safeguards
Neither the threats nor the safeguards are exhaustive. The intention is to illustrate the application of the
conceptual framework.
Threat: Self-interest
Example 1: Walter Wiseman, an audit partner, owns 15% of Buttco (Pty) Ltd, an audit client.
Fundamental principle threatened: Objectivity, Integrity, Professional Behaviour (Walter may overlook issues that arise on audit, to protect his investment.)
Safeguard:
• A policy within the audit firm which prohibits partners and employees from holding shares in an assurance client. (Walter should dispose of his investment.)
• A procedure for monitoring this prohibition and a disciplinary follow up for transgressors.
Example 2: Joe Zulu, an audit manager, has been offered a highly paid job at his audit clients.
Fundamental principle threatened: Integrity, Objectivity, Professional Behaviour (Joe may overlook issues that arise on audit so as not to jeopardise the job offer.)
Safeguard:
• Removal of Joe from the audit engagement team.
• Having the key audit work performed by Joe reviewed by a professional accountant independent of the engagement.
• Notifying the company’s audit committee of the situation and the safeguards put in place.
Threat: Self-interest (continued)
Example 3: Fred Fasset could make a great deal of money by getting his wife to purchase shares in a listed company where he is in charge of the audit before the annual financial statements are released.
Fundamental principle threatened: Integrity, Confidentiality, Objectivity and Professional Behaviour. (Fred would be contravening the Insider Trading Act, acting dishonestly and making use of confidential information. If his wife purchases shares, Fred’s objectivity would also be compromised.)
Safeguard:
• Ongoing education for employees regarding ethical issues, compliance with legislation, etc., specifically relating to listed companies.
• Instant dismissal of a firm employee (in this case Fred Fasset) for this kind of breach of the fundamental principles and a policy that requires that transgressors of the Insider Trading Act be reported to the relevant authorities.
Threat: Self-review
Example 1: Harris Ford, a partner in an auditing firm has been asked by a third party to provide a report on a (non-audit) client’s computerised sales system, which he and his team had recently designed and implemented.
Fundamental principle threatened: Objectivity (Harris may be tempted to omit valid criticisms of the system as he designed it – he is reporting on his own work.)
Safeguard:
• Notifying the third party of the extent of Harris and his engagement team’s involvement in the system design and implementation before accepting the engagement.
Example 2: Hopgood & Co write up the accounting records of Tuis (Pty) Ltd and have been approached to perform the annual audit.
Fundamental principle threatened: Objectivity (The audit firm is not independent as it will be giving an opinion on financial statements it prepared from accounting records it compiled.)
Safeguard: In effect, the Companies Act 2008 provides the safeguard.
• In terms of s 90, an individual (or firm) may not be appointed as auditor if he (or his partner or employees) regularly performs the duties of accountant or bookkeeper of that company.
Example 3: Clarence Kleynhans, who was for some years the financial manager of Kambo (Pty) Ltd, recently resigned to go back into the profession. He was employed by the audit firm that holds the appointment of auditor of Kambo (Pty) Ltd and because of his knowledge of the company, it has been suggested that he be placed in charge of the audit.
Fundamental principle threatened: Objectivity, Integrity and Professional Competence (As Clarence would be in charge of the audit of financial information, some of which he would have been directly responsible for, he cannot be regarded as independent. His integrity may also be threatened, as there could be issues in which he was involved as the financial manager, but which he does not want to be subject to audit. It is also possible that he lacks the professional competence to manage an engagement of this nature.)
Safeguard:
• A firm policy that prohibits newly appointed employees such as Clarence (coming from a client) from being part of the audit team until, say, two years have lapsed.
• Appointing him to the engagement team (to make use of his knowledge), but not as the manager.
• Comprehensive reviews of the work he carries out if he does work on the audit.
• Notifying those charged with governance of the situation before placing him on the team.
Note: As the auditor should be independent and seen to be independent, the best safeguard would be to keep Clarence off the team.
Threat: Advocacy (this category of threat is far less common than the others)
Example 1: Dandy Ncobo, a partner in an audit firm, has been requested to negotiate the sale of Hi-Shine (Pty) Ltd, an audit client.
Fundamental principle threatened: Objectivity (Dandy may over-promote or over-state the worth of his client to get a better price, to the extent that he is perceived as not being objective in his approach to the negotiations.)
Safeguard:
• A firm policy which requires that a partner independent of the client (Hi-Shine (Pty) Ltd), handle the sale negotiation.
• A firm policy that limits the non-assurance services offered to assurance clients to only those with a minimal threat of non-compliance with the fundamental principles.
Threat: Familiarity
Example 1: The financial director of Travel Bug Ltd has offered to take the whole audit team on an all-expenses paid weekend to an exclusive game lodge. He has stated that this will become a yearly event if the audit deadline is met.
Fundamental principle threatened: Objectivity and professional competence and due care. (This type of situation changes the professional relationship between the audit team from “professional” to “familiar”. In return, the financial director may expect “favours” from the audit team. The promise of future trips if the deadline is met may threaten the objectivity, adherence to standards and due care of future audit teams who may be tempted to “overlook” audit problems to ensure the deadline is met.)
Safeguard:
• A firm policy that forbids the acceptance of gifts and hospitality which are anything other than clearly insignificant.
• A strict disciplinary action for any transgressions by staff members who do not adhere to this policy.
Example 2: Marie Lopes, the audit manager on the audit of Topaz Ltd will shortly marry Bill Brown the financial director of Topaz Ltd.
Fundamental principle threatened: Objectivity (Marie will shortly have an immediate family member (spouse) who can exert direct and significant influence over the information she will be auditing. Her independence is compromised.)
Safeguard:
• Removal of Marie from the audit.
• Policies and procedures within the firm which monitor specifically the independence of the firm’s employees so that situations such as this are identified and can be addressed.
Intimidation 1. The financial director of 1. Objectivity, professional 1. • A review of the work carried
Rubdub Ltd has competence and due care out on the audit by a partner
informed Rex Randolf, and integrity. (To retain the independent of the client.
the engagement partner audit, Rex may compromise • Quality control procedures
on the audit of Rubdub on standards, for example, within the firm that review
Ltd, that unless the audit do insufficient audit work, the desirability of continuing
fee is reduced by 30%, and fail to follow up professional relationships
his firm will be removed problems which he is fully with the firm’s clients.
from the appointment of aware should be followed up • Raising the matter with the
an auditor. so as not to audit committee and/or
go “over budget” on the other governance structures.
reduced fee.)
2. Example: The financial director of ProTech (Pty) Ltd is very aggressive, domineering and dismissive of the audit function and audit team.
Fundamental principle threatened: Objectivity, professional competence and due care. (The financial director’s attitude may compromise the audit team’s professional judgement. They may be “bullied” into ignoring problems on the audit out of fear of the financial director.)
Safeguard:
• Appointing an engagement team that consists of experienced, strong-willed individuals who will behave professionally under pressure.
• Quality procedures within the firm which review the desirability of continuing professional relationships with the firm’s clients.
• Discussion of the situation with the client’s governance structure.
• Discussion of the situation with the audit committee.
2. Threats
2.1 Conflicts of interest create a threat to the professional accountant’s objectivity and may also give rise
to threats to the other fundamental principles, particularly confidentiality. Such threats may arise
when:
Type 1: the professional accountant provides a professional service related to a particular matter for
two or more clients whose interests with respect to that matter are in conflict, or
Type 2: the interests of the professional accountant concerning a particular matter and the interests of
the client for whom the professional accountant provides a professional service related to
that matter are in conflict.
Examples:
• Advising client A and client B at the same time where client A and client B are competing to
acquire Company C (Type 1).
• Client X wants to acquire Company Z, and engages professional accountant Y to advise on the
acquisition. Company Z is an audit client of professional accountant Y. A conflict of interest arises
if professional accountant Y has obtained confidential information from the audit of Company Z,
which may be relevant to the acquisition (Type 1).
• P and Q are partners but wish to dissolve the partnership due to an ethical disagreement. Both
partners have engaged professional accountant R to advise them on the financial aspects of the
dissolution (Type 1).
• Company S pays royalties to Company T. Professional accountant V provides Company T with
an assurance report on the “fair presentation” of the amount of royalties due while at the same
time performing the royalties payable calculation on behalf of Company S (Type 1).
• Professional accountant O advises Company Q to invest in Company R, a company in which
professional accountant O’s wife has a financial interest (Type 2).
• Professional accountant F advises a client to purchase and install an expensive suite of financial
reporting software. The local agent for the installation and maintenance of the software is a
company in which professional accountant F’s son is the majority shareholder and managing director
(Type 2).
2.2 Generally when there is a potential conflict of interest, there will be a confidentiality threat as well.
The professional accountant will need to be mindful of precisely what information can be divulged to
each of the parties involved.
3. Conflict identification
A professional accountant in public practice must identify potential conflicts of interest, including potential
conflicts because of a network firm, before accepting a new client. Such steps shall include identifying:
• the nature of the relevant interests and relationships between the parties involved
• the service and its implication for relevant parties.
An effective process to identify actual or potential conflicts of interest will take into account factors such as:
• the nature of the professional services provided
• the size of the firm
• the size and nature of the client base, and
• the structure of the firm, for example, the number and geographic location of offices.
The professional accountant should also remain alert for changes in circumstances that may create conflicts
of interest. Refer to section 320, professional appointments, for more information on client acceptance.
4. Evaluating threats
The professional accountant in public practice should evaluate the level of the threat caused by conflicts of
interest. Factors that are relevant in evaluating the level of the threat include:
• the existence of separate practice areas for speciality functions within the firm, which might act as a
barrier to the passing of confidential client information between practice areas
• policies and procedures to limit access to client files
• confidentiality agreements signed by personnel and partners of the firm
• separation of confidential information physically and electronically
• specific and dedicated training and communication.
5. Safeguards
5.1 Having separate engagement teams who are provided with clear policies and procedures on
maintaining confidentiality.
5.2 Having an appropriate reviewer, who is not involved in providing the service or otherwise affected by
the conflict, review the work performed to assess whether the key judgements and conclusions are
appropriate.
5.3 Disclosing to all parties involved in the “conflict” situation that there is a conflict of interest and
explaining the threats which arise therefrom. If any safeguards have been or will be put in place, for
example see 5.2 above, these should also be disclosed and explained. The parties should acknowledge
their understanding and acceptance of the situation. (If the parties do not accept, the professional
accountant will have to decline or resign from the service leading to the conflict of interest.) All of the
above should be documented (it should not be verbal, and acceptance should not simply be implied).
5.4 The professional accountant should discontinue an engagement or not accept the engagement should
explicit consent be sought and not be granted by a client.
5.5 Specific disclosures in order to obtain explicit consent may result in a breach of confidentiality. The
firm shall generally not accept or continue with an engagement under these circumstances unless:
• the firm does not act in an advocacy role for one client against another client in the same matter
• specific measures are in place to prevent disclosure of confidential information between
engagement teams, and
• the firm applies the reasonable and informed third-party test and concludes that it is appropriate to
accept or continue the engagement.
2. Threats
2.1 The two fundamental principles most at threat are integrity and professional behaviour. These would
be threatened if, for example, the client’s management condoned unethical (dishonest) business
practices, such as being involved in a business sector that may have a reputation for questionable
business practices like second-hand car parts, or being socially or morally questionable. This may
include companies that have no regard for environmental damage or that exploit their workforce.
2.2 Having accepted the client, a self-interest threat to professional competence and due care is created if
the engagement team does not possess, or cannot acquire, the competencies necessary to perform the
engagement.
3. Evaluating threats
3.1 The professional accountant in public practice should evaluate the level of the threat caused by client
acceptance. Factors that are relevant in evaluating the level of the threat include:
• pre-engagement activities, including obtaining knowledge and understanding of the client, its
owners, management and those charged with governance and business activities
• the client’s commitment to addressing the questionable issues, such as improving corporate
governance practices or internal controls.
3.2 Factors that are relevant in evaluating the level of the threat caused by engagement acceptance
(therefore after accepting the client) include:
• obtaining an appropriate understanding of the:
– nature of the client’s business
– complexity of its operations
– requirements of the engagement, and
– purpose, nature and scope of the work to be performed.
• knowledge of relevant industries or subject matter
• experience with relevant regulatory or reporting requirements, and
• the existence of quality control policies and procedures when accepting the engagement.
4. Safeguards
Safeguards that may be implemented include:
• assigning sufficient staff with the necessary competencies
• using experts where necessary (it should first be determined whether reliance is warranted)
• agreeing on a realistic timeframe for the performance of the engagement.
2. Threats
2.1 The threat to the proposed accountant is in essence the same as the threats posed by taking on a new
client/accepting a new engagement. There may be threats to the proposed accountant’s compliance
with the fundamental principles of professional competence and due care, professional behaviour and
integrity. For example, there may be a threat to professional competence if the professional
accountant does not know all the relevant facts about the proposed client.
2.2 The threat to the existing accountant is that he fails to comply with the fundamental principle of
confidentiality (e.g. by divulging confidential information to the proposed accountant without client
permission) and professional behaviour (by bringing discredit to the profession by, for example,
criticising either the client he is losing or the proposed accountant). There is also a potential threat to
integrity. The existing accountant must be honest and truthful in his dealings with the proposed
accountant. The threat is genuine if the existing accountant is angry/upset about being replaced.
3. Safeguards
3.1 In addition, the proposed accountant should effect the following safeguards:
• discussions with the current professional accountant to evaluate the significance of any threats and
also identify suitable safeguards, and
• obtaining information from other sources such as through inquiries of third parties or background
investigations regarding senior management or those charged with governance of the client.
As mentioned above, the fundamental principle of confidentiality should still be honoured. The
incoming (proposed) accountant will usually need the client’s permission, preferably in writing, to
initiate discussions with the existing or predecessor accountant.
If unable to communicate with the existing or predecessor accountant, the proposed accountant shall
take other reasonable steps to obtain information about any possible threats. This includes making
enquiries of third parties and performing background checks on the proposed client.
Suppose the proposed client refuses or fails to give permission for the proposed accountant to
communicate with the existing or predecessor accountant. In that case, the proposed accountant shall
decline the appointment unless there are exceptional circumstances of which the proposed accountant
has complete knowledge, and has verified all relevant facts by some other means.
3.2 The existing accountant should address the threats facing the firm by implementing the following
safeguards:
• obtaining the client’s permission to discuss the client’s affairs with the proposed accountant and
defining the boundaries of what may be discussed (in writing)
• complying with relevant laws and regulations governing the request, and
• providing the proposed accountant with information honestly and unambiguously.
2. Threats
2.1 This situation could give rise to a self-interest threat that the professional accountant will fail to
comply with the fundamental principle of professional competence and due care if he is not provided
with the same set of facts or evidence provided to the existing accountant.
For example:
The matter on which a second opinion is sought is how a complex transaction that is subject to
various conditions should be treated in the financial statements. The professional accountant from
whom the second opinion has been sought gives his opinion without being aware of the full extent of
the various conditions. His opinion is then discredited, and he appears incompetent.
2.2 Another threat that arises is that the second opinion may appear to be a criticism of the provider of
the first opinion if it differs from the first opinion. This is a threat to compliance with the principle of
professional behaviour.
3. Safeguards
3.1 Describing the limitations surrounding any opinion in communications with the client.
3.2 Obtaining the client’s permission to contact the provider of the first opinion to discuss the matter. (If
this permission is not given, the professional accountant should consider very carefully whether it is
appropriate to provide a second opinion.)
3.3 Providing the existing or predecessor accountant with a copy of the opinion.
2. Threats
In an attempt to secure the engagement, a professional accountant may quote a fee that is so low that it will
be challenging to perform the engagement according to applicable standards. This is potentially a self-
interest threat to compliance with the fundamental principle of professional competence and due care, and
to a lesser extent, integrity (this is not an honest practice) and objectivity (the low fee may adversely
influence the nature and extent of tests performed).
3. Evaluating threats
Factors that are relevant in evaluating the level of the threat include:
• whether the client is aware of the terms of the engagement and, in particular, the basis on which fees are
charged and the services to which fees relate, and
• whether the fee level is set by an independent third party such as a regulatory body.
4. Safeguards
Examples of actions that might be safeguards to address the threat include:
• adjusting the level of the fee or the scope of the engagement, and
• having an appropriate reviewer review the work performed.
Contingent fees
1. Responsibility
Contingent fees (fees calculated on a predetermined basis relating to the outcome of the work performed or
as a result of a transaction that arises from the service) are acceptable for a wide range of non-assurance
engagements. The professional accountant may charge such fees per business norms. (Contingent fees for
assurance engagements are not permitted.)
A professional accountant shall not charge contingent fees to prepare an original or amended tax return,
as these services are regarded as creating self-interest threats to objectivity that cannot be eliminated.
Safeguards are not capable of reducing the threat to an acceptable level.
2. Threats
The charging of contingent fees may give rise to a self-interest threat to objectivity. The professional
accountant becomes more interested in the fee that could be earned than the quality of the service offered.
3. Evaluating threats
Factors that are relevant in evaluating the level of the threat may depend on:
• the nature of the engagement
• the range of possible fee amounts
• the basis for determining the fee
• disclosure to intended users of the work performed by the professional accountant and the basis of
remuneration
Referral fees/commissions
1. Responsibility
A professional accountant may receive or pay a fair referral fee or commission, but must ensure that the
payment of such fees or commission does not compromise the fundamental principles.
2. Threats
The threats that may arise are threats to compliance with the principles of objectivity, professional
competence and due care, and integrity.
Example 1: The firm of Jones and Jones does not offer information technology (IT) services. Any requests
they receive for IT services are referred to other firms and Jones and Jones receives a referral
fee. These fees vary from firm to firm. The threat is that Jones and Jones will refer the client
to the firm that pays the highest referral fee but which may not necessarily be the most
suitable for the particular assignment.
Example 2: Jones and Jones receive a 15% commission for any office equipment which OfficeMan (Pty)
Ltd sells to clients of Jones and Jones, who have been referred to the company by Jones and
Jones. Again, Jones and Jones are interested in the transaction and may be referring clients to
OfficeMan (Pty) Ltd because of the commission and not because of the suitability of
OfficeMan (Pty) Ltd’s products.
3. Safeguards
3.1 Disclosure to the client of any arrangements to pay or receive a referral fee or commission and the
details thereof. These disclosures should be made in advance of the transaction taking place and should be
in writing.
3.2 Obtaining prior agreement, in writing, from the client for commission arrangements in connection
with the sale by a third party of goods or services to the client.
2. Threats
Offering or accepting inducements might create a self-interest, familiarity or intimidation threat to
compliance with the fundamental principles, particularly the principles of integrity, objectivity and
professional behaviour.
Examples of circumstances where offering or accepting such an inducement might create threats even if
the professional accountant has concluded there is no actual or perceived intent to improperly influence
behaviour include:
• Self-interest threats
– A professional accountant is offered hospitality from the prospective acquirer of a client while providing
corporate finance services to the client.
• Familiarity threats
– A professional accountant regularly takes an existing or prospective client to sporting events.
• Intimidation threats
– A professional accountant accepts hospitality from a client, the nature of which could be perceived to
be inappropriate were it to be publicly disclosed.
3. Safeguards
Refer to section 250 for examples of actions that might be safeguards to address such threats created by
offering or accepting such an inducement.
2. Threats
2.1 The custody of a client’s assets may threaten compliance with the fundamental principles of
professional behaviour and objectivity.
Example: Ronnie Rings, a professional accountant, has been given sole authority to operate the
bank accounts of Marjory Manoj, a wealthy client who is on an extended visit overseas.
She has requested that Ronnie pay her taxes, rates, electricity accounts, etc., as they fall
due. The threat is that Ronnie may use his client’s funds to enrich himself (self-interest),
for example, make speculative deals from which he benefits using Marjory’s money.
2.2 A further threat is that a client may be trying to launder illegal money through the firm. This presents
a threat to compliance with the law (professional behaviour) and allegations of the professional
accountant being involved in dishonest practice (integrity).
2.3 The professional accountant may be accused of misuse of client assets.
3. Safeguards
3.1 Safeguards for all client monies which the professional accountant controls or is liable to account for
are the following:
• do not refer to such client monies as being “in trust” or in a “trust account” as this could be
misleading
• maintain one or more bank accounts with an institution or institutions registered in terms of the
Banks Act, 1990 (Act 94 of 1990), that are separate from the professional accountant’s bank
account
• the accounts have to be appropriately named to distinguish them from the firm’s normal business
accounts or a specific account named and operated per a relevant client (such as ABC’s client
account)
• deposit client monies without delay to the credit of such client account
• maintain such records as may reasonably be expected to ensure that the client monies can be
readily identified as being the property of the client, for example, detailed bookkeeping and being
able to supply the client with an analysis of the account/s
• perform a reconciliation between the designated bank account and the client monies ledger
account/s, and
• do not hold client monies indefinitely unless explicitly allowed by laws and regulations.
Professional accountants are encouraged to hold client monies for a limited period, depending on the
professional service provided.
3.2 Where the professional accountant is entrusted with client assets other than client monies:
• do not refer to such client assets as being held “in trust” or in a “trust account” as this could be
misleading
• maintain such records as may be reasonably expected to ensure that the client assets can readily be
identified as being the property of the client, and
• for documents of title, the professional accountant should arrange to safeguard the documents
against unauthorised use.
3.3 A professional accountant shall apply appropriate measures to protect the client assets:
• use an umbrella account with sub-accounts for each client
• open a separate bank account and provide the professional accountant with appropriate power of
attorney or signatory rights over the account
• consider whether the firm’s indemnity and fidelity insurance is sufficient to cover incidents of
fraud or theft, and
• where a formal engagement letter is entered into covering the professional service involving
custody of client assets, the engagement letter shall address the risks and responsibilities relating to
such client assets.
2.4.4.8 Responding to non-compliance with laws and regulations (NOCLAR) – section 360
1. General
A professional accountant might encounter or be made aware of non-compliance or suspected
non-compliance in the course of carrying out professional activities. This section guides the professional
accountant in assessing the implications of the matter and the possible courses of action when responding to
non-compliance or suspected non-compliance with:
• laws and regulations generally recognised to have a direct effect on the determination of material
amounts and disclosures in the employing organisation’s financial statements, and
• other laws and regulations that may be fundamental to the operational aspects of the employer’s
business or its ability to continue in business or to avoid material penalties.
NOCLAR is –
• any act or omission
• intentional or unintentional
• committed by a client or an employer or those charged with governance, by management or other
individuals working for, or under the direction of a client or employer
• that is contrary to the prevailing laws or regulations, being:
– all laws and regulations which affect material amounts and disclosure in financial statements, and
– other laws and regulations that are fundamental to an entity’s business.
2. Requirements
Professional accountants must understand legal or regulatory provisions and how non-compliance with
laws and regulations should be addressed, should it exist in a jurisdiction. The requirements may include a
requirement to report the matter to an appropriate authority or a prohibition on alerting the relevant party.
Professional accountants must always act in the public interest, and the objectives when responding to
non-compliance with laws and regulations are therefore to:
• comply with the fundamental principles of integrity and professional behaviour
• by alerting management or those charged with governance, to seek to:
– enable them to rectify, remediate or mitigate the consequences of the non-compliance, or
– prevent the non-compliance where it has not yet occurred, and
• to take further action as appropriate in the public interest.
Many employing organisations have policies and procedures that deal with the reporting of, among other
things, non-compliance with laws and regulations. The professional accountant shall consider this in
deciding on how to respond to non-compliance (e.g. an ethics policy or internal whistle-blowing
mechanism).
Professional accountants in business shall comply with this section on a timely basis, having regard to
the nature of the matter and the potential harm to the interests of the employing organisation, investors,
creditors, employees or the general public.
3. Threats
A self-interest or intimidation threat to compliance with the principles of integrity and professional
behaviour is created when a professional accountant becomes aware of non-compliance or suspected
non-compliance with laws and regulations.
Step 5: Documentation
The professional accountant is encouraged to have the following matters documented:
• how management or those charged with governance have responded to the matter
• the courses of action considered, the judgements and the decisions made, and
• how the professional accountant is satisfied that all his responsibilities have been fulfilled.
4. Part 4A of the Code essentially provides narrative passages about such matters as financial interests,
family and personal relationships, temporary staff assignments and a host of other situations which may
threaten independence. In this text, we have chosen to illustrate the application of the conceptual
approach to these potential independence problems by way of example. We have described a situation,
circumstance or relationship, identified the threat posed and then suggested suitable safeguards.
– use different individuals to conduct an additional review of the affected audit work or re-
perform that work to the extent necessary
– recommend that the audit client engage another firm to review or re-perform the affected
audit work to the extent necessary and
– if the breach relates to a non-assurance service that affects the accounting records or an
amount recorded in the financial statements, engage another firm to evaluate the results of
the non-assurance service or have another firm re-perform the non-assurance service to the
extent necessary to enable the other firm to take responsibility for the service.
2.2 If action can be taken to address the consequences, the firm shall discuss with those charged with
governance:
• the significance of the breach, including its nature and duration
• how the breach occurred and how it was identified
• the action proposed or taken and why the action will satisfactorily address the consequences of
the breach and enable the firm to issue an audit report
• objectivity has not been compromised and
• any steps proposed or taken by the firm to reduce or avoid the risk of further breaches
occurring.
2.3 If the firm determines that action cannot be taken to address the consequences of the breach
satisfactorily, the firm shall inform those charged with governance as soon as possible and take the
steps necessary to end the audit engagement in compliance with any applicable legal or regulatory
requirements.
2.4 If the breach occurred, the firm should document:
• the breach
• the actions taken
• the key decisions made
• all the matters discussed with those charged with governance, and
• any discussions with the professional or regulatory body.
3 Statutory matters
3.1 Introduction
Registered auditors and chartered accountants cannot escape the need to have a sound knowledge of the
laws and regulations which govern their professional activities as well as the activities of their clients. A
knowledge of common law, for example, negotiable instruments, contracts, etc. has to be obtained by all
aspirant auditors and accountants during the early years of their study, and in addition, hundreds of
sections relating to specific disciplines such as income tax and company law must be absorbed. This
chapter will concentrate on the more important sections of the Companies Act 71 of 2008 (Companies
Act), the Close Corporations Act 69 of 1984 (Close Corporations Act) and the Auditing Profession Act 26
of 2005 (APA). This chapter is not an in-depth study of these Acts – it must instead be regarded as a
summary of important sections with brief commentary to be used in conjunction with the Acts themselves.
– reducing costs associated with the formalities of forming a company and maintaining its
existence
• promoting innovation and investment in South African markets and companies by providing for:
– flexibility in the design and organisation of companies, and
– a predictable and effective regulatory environment
• promoting the efficiency of companies and their management
• encouraging transparency and high standards of corporate governance
• making company law compatible and harmonious with best practice jurisdictions internationally.
In support of the five objectives, five more specific goals were set as follows:
• Simplification
Example: The Act should provide for a company structure that reflects the characteristics of close
corporations (CCs), such as a simplified procedure for incorporation and more self-
regulation.
• Flexibility
Example: Company law should provide for “an appropriate diversity of corporate structures”,
and the distinction between listed and unlisted companies should be retained.
• Corporate efficiency
Example: Company law should shift from a capital maintenance regime based on par value to one
based on solvency and liquidity.
Example: There should be clarification of board structures and director responsibilities, duties
and liabilities.
• Transparency
Example: Company law should ensure the proper recognition of director accountability and
appropriate participation of other stakeholders.
Example: The law should protect shareholder rights and provide enhanced protections for
minority shareholders.
Example: Minimum accounting standards should be required for annual reports.
• Predictable regulation
Example: Company law should be enforced through appropriate bodies and mechanisms, either
existing or newly introduced.
Example: Company law should strike a careful balance between adequate disclosure in the
interests of transparency and over-regulation.
Regulation 26
This regulation introduces the concept of the public interest score, which every company (and CC) must
calculate at the end of each financial year. The public interest score is used primarily to determine:
• which financial reporting standards the company must comply with
• the categories of companies that must be audited/reviewed, and
• who must carry out the review of a company which must be independently reviewed.
Note (a): The public interest score will be the sum of:
(i) a number of points equal to the average number of employees during the financial year
(ii) 1 (one) point for every R1 million (or portion thereof) in third party liability of the
company, at the financial year-end
(iii) 1 (one) point for every R1 million (or portion thereof) in turnover during the financial year,
and
(iv) 1 (one) point for every individual who directly or indirectly has a beneficial interest in any
of the company’s securities.
Example: The following relevant details pertain to Plus (Pty) Ltd:
Detail                                                      Public interest points
1. Employees at 1 March 19XX: 300
2. Employees at 28 Feb 20XX: 360
3. The average number of employees (660 ÷ 2)                330
4. Long and short term liabilities at 28 Feb 20XX = R9m     9
5. Turnover for the year to 28 Feb 20XX = R82,7m            83
6. Shareholders = 14                                        14
Public interest score                                       436
This illustrative example is straightforward, but the interpretation of the public interest score may be less
so, for example:
• If an individual is an employee and a shareholder (direct interest in the company’s securities), will he be
counted twice in the public interest score?
• If a trust holds shares in a company, is the trust counted as an individual or is it the number of trustees
or beneficiaries of the trust, or both, which are used in the public interest score?
• Similarly, if another company owns shares in a company (whether in a holding/subsidiary company or
not) does the company holding the shares count as an individual or is it the number of individuals who
hold shares in that company, and thereby have a beneficial interest in the shares of the company in
which the investment is held? (See note (b) below.)
• Are temporary or part-time employees included in the public interest score?
• Concerning third-party liability, what is a third party?
• If a private company has a subsidiary, is its portion of the subsidiary’s turnover included in determining
its turnover for public interest score purposes?
No doubt there will be other questions raised pertaining to the interpretation of the “public interest score”.
Time, practice and case law will eventually resolve these questions.
Note (b): In terms of a JSE listing requirement, the subsidiaries of all listed companies must be externally
audited regardless of their public interest scores.
Regulation 27
This regulation does two things. Firstly, it states that a company’s financial statements may be compiled
internally or independently.
To be classified as compiled independently, the Annual Financial Statements (AFS) must be prepared:
• by an independent accounting professional (see note (a) below)
• based on financial records provided by the company, and
• following any relevant financial reporting standard.
Note (a): An “independent accounting professional” means a person who:
(i) is a registered auditor in terms of the APA, or
(ii) is a member in good standing of a professional body accredited in terms of the APA, such
as SAICA, or
(iii) is qualified to be appointed as an accounting officer of a CC in terms of the Close
Corporations Act, for example, a member of SAICA, ICSA, CIMA, ACCA, or SAIPA
(iv) does not have a personal financial interest in the company or a related or inter-related
company
(v) is not involved in the day to day management of the company and has not been so involved
during the previous three years
(vi) is not a prescribed officer or full-time executive employee of the company (or a related or
inter-related company) and has not been such an employee or officer during the previous
three financial years, and
(vii) is not related to any person contemplated in (iv) to (vi) above.
Secondly, regulation 27 stipulates the applicable financial reporting standards with which different
categories of company must comply. (Note that the requirements for non-profit companies have not been
included in this text. Reference can be made to the regulations themselves if necessary.)
Regulation 28
This regulation stipulates the categories of companies that are required to be audited. These are:
(i) public companies and state-owned companies
(ii) any profit (or non-profit) company which, in the ordinary course of its primary activities, holds assets
in a fiduciary capacity for persons not related to the company, and the aggregate value of the assets
held exceeds R5 million at any time during the financial year, and
(iii) any company whose public interest score in that financial year
• is 350 or more, or
• is at least 100 if its annual financial statements for that year were internally compiled.
Note (a): In terms of the JSE listing requirements, all subsidiaries of listed companies must be externally
audited regardless of their public interest scores. This is primarily because the holding
company’s consolidated financial statements must contain audited figures for the audit report to
have any value.
Regulation 29
This regulation deals with the matters surrounding the independent review of a company’s financial
statements (including important regulations pertaining to reportable irregularities).
(i) A company that is not required to be audited must have an independent review of its annual financial
statements unless it is a private company in which every shareholder is a director (owner-managed).
(ii) If the company’s public interest score is 100 or more, the review must be conducted by a registered
auditor or by a member of a professional body accredited in terms of the APA (SAICA is currently
the only such body).
(iii) If the company’s public interest score is less than 100, the review can be carried out by a
person qualified to be appointed as an accounting officer in terms of the Close Corporations Act,
for example a member of ACCA, SAIPA, CIMA, SAICA, etc.
(iv) The review should be carried out in terms of the International Statement on Review Engagements
ISRE 2400.
(v) An independent review of a company’s annual financial statements must not be carried out by an
independent accounting professional who was involved in preparing the said financial statements
(independence requirement).
In terms of section 10 of the Close Corporations Act 1984, CCs must calculate their public interest score (on the
same basis as a company) and may also have to have their financial statements audited. The following
chart summarises which companies and CCs must be audited, which must be reviewed and which need not
bother with external (professional) intervention.
Note (a): This review (less than 100 points) must be carried out by a Registered Auditor or an individual
who qualifies for appointment as an Accounting Officer of a CC in terms of section 60 of the
Close Corporations Act, for example SAICA, SAIPA, ACCA, CIMA, etc.
Note (b): Audit can only be carried out by a Registered Auditor. This review (100 to 349 points) may only
be carried out by a registered auditor or a chartered accountant. Externally compiled means
compiled by an “independent accounting professional” as defined.
Note (c): This category of CC and owner-managed company is exempt from review in terms of section
30(2A) of the Companies Act.
Note (d): Subsidiary companies of listed companies must be externally audited (JSE listing requirement).
Note (e): All public companies (listed or otherwise) and state-owned companies must be audited.
Note (f): Private companies which hold fiduciary assets for persons not related to the company which in
aggregate have exceeded R5m at any time during the year must be audited.
Note (g): A private company may include a clause that requires that it be audited in its MOI, or a
company may be voluntarily audited, for example directors decide to have the AFS externally
audited.
might find themselves in are very similar, the definitions of a reportable irregularity and the procedure to be
followed by the auditor and reviewer do differ. For regulation 29, the following will apply to reportable
irregularities at a review client:
(i) Definition: a reportable irregularity (RI) means any act or omission committed by any person
responsible for the management of a company, which:
• unlawfully has caused or is likely to cause material financial loss to the company, or any member,
shareholder, creditor or investor of the company in respect of his, her or its dealings with the
company, or
• is fraudulent or amounts to theft, or
• causes or has caused the company to trade under insolvent circumstances.
(ii) Procedure: if an independent reviewer is satisfied or has reason to believe that an RI is taking place,
he must:
• without delay, send a written report to the CIPC giving the particulars of the RI and any other
information he deems appropriate
• within three business days of sending the report to the CIPC, notify the board (of the company) in
writing of the sending of the report, and the provisions of this section of regulation 29
• a copy of the report must be submitted with this notice to the board (of the company)
• as soon as reasonably possible, but not later than 20 business days from the date the report was
sent to the CIPC
– take all reasonable measures to discuss the report with the directors
– allow the directors to make representations in respect of the report
– send another report to the CIPC, which must include a statement (with supporting
information) that the reviewer is of the opinion that:
* no RI has taken place or is taking place, or
* the suspected RI is no longer taking place, and that adequate steps have been taken for the
prevention or recovery of any loss, or
* the RI is continuing.
Note (a): If the second report states that the RI is continuing, the CIPC must, as soon as possible after the
receipt of the report, notify any appropriate regulator, for example SARS or SAPS, in writing,
with a copy of the report.
Note (b): To investigate or report an RI, the independent reviewer may carry out whatever procedures he
or she deems necessary.
2.4 The function of the Social and Ethics Committee is to monitor the company’s activities, having regard
to any relevant legislation, legal requirements or codes of best practice, with regard to:
• social and economic development, including the company’s standing in terms of the goals and
purposes of:
– the ten principles set out in the United Nations Global Company Principles
– the Organisation for Economic Co-operation and Development (OECD) recommendations
regarding corruption
– the Employment Equity Act 55 of 1998
– the Broad-Based Black Economic Empowerment Act 53 of 2003.
• good corporate citizenship
– promotion of equality, prevention of unfair discrimination and reduction of corruption
– development of communities in which it operates or within which its products are
predominantly marketed
– sponsorship, donations and charitable giving.
• the environment, health and public safety, for example the impact of its products/services on the
environment.
• consumer relationships, for example advertising, public relations and compliance with consumer
protection laws.
• labour and employment.
Note (a): A subsidiary company which in terms of the section must appoint a social and ethics committee
need not do so if its holding company has a social and ethics committee that will perform the
functions required by regulation 43 on behalf of the subsidiary.
Note (b): The committee must:
• draw any matters arising from its monitoring activities to the attention of the board, and
• one of its members must report to the shareholders at the company’s annual general meeting
(AGM).
or company and the individuals or companies (entities) related to them (as defined by s 2) are
considered by the Act to be the same person. For example, a company must obtain a special
resolution to give a loan to a director. It cannot get around this requirement by giving the loan to
the director’s wife or child because they are related persons as defined in section 2. Thus, a
special resolution will still be required.
Note (b): An individual is defined as a natural person; a juristic person is a “person” formed by law, for
example CC, trust, and a “person” includes a juristic person.
Note (c): The section also guides what constitutes control:
Example 1: Company B is a subsidiary of Company A. Company A controls Company B
(s 2(2)(a)(i)).
Example 2: Joe Sope and his wife (related person) control the majority of the voting rights in
Company C.
• The control can be by virtue of the two of them owning the majority of the shares or as a
result of a shareholders agreement (s 2(2)(a)(ii)).
• Joe and his wife do not have to hold the shares themselves. The shares in Company C could
be held by an entity that Joe and his wife control. The control can be direct or indirect.
Example 3: Fred Bloggs and his son Bob have the right (by virtue of their combined
shareholding) to control the appointment of the directors of Company D, who control a majority of
the votes at a meeting of the board (s 2(2)(a)(ii)(bb)).
Example 4: Jeeves Ndlovu owns the majority of the members’ interests (or controls the majority
of members’ votes) in Starwars Close Corporation (s 2(2)(b)).
Example 5: Charlie Weir, the senior trustee of Cape Trust, has, in terms of the trust agreement,
the ability to control the majority of votes of trustees or appoint the majority of trustees or to
appoint or change the majority of the beneficiaries of the trust (s 2(2)(c)).
Example 6: Martin Mars owns the majority interest in both Thunder CC and Lightning CC. The
two CCs will be related (s 2(1)(c)(iii)).
Note (d): In addition to the specific situations given in the section, there is also a “general” proviso (s 2(d))
which suggests that if a person can materially influence the policy of a juristic person in a
manner comparable to the examples given above, that person will have control.
Note (e): Situations/transactions relating to the Act may arise that prejudice a person because by definition
the person is related to the company despite the person having acted independently. Section 2(3)
enables the court, the Companies Tribunal (or the Takeover Regulation Panel (TRP) in the case
of a takeover transaction) to exempt the person from the effect of the relationship if there is
sufficient evidence to conclude that the person acts independently of any related person, for
example, although Joan and Peter de Wet are married (and thus by definition are related) they
may live apart and may conduct entirely separate business and social lives.
• it appears that the company will be able to pay its debts as they become due in the ordinary course
of business for 12 months after the liquidity and solvency test is considered, or
• in the case of a distribution (see note (e) below), 12 months after the distribution is made.
Note (a): This section is very important because it represents a fundamental change to company
legislation. The Companies Act 1973 was based upon what was termed the capital maintenance
concept, which simplistically speaking, resulted in very strict regulations on any transactions
which affected the capital of the company. For example, a company was prohibited from giving
financial assistance to anyone for the purchase of shares in that company. A Companies Act
based on this concept was regarded as inflexible and over-regulatory. On the other hand, the
Close Corporations Act has been based on the liquidity/solvency test since its inception and has
proved to be effective. As has been explained, the legislators and other interested parties required
that the new Companies Act be more flexible and accommodating but at the same time
sufficiently protective for stakeholders in the company. The Companies Amendment Act 2006
introduced the liquidity/solvency concept for companies and the Companies Act 2008 adopted
it. As will become evident, whenever important transactions result in outflows of
amounts relating in some way to capital/profits, the liquidity/solvency test comes into play. For
example, a company can now provide financial assistance to a person to purchase shares in the
company, provided, among other things, that the liquidity/solvency requirements are satisfied.
Note (b): Where the test is applied, the financial information considered must be based on:
• accurate and complete accounting records as required by the Companies Act section 28, and
in one of the official languages of the Republic, and
• financial statements which satisfy the Companies Act section 29 and relevant financial
reporting standards.
Note (c): The fair valuation of the assets and liabilities must include any reasonably foreseeable contingent
assets and liabilities.
Note (d): The liquidity/solvency test will also help protect the company’s stakeholders from abuse by the
directors (or a majority shareholder) of their powers. The requirements to satisfy the
liquidity/solvency test will usually be accompanied by other requirements for the transaction to be
legal, for example, permission in the MOI and/or a special resolution.
Note (e): In terms of a simplified definition, a “distribution” is a direct or indirect transfer by a company
of money or other property to a shareholder by virtue of that shareholder’s shareholding. For
example, a dividend paid to a shareholder is a distribution, but a salary paid to a shareholder
who also works in the company is not a distribution. A salary is a payment to an employee. In
the context of section 4, if a distribution is made, the liquidity/solvency test is only satisfied if
the company can pay its debts as they become due in the ordinary course of business for
12 months from when the distribution is made, not from when the decision to make the
distribution was taken.
• its MOI must state that it is a personal liability company. This amounts to a clause in the
MOI which provides that the directors and past directors are jointly and severally liable,
together with the company, for any debts and liabilities of the company that were contracted
during their terms of office.
Note (f): A public company is a profit company that is not an SOC, a private company or a personal
liability company.
Note (g): In terms of section 11(3)(c), company names must end with the appropriate expression (or
abbreviation thereof) which conveys their company category, namely:
• public company: Anglovaal Limited (or Ltd)
• personal liability company: Mitchells’ Incorporated (or Inc.)
• private company: Rubberducks Proprietary Limited (or (Pty) Ltd)
• state-owned company: Tollroad SOC Ltd
• non-profit company: Educate NPC.
Note (h): Although not formally categorised in the Act, a few provisions recognise two further “types” of
company. Both of these “types” of company are exempted from a few requirements of the Act.
These “types” are:
• companies where all of the shares are owned by related persons (which results in a
diminished need to protect minority shareholders), and
• companies where all the shareholders are directors (which results in a diminished need to
seek shareholder approval for certain board actions and audit requirements in some
circumstances).
These are not hugely significant but are in line with making the Act more flexible.
but in terms of section 19(5), a person must be regarded as having notice and knowledge of any
restrictive or prohibitive section 15(2)(b) and (c) provisions in the MOI if:
• the company’s name includes the element RF (refer to notes on section 11), and
• the company’s NOI or any subsequent Notice of Amendment (NOA) has drawn attention to the
restrictive or prohibitive sections.
This is very important for people or companies dealing with a company with (RF) attached to its
name – the reason for the (RF) must be followed up.
Note (a): In terms of the Companies Act 1973, a company was required to state its “main” and
“ancillary” objects in its Memorandum. This in a sense defined the capacity of the company,
and thus any action by the company which appeared to be outside the stated objects of the
company could be challenged as being beyond the capacity of the company and, therefore, an
“ultra vires” act. In terms of the common law, ultra vires acts are null and void. For example,
could a company that had a primary objective of being a wholesaler of clothing decide to open a
video store, or would that have been an ultra vires act?
The Companies Act does not require that the company state its “main” and “ancillary” objects,
and at the same time gives the company the legal power of an individual. So in terms of the Act
there is nothing to prevent a company that sells clothing from opening a video store. Thus the
difficulty with “capacity/ultra vires” has been largely removed by the Act (see note (b)).
Note (b): The company’s shareholders can still limit, restrict or qualify the purposes, powers or activities
of their company in the MOI. For example, the MOI may expressly prohibit the company’s
directors from purchasing financial derivatives (e.g. options or futures). This gives rise to some
interesting questions. For example:
Q1. If the company purchases futures through XYZ Stockbrokers and subsequently suffers loss,
can the company refuse to make good (pay up) on the loss because the company had no
capacity (it was restricted in the MOI) to purchase the futures and therefore the transaction
was null and void?
A1. In terms of section 20(1), no action of the company is void by reason only that:
• the action was prohibited by the MOI, or
• as a consequence of the limitation, the directors had no authority to authorise the
action.
Q2. Can the company get out of the transaction because XYZ Stockbrokers should have known
that the company was prohibited from purchasing futures because the MOI is a public
document (constructive notice)?
A2. In terms of section 19(4), a person is not deemed to know the contents of a document
merely because the document:
• has been filed, or
• is accessible for inspection.
Furthermore, in terms of section 20(7), XYZ Stockbrokers are entitled to presume that the
company complied with all of the formal and procedural requirements (such as obtaining authority)
in terms of the Act, the company’s MOI and rules unless:
• they know or reasonably ought to have known, that the company had failed to comply with
the requirement.
However, both the answers to Q1 and Q2 are influenced by section 19(5), which states that a
person (XYZ Stockbrokers) must be regarded as knowing restrictive provisions in the company’s
MOI if the company’s name contains the element (RF), which it should!
Q3. Can the shareholders ratify (approve) an action by the company or the directors that the
MOI actually restricts? For example, could the shareholders ratify the director’s action of
purchasing the futures?
A3. Yes. In terms of section 20(2), they may ratify the action by special resolution. (Note: An
action which is in contravention of the Companies Act cannot be ratified.)
Q4. Can a director who discovers that his fellow directors (the company) are about to carry out
an action that is prohibited by the MOI restrain (prevent) the company from doing so, for
example, prevent the directors from purchasing futures from XYZ Stockbrokers?
A4. Yes. In terms of section 20(5), one or more shareholders or directors may take proceedings
to restrain the company.
Q5. Do the shareholders have a claim for damages against a director who causes the company
to do anything inconsistent with the Act or any restrictions, etc., in the MOI or rules? For
example, can a shareholder sue the directors for losses suffered in the futures transaction
with XYZ Stockbrokers?
A5. Yes – section 20(6). This section says that each shareholder of a company has a claim for
damages against any person who intentionally, fraudulently or due to gross negligence,
causes the company to do anything which is inconsistent with the Act or with a limitation,
restriction, or qualification in the MOI or rules, unless the shareholders have ratified the
action.
Note (c): It will be an offence by the company if it fails to accommodate any reasonable request for
access, or if it refuses, impedes, interferes with or attempts to frustrate the exercise of his
rights by any person entitled to information.
Note (d): In terms of section 31, a person who holds securities in a company is entitled to receive notice of
publication of the AFS, and on following the required steps, to receive, without charge, one
copy of the AFS.
• whether the financial statements which have been summarised were audited, independently
reviewed or neither
• the name and professional designation (if any) of the individual who prepared or supervised
the preparation of the financial statements which have been summarised, and
• the steps required to obtain a copy of the financial statements which have been summarised.
Note (e): Section 29 gives legal force to the accounting standards, for example, IFRS, IFRS for SMEs.
Note (a): The concept of a par value share has been abandoned. There are thousands of companies that
currently have par value shares in issue; these shares retain the description and rights they had
before the introduction of the new Act but will in due course have to be “converted” to no-par
value shares in terms of the transitional arrangements.
Note (e): If the preferences, rights or limitations attached to a share have been materially and adversely
altered, a holder may apply for relief (s 164 covered later).
• to any such person related to such corporation, company, director, prescribed officer or member
provided
• any conditions or restrictions in respect of the granting of financial assistance set out in the MOI
are adhered to, and
• the board is satisfied that:
– immediately after providing the financial assistance, the company would satisfy the
liquidity/solvency test
– the terms under which the financial assistance is proposed are fair and reasonable to the
company, and
• a special resolution is obtained (see note (d) below).
Note (a): The requirements of this section do not apply to:
• a company whose primary business is the lending of money
• financial assistance in the form of an accountable advance to meet
– legal expenses about a matter concerning the company, or
– anticipated expenses to be incurred by the person on behalf of the company, or
– amounts to defray the recipient’s expenses for removal (relocation) at the company’s
request.
Note (b): Financial assistance can be a loan, guarantee, or provision of security.
Note (c): If financial assistance is given in contravention of this section or the MOI, the transaction will be
void, and a director will be liable for losses suffered by the company, if:
• the director was present at the meeting when the board approved the resolution or
participated in making such decision, and
• failed to vote against the resolution, despite knowing that the provision of financial assistance
was inconsistent with the Act or the MOI.
Note (d): The special resolution must have been passed within the previous two years. The approval given
by the special resolution can be for a specific recipient or generally for a category of potential
recipients.
Note (e): If the loan is made to a director according to an employee share scheme, a special resolution is
not required (other requirements must be satisfied).
Note (f): The MOI (or company or board) cannot permit the granting of a loan in contravention of this
section, for example the MOI cannot contain a clause, and the directors cannot pass a resolution
that overrides the requirement to apply the liquidity/solvency test.
Note (g): Where the board adopts a resolution to provide financial assistance (as contemplated by this
section), the company must provide written notice of the resolution to all shareholders (unless
every shareholder is a director) and to any trade union representing the company’s employees.
• If the total value of all financial assistance given within the financial year exceeds one-tenth
of 1% of the company’s net worth at the time of the resolution, this notice must be given
within ten business days of the adoption of the resolution.
• If the total value does not exceed one-tenth of 1% of net worth, the notice must be given
within 30 days after the end of the financial year.
Note (h): This section is simpler than its predecessor (Companies Act 1973 s 226) but is still cast very
wide. The intention is to control abuse by the directors by, for example, making loans to
themselves which are not in the interests of the company. The section does not seek to prejudice
the directors but rather to control them. The section seeks to control financial assistance to a
director in whatever “form” that director may be, for example, a CC or company controlled by
the director, or a person related (as defined) to the director, such as his wife. The section also
covers directors of companies related to the company granting the loan, for example, its holding
company, subsidiary or fellow subsidiary.
Note (i): The section also applies to “prescribed officers” of the company.
Note (c): If the company acquires any shares contrary to section 46 or this section (s 48), the company
must apply for a court order to reverse the acquisition no more than two years after the
acquisition. The court may order that:
• the person from whom the shares were acquired return the amount paid by the company,
and
• the company re-issue an equivalent number of shares of the same class.
Note (d): A director of the company will be liable for any loss, damages or costs arising from an
acquisition of shares contrary to section 46 or section 48 if:
• he was present at the meeting when the board approved the acquisition or he participated in
the making of the decision, and
• failed to vote against the acquisition despite knowing it was contrary to sections 46 or 48.
Note (e): A decision by the board to “buy back” shares held by a director or prescribed officer or a person
related to the director or prescribed officer must be approved by a special resolution.
If any buy-back involves the acquisition of more than 5% of the issued shares of any particular
class of the company’s shares, the decision is subject to the requirements of sections 114 and
115, which deal with “schemes or arrangements”.
3. Sections 51, 52 and 53 – Registration and transfer of certificated and uncertificated securities
3.1 A certificate evidencing any certificated security must state on its face:
• the name of the issuing company
• the name of the person to whom the security was issued
• the number and class and designation, if any, of the share being issued, and
• any restrictions on transfer.
Note (a): The certificate must be signed (manually or by electronic or mechanical means) by two persons
authorised by the company’s board.
Note (b): In the absence of evidence to the contrary, the certificate is satisfactory proof of ownership.
3.2 A company that has its uncertificated securities administered by a central securities depository may
request the depository to furnish it with all details of its uncertificated securities reflected on the
depository’s database.
Note (c): A person who holds a beneficial interest in any security of the company and who wishes to
inspect the uncertificated securities register, may do so, but must do it:
• through the relevant company, and
• following the rules of the central securities depository.
The depository must, within five business days, produce a record of the company’s uncertificated
securities register reflecting the names and addresses of the persons to whom securities
were issued, the number of securities issued to them, and any other recorded details pertaining
to the security, for example, restrictions on transfer.
Note (d): The depository may only effect the transfer of uncertificated securities held in an uncertificated
securities register:
• on receipt of an authenticated instruction, or
• an order of court.
The transfer must comply with the rules of the depository.
Note (b): The AGM of a public company must, at a minimum, provide for the following business to be
transacted:
• presentation of:
– the directors’ report
– audited financial statements
– an audit committee report
• election of directors to the extent required by the Act or the MOI
• appointment of:
– an auditor
– an audit committee
• any matters raised by shareholders (with or without advance notice to the company).
Note (c): Except to the extent that the MOI provides otherwise:
• the board may determine the location of any shareholders’ meeting
• any shareholders’ meeting may be held in the Republic or in a foreign country.
Note (d): Every shareholders’ meeting of a public company must be reasonably accessible within the
Republic for electronic participation by shareholders (see s 63) irrespective of whether the meeting
is held in the Republic or elsewhere.
If a director or shareholder believes that the notice does not satisfy these requirements, he may
apply, before the start of the meeting, for a court order restraining the company from putting the
resolution to the vote. The court order may also require that the deficiencies in the notice be
rectified. Once a resolution has been accepted it cannot be challenged because the notice of the
resolution did not comply with the Act.
Note (b): For an ordinary resolution to be approved, it must be supported by more than 50% of the voting
rights exercised on the resolution.
Note (c): The MOI can stipulate a higher percentage for ordinary resolutions, or one or more higher
percentages for resolutions relating to different matters, for example, 55% for resolutions relating to
capital expenditure, 60% for resolutions relating to investments. (The “more than 50%”
requirement for removing a director cannot be increased.) There must always be at least 10%
between the highest ordinary resolution percentage and the lowest special resolution percentage.
Note (d): For a special resolution to be approved, it must be supported by at least 75% of the voting rights
exercised on the resolution.
Note (e): The MOI can stipulate a different (lower or higher) percentage for a special resolution (or
variable higher or lower percentages for different matters) but at all times, there must be a margin
of at least 10% between the highest requirement for an ordinary resolution and the lowest
requirement for a special resolution, on any matter.
Note (f): A special resolution is required to:
• amend the MOI (ss 16 and 32)
• ratify a consolidated revision of a company’s MOI (s 18)
• ratify actions by the company or directors in excess of their authority (s 20)
• approve an issue of shares to a director (s 41)
• authorise the granting of financial assistance (ss 44 and 45)
• approve a decision by the directors to buy back shares from a director (s 48)
• authorise the basis for compensation to directors (s 66)
• approve the voluntary winding up of the company (ss 80 and 81)
• approve an application to transfer the registration of the company to a foreign jurisdiction
(s 82), and
• approve any fundamental transaction (Chapter 5), including:
– disposal of all or the greater parts of the assets of the company
– amalgamations or mergers, and
– schemes of arrangement.
Note (g): The MOI can stipulate that a special resolution be required to approve matters other than those
listed in note (f).
Note (a): The MOI may stipulate a higher minimum number of directors.
Note (b): The MOI may provide for:
• the direct appointment and removal of one or more directors by any person named in the
MOI, for example, the Chairperson
• a person to be an ex officio director, for example, the senior labour relations manager could be
an ex officio director by virtue of his status and position in the company. A person, despite
holding the relevant office, may not be appointed an ex officio director if he or she becomes
ineligible or disqualified to act as a director
• the appointment of alternate directors
but in a profit company (other than an SOC) the MOI must provide for at least 50% of the
directors (and 50% of any alternates) to be elected by the shareholders.
Note (c): A person who is ineligible or disqualified from being a director cannot be elected or appointed as
a director (such an appointment will be nullified).
Note (d): A director must consent (in writing) to serve as a director.
Note (e): The company may pay remuneration to its directors for services as a director except to the
extent that the MOI provides otherwise. Remuneration for services as a director may be paid
only according to a special resolution approved by the shareholders within the previous two
years.
Note (b): A director removed by the board may apply (within 20 business days) to the court for a review.
If the director is not removed, any director or shareholder who voted to have the said director
removed may also apply to the court for a review. Any holder of voting rights that may be
exercised in that director’s election can also apply to the court for a review.
Note (c): If a company has fewer than three directors, this section cannot operate as there would either be no
remaining director to vote (one director company) or one remaining director to vote (two director
company). In this case, the aggrieved director or shareholder can apply to the Companies
Tribunal.
Regulation 43
In terms of this regulation, the following companies must appoint a social and ethics committee:
• listed public companies
• SOCs, and
• any other company that has scored above 500 points in its public interest score in any two of the
previous five years.
See the start of this chapter for more information on this regulation (at 3/9).
Quorum
• A majority of the directors must be present before a vote may be called.
Except to the extent that the company’s MOI provides otherwise, if all of the directors of the company
acknowledge actual receipt of the notice, are present at the meeting, or waive the notice of the meeting, the
meeting may proceed even if the required notice period was not given or there was a defect in giving the
notice.
Voting
• Each director has one vote, and a majority of votes cast approves a resolution.
• In the case of a tied vote, the chair has a casting vote if the chair did not initially have a vote or cast a
vote, otherwise the matter being voted on fails (the chair does not get two votes in the event of a tie).
Note (d): The board and its committees must keep minutes that reflect every resolution adopted by the
company (and other important discussions etc held at the meeting).
Note (e): Resolutions adopted must be dated and sequentially numbered and become immediately effective
unless the resolution states otherwise. Any minute of a meeting or a resolution signed by the
chair of the meeting, or by the chair of the next meeting is evidence of the proceedings of that
meeting, or adoption of that resolution.
Note (f): The MOI may alter the requirements for directors’ meetings.
Note (c): If a director (or related person) acquires a personal financial interest in an “agreement/matter”
in which the company of which he is a director has an interest after the “agreement/matter” has
been approved, the director must promptly disclose to the board:
• the nature and extent of that interest, for example, 15% shareholding, and
• the material circumstances relating to the acquisition of the interest (this is to determine
whether there has been any irregular/fraudulent intention on the part of the director to get
around declaring his interest before the contract was approved).
Note (d): A contract in which a director (or related person) has a financial interest will be valid if approved
after full disclosure as in 18.2 above.
If the contract was approved without the necessary disclosure, the contract would be valid if:
• it has been subsequently ratified by an ordinary resolution (interest must be disclosed)
• it has been declared to be valid by a court (any interested party can apply to the court).
Note (e): If the director does not declare his interest, any interested party can apply to the court to declare
the contract valid. However, if neither note (d) nor (e) applies, the contract is voidable at the
option of the company.
Note (f): There are several exclusions to this section. The section will not apply to:
• a director or a company if one person holds all the issued securities (shares) and is the only
director. Effectively there is no real “conflict of interest” as the company and the individual
are one and the same
• a director in respect of a decision which may generally affect all directors in their capacity as
directors, for example, a decision on directors’ bonuses
• a decision to remove the director from office.
Note (g): If a director who has a financial interest is the sole director but does not hold all the issued securities
(shares) in the company, the said director cannot approve the agreement:
• it must be approved by ordinary resolution of the shareholders
• after the director has disclosed the nature and extent of his interest to the shareholders.
Note (h): For the purposes of this section, the term director includes:
• an alternate director
• a prescribed officer
• a person who is a member of a committee of the board, irrespective of whether or not the person
is also a member of the company’s board. (Note that a person who is not a member of the
board may be appointed to a board committee but will not have a vote on the committee.)
Note (a): To ensure that he has exercised his powers and functions in compliance with the above, a
director:
• should take reasonably diligent steps to be informed about any matter to be dealt with by the
directors
• should have had a rational basis for making a decision and believing that the decision was in
the best interests of the company
• is entitled to rely on the performance of:
– employees of the company whom the director reasonably believes to be reliable and
competent
– legal counsel, accountants or other professionals retained by the company
– any person to whom the board may have reasonably delegated authority to perform a
board function
– a committee of the board of which the director is not a member, unless the director has
reason to believe that the actions of the committee do not merit confidence
• is entitled to rely on information, reports, opinions and recommendations made by the
above-mentioned persons.
Note (b): For the purposes of this section, the term “director” includes:
• an alternate director
• a prescribed officer
• a person who is a member of a committee of the board, irrespective of whether or not the
person is also a member of the company’s board. Note that a person who is not a board
member may be appointed to a board committee but will not have a vote on the committee.
– the provision of financial assistance to any person including a director (as defined) while
knowing that the financial assistance was in contravention of the Act or MOI
– a resolution approving a distribution (as defined) while knowing the distribution was in contradiction
of the Act (s 46) (only applies if liquidity/solvency test is not satisfied, and it was
unreasonable at the time to think the test would be satisfied)
– the acquisition by a company of its own shares, while knowing that the acquisition was contrary
to the Act (ss 46, 48)
– an allotment (of securities) while knowing that the allotment was contrary to the Act.
Note (a): In addition, each shareholder has the right to claim damages from any director who fraudulently
or due to gross negligence causes the company to do anything inconsistent with the Act.
Note (b): The MOI and rules will be binding between each director (prescribed officer) and the company.
Note (c): For the purposes of this section, the term “director” includes:
• an alternate director
• a prescribed officer
• a person who is a member of a board committee, irrespective of whether or not the person is
also a member of the board. Note that a person who is not a director may be appointed to a
board committee but will not have a vote on this committee.
Note (d): The liability of a director in terms of this section will be joint and several with any other person
who is held liable for the same act.
Note (c): Within 60 business days after a vacancy in the office of company secretary arises, the board must
fill the vacancy by appointing a person who has the “requisite knowledge and experience” – no
formal qualification or membership of a professional body required!
(vi) include a copy (or summary) of sections 115 and 164 (s 164 deals with the rights of dissenting
shareholders).
Note (a): In terms of section 115, such a scheme of arrangement must be approved by special resolution.
Note (b): The expert engaged by the company must be:
• qualified and have the competence and experience to:
– understand the type of arrangement proposed
– evaluate the consequences of the arrangement, and
– assess the effect of the proposed arrangement on the value of securities and on the rights
and interests of a holder of any securities, or the creditor of the company
• able to express opinions, exercise judgment and make decisions impartially.
Note (c): The expert engaged must not:
• have any relationship with the company which would lead a reasonable and informed third
party to conclude that that relationship compromises the integrity, impartiality or objectivity
of the expert
• have had any such relationship within the immediately preceding two years, or
• be related to any person who has or has had such a relationship.
Note (d): Neither the MOI nor any resolution of the board or security holders can override the requirements
of sections 113 or 115 in respect of a scheme of arrangement.
Chapter 5 – Part B – Authority of Panel and Takeover Regulations – nil
Chapter 5 – Part C – Regulation of affected transactions and offers – nil
Regulation 126
For the purposes of business rescue, this regulation categorises companies (basically in terms of their public
interest score) and business rescue practitioners in terms of their experience. This is done to identify which
practitioners can be appointed to “rescue” which companies. The categorisations are as follows:
| Company | Score | Practitioner | Experience |
|---|---|---|---|
| Large | 500 or more | Senior | Member of accredited professional body, for example SAICA. At least ten years’ business turnaround/rescue experience. |
| Medium | Public: less than 500; Other: 100 to 499 | Experienced | Member of accredited professional body, for example SAICA. At least five years’ business turnaround/rescue experience. |
| Small | Less than 100 | Junior | Member of accredited professional body, for example SAICA but less than five years’ experience, or no experience at all. |
(ii) set aside the appointment of the practitioner on the grounds that he or she:
• is not qualified
• is not independent of the company, or
• lacks the necessary skills.
(ii) a failure by the company or the directors to perform any material obligation, the practitioner must take
necessary steps to rectify the situation and may direct management to rectify the situation
(iii) reckless trading, fraud or other contravention of any law relating to the company, the practitioner must
forward the evidence to the appropriate authority (for further investigation and possible prosecution)
and direct management to take the necessary steps to rectify the situation, including recovering
any misappropriated assets of the company.
Note (a): When a company is financially distressed, shareholders and/or directors may be tempted to act
in a manner that is reckless, fraudulent or which results in voidable transactions, for example, a
director purchasing one of the company’s machines for an amount considerably below its
market (fair) value, before the company is liquidated. In other words, the shareholders/directors
may place their own interests above those of the company and creditors, in an attempt to minimise
their own losses.
2. Sections 147 and 148 – First meetings of creditors and employees’ representatives
2.1 In terms of these sections, the practitioner must, within 10 days of being appointed, convene and
preside over the first meeting of creditors and a (separate) first meeting of employees’ representatives.
2.2 The purpose of these meetings is to inform these groups whether the practitioner believes that there is
a reasonable prospect of rescuing the company.
Note (a): The practitioner must give notice of the respective meetings to every creditor, and employee
(trade union if applicable) setting out the date, time and place of the meeting, and the agenda for
the meeting.
Chapter 3: Statutory matters 3/53
contained in the chapter is unlikely to affect the everyday practice of auditing, and will be more relevant to
lawyers. Thus only a few sections have been included in these summaries, along with brief comments
where appropriate.
Chapter 7 – Parts C to F
The remaining sections in this chapter of the Companies Act 2008 are mainly procedural and are beyond
the scope of this text.
1.3 The CIPC is also responsible for advising the Minister on national policy relating to companies and
intellectual property law.
1.4 The CIPC will be headed by a Commissioner and Deputy Commissioner, both appointed by the
Minister. Specialist Committees may be appointed by the Minister to advise on matters relating to
company law or policy and the management of the Commission’s resources.
Companies Act came into operation, namely, 1 May 2011. Existing CCs can convert themselves into
companies or may elect to remain as CCs. Those CCs that do not convert will, for the time being, be
controlled by the existing Close Corporations Act, but there have been some important amendments to this
Act to bring it into line with the Companies Act.
At its inception, the Close Corporations Act was built around what has been termed the liquidity/
solvency principle, as opposed to the capital maintenance concept, around which the former Companies
Act was built. The new Companies Act moves away from the capital maintenance concept, towards the
liquidity/solvency principle. Simplistically, the capital maintenance concept requires prohibitions or strict
requirements to be in place in respect of transactions involving the capital of a company. This is in contrast
to the liquidity/solvency principle, which primarily requires that the liquidity and solvency of the entity
remain intact after any transaction relating to the entity’s capital.
1.2 It was signed by all members who formed the CC and contained:
• the name of the CC
• principal business of the CC
• postal address, physical address
• full name and ID of each member
• the percentage of each member’s interest
• particulars of each member's contribution (s 24)
• the accounting officer’s name and address
• the date of the financial year-end.
Note (a): This document equates partially to the MOI of a company.
Note (b): Founding Statements of existing CCs are lodged with the CIPC (s 13).
Note (c): All existing CCs have a CC registration number, and are issued with a certificate of incorporation
(s 14).
Note (d): Any changes to the information in the founding statement will result in an amended founding
statement having to be lodged (s 15). Circumstances at existing CCs can still result in the need for
an amended founding statement, for example a new member may join the CC.
Note (e): Each year the CC must lodge an annual return to confirm the validity of the CC’s founding data
(s 15A).
Note (f): A CC must keep a copy of its founding statement and annual return at its registered office.
Part IV Membership
1. Section 29 – Requirements for membership
1.1 Subject to some exceptions, only natural persons may be members of a CC.
1.2 A natural person will qualify for membership:
• if he is entitled to a members’ interest (i.e. made a contribution or purchased the interest)
• in his official capacity as a trustee of a testamentary trust, provided that no juristic person is a beneficiary
of the trust
• in his official capacity as a trustee, administrator, executor of an insolvent, deceased or mentally
disordered member’s estate or his duly appointed/authorised legal representative
• in his official capacity as trustee of an inter vivos trust (with certain provisos), for example no juristic
person shall directly or indirectly be a beneficiary of the trust.
1.3 Joint memberships (two or more persons holding a single member’s interest) are not allowed (s 30).
1.4 The intention of the legislature is to keep membership as natural as possible so that the “closeness” of
the corporation is not complicated by juristic entities (non-people).
1.5 A corporation may have one or more members, but not more than ten (s 28).
4.1.3 For the following transactions, consent in writing of members (or a member) holding at least
75% of the members’ interests will be required:
• a change in the principal business
• a disposal of the whole, or substantially the whole, undertaking of the corporation
• a disposal of all, or the greater portion of, the assets
• any acquisition or disposal of immovable property by the corporation.
4.1.4 Differences between members will be decided by a majority vote of members.
4.1.5 At any meeting, each member of the corporation shall have the number of votes which
corresponds with his percentage interest.
4.1.6 A corporation shall indemnify every member in respect of expenditure incurred or to be
incurred by him (on behalf of the corporation).
4.1.7 Payments as defined (see point 8) shall be made in terms of agreement between members, but
in proportion to their members’ interest.
• Wherever IFRS for SMEs is an option, the CC must meet the scoping requirements outlined in the
IFRS for SMEs.
• It appears that the Accounting Officer’s Report will be required to accompany all annual financial
statements, regardless of the financial reporting standard used or whether an audit was conducted.
2.4 The accounting officer may be a person, a firm of auditors (APA), any other firm or CC, provided
each partner or member is qualified to be appointed.
Part VIII Liability of members and others for the debts of the CC
1. Section 63 – Joint liability for the debts of the corporation
This section must be read bearing in mind that it is designed to secure compliance with various provisions
of the Act by exposing members to joint and several liability with the corporation for the debts of the
corporation if they do not comply.
1.1 Abbreviation CC
If the name of the corporation is used in any way without the abbreviation CC or equivalent, any
member who is responsible for, or who authorised or knowingly permits the omission of the
abbreviation, will be jointly and severally liable to any person who enters into any transaction with
the corporation from which a debt accrues for the corporation while that person, as a result of the
omission of the CC or equivalent abbreviation, is unaware that he is dealing with a corporation.
1.2 Contribution payment outstanding
Where a member fails to pay over his contribution to the CC, he will be liable for every debt of the
corporation incurred from date of registration of the founding statement, to the date when the
contribution payment is actually made by the member.
1.3 Invalid member
Any juristic person or trustee of an inter vivos trust who purports to hold, directly or indirectly, a
member’s interest in contravention of section 29 – Requirements for membership, shall be liable for
every debt of the corporation incurred during the time the contravention continued (despite the
invalid membership).
1.4 Acquisition of members’ interest
Any payment made by a CC in respect of the acquisition of a member’s interest which does not have
the prior written consent of all members, or does not meet the solvency/liquidity requirements, will
result in every member, including the member who received the payment, being liable for the debts of
the corporation incurred prior to making such payment (unless the member was unaware of the
payment or was aware but took all reasonable steps to prevent the payment).
1.5 Financial assistance
Where the CC gives financial assistance for the acquisition of a member’s interest in contravention of
the Act, 1.4 shall apply.
1.6 Disqualified from management
Where any person who is disqualified from managing the company performs a management function,
that person shall be liable for every debt of the corporation which it incurs as a result of that member’s
participation in management.
1.7 Vacancy: Accounting officer
When the position of accounting officer has been vacant for a period of six months, any person who
was a member of the corporation during the period and at the end of it, and was aware of the
vacancy, is liable for every debt incurred by the corporation during the six-month period.
The member will also be liable for debts incurred after the six-month period until the vacancy is filled.
3.7.2 Chapter II: Independent regulatory board for auditors (ss 3 to 31)
This chapter is broken down into seven parts.
• Part 1 establishes the IRBA as a juristic person and orders that the IRBA must exercise its functions in
accordance with the APA and any other relevant law. It also states that the IRBA is subject to the
Constitution.
• Part 2 spells out the functions of the IRBA. The matters dealt with include accreditation and
registration, education, fees for being a member of the IRBA, promoting the integrity of the profession,
prescribing standards, etc.
• Part 3 gives the IRBA its general powers and its powers to make rules. General powers make it possible
for the IRBA to operate, for example, by giving it the power to appoint staff, enter into agreements,
acquire property, borrow money, etc. The power to make rules allows the IRBA to execute its
responsibilities in terms of the Act.
• Part 4 lays out the governance requirements of the Regulatory Board. These sections cover such matters
as appointment of members of the Regulatory Board, their terms of office, disqualification from
membership, meetings, the role of the Chief Executive Officer, etc. For example, the board must consist
of not less than six but not more than 10 non-executive members appointed by the Minister.
• Part 5 deals with committees of the Regulatory Board. Most significantly, it lays down the requirement
that at least the following permanent committees must be established:
Sections 20 and 21: committee for auditor ethics
Sections 20 and 22: committee for auditing standards
Section 20: an education, training and professional development committee
Section 20: an inspection committee
Sections 20 and 24: an investigating committee
Sections 20 and 24: a disciplinary committee
• Part 6 deals with the funding and financial management of the Regulatory Board and covers the
collection of fees, an annual budget and strategic plan, and the preparation of financial statements.
• Part 7 deals with national government oversight and executive authority. This explains that the Minister
of Finance is the executive authority for the IRBA, and that the IRBA is accountable to the Minister.
(ii) Only individuals who are registered auditors may be shareholders. (If the company is a private
company, its membership is not limited to 50).
(iii) Every shareholder must be a director and every director must be a shareholder.
(iv) The MOI of the company provides that the company may, without the confirmation of the
Court, purchase any shares held in it and allot those shares per the company’s MOI.
(v) Only a shareholder may act as a proxy for another shareholder, in other words, no outsiders
may attend, speak or vote at any company meeting. This must be stipulated in the MOI.
Note (a): An accounting company is required to comply with all sections of the Companies Act, for
example, produce AFS, hold meetings, etc.
Note (b): Section 38 ensures that registration with the IRBA is restricted to auditors, regardless of the form
the firm takes. Registration requirements are strict. For example, an auditor and a lawyer cannot
form a partnership and apply to be a firm of registered auditors. Likewise, a firm that wishes to
constitute itself as a company cannot include lawyers or others as shareholders or directors.
Many auditing firms (partnerships and companies) have lawyers, engineers, IT specialists on
their staff, but they cannot be partners or shareholders.
3.7.4 Chapter IV: Conduct by and liability of registered auditors (ss 41 to 46)
1. Section 41 – Practice
1.1 Only a registered auditor may engage in public practice.
1.2 A person who is not registered in terms of the APA, may not:
• perform any audit (see notes (a), (c) and (e))
• pretend to be, or hold out to be, registered in terms of the APA (note (b))
• use the name of any registered auditor (see note (d))
• perform any act to lead persons to believe that he is registered in terms of the APA.
Remember: the term “audit” is defined as meaning an examination, in accordance with applicable
auditing standards, of:
(i) financial statements, with the objective of expressing an opinion as to their fairness in terms of
an identified reporting framework, or
(ii) financial and other information, prepared in accordance with suitable criteria with the objective
of expressing an opinion on the financial and other information.
Note (a): This section does not prohibit a non-registered individual from performing an audit under a
registered auditor’s direction, control and supervision, for example, an employee in an auditing
firm.
Note (b): An individual or firm may not use the descriptions “registered auditor”, “public accountant”,
“registered accountant and auditor”, “accountant in public practice” or any other designation
likely to create the impression of being a registered auditor in public practice unless they are
registered with the IRBA. Remember, this is a prohibition created by law; it is similar to the
medical profession, you cannot call yourself a medical doctor if you are not registered as such
with the Health Professions Council of South Africa.
Note (c): The section does not prohibit:
• any person from using the description “internal auditor” or “accountant”. Any person can offer accounting
services (not auditing) to the public and call themselves a “financial advisor” or a “management
accountant”, etc.
• any member of a not-for-profit club or similar entity, from acting as auditor for that club or entity,
provided he receives no fee or other considerations for the audit
• the Auditor-General from appointing any person who is not a registered auditor, to carry out on his
behalf, any audit in terms of the Public Audit Act 25 of 2004.
Note (d): For example, Joe Janks is a registered auditor practising under the name of “J Janks Registered
Auditor and Accountant”. He retires and sells his practice to Paul Paris who is a very competent
accountant but not eligible to register with the IRBA. Paul Paris would not be allowed to retain
the name of the firm as “J Janks Registered Auditor and Accountant” and would not be able to
retain the firm’s audit clients.
Note (e): Except with the consent of the IRBA, a registered auditor may not knowingly employ
• any person (formerly registered but) no longer registered as a result of the termination or
cancellation of registration, or
• any person who was declined registration on the grounds of having been removed from an
office of trust, convicted and sentenced for fraud, theft, etc., as laid out in section 37, note (c).
Note (f): Section 41(6) states that a registered auditor may not
• practice under a firm name unless every letterhead bears the firm name, the first name (or
initials) and surname of the registered auditor, the names of the managing or active partners
in the case of a partnership, or in the case of a company, the present first names, or initials,
and surnames of the directors.
• sign any account, statement, report or other document which purports to represent an audit
unless the audit was performed by, or under the supervision of that auditor (or a co-partner
or co-director) in accordance with prescribed auditing standards (see note (a))
• perform audits unless adequate risk management practices and procedures are in place
• engage in public practice during any period in respect of which the registered auditor has
been disqualified from registration
• share any profit derived from performing an audit with a person that is not a registered
auditor.
2.3 In terms of section 44(4), (5) and (6), if a registered auditor was responsible for keeping the books,
records or accounts of an entity on which he is reporting on anything in connection with the business
or financial affairs of the entity, details of the dual roles undertaken must be included in the report.
Note (d): In terms of section 90 of the Companies Act, a person who, alone or with a partner or
employees, habitually or regularly performs the duties of accountant or bookkeeper or performs
related secretarial work may not be appointed auditor.
Note (e): The passing of closing entries, assisting with adjusting entries or framing financial statements or
other documents are not regarded as “being responsible for keeping the books, records or
accounts” (see s 44 (5)).
Note (f): A registered auditor who has or has had a conflict of interest (as prescribed by the IRBA) may
not conduct an audit of that entity.
3.6 Section 45(7) states that if an individual registered auditor has reported an irregularity to the
Regulatory Board in terms of subsection (1)–
• the individual registered auditor may not be removed; and
• the entity may not remove the registered auditor until subsection (3) is complied with.
On the face of this, it does not seem too difficult, but as with most legal matters, clarity is required on
several aspects. The following notes apply to the phrases or terms used in the definition and the section.
Note (a): Any unlawful act or omission
• An unlawful act will be
(i) an act which is contrary to any law passed by a government
(ii) an act which is contrary to regulation (e.g. regulations pertaining to pollution)
(iii) an act which is contrary to accepted common-law principles.
• The unlawful act may arise out of negligence or be intentional (negligence arises where the person ought
to have known that the act or omission committed was unlawful).
• Auditors are not legal experts but, in terms of ISA 250 Consideration of Laws and Regulations in an
Audit of Financial Statements, should be capable of recognising instances where non-compliance with
laws and regulations by the entity may materially affect fair presentation. The auditor is not required to
introduce additional audit procedures to detect unlawful acts.
Note (b): Committed by any person responsible for management of an entity
• To be an RI, the irregularity must have been committed by a person responsible for the management of
the entity.
• For a company, this can generally be interpreted as:
(i) the board of directors of a company and the holding company in group situations, and
(ii) any person who is a principal executive officer of the company, and
(iii) any person who exercises executive control.
• For other types of entity, it can generally be interpreted as the
(i) board of the entity, and
(ii) the individuals responsible for the management of the company, and
(iii) any person who exercises executive control.
• If an employee of an entity commits an unlawful act with the knowledge or direction of any person
responsible for management, the auditor would regard this as an unlawful act committed by management.
Note (c): Has caused or is likely to cause, material financial loss to the entity, or to any member, shareholder, creditor
or investor . . .
• If the unlawful act or omission is committed by any person responsible for management, which has
caused, or is likely to cause, loss to any of the above parties, it is reportable.
• If the act will not cause financial loss, it is not reportable in terms of this requirement but it may still be
reportable in terms of the other two conditions, namely, the act amounts to fraud/theft or is a breach of
fiduciary duty.
• Whether the loss is material is a matter of professional judgement; it does not relate to the materiality
levels set for the audit. The absolute and relative size of the loss is considered, for example a loss of
R1m as a result of an unlawful act is in absolute terms material, but in the context of a large listed
entity, it may be immaterial.
• If a benefit has been accrued from the unlawful act, it may not be set off against the “loss” incurred, for
example, a R1m bribe which results in a contract for the entity of R20m, cannot be ignored because the
entity is R19m “to the good” (see note (d) below).
Note (d): Is fraudulent or amounts to theft
• As indicated above, if the fraudulent act is theft or fraud but does not result in financial loss to the
entity, for example, a company submits and is paid out on a false insurance claim, the act is reportable as
it is fraud. (Note: The insurance company has in fact suffered loss.)
• Fraud is defined as “the unlawful and intentional making of a misrepresentation which causes actual or
potential prejudice to another”, for example, submitting a false insurance claim.
• Theft is the “unlawful taking of a thing which has value with the intention to deprive the lawful owner
or the lawful possessor of that thing”, for example, members of the management team sell inventory
belonging to the entity, falsify the inventory records, and keep the proceeds.
Note (e): Represents a material breach of any fiduciary duty owed by such person to the entity or any partner,
member, shareholder, creditor or investor of the entity, under any law applying to the entity or the conduct
or management thereof.
• A fiduciary duty can generally be defined as an obligation to act in the best interests of another party.
• A person generally comes into a fiduciary relationship when he controls the assets of another, or holds
the power to act. Fiduciaries are expected to be loyal and to act in good faith towards the person to
whom they owe the fiduciary duty and must not profit from their position as a fiduciary.
• Common examples of fiduciary relationships which the registered auditor will encounter are:
(i) a director in relation to his company
(ii) a member in relation to his CC
(iii) a partner in relation to his co-partners.
• The measurement of the materiality of the breach is again a matter of professional judgement and will
bear no relationship to audit materiality. Only inconsequential or trivial breaches should be regarded as
non-material.
• The key obligations in terms of the directors’ fiduciary duties owed to their company include:
(i) preventing a conflict of interest between themselves and the company
(ii) not exceeding the limitations of their powers (ultra vires)
(iii) considering the affairs of the company in an objective manner and in its best interests (unfettered
discretion)
(iv) exercising their powers for the purpose for which they were granted.
Note (f): Section 45(1) and (2) place a duty on the individual registered auditor to report the irregularity
• You will remember from section 44 that an individual registered auditor must be identified as responsible
and accountable for an audit; it is this individual who is required to report any RI.
• In order to report, the registered auditor does not need absolute or irrefutable proof that a reportable act
has taken place; he needs only to be “satisfied or have reason to believe”. If challenged, the auditor will
have to show that there were sufficient grounds to report the irregularity. It is important to note that
there is no legal protection for the registered auditor if he reports the irregularity without sufficient grounds to
do so.
• It is important to note that in respect of the RI, the registered auditor may consider information that
comes to his knowledge (or the knowledge of the firm) from any source. This will include knowledge
obtained from
(i) providing other services to an audit client, for example, a reportable fraud is picked up while
preparing a VAT return
(ii) providing services to another client, for example, at an audit of a client (company B), the auditor
learns that another audit client (company A) in the same industry is paying bribes to obtain
contracts
(iii) third parties, for example, press coverage of court cases, or articles about illegal importing in a
particular business sector such as sports footwear.
Obviously, the auditor would be expected to consider the reliability of the source of information.
• Using information from any source will not be regarded as a breach of the fundamental principles of
confidentiality as spelled out in the Code of Professional Conduct as it is a legal requirement that the
registered auditor “considers such information”.
Note (g): Reporting without delay
• From the point of “being satisfied or having reason to believe”, the auditor must report “without
delay.” This time period is not defined and should be interpreted as the period a “reasonable auditor”
would take to report.
Note (h): In terms of the APA, a registered auditor only has an obligation to report RIs in respect of an audit client
(but see note (k) below (very important!))
• In terms of section 1 – “Definitions”, an audit means the examination of, in accordance with the
applicable auditing standards:
(i) financial statements with the objective of expressing an opinion as to their fairness or compliance
with an identified framework and any applicable statutory requirements, or
(ii) financial and other information prepared in accordance with suitable criteria, with the objective of
expressing an opinion on that financial and other information.
• Take note that the auditor has a responsibility to report in respect of an audit client, not solely in respect
of the service rendered.
For example:
Green and Brown, a firm of registered auditors, is carrying out an “agreed-upon procedures” engagement
for Tacksi (Pty) Ltd (no opinion is given for this type of engagement). Green and Brown also perform the
annual audit of Tacksi (Pty) Ltd, and Bill Brown is the registered auditor responsible for the audit. During
the course of conducting the “agreed-upon procedures” engagement, Gary Green, the individual
performing the engagement, suspects that a management fraud is taking place at Tacksi (Pty) Ltd. In terms
of Green and Brown’s appointment to perform agreed-upon procedures, this is not an RI, but as Tacksi
(Pty) Ltd is an audit client, Bill should be informed of the suspected management fraud and should consider
whether it is a reportable irregularity.
• It is also important to note that the definition of “audit” is not restricted to the audit of financial
statements.
• Where an individual registered auditor performs an audit on behalf of the Auditor-General, “reportable
irregularities” will be reported to the Auditor-General, not the IRBA. This is because the entity has not
appointed the auditor, i.e. the formal relationship is between the entity and the Auditor-General.
Note (i): Reasonable measures
• The registered auditor is required to take “reasonable measures” to discuss the report submitted to the
IRBA with the client. Most often, this should be a straightforward exercise as the client will want to
discuss it. If this is not the case, reasonable measures will be judged in terms of what a reasonable
auditor would do.
Note (j): Section 45(4) places a duty on the IRBA to notify any appropriate regulator in writing of the RI.
• The term “appropriate regulator”, is defined in section 1 and covers a wide range of parties, for
example, a national government department, commissioner, regulator, authority, agency, board
appointed to regulate, oversee or ensure compliance with any legislation, regulation or licence, rule,
directive, notice in terms of or in compliance with, any legislation as appears appropriate to the
Regulatory Board.
• Where the RI is a criminal act, the Regulatory Board is likely to inform the Director of Public
Prosecutions, who may, in turn, request the Commercial Branch of the SAPS to investigate the matter.
(i) If this occurs, the auditor should expect a visit from the Commercial Branch. As no legal privilege
between a practitioner and a practitioner’s client exists, and as the practitioner is not protected by
the Code of Professional Conduct in respect of confidentiality, the practitioner cannot legally
refuse to hand over documents to SAPS, provided the SAPS is acting within its powers. Legal
advice should be sought immediately.
Note (k): In terms of the Companies Act and the Companies Regulations 2011, all companies must
calculate their public interest score. This score, combined with other factors, identifies certain
companies which must subject their AFS to an independent review by a registered auditor
(chartered accountants or other categories of accountant may carry out certain reviews). As this
company is not an “audit client” section 45 of the APA will not apply, so an RI uncovered
during an independent review, will not be reportable to the IRBA in terms of the APA. However,
in terms of regulation 29, an independent reviewer (who will frequently be a registered auditor),
will be obliged to report an “RI” uncovered on a review engagement, but to the CIPC, not the
IRBA. Requirements and procedures are essentially the same and are described in chapter 3 of
this text.
The auditing statements in effect provide the standards to which the registered auditor must
adhere in the performance of his function. It stands to reason, therefore, that if the performance
of the auditor is to be judged, it will be judged against the standards which the profession itself
has set.
7 When must the first report be made to the IRBA?
“Without delay” from when the auditor is satisfied or has reason to believe that an RI has taken place.
8 When must management be notified of the report?
Within 3 days of the auditor making the first report to the IRBA.
9 What must the auditor do next?
Take all reasonable steps to discuss the report with management and, having done so, make a second
report to the IRBA which states that
• no RI has taken place or is taking place, or
• the suspected RI is no longer taking place and that adequate steps have been taken for the
prevention or recovery of any loss, or
• the RI is continuing.
10 Is there a time limit on this second report?
Yes. As soon as reasonably possible, but no later than 30 days from the date of the first report to the
IRBA.
CHAPTER 4
Corporate governance
CONTENTS
4.1 Section 1 – Background, fundamental concepts, application and disclosure
4.1.1 Introduction
4.1.2 Brief background to corporate governance in South Africa
4.1.3 Application regimes for codes of corporate governance
4.1.4 The King IV Report on corporate governance for South Africa
4.1.5 King IV and the International Integrated Reporting Council (IIRC)
4.1.6 Application and disclosure
1994 and to assess its currency against developments, locally and internationally, since its publication in
1994” and to “consider and recommend reporting on issues associated with social and ethical accounting,
auditing and reporting on safety, health and environment”. The committee also sought to recommend how
the success of a company’s compliance with a new Code of Corporate Governance could be measured.
The King Committee consisted of representatives from all major interest groups, including the internal
and external audit professions. The report was issued in March 2002. The product of the 2002 King Report
was the Code of Corporate Practices and Conduct. This was a set of principles/recommendations, not a
prescriptive set of instructions or an Act. It did not in any way supersede laws and regulations on
companies or business in general and did not lay down a set of “punishments” for breaches of the Code. As
with King I, the JSE required compliance with the recommendations of King II by listed companies.
1.3 The King IV Report has introduced a further variation, namely “apply and explain” which is explained
on page 4/16.
As far as possible, King IV has been drafted in a non-prescriptive format, and an apply and explain (as
opposed to apply or explain) application regime has been adopted. In effect, King IV assumes the
voluntary application of the Code’s principles and recommended practices and requires an
explanation of how the organisation is doing in achieving the principles laid out in the Code.
2. Structure
The following paragraphs indicate how the King IV Report is structured and provide a brief explanation of
how the matters raised in each part of the Report have been dealt with in this chapter. The approach
adopted in this chapter is to include all pertinent information from the King IV Report (without
unnecessary duplication) in a manner that is “easy to work with” in gaining an understanding of the topic.
Additional information other than that contained in the King IV Report has been included in this chapter.
Students should make use of the Report itself when working with this chapter.
This chapter has been presented in two sections:
Section 1 – Background, Fundamental Concepts, Application and Disclosure.
Section 2 – The King IV Code on Corporate Governance.
• Foreword. The report contains a foreword that discusses several issues pertinent to the topic. These
issues have been covered where necessary in this chapter in section 1.
• Part 1: Glossary of Terms. The glossary has not been included in this chapter. When it is necessary to
clarify a word or a phrase in the text, its meaning has been reproduced.
• Part 2: Fundamental concepts. Explanations of the fundamental concepts have been included with, in
some cases, additional information in this chapter in section 1, or where it is desirable, as an addition to
the explanation of a principle in section 2.
• Part 3: King IV application and disclosure. The matters dealt with in this part of the King IV Report have
been included in this chapter in section 1.
• Part 4: King IV on a page. This diagrammatical summary has not been reproduced. A complete list of
the 17 principles and a summary of the recommended practices for each principle has been
included as an Appendix at the end of section 2.
• Part 5: King IV Code on Corporate Governance. This part of the King IV Report deals with each of the
principles and lists the recommended practices that should be implemented to achieve the desired
governance outcomes. This part of the King IV Report has been comprehensively covered in this
chapter, in section 2. Additional information has been included.
• Part 6: Section supplements. This part contains supplements intended to demonstrate how the Code
should be interpreted in the context of certain identified organisations, such as municipalities,
non-profit organisations, retirement funds, SMEs, and state-owned enterprises (SOEs). Essentially, the
principles remain the same, but the relevance and application of the recommended practices will vary, in
other words, an SME is unlikely to have an audit committee (or any other board committee for that
matter), or to appoint non-executive directors. This part has not been covered any further in this
chapter.
• Part 7: Content development process and King Committee. This part deals with the process of “putting
King IV together” and lists the individuals who did so. It has not been reproduced in this chapter.
the triple context in which it operates. The value creation process is the process that results in
increases, decreases or transformations of the capitals caused by the company’s business
activities and outputs.
Note (b): There is a popular misconception that “corporate governance” is a concept which applies only
to large companies. It is undoubtedly true that small and medium-sized companies will not have
the resources or the need to implement “good corporate governance” in the same manner or
method as a large company.
For example, medium and smaller companies do not usually have audit committees, risk
committees or numerous non-executive directors, but there is no reason that these companies cannot
aspire to and achieve the highest levels of good corporate governance based on the principles
and practices recommended by King IV. Such concepts as ethical leadership and responsible
corporate citizenship are not unique to large companies; they are for all corporate entities.
The essence of King IV is that the principles and intended governance outcomes apply to all
organisations, but the recommended practices can be applied to suit the circumstances of the
specific organisation. King IV introduces proportionality, which it describes as the “appropriate
application and adaption of practices”. This means that the recommended practices are meant to
be applied proportionally, taking into account:
• the size of turnover and workforce
• resources (the organisation has available to apply the practices)
• the complexity of the organisation’s strategic objectives and operations.
Note (c): The point made in 3.3 above is that good corporate governance is not some stand-alone concept
that has a life of its own. Instead it is something that permeates all aspects of the company. This
holistic approach is an essential requirement for achieving good governance. It requires what is
termed integrated thinking, which means that when the board and management make business
decisions, they do so in the context of the company being an integral part of society, its role as a
corporate citizen, its stakeholder relationships and its economic, environmental and societal
sustainability.
Note (d): The point made in point 3.5 above is that good corporate governance is not only about putting
in place the right structures and processes. For example, while a properly constituted
board and clear lines of authority and reporting, along with detailed procedure manuals, are
essential, the requirements of good corporate governance must be implemented and applied
throughout the company in an environment that promotes ethical behaviour.
This means that in the context of corporate governance, the board assumes responsibility for:
4.1 Providing the direction for how each governance area (e.g. ethics, risk, remuneration, assurance)
should be approached, addressed and conducted (strategy).
4.2 Formulating policy in frameworks, codes, standards and plans to articulate and put the strategy into
place.
4.3 Overseeing and monitoring the policy’s implementation and execution and the plan in terms of
recommended practices.
4.4 Ensuring accountability for the performance in each of these governance areas through reporting and
disclosure.
Recommended practices in the King IV Code are organised following the sequence of responsibilities (4.1–
4.4 above).
guide how society and its different components (such as companies) behave in that society. It is
certainly true that different religions, races, cultures and backgrounds see ethical issues from a
different perspective and may have different ideas about the meaning of ethical culture and
ethical behaviour. However, there is little doubt that the vast majority of people support a
society that is honest and truthful, rejects such social ills as fraud and corruption, and desires
societal behaviour that engenders trust and integrity. As members of society, companies should
embrace these desires.
Note (c): In terms of King IV, “values” are the convictions and beliefs about:
• how a company and those who represent it should conduct themselves
• how the company’s resources and stakeholders, both internal, for example, employees,
and external, for example, customers, should be treated
• what the core purposes and objectives of the company are, for example, maximising
profits for shareholders or putting the legitimate needs of greater society first
• how work duties should be performed, for example, delivering excellent service, rejecting
any form of corrupt practice.
Again in terms of King IV, culture, in the context of a company, is the way the directors,
management and other staff relate to each other, their work and the outside world in comparison to
other companies.
Note (d): A company’s values are formalised and documented in mission statements and corporate codes
of conduct in their various forms. For example, employees may be given a code of behaviour,
whilst a potential supplier may be required to sign a code of trade practices or something similar.
Note (e): The governance of ethics refers to the role of the board in ensuring that how the company’s
values are expressed and implemented results in an ethical culture. For example, an ethical
culture is unlikely to be created by ramming rules and regulations down employees’ throats and
adopting an autocratic “big stick” approach. An ethical culture is achieved when the board sets
the example by behaving ethically, and management and other employees want to voluntarily
embrace the company’s values and make an effort to do so. The board, management and
employees must be aware that the “ethical way is the best way” for themselves, the company
and society to prosper. Likewise, they should realise that trust in a company’s integrity and
reputation is hard-earned but easily lost. The importance of managing and protecting the
company’s ethical culture is paramount.
Note (f): Concerning rights, as a corporate citizen, a company has a right to a suitable operating
infrastructure, a functional legal and police system and an administrative infrastructure.
Note (g): Concerning its obligations and responsibilities to society, a company as a corporate citizen is
obliged among other things, to operate within the law, pay its taxes, consider the legitimate
needs of society, and respect the natural environment. The status of a company in society means
that it is accountable not only for financial performance or for isolated corporate social
initiatives but for outcomes in the economic, social and environmental context. It is unethical
for organisations to expect society and future generations to carry their operations’ economic,
social and environmental costs and burdens.
explain that the “best interests of the company” should be interpreted “within the parameters of sustainable
development and being a responsible corporate citizen”. This basis of decision-making is termed the
stakeholder-inclusive approach, and in terms of this model, the best interests of the company are not necessarily equated
with the best interests of the shareholders. The interests of the shareholders do not automatically take precedence
over the interests of other stakeholders, that is, the interests of providers of financial capital are not
prioritised.
Note (k): The stakeholder-inclusive approach to decision-making supports the enhancements of the six
capitals and, therefore, sustainable development.
Note (l): At this point, you may be thinking that shareholders want their companies to consider the
interests of all stakeholders as this will promote sustainability and good corporate citizenship. It
seems so logical. However, bear in mind that many companies and shareholders are short-term
profit-driven. Boards are put under severe pressure to produce dividends for shareholders. Many
shareholders, including corporate shareholders such as “speculative” investment companies, are
not necessarily “long-term shareholders” but move their investments in and out of different
companies in an attempt to maximise their short-term profits and cash flow.
requires that a report which is a “concise communication about how an organisation’s strategy, governance,
performance and prospects, in the context of its external environment, lead to the creation of value over the
short, medium and long term, should be produced”.
So how do all these reports fit together? In order to clarify the standing of the integrated report with other
reports, King IV deals with it “as one of the many reports that may be issued by the company as is
necessary to comply with legal requirements and/or to meet the particular information need of material
stakeholders”.
King IV is not prescriptive. It is recommended practice that:
• an integrated report could be a stand-alone report which connects the more detailed information in other reports, or
it could be
• a distinguishable, prominent part of another report that includes the financial statements, a sustainability report
and any other reports issued in compliance with legal requirements.
The practice recommended in the King IV Code is for the company to “issue a report annually that presents
material information in an integrated manner and that provides its users with a holistic, clear, concise and
understandable presentation of the organisation’s performance in terms of sustainable value creation in the
economic, social and environmental context”.
affected by, the six capitals it uses in the economic, social and environmental context in which it
operates. Integrated reporting is a process founded on integrated thinking that results in a periodic
integrated report about value creation over time. An integrated report is a concise communication about
how a company’s strategy, governance, performance and prospects fit together.
2.5 Social and relationship capital – the institutions and relationships and other networks which the
company can use (and contribute to) to enhance individual and collective well-being, for example:
• the trust that a company has developed with the community in which it operates, or with other
key stakeholders such as its suppliers and workforce, and
• the trust and other intangible benefits derived from the company’s brand and reputation.
2.6 Natural capital – the renewable and non-renewable environmental resources that support the
company’s past, current or future prosperity, including air, water, land, minerals and forests, and the
ecosystem in general.
Obviously not all capitals are equally relevant or applicable to all companies. As the Framework points out,
while most (large) companies interact with all capitals to some extent, these interactions might be relatively
minor (immaterial) or so indirect that they are not sufficiently important to include in the integrated report.
1.5 Note that whilst it is not compulsory in terms of the law for companies to apply the King IV Code,
other bodies to which the company is connected may require the company to do so.
For example, the JSE requires that listed companies apply the Code, or a holding company may
require that subsidiaries do so.
4. Proportionality
4.1 Implementing the King IV Code should be done based on proportionality, as it cannot be applied in
the same manner and to the same extent in all companies. For example, SMEs are unlikely to have
the necessary resources to implement the recommended practices which a listed company might
implement and in fact will not need to implement practices to the same extent. For example, SMEs
will normally not require a chief audit executive or an audit committee, and will be less concerned
about the composition of the board in respect of non-executive directors.
4.2 However, this does not mean that SMEs should not strive for good corporate governance, or that they
do not need to concern themselves with being good corporate citizens or ethically conducting
business. Therefore, the principles promoted by the King IV Code are applied by all entities.
4.3 Regarding practices, the King IV Code seeks to instil a qualitative approach in which recommended
practices are implemented in a manner and to an extent which achieves that principle, that is, the
King IV recommended practices are adapted to suit the entity’s situation.
4.4 Practices should be scaled per the following proportionality considerations particular to the entity:
• size and turnover
• size and workforce
• resources
• extent and complexity of activities, including the entity’s impact on the triple context in which it
operates, namely the economy, society and the environment.
A director has an overriding fiduciary duty to act in good faith, in a manner that the director
reasonably believes is in the company’s best interests, and in terms of the common law, and may
be held liable for loss, damages, or costs of any breach of this duty.
• Directors should avoid conflicts of interest: The personal interests of a director, or a person closely
associated with the director, should not take precedence over those of the company. This principle
has been partially legislated for by section 75 of the Companies Act 2008, which requires that a
director disclose any financial interest which he may have (or which any person related to the
director, as defined by s 2, may have) in any matter which is to be considered at a meeting of the
board.
For example, the board may be considering entering into a contract with a company owned by a
director’s wife (related person). The director must declare this fact before the meeting and should
not take part in the “consideration” or approval of the matter.
• Directors should act ethically beyond mere legal compliance: Conflicts of interest may not be as clear cut
as this example and may only be known to the director himself. It is up to the director’s integrity to
do the right thing, for example, declare the conflict, resign from the board, whatever is
appropriate. Directors should have the courage to act with integrity and honesty in all decisions in
the company’s best interests. A director should not lack the courage to stand up to other board
members, for example a domineering CEO or chairman, when integrity and honesty demand it.
• Directors should set the tone for an ethical organisational culture.
1.2 Competence
• The board as a whole, and directors individually, assume responsibility for the ongoing development
of their competence to run the company effectively.
For example, a financial director should keep abreast of new accounting standards applicable to
the company, and all directors should, by attending presentations and courses, etc., keep up to date
with international and industry-specific affairs, developments and trends.
• Directors should ensure that they have sufficient knowledge of the company, its industry, the
economic, social and environmental context in which it operates, and the significant laws,
regulations, rules, codes, and standards applicable to it. King IV recommends that subject to
stipulated policies and procedures, a director should have unrestricted access to professional
advice and the company’s information, documentation, records, property and personnel.
• Directors must act with due care, skill and diligence, and take reasonably diligent steps to become
informed about decisions.
Again, in terms of section 76 of the Companies Act, 2008, to discharge his duties (exercise his powers
and duties) a director:
• should take reasonably diligent steps to be informed about any matter to be dealt with by the
directors
• should have had a rational basis for making a decision and believing that the decision was in the
best interests of the company
• is entitled to rely on the performance of:
– employees of the company whom the director reasonably believes to be reliable and competent
– legal counsel, accountants or other professionals retained by the company
– any person to whom the board may have reasonably delegated authority to perform a board
function
– a committee of the board of which the director is not a member unless the director has reason
to believe that the actions of the committee do not merit confidence
• is entitled to rely on information, reports, opinions or recommendations made by the above-mentioned
persons.
1.3 Responsibility
• Directors should assume collective responsibility for:
– steering and setting the direction of the company
– approving policy and planning
– overseeing and monitoring of implementation and execution by management
– ensuring accountability for organisational performance.
• Directors should exercise courage in taking risks and capturing opportunities but in a responsible
manner and in the company’s best interests.
• Directors should take responsibility for anticipating, preventing or lessening the negative outcomes
of the company’s activities and outputs on:
– the triple context (social, economic and environmental) in which it operates, and
– the capitals that it uses or affects.
• Directors should attend board meetings (and board committee meetings as appropriate) and
devote sufficient time and effort to prepare for those meetings.
1.4 Accountability
• Directors should be willing to answer for (be held accountable for) the execution of their responsibilities
even when such responsibilities have been delegated.
1.5 Fairness
• Directors must consider and balance the legitimate and reasonable needs, interests and expectations
of all stakeholders in the execution of their governance role and responsibilities; in other
words, they must adopt a stakeholder-inclusive approach.
• Directors should direct the company in a way that does not adversely affect the natural environment,
society or future generations.
1.6 Transparency
• Directors should be transparent in the manner in which they exercise their governance roles and
responsibilities.
2. Disclosure
The arrangements by which the directors are held to account for ethical and effective leadership should be
disclosed, for example, compliance with codes of conduct and performance evaluations.
– incorporating such codes in employment and supply contracts; for example, a supply contract may
include a clause that stipulates that the company will not do business with a company that engages in
any form of unfair labour practices such as “sweatshop labour”
– holding workshops and seminars to inform employees about the relevant codes and how they are
implemented in the workplace.
• The directors should delegate the responsibility for implementing and executing the codes and ethics
policy to management.
• The directors should exercise ongoing oversight of the management of ethics and oversee that it results
in the following:
– application of the company’s ethical standards to the recruitment process, evaluation of performance
and reward of employees as well as the sourcing of suppliers
– having sanctions and remedies in place to deal with breaches of the ethical standards; for example, a
formal disciplinary procedure
– the use of protected disclosure or whistle-blowing mechanisms to detect breaches
– monitoring and assessing adherence to the codes of ethics and conduct by employees, business associates,
contractors and suppliers.
For example, this may involve monitoring the nature and frequency of complaints/instances of
alleged unethical behaviour and having “ethics” as an agenda item for meetings with employee
bodies, business associates etc. Suppliers may be asked to provide annual written confirmation that
they are complying with the ethical terms of their supply contracts, or business associates may be
asked to comment on any unethical behaviour by them, which may have been alleged in the financial
press.
• Disclosure: The following should be disclosed:
– an overview of the arrangements for governing and managing ethics
– key focus areas during the reporting period
– measures taken to monitor organisational ethics and how the outcomes of monitoring were addressed
– planned areas of future focus.
Recommended practices
1. The board should set the direction for how corporate citizenship should be approached and addressed
by the company.
2. The board should ensure that the company’s responsible citizen efforts include compliance with:
• the Constitution of South Africa (including the Bill of Rights)
• the law
• leading standards on corporate citizenship
• adherence to its codes of conduct and policies.
3. The board should oversee that the company’s core purpose and values, strategy and conduct are congruent
with it being a responsible corporate citizen.
4. The board should oversee and monitor, on an ongoing basis, how the consequences of the company’s
activities and outputs affect its status as a responsible corporate citizen. This oversight and monitoring
should be performed against measures and targets agreed with management in all of the following
areas:
• workplace, for example, fair remuneration, development of employees, health and safety
• economy, for example, economic transformation, fraud and corruption, tax policy
• society, for example, public health and safety, community development, consumer protection
• environment, for example, pollution prevention, waste disposal.
5. Disclosure. The following should be disclosed:
• an overview of the arrangements for governing and managing responsible corporate citizenship
• key areas of focus during the reporting period
• measures taken to monitor corporate citizenship and how outcomes were addressed
• planned areas of future focus.
Note (a) In terms of Regulation 43 of the Companies Regulations 2011, every state-owned company,
listed public company and any other company that has in two of the previous five years scored
above 500 points in its public interest score, must appoint a Social and Ethics committee. This
committee is required to monitor the company’s activities concerning any relevant legislation,
legal requirements or codes of best practice about:
• social and economic development
• good corporate citizenship
• the environment, health and public safety
• consumer relationships, and
• labour and employment.
King IV has recommended additional requirements for the Social and Ethics committee, namely, that the
committee directs and oversees:
• the management of ethics, and
• the social responsibility aspects of the remuneration policy.
Thus, it is an essential committee in the creation and maintenance of the company’s ethical culture and its
status as a responsible corporate citizen.
Note (b) Tax strategy and policy. King IV adopts the attitude that it is no longer acceptable to have overly
aggressive tax strategies, such as exploiting mismatches between the tax regimes of various jurisdictions
to minimise tax, even if these actions are legal, for example, companies shifting profits
from the country where they have their customer-base to a country which has a lower tax rate.
In terms of current thinking, the due payment of tax is linked to corporate citizenship and
reputation. King IV requires that the board and audit committee should be responsible for a tax
strategy and policy which is legal and reflects good corporate citizenship.
Recommended practices
1. The board should steer and set the direction for realising the company’s core purpose and values
through its strategy.
2. The board should delegate the formulation and development of the company’s short-, medium- and
long-term strategy to management.
3. Management’s strategy should be approved by the board. When considering approval, the board should
challenge (question and consider) it constructively concerning:
• the timelines and parameters which determine the meaning of the short, medium and long term
• the risks, opportunities and other matters connected to the triple context
• the extent to which the proposed strategy depends on resources and relationships connected to the
various forms of capital (six capitals)
• the legitimate and reasonable needs, interests and expectations of (all) material stakeholders
• the increase, decrease or transformation of the various forms of capitals that may result from the
execution of the proposed strategy
• the interconnectivity and interdependence of all of the above.
4. The board should ensure that it approves the policies and operational plans developed by management
to effect the strategy, including key performance measures and targets for assessing the achievement of
strategic objectives and positive outcomes over the short, medium and long term.
5. The board should delegate the responsibility to implement and execute the approved policies and plans
to management.
6. The board should exercise ongoing oversight of implementing strategy and operational plans against
agreed performance measures and targets.
7. The board should oversee that the company continually assesses and responds to the negative consequences
of its activities and outputs on the triple context (social, economic and environmental) in which
it operates and the capitals which it uses or affects.
8. The board should be alert to the organisation’s general liability about its reliance on the capitals, its
solvency and liquidity, and its status as a going concern.
4.2.2.2 Reporting
Principle 5. The board should ensure that reports issued by the company enable stakeholders to make
informed assessments of the performance of the company and its short, medium and long-term prospects.
This principle intends to provide stakeholders with useful information about the company within the triple
context, so that stakeholders can better assess the company’s ability to sustain itself by its ability to create
value. Reporting needs to be far more than simply presenting historical financial information such as a set
of annual financial statements – much more information on the economic, social and environmental
aspects and the six capitals of the company must be included.
Recommended practices
1. The board should set the direction for approaching and conducting the company’s reporting.
2. The board should approve management’s determination of the reporting frameworks and standards to
be applied in reports, for example, IFRS, JSE listing requirement, the International Integrated
Reporting Framework, taking into account:
• legal requirements
• the intended users
• purpose of each report.
3. The board should ensure that all reports required in terms of the law, for example, annual financial
statements, and which are required to meet the legitimate and reasonable information needs of material
stakeholders, for example, a sustainability report, are issued.
4. The board should determine the materiality of information to be included in reports. A piece of
information will be material if its inclusion or omission would affect the report users’ ability to properly
assess the report’s subject matter.
5. The board should ensure that the company issues an integrated report annually (at least). This report
may be:
• a stand-alone report which connects the more detailed information in other reports and addresses,
completely and concisely, the matters which significantly affect the company’s ability to create
value, or
• a distinguishable, prominent and accessible part of another report that includes the AFS and other
reports that must be issued.
6. The board should ensure the integrity of external reports.
7. The board should ensure the following information is published on the company’s website or other
platforms or media so that it is accessible to stakeholders:
• corporate governance disclosures required in terms of the Code
• integrated reports
• annual financial statements and other external reports.
3. The chief executive officer and at least one other executive should be appointed to the board (note: JSE
regulations require that a financial director be appointed).
4. The board’s composition should have a suitable diversity of academic qualifications, technical expertise,
industry knowledge, experience, nationality, age, race, and gender to conduct the board’s business and
make it effective and promote better decision-making.
5. Staggered rotation of the directors should be implemented to retain valuable skills and maintain
continuity of knowledge and experience while introducing “new blood”.
6. The board should establish a defined succession plan which includes identification, mentorship and
development of potential future directors.
7. The board should have a majority of non-executive directors, the majority of whom should be independent.
8. The board should set targets for race and gender representation in its membership.
2. At the beginning of each board meeting or its committee meetings, all directors should be required to
declare whether any of them has any conflict of interest in respect of a matter on the agenda.
3. Non-executive directors may be categorised by the board as independent if it concludes that there is no
interest, position, association or relationship which, when judged from the perspective of a reasonable
and informed third party, is likely to influence or cause bias in decision-making in the best interests of
the company. Each case should be looked at individually and considered on a substance over form
basis. However, the following situations suggest that a non-executive director should not be classified as
independent. The director:
• is a significant provider of financial capital or ongoing funding to the company or is an officer,
employee or representative of such provider of financial capital or funding
• participates in a share-based incentive scheme of the company
• owns shares in the company, the value of which is material to the personal wealth of the director
• has been employed by the company as an executive manager during the preceding three financial
years or is a related party to such executive manager, for example spouse
• has been the designated (external) auditor for the company, or has been a key member of the external
audit team during the preceding three years
• is a significant or ongoing professional advisor to the company (other than as a director)
• is a member of the board or the executive management of a significant customer of, or supplier to
the company
• is a member of the board or executive manager of another company which is a related party to the
company
• is entitled to remuneration contingent on the performance of the company.
Note (a): Executive director: a director who is involved in the management of the company and/or is a full-
time salaried employee of the company and/or its subsidiary.
Non-executive director: a director who is not involved in the management of the company.
The role of the non-executive director is to provide independent judgment and advice/opinion on
issues facing the company (provide an “outsider’s” view). They are required to attend board and
board committee meetings to which they have been appointed.
Independent non-executive director: to be classified as independent, a non-executive director would
need to be regarded as such by a reasonable and informed third party.
Note (b): This Code’s recommended practice mirrors the Companies Act 2008, section 75 requirements
relating to a director’s personal financial interest in a matter to be considered at a meeting of the
board, but “widens the net” by requiring that any conflict of interest be declared. In terms of
King IV, a conflict of interest occurs when there is a direct or indirect conflict, in fact, or in
appearance, between the interests of the director and that of the company.
Note (c): If any of the above applies to the director, it does not mean he cannot be appointed as a
non-executive director; it simply means that he cannot be categorised as an independent non-executive
director.
Note (d): If a director has served as an independent non-executive director for nine years, he may continue
to serve categorised as independent but only if the board concludes, based on an annual assessment,
that the director “exercises objective judgement” and the board concludes there is no
interest, position, association or relationship which, when judged by a reasonable and informed
third party, is likely to influence the director unduly or cause bias in his decision-making. The
question here is whether an individual who has had a strong nine-year “link” with a company
can reasonably be seen to be independent of that company.
Note (e): King IV emphasises that the board must have a balance of skills, experience, diversity,
independence and knowledge of the organisation. It must be composed in a manner that enables
it to discharge its duties fully. King IV also makes the point that balance is not simply achieved
by having independent non-executive directors and executive directors. All directors are legally
required to act independently regardless of whether they are classified as executive, non-executive
or independent non-executive. “Balanced composition” means balanced in terms of skills,
experience, diversity, etc.
4. Disclosure. The following disclosures about the composition of the board should be made:
• whether the board is satisfied that the composition reflects the appropriate mix of knowledge, skills,
experience, diversity and independence
• the targets set for gender and race representation on the board and progress made against these
targets
• categorisation of each director as executive or non-executive
• categorisation of non-executive directors as independent or not – where an independent non-executive
director has been serving for longer than nine years, details of the board’s assessment and findings
regarding that director’s independence
• the qualifications and experience of the directors
• the length of service and age of directors
• reasons for removal, resignation or retirement of any director
• other directorships and professional positions held by each director.
Note (a): In terms of section 94 of the Companies Act, each member of an audit committee:
• must
– be a non-executive (King IV) director of the company, and
– satisfy any minimum qualifications the Minister may prescribe to ensure that the audit
committee taken as a whole comprises persons with adequate financial knowledge and
experience (see note (a) below).
• must not be
– involved in the day to day management of the company’s business or have been involved
at any time during the previous financial year, or
– a prescribed officer, or full-time executive employee of the company or another related or
inter-related company, or have held such a post at any time during the previous three
financial years, or
– a material supplier or customer of the company, such that a reasonable and informed
third party would conclude that in the circumstances, the integrity, impartiality or objectivity
of that member of the audit committee would be compromised
– a “related person” to any person subject to the above prohibitions.
Note (b): Regulation 42 requires that at least one-third of the members of a company’s audit committee
must have academic qualifications or experience in economics, law, accounting, commerce,
industry, public affairs, human resources or corporate governance.
Note (c): Section 94 is far more detailed and specific concerning the duties of a (statutory) audit committee.
The duties of an audit committee are to:
• nominate for appointment as auditor of the company, a registered auditor who, in the
opinion of the audit committee, is independent of the company
• determine the fees to be paid to the auditor and the auditor’s terms of engagement
• ensure that the appointment of the auditor complies with the provisions of this Act, and any
other legislation relating to the appointment of auditors
• determine the nature and extent of any non-audit services that the auditor may provide to the
company, or that the auditor must not provide to the company, or a related company
• preapprove any proposed agreement with the auditor for the provision of non-audit services
to the company
• prepare a report to be included in the annual financial statements for that financial year:
– describing how the audit committee carried out its functions
– stating whether the audit committee is satisfied that the auditor was independent of the
company, and
– commenting in any way the committee considers appropriate on the financial statements,
the accounting practices and the internal financial control of the company
• receive and deal appropriately with any concerns or complaints, whether from within or
outside the company, or on its own initiative, relating to:
– the accounting practices and internal audit of the company
– the content or auditing of the company’s financial statements
– the internal financial controls of the company, or
– any related matter
• make submissions to the board on any matter concerning the company’s accounting policies,
financial control, records and reporting, and
• perform such other oversight functions as determined by the board.
4. Performance evaluation. In terms of Principle 9, the board should evaluate the performance of the audit
committee. The board should determine the methodology and frequency (at least every three years) of
the evaluation.
5. Disclosure. In addition to any statutory disclosure requirements and the general disclosure requirements
relating to committees of the board (see page 4/27), there should be disclosures on:
• whether the audit committee is satisfied that the auditor is independent of the company with reference
to:
– the policy and controls that address the provision of non-audit services and the nature and extent
of non-audit services rendered
– how long the audit firm has served (tenure)
– audit partner rotation and significant management changes during the audit firm’s tenure that may
affect the familiarity risk between external audit and management
• significant matters that the audit committee has considered in relation to the annual financial statements
and how these were addressed by the committee, for example, contentious accounting policies,
the need to modify the audit report
• the audit committee’s view on:
– the quality of the external audit
– the effectiveness of the chief audit executive and the arrangements for internal audit
– the effectiveness of the design and implementation of internal controls
– the nature and extent of any significant weaknesses in the design, implementation or execution of
internal financial controls that resulted in material financial loss, fraud, corruption or error
– the effectiveness of the CFO and the finance function
– the arrangements in place for combined assurance and the committee’s views on its effectiveness.
4. Disclosure. The general disclosures as set out on page 4/27 pertaining to board committees should be
made in respect of the risk committee.
Note (a): The King IV Code recognises that companies operate in an increasingly volatile environment,
for example, constant change, developments in technology, civil protest and financial/economic
instability. The code addresses the fact that organisations need to strengthen their ability to
analyse complex situations, including the “not so obvious” risks (and opportunities) related to it.
Note (b): King IV also points out that risks and opportunities are closely related, and any form of risk
analysis should consider the associated opportunities.
2. The CEO should be responsible for leading the implementation and execution of approved strategy,
policy and operational planning and should serve as the chief link between management and the board.
3. The CEO should not be:
• the chairperson
• a member of the remuneration, audit or nomination committees, but should attend by invitation
(recusing himself when matters of personal interest arise) if needed to contribute pertinent information
and insights.
4. The CEO and the board should agree on whether the CEO takes up additional positions, including
directorships of other companies. Time constraints and potential conflicts of interest should be balanced
against the director’s professional development.
5. The board should ensure a succession plan for the CEO, for succession in an emergency and in the long
term.
6. Performance evaluation
• The board should evaluate the CEO’s performance against agreed performance measures and targets
at least once a year.
• The board should determine the methodology and frequency (at least once a year) of the evaluation
of the CEO.
7. Disclosure. The following should be disclosed in relation to the CEO:
• the notice period stipulated in the CEO’s employment contract and the contractual conditions
related to termination
• any other professional commitments which the CEO has, including any directorships outside the
company (group), and
• whether a succession plan is in place for the position of CEO, in terms of emergency or longer-term
succession.
Note (a): Risk and opportunity go hand in hand and are treated as a combination in terms of King IV.
Think of it like this: A pharmaceutical company has, as one of its strategic objectives, to expand
its markets into Africa. The outbreak of serious viruses, for example Ebola or Zika, and more
recently Covid-19, presents the company with an opportunity to develop a suitable vaccine or
treatment to counter the virus, but this will require significant investment in research,
development and manufacture of the drug. This poses risks for the company, for example, the
risk that the company will not find a cure or that another company will beat them to it; or the
risk that the company’s reputation will suffer because it will exploit the situation for commercial
gain. There are many risks that need to be identified and evaluated before the opportunity is
taken.
Note (b): The board should delegate to management the responsibility for designing, implementing and
monitoring the process of managing risk and opportunity and integrating it into the day to day
activities of the company; for example a second-hand car parts dealer needs to have processes
(controls and procedures) in place to ensure that the company is not buying and selling parts
from stolen cars; a chicken producer needs to have processes to minimise the risk of disease; a
retailer must have processes in place to minimise loss from bad debts.
• As can be seen from the point above, risks are very diverse, but management, led by the chief
executive officer, remains responsible for managing those risks (and opportunities).
• In larger companies, a chief risk officer (CRO) may be appointed to manage risk and
opportunity. He should have access to the board and regularly interact with it on strategic
matters.
Note (c): In the performance of their day-to-day activities, all staff members are faced with a level of risk.
For example, a worker on an assembly line may be exposed to significant health risks, and a
credit controller is exposed to the risk of overextending credit. Some risks are far more
significant than others, but management should attempt to inculcate, by training and
reinforcement, a culture of risk management. For example, the factory manager, foreman and
worker should ensure that the necessary protective clothing is worn and safety procedures are
followed to the letter.
Equally, a culture of identifying and following through on opportunities should be encouraged,
for example sales personnel may identify opportunities in the market, whilst a factory foreperson
or worker may identify an opportunity to reduce costs by changing an existing process.
Note (d): The board should oversee the adequacy and effectiveness of risk management, including:
• whether the existing fraud risk management policies and procedures are effective in
preventing, detecting and responding to fraud
• whether there are frameworks and methodologies to understand and deal with the probability of
anticipating unpredictable risks, for example collapse in the oil price
• in effect, this requires some “crystal ball gazing” by directors! The future is uncertain, and
any number of unexpected occurrences can severely affect a company’s sustainability. Such
occurrences can range from natural disasters, such as drought and flooding, to war and financial
collapse, and are frequently not predictable.
• However, directors are tasked with the duty to consider the sustainability of their companies,
and this principle requires that they keep abreast with political, physical, environmental,
economic, social, technological and trade trends. The company’s risk assessment process
should include sessions for directors at which the “unknown future” is analysed,
brainstormed and debated, possibly on a “what if” basis.
Note (f): Risk assessment and response. There are several frameworks for assessing risk which a company
might use. King IV is not prescriptive and does not provide such a framework. However, the
following paragraphs provide two simple frameworks which a company may use to assess risk
and which may give you a better understanding of the topic.
risk. In determining the severity/significance of the risk, the board (risk committee) may consider such
things as:
• the probability of the risk occurring
• the potential effect of the risk (on the six capitals)
• how effective a risk response might be
• the threat to solvency, liquidity, and going concern.
2. In assessing risk, the board (risk committee) may take into account, among other things:
• stakeholder risks: for example, what risks will a proposed expansion of the company pose for the
community in which the expanded business operation will occur, such as an increase in pollution,
increased crime, or loss of recreational land?
• reputational risks: for example, will the company suffer a loss to its reputation if it fails to support a
particular cause or does not take appropriate action against a director convicted of fraud?
• compliance risk: in relation to legislation that significantly affects the company, for example, what
risks arise for the company if it does not adequately implement the Companies Act requirements?
Does an agreement with a competitor in the same business amount to price-fixing?
• ethics risk: for example, will introducing a bonus scheme for sales employees based on sales increase
the risk of unethical selling practices by sales personnel?
• sustainability issues: for example, is the risk of loss of employees through HIV/AIDS on the increase?
What is the risk of causing environmental damage if the company undertakes a particular project?
• corporate social investment, employee equity, BEE, skills development and retention: for example, is
there a risk of losing valuable skills because of poor remuneration packages? Is there a risk that a
new employee promotion strategy will fail to satisfy employee equity requirements?
• financial risk: for example, is there a risk that a new venture will not generate sufficient cash flow to
sustain itself? Is there a risk of severe adverse currency fluctuations?
• A company may also choose to use the six capitals as a framework for assessing risk (and
opportunity), that is, consider risk in terms of the effect on the company’s financial, manufactured, human,
social and relationship, environmental and intellectual capitals.
3. Another framework for risk assessment may be to consider risk in the following categories:
• strategic risks: for example, the risks associated with adopting or changing company strategy, such as
the expansion of the manufacturing facility, entering a new market in a foreign country, or acquiring
another company
• operating risks: for example, risks relating to health and safety, and the environment, for a chemical
manufacturer
• financial risks: for example, the effect on cash flows should a company decide to move from a cash
sales basis to a credit sales basis, or the risk associated with committing the company to long-term
borrowing to finance an expansion
• information risks: for example, the risks associated with introducing electronic funds transfer for
payment of creditors, or a retail company deciding to introduce online trading (note, this could also be
classified as a strategic risk)
• compliance risks: for example, the risk that a business decision may result in significant breaches of
legislation relating to pollution, the environment, taxation, price-fixing, foreign exchange, fraud, etc.
• reputational risks, for example, as above.
Risk identification should not simply amount to risk committee members giving their opinions; it
should be a process that uses data analysis, business indicators, market information, portfolio analysis,
etc.
4. Once the risks have been identified, the board, risk committee and management should consider the
possible risk response options. Again, there are various models to respond to risk, but options will
normally include:
• avoid or terminate the risk by not commencing or ceasing the activity which creates the exposure to
the risk, for example, if the company can no longer tolerate the risk of doing business in a foreign
country, then close that business down
• treat, reduce or mitigate the risk, for example, exposure to the risk of foreign exchange losses may be
treated, reduced or mitigated by taking forward cover
• transfer the risk to a third party, for example, if the company considers that the proper maintenance
of its computer system, database, etc., is at risk, it may decide to outsource this responsibility.
Taking out insurance is a common method of transferring risk
• accept the risk, for example, if a transport company’s risk assessment reveals that a 100% increase in
the cost of diesel to say R25 a litre will seriously jeopardise its going concern ability, but that the risk
of this occurring is low, the company may simply decide to accept the risk, rather than perhaps
replacing its fleet of vehicles with more fuel-efficient vehicles
• exploit the risk, for example, where a retailer of expensive clothing anticipates loss of market share
due to the economic downturn, it may decide to introduce a range of cheaper clothing to regain its
market share. This amounts to identifying and following through on opportunities.
• integrate several of the options given above.
5. The board should consider the need to receive periodic independent assurance on the effectiveness of
the company’s technology and information arrangements.
6. Disclosure. The following should be disclosed about technology and information:
• an overview of the arrangements for governing and managing information and technology
• key areas of focus during the reporting period, for example, changes in policy, significant
acquisitions, response to major incidents
• actions taken to monitor the effectiveness of technology and information management and how
outcomes were addressed
• planned areas of future focus.
The notes to this section are included to provide you with a better understanding of the importance of
appropriate technology and information governance. They are based on King III and an initial draft of
King IV.
Note (a): It is not difficult to understand why technology and information governance is so important to
the modern-day business and why the associated risk is so vital to sustainable development.
Similarly, a company that does not take the opportunities offered by technology to develop its
business (or even keep up) will disappear. A bank that does not offer the latest computer-based
services, for example, electronic fund transfer, full internet banking, and ATMs, will lose
customers fast. Manufacturing companies may depend upon computers for inventory control,
production control and their entire integrated financial reporting system. An insurance company or
medical aid may have vast databases of confidential information which must not be
compromised in any way if, among other things, reputational and financial damage is to be avoided.
Note (b): In addition to the types of risks arising from the few examples given above, the costs of
installing, running and maintaining a sophisticated computerised system can be considerable;
there is, therefore, a risk that the company could be wasting money if costs are not properly
controlled.
All of this requires a process of information technology (IT) governance that should focus on:
(i) strategic alignment with the business and collaborative solutions, including a focus on
sustainability. This simply means that IT and the business are totally interlinked. IT cannot
“stand alone” and equally, the business operations depend upon IT. It is, therefore,
imperative that IT supports the objectives of the business and that IT and business
managers collaborate in solving problems and developing both IT and the business itself;
for example, a company that wishes to introduce trading over the internet cannot hope to
be successful without working with its IT department. Similarly, an IT department should
not be busy developing software that does not meet the needs of the business!
(ii) value delivery, optimising expenditure and proving the value of IT. The board should not
approve IT projects before a thorough cost/benefit analysis that demonstrates the value of
the IT project has been done. Once a project is up and running, it should be regularly
evaluated to determine whether the expected “return on investment” is being achieved
(iii) risk management, safeguarding IT assets, disaster recovery and continuity of operations
(iv) resource management, optimising knowledge and IT infrastructure. This means that part of
IT governance is ensuring that maximum (optimal) benefit is gained from the use of the IT
resources which the company has at its disposal.
Note (c): The responsibility for implementing policy and for embedding it into the day-to-day, medium-
and long-term decision-making, activities and culture of the company should be delegated to
management; for example, an IT steering committee may be formed, and a chief information
officer (CIO) appointed to interact regularly with the board on strategic and other matters.
Note (d): The board should oversee the adequacy and effectiveness of the technology and information
management, including:
(i) exploitation of (making use of) opportunities offered by technology and digital developments,
for example, social media for communicating with customers, developing company-
specific apps for smartphones
(ii) ethical and responsible use of technology and information, for example, selling customer
information, or bombarding customers with unwanted or undesirable advertising on
cellphones
(iv) whether management manages information in a manner that increases the intellectual
capital in the company, for example analysing data and making use of Internet search
engines to obtain the latest information
(v) the integration of people, technology, information and processes within the company and
its environment; for example, the ongoing assessment of return on investment in
technology or an investment in a new inventory control system
(vi) compliance with relevant laws, for example, laws relating to electronic trading and privacy
of information.
Note (e): The board should oversee the management of cyber-security risks:
(i) Cyber-security risks should be integrated into risk and opportunity management.
(ii) Responsibilities for cyber-security should be delegated to competent and capable
individuals expert in cyber-security. (Cyber-security is of paramount importance to the company
and therefore should be of paramount importance to the board. Substandard cyber-security
threatens virtually all aspects of a large company and can pose a significant threat to the
company’s sustainable development, reputation and financial well-being.)
(iii) Management of cyber-security should include a cyber-security plan that has:
• the technical tools for defence against, for example, hacking of the data on the system
• training, education, and actions to create a culture where employees are alert to cyber-
security risks and proactive in raising concerns.
(iv) Critical IT-related events and incidents, for example, attempted hacking, must be
monitored to assist with preventing and detecting cyber breaches. This should be combined
with an ongoing revision of cyber-security policy based on external (and internal)
developments, for example, the emergence of new viruses.
(v) A continuity and disaster recovery plan must be implemented and maintained.
(vi) There should be a periodic formal review of the adequacy and effectiveness of the company’s
technology and information management.
Note (f): Information security has three components:
• confidentiality: information should be accessible only to those authorised to have access
• integrity: the accuracy and completeness of information and processing must be safeguarded
• availability: authorised users have access to information when required.
Note (g): Sound cyber-security contributes, for example:
• to building trust between the company and its business partners, customers and employees;
for example, if weaknesses in IT security in an online trading company such as Amazon or
Takealot result in confidential information about registered customers becoming freely
available, customers will simply not be prepared to use the site. Without this trust, new
business strategies attempted by the online trading company are unlikely to succeed.
• sustaining normal business operations: for example, if a company’s system “crashes” frequently
and users cannot get information, the company will lose business. If your bank is frequently
offline you are eventually going to look for a new bank. If you cannot access an online
trading store, you are going to search for another store.
• avoiding unnecessary costs: brought about by failures in cyber-security. This is similar to the
previous benefit but perhaps less obvious. For example, breaches in confidentiality could lead
to litigation (very costly) and/or the need to spend money on repairing the reputational
damage (marketing campaigns, etc.) which such litigation often brings.
• meeting compliance requirements: companies must comply with the law in numerous ways, for
example, a company must pay VAT. If the process of recording VAT is not secure and the
database on which the VAT information is stored is not safeguarded, the amount of VAT
indicated as payable may be inaccurate and incomplete or may not be available at all.
These are just a few examples of the importance of cyber-security but should be sufficient to illustrate its
major importance.
Chapter 4: Corporate governance 4/41
responsible remuneration is now seen as a corporate citizenship matter, and King IV recommends that
it be overseen by the social and ethics committee in collaboration with the remuneration committee.
King IV also recommends extended remuneration disclosures (in a prescribed format), which
supplement the disclosure requirements of the Companies Act 2008.
2. The recommended practices are covered in the following subsections:
Remuneration policy
Remuneration report
(i) background statement
(ii) overview of the policy
Implementation report
Voting on remuneration
3. Bear in mind that in terms of King IV, the company should have a remuneration committee:
• the chairperson should be an independent non-executive director
• all members should be non-executive directors, the majority of whom should be independent.
4. Also, bear in mind that section 30 of the Companies Act 2008 requires full disclosure of directors’ (and
prescribed officers’) remuneration to be made in the annual financial statements of each company
required by the Act to have its financial statements audited.
Recommended practices – Remuneration policy
1. The board should assume responsibility for the governance of remuneration by setting the direction for
how remuneration should be approached and addressed on an organisation-wide basis.
2. The board should approve a policy that articulates and gives effect to its direction on fair, responsible
and transparent remuneration.
3. The remuneration policy should be designed to achieve the following:
• attract, motivate, reward and retain human capital
• promote the achievement of strategic objectives
• promote positive outcomes
• promote an ethical culture and responsible corporate citizenship.
4. The remuneration policy should specifically provide for:
• ensuring that the remuneration of executive management is fair and responsible in the context of
overall employee remuneration in the company
• the use of performance measures that support positive outcomes across the economic, social and
environmental context and/or all the capitals the company uses or affects
• voting by shareholders on the remuneration policy and implementation report.
5. All elements of remuneration and the mix of these should be set out in the remuneration policy,
including:
• basic salary, plus financial and non-financial benefits
• variable remuneration, including short- and long-term incentives
• payments on termination of employment or office
• sign-on, retention and restraint payments
• commissions and allowances
• fees of non-executive directors.
6. The board should oversee that the implementation and execution of the remuneration policy achieve
the policy’s objective.
Recommended practices – The remuneration report
1. The background statement. This should briefly provide the context for remuneration considerations and
decisions with reference to:
• internal and external factors that influenced remuneration, for example, the need for specialist skills,
and remuneration levels in the industry
• the most recent results of voting on the remuneration policy and the implementation report and the
measures taken in response to it
• the focus areas of the remuneration committee, and any substantial changes to the remuneration
policy, for example, a project focused on devising and implementing a fair incentive scheme for all
grades of employee
• whether remuneration consultants have been used and whether the remuneration committee is
satisfied that they were independent and objective
• the opinion of the remuneration committee on whether the implementation of the policy has
achieved stated objectives, for example, the retention of talented individuals
• future areas of focus, for example, pre-empting remuneration issues relating to a potential skills
shortage in the medium term.
2. Overview of the remuneration policy. The overview should address the policy’s objectives and how the
policy seeks to accomplish these. The overview should include the following:
• the remuneration elements (for example, basic salary and commissions) and design principles (e.g.
mix, tax efficiency) driving and influencing the remuneration for executive management and other
employees
• details of obligations in executive employment contracts which could give rise to payments on
termination of employment or office; for example, a director being compensated for loss of office if a
change in business strategy makes his position as a director redundant
• a description of the framework and performance measures used to assess the achievement of
strategic objectives and positive outcomes
• an illustration of the potential consequences on total remuneration for executive management of
applying the remuneration policy under minimum, on-target and maximum performance outcomes;
for example, if performance outcomes exceed targets, what the potential increase in remuneration
is expected to be
• a statement of how fairness and responsibility were achieved in employees’ remuneration in relation
to executive directors and vice versa
• for non-executive directors, the basis of computation of fees, for example, could be based on the
skills the non-executive director brings to the board or could be an appropriate attendance fee
• justification for using benchmarks; for example, for performance evaluation or setting remuneration
in terms of industry norms
• a reference (electronic link) to the company’s full remuneration policy for public access.
voting rights exercised. Such measures should provide for taking steps in good faith and with best
reasonable effort towards at least:
• an engagement process to ascertain the reasons for the dissenting vote
• appropriately addressing legitimate and reasonable objections and concerns raised.
4. In the event that either or both the policy or report are voted against by 25% or more of the voting rights
exercised, the following should be disclosed in the background statement of the remuneration report for
the following year:
• with whom the company engaged, and the manner and form of the engagement to ascertain the
reasons for dissenting votes
• the nature of steps taken to address legitimate and reasonable objections and concerns.
Note (a): A non-binding advisory vote takes place when the directors ask the shareholders to endorse, for
example (in this case) the remuneration policy. If the shareholders do not approve the resolution
(endorse the policy), the vote is not binding on the directors, in other words, they do not have to
change the policy, but they should “be advised” that the shareholders are not satisfied. This
should obviously be taken into account by the remuneration committee in setting future policy.
Note (b): In terms of King IV, in the event that either or both the remuneration policy or the implementation
policy are voted against by 25% or more of the voting rights exercised, the remuneration
committee should proactively address the shareholders’ concerns. The remuneration committee
should ensure that there is disclosure in the following year of the steps that were taken to address
shareholders’ concerns and of the nature of the engagement with the shareholders, for
example, meetings, questionnaires, etc., and their outcomes.
Note (c): When evaluating the performance of the remuneration committee (and considering
re-appointments to the committee), the board should consider the results of any non-binding advisory
votes and the committee’s subsequent actions, for example, the rejection of the policy by a
majority of the shareholders is a strong indication that the remuneration committee is not doing
its job!
4.2.4.5 Assurance
Principle 15. The board should ensure that assurance services and functions enable an effective control
environment and that these support the integrity of information for internal decision-making and of the
organisation’s external reports.
This principle is dealt with in the King IV Code in three sections:
• Combined assurance
• Assurance of external reports
• Internal audit
• the organisation’s specialist functions that facilitate and oversee risk management and compliance
• internal auditors, internal forensic fraud examiners, safety assessors, etc.
• independent external assurance service providers, for example external auditors
• other external assurance providers, for example, environmental auditors, and external actuaries
(who provide assurance with regard to pension liabilities)
• regulatory inspectors, for example health and safety inspectors.
5. The board and its committees should assess the output of the organisation’s combined assurance with
“objectivity” and “professional scepticism” and, by applying an enquiring mind, form their own
opinion on the integrity of information and reports and the effectiveness of the control environment.
Note (a): The concept of the combined assurance model was introduced into corporate governance by
King III. Perhaps think about it like this: providing assurance means adding credibility to
something. Ultimately a stakeholder using reports and other information disclosed by the company
wants to be satisfied (assured) that the information is reliable and can be “believed”. For
example, the company’s bank wants assurance that the company’s annual financial statements
are fairly presented, so they require externally audited financial statements. Similarly, a director
who is required to issue a report to the local community on the environmental impact of a
proposed mining operation will want to be assured that the information he is passing on to the
community is reliable and factually correct. He wants to be sure that the risks (and opportunities)
related to the project have been carefully and reliably assessed by the risk committee and that
any environmental impact reports have been “audited” by suitably qualified company personnel
such as geologists and engineers. The board itself will want to be satisfied (assured) that the
external audit has been efficiently and effectively carried out and that the internal audit function is
achieving its objectives. This assurance is obtained by appointing an audit committee to oversee
these two assurance providers. At a lower level, line managers, section heads, etc. want
assurance that the information they are receiving and on which they base their decisions is
reliable. Much of this information is provided by the internal control system. If the system is
properly designed and appropriate control activities are implemented (e.g. approval and
authorisation), line managers and section heads gain some assurance that the information on which
they are basing their decisions is valid, accurate and complete. However, do they and others
such as the directors, not want assurance that the internal control system is operating as it
should? Yes, they do, and this assurance is going to be provided by the internal and external
audits which are likely to “test” the system, and possibly by the risk committee to ensure that the
system addresses any relevant risks adequately. There are any number of decisions being taken
in a large company by many individuals and committees on a wide variety of matters. The
combined assurance model attempts to intertwine the various levels of assurance to provide all
decision-makers with information that they believe can be relied upon when making decisions.
4. Disclosure. External reports should disclose information about the type of assurance process applied to
each report in addition to the independent external audit opinions required in terms of legislation. This
information should include:
• a brief description of the nature, scope and extent of the assurance functions, services and processes
underlying the preparation and presentation of the report
• a statement by the board on the integrity of the report and the basis for this statement.
Note (a): As we have seen, the board of a company will want to ensure that reports issued by the company
have integrity. This means that the reports are reliable (i.e. valid, accurate and complete) and
useful (i.e. the reports reflect relevance, consistency and measurability). Users also want to be
appropriately assured of a report’s integrity. However, assurance cannot be given without
providing some set of standards against which the assurance is measured. In the case of annual
financial statements, this is reasonably straightforward – an external auditor provides assurance
that the financial statements are fairly presented in terms of the reporting standards of IFRS and
the requirements of the Companies Act 2008. The auditor also knows what he is required to do
to be in a position to give that assurance, namely that he must comply with the auditing
standards. For other reports, such as an environmental report or a report on the company’s social
responsibility performance, there may be no overriding standards/criteria that must be complied
with. Thus the audit committee is tasked with “applying its mind to assurance requirements over
reports” and how “overseeing of assurance provided” will be carried out.
• The board should have primary responsibility for the removal of the CAE.
• The board should obtain annual confirmation from the CAE that the internal audit conforms to the
profession’s code of ethics.
6. The board should monitor, on an ongoing basis, that the internal audit:
• follows the approved risk-based internal audit plan
• reviews the organisational risk profile regularly and proposes adaptations to the audit plan
accordingly.
7. The board should ensure that the internal audit provides an annual overall statement about the
effectiveness of the company’s governance, risk management and control processes.
8. The board should ensure that an external, independent quality review of the internal audit function is
conducted at least once every five years.
Note (a): King IV confirms that the internal audit plays a pivotal role in corporate governance, and that an
internal audit function should strive for excellence. Change, the complexity of business,
organisational dynamics and a more stringent regulatory environment require that (large)
companies maintain an effective internal audit function.
Note (b): Internal audit services may be provided by a department within the company itself, or may be
outsourced; for example, many large auditing firms provide internal audit services to non-audit
clients.
Note (c): The internal audit’s key responsibility is to the board through the audit committee. It assists the
board in discharging its governance responsibilities by:
• performing reviews of the company’s governance process, including ethics
• performing an objective assessment of the adequacy and effectiveness of risk management
and internal controls
• systematically analysing and evaluating business processes and associated controls
• providing a source of information regarding fraud, corruption, unethical behaviour and
irregularities.
Note (d): The internal audit function should adhere to the Institute of Internal Auditors Standards for the
Professional Practice of Internal Auditing and Code of Ethics.
Note (e): The audit committee should ensure that the internal audit:
• brings a systematic, disciplined approach to its function which results in
• an ongoing improvement to risk governance and the control environment.
Note (f): The audit committee should ensure that the internal audit follows a risk-based internal audit plan.
• A compliance-based approach to internal audit sets out to determine whether or not the company
is complying sufficiently with internal controls and other rules and regulations. This
was not regarded as sufficiently productive by King III and the recommendation (which has
been confirmed by King IV) was that internal audit be risk based, that is, that the internal
audit function gains a thorough understanding of the risks which the business faces as well as
considering whether there are risks which have not been identified, and then conducts tests to
determine that an appropriate risk management process is in place and being properly
conducted. This does not mean that there will be no “internal control or other compliance
testing”. This will still occur as part of the overall function of the internal audit.
• A risk-based audit approach to internal audit (as opposed to a compliance-based approach)
should be adopted. An audit plan should be developed and discussed with the audit committee.
The plan should:
– address the full range of risks facing the company; for example, strategic, operational,
financial, ethical, fraud, IT, human and environmental
– identify areas of high priority, the greatest threat to the company, risk frequency and
potential change
– indicate how assurance will be provided on the risk management process and how the
plan reflects the level of maturity of the risk management process. Note: The more mature
(developed, effective, and well-implemented) the risk management process, the more
comprehensive the plan can be – it is very difficult to give assurance on an immature risk
management process
– have any changes to it timeously approved/ratified by the audit committee.
Note (g): The CAE will set the tone of the internal audit function and should have at least the following
attributes:
• strong leadership
• command respect for his competence and ethical standards
• be a strong communicator, facilitator, influencer, networker and innovator
• have a practical approach
• be able to think strategically and have strong business analysis skills.
Note (a): Stakeholders in a company go well beyond the obvious, for example shareholders and employees.
Stakeholders are any group that can affect or be affected by the company, and include shareholders,
employees, creditors, lenders, suppliers, customers, regulators, the media, analysts, the
community in which the company may operate, etc. A company does not operate in a vacuum –
it is a widely interactive entity. The board should therefore identify stakeholders to ensure that
they are accommodated in the reporting process.
Note (b): A particular stakeholder group’s effect on the company may be direct or indirect. For example, it
is reasonably obvious that a long-term strike will directly affect the operations of the company
(and hence sustainability); it is less obvious that there may be an indirect negative effect on the
reputation of the company (perceived to be a poor employer), which may also affect its ability to
create value sustainably because it cannot attract quality staff.
Note (c): The stakeholder-inclusive corporate governance approach aims to manage the relationship
between a company and its stakeholders. Such an approach will have a good chance of
enhancing stakeholder confidence, relieving tensions and pressures, enhancing/restoring the
company’s reputation, and aligning differing expectations, ideas and opinions on issues. This
increases social and relationship capital.
Note (d): Managing stakeholder relations should be proactive. It is mainly about communication (and
constructive engagement), which may be formal (AGM, meetings with regulators) but can also take
place through informal processes, such as social functions, websites, media, “feedback” sessions
to the community, employees, etc.
Note (e): Essentially, this principle requires that companies promote positive, constructive stakeholder
activism. Obviously, the board needs to act in the company’s best interests and must guard
against activism that seeks to damage the company’s operations or reputation. For example, a
disgruntled journalist may seek to damage the company by constant negative reporting. The
board will need to react carefully to this to ensure that the journalist’s cause is not strengthened
by, for example, aggressive personal attacks in the media on the journalist.
Note (f): The major stakeholders and the underlying factors on which the relationships with these
stakeholders should be built are as follows:
Suppliers: • It is in the company’s interest to have stable suppliers who supply products
or services of the necessary quality at an acceptable price when required.
• This is especially important for suppliers of strategic products or services; for
example, a sugar milling company is entirely reliant on its transport supplier
to deliver sugar cane to the mill if it has outsourced this function. Equally,
the transport company will have invested heavily in capital expenditure and
needs the contract with the sugar milling company to remain in business.
• A mutually beneficial relationship contributes to the sustainability of both
companies.
Creditors: • These are stakeholders to whom the company owes money. The company
should be mindful that creditors, if not paid, have the power to have business
rescue processes imposed on the company and, in more severe situations,
have the company liquidated.
• Creditors should be managed accordingly, paid on time at the correct
amount. Payment terms should be fair to both parties.
• Creditors are usually suppliers either of goods, services or finance and a
mutually beneficial relationship should be developed. For example, a
supermarket chain should not push its payment terms for smaller suppliers to
120 days when they should be 60 days, just because it has the power to do
so, knowing that the small supplier depends on the supermarket chain.
Employees: • Employees are arguably the most important asset the business has and are
very often the difference between successful and unsuccessful businesses.
• Companies should engage their employees in improving the business,
ensuring that employees at all levels benefit from the improvement: for
example, incentive schemes, bonuses, etc.
• The company should also ensure that employees can develop their potential
and capabilities by providing training, a healthy and safe working
environment and the opportunity for employees to advance in the company.
• Proper leadership, which includes strong communication with employees, is
essential. Failing to manage employees properly may result in low morale,
poor productivity and work quality, strikes, “go-slows”, or even sabotage.
Good quality staff may be difficult to recruit and keep in the business.
Government: • Although perhaps not obviously, government is very much a stakeholder.
• A company should abide by the laws of the land and pay taxes due by it in
whatever form the tax may be; for example, normal tax, VAT, import duties,
etc. Where a company is required to comply with withholding tax
provisions, it should do so.
• All employees who deal with government (including local and provincial)
and civil servants at any level should:
– act in a manner which promotes mutual respect and co-operation
– not engage in any form of corruption with government at large or any
civil servant.
• Companies should not give “major gifts” to politicians or other government
officials and should consider carefully whether it is appropriate to make
financial contributions to political parties or similar groupings.
External auditors: • The company should not view the external audit function as an unnecessary
cost or threat to, or imposition on, management.
• There is little doubt that a properly conducted external audit is of real value
to a company. It adds significant credibility to the financial statements and is
an integral independent element of the combined assurance model. The audit
may also be an early warning system of pending problems.
• Essentially, the external auditor is appointed by and accountable to the
shareholders, but in reality he indirectly benefits all stakeholders.
• External auditors work mainly with management and the audit committee,
and company policy should promote co-operation between the parties, a free
flow of information and an appreciation of the independence requirements of
external audit.
Consumers/customers: • The saying “the customer is king” has a great deal of truth to it. Without
customers, the company is not sustainable – it cannot create value.
Customers using the company’s products and services can range from
individuals to government to large corporations.
• For customers to respect a company, the company:
– should market responsibly; for example, not glorify products that can
be harmful to health, such as cigarettes, alcohol, certain food products
– should communicate product information; for example, content breakdown
on foodstuffs, and safety precautions for electrical products
– should not sell products that, for example, are harmful to the environment,
customers’ health or that have been manufactured in labour
“sweatshops” or under other adverse situations
– should price goods fairly and in line with the quality of the goods.
Industry: • A company’s sustainable development and value creation are dependent on
other entities within its sphere of operations. A company should therefore
acknowledge its responsibility to its industry as a whole.
• To achieve this, a company should participate in or facilitate forums to
address industry risks and opportunities, and most industries have such
bodies.
– complies with standards and processes for developing content and sharing (disseminating)
it: for example, approval of information to be sent out to stakeholders
– provides for gathering and analysis of information from relevant communication platforms
to assess reputational risk and formulate responses; for example, following
industry-related blogs and public reaction sites such as Twitter
– includes a plan for addressing communication in crises, like a bank having its system
hacked
• it facilitates the measurement of the quality of stakeholder relationships
• it facilitates a dispute resolution mechanism as part of the terms and conditions of the company’s
contractual arrangements with employees and other stakeholders.
Note (h): Dispute resolution. Dispute resolution is an essential aspect of stakeholder relationships. Disputes
can be internal (e.g. with an employee or shareholder) or external (e.g. with a supplier,
customer, local community), and are simply a part of “doing business”. Obviously, disputes can
be taken to court, but this is generally costly and time-consuming.
• In terms of the six capitals model, relationships are a form of capital and King IV makes the
point that a dispute resolution process should be regarded as an opportunity, not only to
resolve the dispute at hand, but also to maintain and enhance the social and relationship
capital of the company.
• It is recommended practice that the board sets up mechanisms/processes to resolve disputes,
for example, where a dispute arises with an employee, there must be a laid down procedure
for that employee and the company to follow. Where there is a dispute (e.g. unlawful strike)
with a labour union, an established legal procedure must be followed and the company must
have processes in place to adhere to that procedure.
• Alternative dispute resolution (ADR) is now a widely accepted practice (and considered to be
“good corporate governance”) that involves the parties to the dispute taking the matter to
arbitration, adjudication or mediation. This essentially amounts to a party independent of the
disputing parties hearing both sides of the dispute and “presenting a finding or solution”.
Note (i): The Companies Act 2008 recognises the principle of ADR for disputes arising out of Companies
Act provisions. See section 156 and related sections.
• The directors should select a dispute resolution method that best serves the interests of the
company. For example, going to court, arbitration or adjudication results in a judgment,
whereas mediation or conciliation allows the disputing parties and an impartial and neutral
third party to work together to resolve their dispute. This implies a settlement agreement
rather than a handed down judgment.
• In deciding on which dispute resolution method to follow, the board should consider at least
the following factors:
– Time available to resolve the dispute – court proceedings can continue for years with
postponements, appeals, etc. ADR can be concluded more promptly. It is usually in
the interests of the disputing parties to resolve the matter speedily.
– Principle and precedent – where the company wants a binding decision on an important
matter of principle which will result in a precedent for any future disputes, court action
is likely to be more suitable.
– Business relationships – ADR, especially mediation/conciliation, is normally far more
“friendly” than court proceedings. It is important to maintain good business
relationships (sustainability) and mediation/conciliation is more likely to contribute to
the continuation of good business relationships.
– Expert recommendations – where the parties do not wish to go to court, but do not have
the necessary expertise to devise a solution, an expert may be required to facilitate a
solution. (This constitutes conciliation.)
– Confidentiality – where confidentiality for the disputing parties is very important, ADR
may be more suitable, as dispute resolution proceedings may be conducted in confidence.
– Rights and interests – as indicated in the point above, court proceedings, arbitration and
adjudication result in the decision-maker (e.g. judge) imposing a resolution of the dispute
on the parties based on the principles and rights applicable to the dispute. This will
usually result in a narrow range of outcomes. Mediation and conciliation allow the
parties a level of flexibility, innovation and creativity in fashioning a mutually beneficial
solution.
For example: A court decision regarding a breach of contract between a company and
its major supplier might impose a significant financial penalty on the supplier, which
would be detrimental to the supplier and the business relationship between the two
parties. Mediation or conciliation on the same dispute could result in no financial
penalty but an agreement by the supplier to change its pricing policy and have the
contract between the company and supplier redrafted.
– Empowerment of participants – if mediation or conciliation is to be promptly and
successfully concluded, the personnel involved must be given the necessary powers to
act.
• The success of ADR is mainly dependent on the willingness of the parties to resolve the
dispute. Obviously, presentation skills, a thorough knowledge of the dispute’s subject matter
and a professional approach are prerequisites. Those who fall short of the “will and
capacity” to resolve the dispute should be excluded. Thus the board should select the
appropriate individuals to represent the company in ADR.
• As discussed earlier, it is becoming more and more common for companies to include an
“alternative dispute resolution” clause in business contracts. This clause essentially commits
both parties to ADR in the event of a dispute. It is interesting to note that the ADR clause
recommended by the Institute of Directors and the Arbitration Foundation of South Africa
includes the phrase “the parties (to the dispute) shall seek an amicable resolution to such
dispute . . . ”. This will depend mainly on the attitude and will of the participants.
4.2.5 Appendix 1
The 17 principles of the King IV Code and a brief summary of what the recommended principles cover
(Note: This has been compiled in the context of a company.)
(Each principle is followed by a summary of what the recommended practices cover.)

Principles: Leadership, ethics and corporate citizenship

1. The board should lead ethically and effectively.
    1.1 Characteristics which the directors should cultivate and exhibit to lead ethically and effectively.

2. The board should govern the ethics of the company in a way that supports the establishment of an ethical culture.
    2.1 Setting and approving codes of conduct.
    2.2 Communicating codes of conduct to stakeholders (including employees).
    2.3 Overseeing whether the desired results of managing ethics are being achieved.
    2.4 Disclosure requirements relating to organisational ethics.

3. The board should ensure that the organisation is and is seen to be a responsible corporate citizen.
    3.1 Overseeing that the company’s core purpose and values, strategy and conduct are congruent with responsible corporate citizenship in relation to:
        • the workplace
        • the economy
        • society
        • the environment.
    3.2 Disclosure in relation to corporate citizenship.

Principles: Strategy, performance and reporting

4. The board should appreciate that the company’s core purpose, its risks and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process.
    4.1 The factors against which the strategy should be measured/challenged before approval.

5. The board should ensure that reports issued by the company enable stakeholders to make informed assessments of the company’s performance and its short-, medium- and long-term prospects.
    5.1 Determining the reporting frameworks to be used.
    5.2 Complying with legal requirements and meeting the information needs of material stakeholders.
    5.3 Annual issue of an integrated report.
    5.4 The integrity of external reports.
    5.5 Materiality for the purposes of deciding what should be included in external reports.

Principles: Governing structures and delegation

6. The board should serve as the focal point and custodian of corporate governance in the company.
    6.1 How the board exercises its leadership role.
    6.2 Creating a board charter.
    6.3 External professional advice protocols.
    6.4 Disclosures in relation to the board’s role and responsibilities.

7. The board should comprise the appropriate balance of knowledge, skills, experience, diversity and independence for it to discharge its governance role and responsibilities objectively and effectively.
    7.1 Composition of the board
        • factors in determining the number of directors; for example, mix of knowledge, skills, diversity
        • non-executive/independent non-executive directors
        • rotation and succession
    7.2 Nomination, election and appointment of directors to the board.
    7.3 Independence and conflicts:
        • factors to consider when classifying a director as an independent non-executive director.
    7.4 Disclosure of the composition of the board.
    7.5 Disclosure of the composition and the lead independent non-executive director’s:
        • role and responsibilities
        • membership and positions on board committees
        • succession plans.
    7.6 Disclosures relating to the chair.

8. The board should ensure that its arrangements for delegation within its own structures promote independent judgement, and assist with the balance of power and the effective discharge of its duties.
    8.1 Delegation to, and formal terms of reference for, board committees.
    8.2 Roles, responsibilities and composition of:
        • audit committees
        • nomination committees
        • risk-governance committees
        • remuneration committees
        • social and ethics committees.
    8.3 Disclosures relating to committees both general and specific.

9. The board should ensure that the evaluation of its performance and that of its committees, its chairpersons and its individual members, support continued improvement in its performance and effectiveness.
    9.1 Who should conduct the evaluations.
    9.2 Frequency of evaluations.
    9.3 Disclosure in relation to the evaluations.

10. The board should ensure that the appointment of, and delegation to, management contribute to role clarity and the exercise of authority and responsibilities.
    10.1 The appointment of a chief executive officer:
        • role and responsibilities
        • membership and positions on board committees
        • additional professional positions
        • succession plans.
    10.2 Disclosure relating to the CEO.
    10.3 Delegation of powers and authority to management.
    10.4 Key management functions.
    10.5 Company secretary/corporate governance professional:
        • appointment and removal
        • access and independence
        • authority and powers
        • qualities
        • evaluation.
    10.6 Disclosure relating to the position.

11. The board should govern risk in a way that supports the company in setting and achieving its strategic objectives.
    11.1 Setting and approving risk strategy/policy.
    11.2 Risk appetite/loss tolerance.
    11.3 Overseeing whether the desired results of managing risk are being achieved.
    11.4 Disclosures relating to risk and opportunity.

12. The board should govern technology and information in a way that supports the company setting and achieving its strategic objectives.
    12.1 Setting and approving technology and information risk strategy/policy.
    12.2 Overseeing whether the desired results of technology and information technology management collectively, and of its two components separately, are being achieved.
    12.3 Disclosures relating to technology and information.

13. The board should govern compliance with applicable laws and adopted non-binding rules, codes and standards in a way that supports the company being ethical and a good corporate citizen.
    13.1 Setting and approving compliance policy.
    13.2 Delegating compliance management to management.
    13.3 Overseeing whether the desired results of managing compliance are being achieved.
    13.4 Disclosures relating to compliance.

14. The board should ensure that the company remunerates fairly, responsibly and transparently so as to promote the achievement of strategic objectives and positive outcomes in the short-, medium- and long-term.
    14.1 Setting and approving remuneration policy.
    14.2 The objectives of a remuneration policy.
    14.3 Elements of remuneration to be included in the policy.
    14.4 The Remuneration Report must contain:
        • a background statement
        • an overview of the remuneration policy
        • an implementation report.
    14.5 Voting on remuneration.

15. The board should ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and the organisation’s external reports.
    15.1 Delegation to the audit committee.
    15.2 The combined assurance model.
    15.3 Different categories of assurance service-providers and functions.
    15.4 Objectivity and scepticism in the assessment of assurance.
    15.5 The integrity of external reports.
    15.6 Disclosures relating to the nature, scope and extent of the assurance process applied to each report.
    15.7 The internal audit must show:
        • delegation to the audit committee
        • an approved charter (role and responsibilities)
        • provision of skills and resources to the IA
        • details of the chief audit executive’s:
            – appointment, remuneration, removal
            – lines of reporting, access and independence
        • a risk-based internal audit plan
        • an annual statement on the effectiveness of control processes
        • quality review of internal control.
    Note: Internal audit disclosures are covered under audit committees.

16. In the execution of its governance role and responsibilities, the board should adopt a stakeholder-inclusive approach that balances the needs, interests and expectations of material stakeholders with the best interests of the company over time.
    16.1 Setting and approving a policy for stakeholder relationships.
    16.2 Delegation to management.
    16.3 Overseeing whether the desired results of stakeholder relationship management are achieved.
    16.4 Disclosures relating to stakeholder relationships.
    16.5 Shareholder relationships.
    16.6 Relationships within a group.

17. The board of an institutional investor should ensure that responsible investment is practiced by the company to promote good governance and the creation of value by the companies in which it invests.
    17.1 Setting, approving and implementing a policy for responsible investing.
    17.2 Disclosure of the responsible investment code.

CHAPTER 5
General principles of auditing
CONTENTS
5.1 The system of internal control
5.1.1 Introduction
5.1.2 Limitations of internal control
5.1.3 The system of internal control (ISA 315 (revised 2019) para 12)
5.1.4 Components of the system of internal control (ISA 315 (revised 2019) para 12)
5.1.5 The system of internal control in more/less complex entities (scalability)
5.1.6 The external auditor’s interest in the entity’s system of internal control
• most of the time, ordinary employees are responsible for executing the internal control procedures, for
example, signing a document, issuing a receipt, or reconciling an account, and the success of the control
procedure will depend on them. In addition, ordinary employees often have a far better understanding
of their functions and may be well placed to participate in the risk assessment process. Many companies
have “suggestion box” schemes that reward employees for coming up with better ways of doing things,
including improvements to the entity’s internal control system.
You will probably have realised already that an entity’s internal control system is not one hundred percent
foolproof and that there is no single control that neatly addresses each identified risk. Internal control
policies and procedures are fallible and work best in combinations.
If we further consider the examples given under 5.1.1.1, providing you with a student identity card to
address a security risk is of little value if the issue of the ID cards is not strictly controlled, or if your card is
not used in the process of entering the library. Either a security guard must compare you to the photograph
on your identity card or you should have to scan your card through an access turnstile. Again, these controls
on their own may also be ineffective – the security guard may not do his job properly, or you might
give your ID card to a non-student friend! Concerning the PIN, someone may obtain your PIN illegally or
you may give it to somebody. Even if the cashier gives you a receipt for that purchase, it will be of no use
unless a record of the sale, which the cashier cannot alter, is kept, and an individual, other than the cashier,
reconciles the actual cash on hand with the record of sales for the day.
Of course, management could pile one internal control procedure on top of another, for example, employ
two security guards checking every student’s ID card at the library. However, this would be expensive and
probably counterproductive to the smooth operation of the library, and would still not be foolproof!
5.1.2.1 Limitations due to human judgement in decision making and human error
This includes errors in the design of a control, and errors due to the person implementing or reviewing the
control not understanding the control, or failing to take appropriate action. Management also applies
judgement in the design, change and implementation of controls relating to the risk they choose to assume.
For example:
• Management may choose to implement controls based on available resources and make judgements to
cut costs.
• Management designs controls to address certain risks identified. If they misidentify these risks or incorrectly
implement controls that adequately address the identified risks, the implemented controls will be
ineffective.
• Management may decide to direct controls mainly onto routine transactions; for example internal
controls to record the sale of the company’s normal trading inventory will have been designed around
the receipt of a customer order, a picking slip (a document used to select goods from stores to fill the
order) and a delivery note. The documents will result in an invoice being made out. Occasionally a
company may sell a non-trading item, such as old company furniture or an old vehicle and in this situation,
it is unlikely that there will be a customer order, a picking slip (the item being sold is not picked
from stores) or a delivery note. Hence there is a risk that the sale will not be raised (entered in the
records), as it is a non-routine transaction.
• The potential for human error due to carelessness, distraction, mistakes of judgement and the
misunderstanding of instruction; for example a recently appointed sales clerk calculates discounts on a sale after
VAT has been charged, either because he does not understand what he is supposed to do, or he is
simply careless.
• The possibility that control procedures may become inadequate due to changes in conditions and,
therefore, that compliance with procedures may deteriorate; for example a company may experience a steady
but definite increase in sales to the extent that the only way that its salespeople can keep up with the
demand from customers is to ignore certain controls. They may stop checking the customer’s credit
limit before the sale is made, or stop confirming that the customer’s account is up to date. Controls have remained static, but
risks have changed.
5.1.3 The system of internal control (ISA 315 (revised 2019) para 12)
The system of internal control can be defined as the system designed, implemented and maintained by
those charged with governance, management and other personnel, to provide reasonable assurance about
the achievement of an entity’s objectives with regard to:
• the reliability of the entity’s financial reporting
• the effectiveness and efficiency of its operations, and
• its compliance with applicable laws and regulations.
5.1.4 Components of the system of internal control (ISA 315 (revised 2019) para 12)
The literature on internal control provides a useful framework for understanding the system of internal
control. This framework suggests that a system of internal control consists of five components which will
each be discussed below.
The controls in the control environment, the entity’s risk assessment process and the entity’s process to
monitor the system of internal control are mainly indirect controls (controls that are not specifically to
prevent, detect or correct misstatements at assertion level, but support other controls, thereby having a
possible indirect effect on the timely prevention or detection of misstatements). However, some of the
controls within these components may also be direct controls. Note that these components may not be an
exact resemblance of the entity’s system of internal control. The entity may also use different technology.
For audit purposes, different terminology or frameworks may also be used.
(b) How those charged with governance demonstrate independence from management and exercise
oversight of the entity’s system of internal control
The entity’s control consciousness is strongly influenced by those charged with governance, primarily the
board of directors. When those charged with governance are separate from management, consideration
should be given to whether there are sufficient individuals who maintain an independent and professional
relationship with management and how they exercise oversight of the entity’s system of internal control.
How those charged with governance identify and accept their responsibilities to oversee the system of
internal control, and whether they retain oversight responsibility for the design, implementation and con-
duct of management in this regard, may also be considered.
(d) How the entity attracts, develops, and retains competent individuals
People are an integral part of the internal control process – perhaps the most important. A company that
does not have sound policies regarding its human resources (people) will not have a good control
environment. Thus, the entity should have in place:
• standards for recruiting the most qualified individuals (e.g., minimum qualifications, checking educa-
tional background, prior work experience, past accomplishments and evidence of integrity and ethical
behaviour)
• training policies that communicate prospective roles and responsibilities (e.g., training schools and
seminars to illustrate performance and behaviour expectations), and
• performance appraisals linked to promotions to demonstrate the commitment of the entity to advance
qualified personnel to higher levels of responsibility.
(e) How the entity holds individuals accountable for their responsibilities in pursuit of the objectives of
the system of internal control
As mentioned earlier, individuals should know and understand for what and how they will be held
accountable. Holding individuals accountable for their responsibilities in aiming to achieve the entity’s control
objectives may be accomplished through: mechanisms to communicate and hold individuals accountable
for the performance of controls and implementing necessary corrective actions, if any; and performance
measures linked to incentives/rewards for those responsible for the system of internal control (it should
also be established how the measures are evaluated and how they remain relevant). Consideration should be
given to how pressures associated with the pursuit of control objectives impact individual responsibility
and performance measures and how disciplinary action is taken.
• new personnel who may have a different view or understanding of the system of internal control
• significant or rapid expansion of the entity’s operations may place strain on controls
• corporate restructuring may change the risk associated with the system of internal control
• use of IT, such as maintaining the integrity of data; IT strategy not effectively supporting the
business strategy; or changes or interruptions in the IT environment (e.g., IT personnel; necessary
updates not being performed).
(c) Once objectives have been defined, and the risks identified and assessed, the risk can be responded to.
The overall response will be for management to:
• put in place an information system, including business processes. These are quite complicated sound-
ing words but essentially:
– an information system is just a combination of machines (which most often include computers),
software where computers are involved, people who carry out procedures, and data, and
– related business processes are the activities designed to purchase, produce, sell and distribute the
entity’s products and ensure compliance with laws and regulations, and record information.
The two are interrelated, and the distinction between them can be blurred. Think of them as a com-
bined process/method of initiating, recording, processing and reporting transactions, either manually
or through computers, or a combination of both.
• put in place control activities: Control activities are the actions, supported by policies and procedures
which, if properly designed and carried out, reduce or eliminate a specific risk or risks.
Both the information system and business processing are dealt with in the next component.
5.1.4.3 The entity’s process to monitor the system of internal control (mainly indirect controls)
Monitoring the system of internal control is a continual process to evaluate the system’s effectiveness and
take timely remedial actions that may be necessary. Successful monitoring may involve assessing internal
control performance through ongoing activities or periodic evaluations, or a combination thereof, by man-
agement itself, supervisory staff such as department heads, or “independent” bodies such as internal audit
or risk committees. Monitoring the system of internal control is not only about determining whether the
control activities are actually taking place; but also about determining whether the controls are effective.
Monitoring can take place in various ways.
Example 1. The internal audit department of Zuma Ltd checks on a random but regular basis whether
bank reconciliations are accurately and timeously carried out.
Example 2. Zuma Ltd installed closed-circuit TV cameras in its receiving bay and warehouse in an
attempt to reduce theft of inventory. The operations manager analyses inventory movements
independently over a period of time to determine whether loss from theft of inventory has
declined. If not, the cameras are not proving to be an adequate response to the risk of theft,
and other control activities will have to be introduced.
Example 3. Ruiz CC has control activities in place to reduce losses from bad debts. By monitoring the
amounts written off over time, management can assess whether the controls are effective.
Example 4. Costa TV Ltd, a service provider, has a phone-in line that customers can call if they are unhap-
py with the company’s fee charging, such as incorrect amounts invoiced. Calls are recorded and
monitored by the service manager, particularly the number and nature of the complaints.
Example 5. Chemicalplus Ltd engages an environmental expert to monitor the government pollution
index with which the company must comply. Substantial fines are payable for failing to meet
the government requirements.
The important point about monitoring the system of internal control is that if it is not carried out, neither
the board nor management will know whether:
• the entity’s financial reporting is effective
• operations are being effectively and efficiently conducted, or
• the entity is complying with applicable laws and regulations.
Although the system of internal control consists of the five components (5.1.4.1 to 5.1.4.5), the system
itself is a process – the components are not independent of each other. To be effective as an internal control
system, the components must all work together.
For example, if there is a poor control environment, it is unlikely that the control activities will be effect-
ively carried out. In theory, the information system may be well-designed, and appropriate control activ-
ities may be stipulated, but if the control environment is one of “don’t worry too much about controls”, the
information system and control activities will not be effective. Similarly, inadequate identification and
assessment of the entity's risks will result in an inadequate system with insufficient control activities. A
well-designed system that is not monitored over time will also become ineffective.
So, is the information system with its machines, people, documents and data, a sufficient response on its
own to the risk that the financial information it produces may not be valid, accurate and complete? The
answer is no: the fourth component of internal control, termed the control activities component, must be
added.
(a) The information system will need to define and provide the machines, documents, ledgers and proced-
ures which will guide the entity’s transactions through the system. This will include:
• initiation of the transaction, for example, receipt of a customer’s order over the phone or through
the post
• recording the transaction, for example, entering the details of the customer’s order on an internal
sales order
• processing the transaction, for example, picking the goods ordered from the warehouse and dispatch-
ing them to the customer and raising the sale by preparing a sales invoice, and
• posting (transferring) the transaction to the general ledger, for example, this will usually involve
entering the invoice in the sales journal and posting (transferring) amounts and totals to the general
ledger accounts (sales and accounts receivable) and the debtors ledger.
Within this process, there will be procedures to correct errors that may occur, such as correction of
invoices made out using incorrect prices.
As pointed out above, the activities may take place in a manual or computerised environment. The
vast majority of systems will be a combination of the two.
(b) Books and documents
All of the actions described above will be supported by ledgers, journals, records and documents
specific to the type of transaction; for example, a sale should be supported by a customer order, an internal
sales order, a picking slip used to select goods, a dispatch (delivery) note and an invoice. There should
be a sales journal and a debtors ledger as well as the general ledger. (Documents used in all the major
cycles are described in the subsequent “cycle chapters” of this text.)
(c) Document design
Properly designed documents can assist in promoting the accuracy and completeness of recording
transactions:
• preprinted, in a format that leaves the minimum amount of information to be filled in manually
• prenumbered – consecutive prenumbering facilitates identification of any missing documents either
at the recording stage or subsequently; for example, a clerk listing goods received notes (GRNs) at the
end of a week may discover that certain GRNs are missing
• multicopied, carbonised and designed for multiple use; for example a salesclerk taking an order
from a customer over the phone should complete only the top copy of the sales order; stores could
then use the first carbon copy of the sales order as a “picking slip” to select the goods picked, and
the second carbon copy sent to accounting. In addition, each copy should be a different colour for
easy identification
• designed in a manner that is logical and simple to complete, for example key pieces of information
required to execute the transaction should have a prominent position on the document. An essential
piece of information on a sales order would be the customer’s account number, hence the sales
order should display quite clearly the necessary space into which the account number can be
entered. Further good design may be to break the account number space into a series of small blocks
totalling the number of digits in the account number. This enhances the chances of the complete
account number being recorded, and
• contain blank blocks or grids which can be used for authorising or approving the document; for
example, a blank block for the preparer of the document to sign, plus a second blank block for the
person who checked the document to sign. This characteristic facilitates isolation of responsibility.
Obviously, these characteristics relate primarily to manual systems, but remember that some compu-
terised systems still make use of hardcopy documents. The computer may produce the document itself,
but the principles remain the same. As you will see when you study computerised controls, pro-
grammed controls (automated controls) can enhance accuracy and completeness considerably.
Function                  Example
Initiation and approval   A purchase order is authorised
Executing                 The order is placed with a supplier
Custody                   The goods are delivered and placed in the warehouse
Recording                 The purchase is entered into the accounting records and the perpetual inventory records are updated
Let us assume, for example, that Clarence Carter is responsible for all of the functions above. He could
very easily purchase goods for himself which will be paid for by the company. He will have access to an
official company order so he can order the goods he wants and, as he is also placing the order, he can
choose whichever supplier he likes (the supplier could even be his own business run by his wife). As Clar-
ence is also responsible for taking delivery of the goods, he will make out the necessary document (goods
received note) when the goods are delivered. He now has the goods in his possession and can take them
home. If he also updates the perpetual inventory records, he can ensure that the records agree with the
physical inventory (in case anyone checks) by not recording the goods purchased or by writing up a ficti-
tious goods issue. It will be even easier if there are no perpetual inventory records. Concerning paying for
the goods, the necessary documents will be there to support the payment, for example, a signed purchase
order, a supplier delivery note, a goods received note, and a supplier invoice. So even if Clarence is not
involved in the actual payment of the supplier, there is no reason that the goods will not be paid for. Obvi-
ously, if Clarence is really devious, he will restrict his fraudulent purchases to items that the company
normally purchases in order not to draw attention to the purchase. For example, if he works for a garden
tool wholesaler and orders himself a big screen TV, it will be difficult for the transaction not to be noticed.
However, if he buys garden tools for his use or which he intends to sell to make some extra cash, the
transaction will not appear out of the ordinary.
The idea behind the segregation of duties is that other employees are introduced into the functions sur-
rounding the transaction. In a large organisation with the necessary resources, the purchase transaction
would be divided up as follows:
This example of good segregation of duties illustrates that Clarence Carter would not be able to purchase
goods for himself and have the company pay. His biggest problem would probably be getting his hands on
the goods he has ordered. Even if he could get hold of a purchase order and place an order with the sup-
plier, he still has to obtain the physical goods. Remember that once the goods have been delivered, the
receiving clerk and the storeman can be held accountable, so they are going to make sure they carry out
their duties properly. On top of that, the accounting section is keeping an independent record of what inven-
tory should be on hand. The storeman will want to make sure that his physical inventory agrees with these
records and management will be carrying out reviews to see if the physical inventory and the inventory
records agree. In effect, each step in making a purchase has been allocated to a different employee and the
next employee in the process is checking on the previous employee.
In a perfect situation, all of the functions above would be segregated, but due to cost and insufficient em-
ployees, it is frequently impossible. So which of the divisions are most important? Generally speaking,
“custody” and “recording” are the most incompatible. The reason for this is that if an individual has control
of the asset and keeps the records pertaining to the asset, the record of the asset can be made to agree with the
physical assets on hand.
For example, a storeman who has access to the inventory and the perpetual inventory records can steal
inventory and alter the records to ensure that the theoretical inventory on hand agrees with the physical
inventory. The same logic can be applied to other physical assets such as equipment. The employee in
charge could steal equipment and manipulate the fixed asset register. What about the company’s bank
account? The custodian of the bank account is the employee who has the power to effect EFTs. If this
individual also writes up the cash journals, he can make whatever payments he likes and describe them in
the cash payments journal as valid business payments. If the credit controller (who is the custodian of the
company’s debtors) can make adjusting entries to the debtors ledger, he will be able to invalidly write off
the debt of a friend or customer so that they do not have to pay. If custody and recording are not segregated,
the effectiveness of “review” is diminished as the physical and theoretical will be easily reconciled.
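The segregation rule above can be checked mechanically wherever each step of a transaction is logged against a user. The following is an added example, not taken from the book: the log format, the user names (other than the Clarence Carter scenario) and the "high"/"medium" ratings are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# The four functions of a transaction, as listed in the table above.
FUNCTIONS = ("initiation_and_approval", "executing", "custody", "recording")

# The pair the text singles out as the most incompatible.
CRITICAL_PAIR = frozenset({"custody", "recording"})

# Constructed sample log: (purchase order, function performed, user).
SAMPLE_LOG = [
    # Fully segregated purchase: four functions, four people.
    ("PO-1001", "initiation_and_approval", "n.dube"),
    ("PO-1001", "executing", "t.naidoo"),
    ("PO-1001", "custody", "s.botha"),
    ("PO-1001", "recording", "l.mokoena"),
    # The storeman also writes up the perpetual inventory records.
    ("PO-1002", "initiation_and_approval", "n.dube"),
    ("PO-1002", "executing", "t.naidoo"),
    ("PO-1002", "custody", "s.botha"),
    ("PO-1002", "recording", "s.botha"),
    # The Clarence Carter scenario: one person performs every function.
    ("PO-1003", "initiation_and_approval", "c.carter"),
    ("PO-1003", "executing", "c.carter"),
    ("PO-1003", "custody", "c.carter"),
    ("PO-1003", "recording", "c.carter"),
    # The approver also places the order; no recording entry was logged.
    ("PO-1004", "initiation_and_approval", "n.dube"),
    ("PO-1004", "executing", "n.dube"),
    ("PO-1004", "custody", "s.botha"),
]


def _functions_by_user(log):
    """Group the log as transaction -> user -> set of functions performed."""
    grouped = defaultdict(lambda: defaultdict(set))
    for txn, function, user in log:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {txn}")
        grouped[txn][user].add(function)
    return grouped


def find_sod_conflicts(log):
    """Return one finding per pair of functions that a single user performed
    on the same transaction, with custody + recording rated 'high'."""
    findings = []
    for txn, users in _functions_by_user(log).items():
        for user, functions in users.items():
            for pair in combinations(sorted(functions), 2):
                critical = frozenset(pair) == CRITICAL_PAIR
                findings.append({
                    "transaction": txn,
                    "user": user,
                    "functions": pair,
                    "severity": "high" if critical else "medium",
                })
    # High-severity findings first, then by transaction reference.
    findings.sort(
        key=lambda f: (f["severity"] != "high", f["transaction"], f["functions"])
    )
    return findings


def find_unperformed_functions(log):
    """Return {transaction: [functions with no log entry]}. A step with no
    recorded performer cannot be checked by the next employee in the process."""
    gaps = {}
    for txn, users in _functions_by_user(log).items():
        performed = set().union(*users.values())
        missing = [f for f in FUNCTIONS if f not in performed]
        if missing:
            gaps[txn] = missing
    return gaps


if __name__ == "__main__":
    for finding in find_sod_conflicts(SAMPLE_LOG):
        print(finding)
    print(find_unperformed_functions(SAMPLE_LOG))
```

The check only sees what the log records, so it cannot detect collusion between two users who each perform their own function.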
Segregation of duties is not aimed solely at safeguarding the assets of the business. It is a very effective
technique to ensure that transactions are recorded and processed accurately and completely and that only
transactions that actually occurred and were authorised are recorded and processed. In effect, segregation
of duties provides a series of independent checks on whether employees are doing their jobs properly.
The biggest enemy of segregation of duties is collusion. As we discussed under the limitations of internal
control, segregation of duties (and other control activities) can be circumvented if management or employ-
ees collude (work together) intentionally with other individuals inside or outside the company.
For example, if the storeman and the keeper of the perpetual inventory records collude, they will be able
to cover up inventory theft. Essentially if one employee in the process agrees, for whatever reason, not to
check the action of another employee who he is supposed to check, segregation of duties breaks down.
Collusion will frequently be with parties outside the organisation; for example, a buyer colludes with a
supplier to charge the company a higher price and later they share the proceeds, or, as described earlier, a
receiving clerk colludes with a supplier’s driver and the storeman to accept a short delivery as a full
delivery. The driver will then sell the goods which should have been delivered, and share the proceeds with
the receiving clerk and the storeman. This will be even easier if a person who has access to the perpetual
inventory records is included in the scam.
Good segregation of duties starts by dividing the company’s cycles, for example, acquisitions and
payments, payroll, into functions and then further segregating the duties within the function. (See chap-
ters 10–14.)
Isolation of responsibility
For any internal control system to work effectively, the people involved in the system must be fully aware
of their responsibilities and must be accountable for their performance. It is equally important that the
employees acknowledge in writing, that they have performed the task or control procedures necessary to
fulfil their responsibility. This is usually done by signing. Once a document is signed it isolates the
employee who was responsible for carrying out some control activity. A signature also isolates a transfer of
responsibility from one person to another.
For example:
When a supplier delivers goods to Mbali (Pty) Ltd, the company’s receiving clerk counts the goods
received and signs the supplier’s delivery note, a copy of which is kept by the company. This signature fulfils
two important functions. Firstly, if there is a subsequent problem with the delivery, management can isolate
who was responsible for receiving the delivery. Secondly, the signature acknowledges the physical transfer of
the goods, and of responsibility for them, from the supplier to the purchaser. Other examples will be the
foreman signing a schedule of overtime to approve it, or the chief buyer signing an order to acknowledge that
the detail of the order has been checked, that it is supported by a signed requisition and that the supplier to
whom the order will be sent is approved by the company.
Reconciliation
A reconciliation compares two different sets of recorded information (data elements) or of recorded infor-
mation and a physical asset.
For example:
• the cash journal to the bank statement
• the individual creditor’s accounts to creditors statements
• subsidiary ledgers to the general ledger, for example the debtors ledger to the general ledger
• physical inventory and plant and equipment to the perpetual inventory and asset register respectively, or
• the wage expense from one wage period to the next.
There are any number of reconciliations that can take place, but the object of comparison and reconcilia-
tion is to identify, investigate and resolve differences where necessary. There is no point simply performing the
mechanical reconciliation of quantities or amounts without investigating and resolving the reconciling
items.
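The first reconciliation in the list above, cash journal to bank statement, is sketched below as an added example that is not taken from the book. The references, amounts and the idea of a documented "resolution" per item are constructed for illustration; the point is that the reconciliation is only complete once every reconciling item has been investigated and resolved.

```python
from decimal import Decimal

# Constructed sample data. Receipts are positive, payments negative.
CASH_JOURNAL = [
    ("DEP-301", Decimal("12500.00")),
    ("EFT-778", Decimal("-4300.00")),
    ("EFT-779", Decimal("-1850.50")),
    ("EFT-780", Decimal("-920.00")),   # paid, not yet on the statement
]
BANK_STATEMENT = [
    ("DEP-301", Decimal("12500.00")),
    ("EFT-778", Decimal("-4300.00")),
    ("EFT-779", Decimal("-1580.50")),  # amount differs from the journal
    ("FEE-0042", Decimal("-85.00")),   # bank charge never journalised
]


def _index(entries, source):
    """Map reference -> amount, rejecting duplicate references."""
    indexed = {}
    for ref, amount in entries:
        if ref in indexed:
            # A duplicated reference is itself an exception to investigate.
            raise ValueError(f"duplicate reference {ref!r} in {source}")
        indexed[ref] = amount
    return indexed


def reconcile(journal, statement):
    """Compare the two records; return (matched_refs, reconciling_items)."""
    j = _index(journal, "cash journal")
    s = _index(statement, "bank statement")
    matched, items = [], []
    for ref in sorted(j.keys() | s.keys()):
        j_amt, s_amt = j.get(ref), s.get(ref)
        if j_amt == s_amt:
            matched.append(ref)
            continue
        if s_amt is None:
            kind = "in journal, not on statement"
        elif j_amt is None:
            kind = "on statement, not in journal"
        else:
            kind = "amount differs"
        items.append({
            "ref": ref,
            "kind": kind,
            "journal": j_amt,
            "statement": s_amt,
            "difference": (j_amt or Decimal("0")) - (s_amt or Decimal("0")),
        })
    return matched, items


def unresolved(items, resolutions):
    """Reconciling items with no documented explanation. The reconciliation
    is not finished until this list is empty."""
    return [i for i in items if not resolutions.get(i["ref"], "").strip()]


if __name__ == "__main__":
    matched, items = reconcile(CASH_JOURNAL, BANK_STATEMENT)
    print("matched:", matched)
    for item in items:
        print(item)
    notes = {"EFT-780": "outstanding payment, to be traced to next statement"}
    print("still open:", [i["ref"] for i in unresolved(items, notes)])
```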
Verification
Verification compares two or more items with each other, or compares an item to, for example, a policy.
Unexpected results or unusual conditions will then be followed up. In practice, verification as a control will
usually be carried out by employees in management or supervisory positions and may include a review of:
• performance against budgets, forecasts, departmental targets, etc.
• key performance indicators, ratios, etc., and
• current to prior period, financial or operating information.
For example, a review of the key performance indicators may reveal that the gross profit percentage has
declined sharply. The follow-up may reveal that breakdowns in the custody controls for inventory have
occurred, resulting in the theft of inventory.
Performance reviews
As a control activity, reviews of performance provide a basis for identifying problems. When carrying out a
review, the reviewer is looking for consistency and reasonableness in the data being reviewed. Unexpected
results or unusual conditions will then be followed up. Review as a control will usually be carried out by
employees in management or supervisory positions and may include review of:
• performance against budgets, forecasts, departmental targets, etc.
• key performance indicators, ratios, etc., and
• current to prior period, financial or operating information.
For example, a review of the key performance indicators may reveal that the gross profit percentage has
declined sharply. The follow-up may reveal that breakdowns in the custody controls for inventory have
occurred, resulting in the theft of inventory.
Detective controls
As discussed earlier in this chapter, internal control activities are not foolproof and not all errors will be
prevented. There may be collusion, or employees may be careless or want to take shortcuts. Detective
controls are like a “second line of defence” and are designed and implemented to identify the errors, thefts,
omissions, etc., which got through the “first line of defence”. Reconciliations and reviews are common
types of detective control activities, but segregation of duties (e.g., one employee checking another), as well
as custody controls, have a detective element to them.
Corrective controls
These are controls that are implemented to resolve errors and problems which have been identified by
detective controls. For example, if the accounting department “detects” an invalid charge from a supplier
(an invoice for goods which were not actually received), what procedures must be followed to rectify the
situation and ensure that the invoice is not paid and that the same problem does not keep happening?
Although control activities can be classified in this manner in manual accounting systems, the classifica-
tion into descriptions is more relevant and defined in computerised accounting systems. Because computers
can process vast quantities of transactions at lightning speed and invisibly, preventing unauthorised or
erroneous transactions from entering the system is very important, and because the consequences of not
doing so can be extreme, detective controls are also very important as the problem causing the errors, etc.,
must be corrected very quickly. In addition, the capabilities of the computer and its software allow a wide
range of preventive and detective controls to be implemented. These are discussed in chapter 8.
• The size of the organisation is not necessarily a factor when the IT environment is assessed. What
matters is the sophistication of the IT environment. Even small organisations can have well-controlled
IT systems that might be considered for IT control and automated application control testing and reli-
ance by the auditor.
Generally, in smaller, less complex entities, there is far less distinction between the board of directors and
management – frequently they are the same individuals. There will probably be no non-executive directors
and, as a result, an independent oversight “check” on management is not possible. If there is no oversight of
management by those charged with governance, the control environment will be weakened.
5.1.5.3 The entity’s process for monitoring the system of internal control
• Monitoring the internal control process in a less complex entity will again be left up to management and
carried out informally. It is unlikely that there will be an independent internal audit department, reviews
by external bodies or customer hotlines! Furthermore, as the directors are probably involved in the day
to day operations, there will be little independent monitoring of facts, figures and performance. On the
positive side, this direct involvement should give management a good idea of whether the process is
working successfully.
Do not get the impression that all less complex entities have weak internal control as this is simply not
the case. There are many smaller entities with outstanding internal control systems. Sound systems
design, competent and dedicated employees, combined with ethical and “hands on” management, can
far outweigh the disadvantages of being a smaller or less complex entity.
5.1.6 The external auditor’s interest in the entity’s system of internal control
The external auditor is primarily interested in the fair presentation of the entity’s annual financial
statements. The financial statements are a product of the entity’s information systems, which include the
accounting system. Therefore, it stands to reason that the better the system of internal control, the more
likely it is that the financial statements will be fairly presented.
ISA 315 (revised 2019) – Identifying and assessing the risks of material misstatement, requires that the
auditor obtain an understanding of the entity and its environment, the applicable financial reporting
framework, as well as the entity’s system of internal control. The ISA suggests that a good way of doing the
latter may be to evaluate the five components of the system of internal control.
For example, ISA 315 states that the auditor should identify and assess the risk of material misstatement
occurring in the financial statements so where the entity itself has a risk assessment process, it makes sense
for the auditor to understand the entity’s process and benefit from it in obtaining knowledge about the risks
faced by the entity.
Similarly, an assessment of the entity’s control environment will significantly influence the auditor’s
assessment of the risk of material misstatement in general and will in turn directly affect how the audit is
conducted (here it is important to note that the risk assessment process provides the foundation for identifying and
assessing the risks of material misstatement and for designing further audit procedures). An understanding of the
information systems, communication and control activities is equally important for the auditor as, without
understanding these, the auditor is unable to properly assess the risk that management’s objective of
producing valid, accurate and complete financial information will be achieved. Finally, if the system of
internal control is properly monitored, the auditor may be in a position to work with
the monitoring bodies such as internal audit and will, at the very least, be able to derive benefit from the
results of the monitoring and from how and whether issues in which the auditor is interested have been
addressed.
There is no hard and fast way in which the quantity of audit evidence needed can be precisely calculated.
It is a very subjective decision requiring a strong dose of professional judgement. Certainly, there are
statistical models which can assist in determining sample sizes, but even these models require the auditor to
make some subjective decisions. The quantity of audit evidence relates to the “extent of testing” compo-
nent of the audit plan (the other two being the nature and timing of tests). The audit plan is only decided
upon once the full exercise of devising the overall audit strategy has taken place. The planning process also
includes making subjective decisions, for example, evaluating risk, so the auditor is really left with using his
professional expertise to determine whether enough evidence has been gathered in light of the prevailing
circumstances surrounding the audit.
• Reliability
Some evidence is simply more reliable than other evidence. The hierarchy of reliability for audit evi-
dence can be expressed as follows:
– evidence developed by the auditor is the most reliable source, for example, the auditor inspects inventory to
obtain evidence of its existence
– evidence provided directly by a third party to the auditor (as opposed to the client) is reasonably reliable
evidence, provided that the third party is independent of the client, reputable and competent, for example,
information obtained from the client’s attorneys
– evidence obtained from a third party but which was passed through the client is less reliable as the client may
have had the opportunity to tamper with the evidence, for example, a bank statement or certificate of
balance which is not sent directly to the auditor
– evidence generated through the client’s system will be more reliable when related internal controls are
effective
– evidence provided by the client is the least reliable as it lacks “independence”, that is, it is provided by the
persons who are responsible for the assertion for which the evidence is required
– written evidence (whether paper or electronic) is considered more reliable than oral evidence as oral evidence
is easily denied or misinterpreted, and
– evidence provided by original documents is more reliable than evidence provided by photocopies or
facsimiles.
Clearly, the auditor will have to rely on evidence from all of the above sources, (e.g., developed by the
auditor, provided by the entity, provided by a third party) and would therefore not reject evidence solely
on the grounds of its source. Indeed, even evidence provided by the client may be very reliable, particu-
larly if the accounting systems and internal controls are strong and the directors and employees are
competent, reliable and trustworthy. It follows that the hierarchy should be regarded as a guideline.
• Relevance
The relevance of audit evidence means its relevance to the assertion which is being audited. It is very
important that the auditor understands exactly to which assertion the evidence being gathered relates.
If this is not understood, incorrect conclusions will be drawn.
For example, when the auditor of Meadows Ltd selects a sample of inventory items from the inventory
records to count and inspect at the annual inventory count, he obtains evidence of the existence of
that inventory and (possibly) some evidence of the physical condition of the inventory. The physical
condition is relevant to the valuation assertion as it provides evidence relating to the reasonableness of
the allowance for obsolete inventory. However, the inspection of inventory does not provide evidence to
support the rights assertion applicable to that inventory – simply because the auditor has counted and
inspected the inventory in the client’s warehouse does not mean that the client has the rights (ownership)
to that inventory. It may be inventory held on consignment on behalf of another company or it
may be inventory which has been sold, but not yet collected by, or delivered to, the purchaser.
Similarly, this test will not provide any evidence relevant to the completeness of inventory. The test for
completeness requires that the items be selected from the physical inventory and traced to the records to
determine whether they have been included in the records.
When performing tests of controls, the auditor attempts to determine whether the major objective of the
accounting system and related internal control, to produce valid, accurate and complete information, is being
achieved. In doing this, the auditor obtains evidence relating to the occurrence, accuracy, cut-off, classification,
and completeness assertions relating to transactions processed through that accounting system. Again, the
auditor must be quite sure to which assertion the procedure being performed (and the evidence gathered from
the procedure) is relevant. For example, the auditor may deduce from the tests of controls that the controls
for the recording of sales at the proper amount (accuracy) are sound; however, this does not provide
evidence that all sales actually made were recorded (completeness) or that all sales recorded were genuine
sales (i.e., not fictitious) (occurrence).
Finally, a single procedure will not necessarily be relevant to only one assertion; it may provide evidence
relevant to a number of assertions.
5.2.3.1 Assertions about classes of transactions and events and related disclosures:
(i) Occurrence – transactions and events that have been recorded or disclosed, have occurred, and such
transactions and events pertain to the entity.
(ii) Completeness – all transactions and events that should have been recorded have been recorded, and all
related disclosures which should have been included in the financial statements, have been included.
(iii) Accuracy – amounts and other data relating to recorded transactions and events have been recorded
appropriately, and related disclosures have been appropriately measured and described.
(iv) Cut-off – transactions and events have been recorded in the correct accounting period.
(v) Classification – transactions and events have been recorded in the proper accounts.
(vi) Presentation – transactions and events are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of the requirements
of the applicable financial reporting framework.
5.2.3.2 Assertions about account balances, and related disclosures, at the period end:
(i) Existence – assets, liabilities and equity interests exist.
(ii) Rights and obligations – the entity holds or controls the rights to assets, and liabilities are the
obligations of the entity.
(iii) Completeness – all assets, liabilities and equity interests that should have been recorded, and all related
disclosures that should have been included in the financial statements, have been included.
(iv) Accuracy, valuation and allocation – assets, liabilities and equity interests have been included in the
financial statements at appropriate amounts and any resulting valuation or allocation adjustments
have been appropriately recorded, and related disclosures have been appropriately measured and
described.
(v) Classification – assets, liabilities and equity interests have been recorded in the proper accounts.
(vi) Presentation – assets, liabilities and equity interests are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable in the context of the
requirements of the applicable financial reporting framework.
The following diagram illustrates the breakdown of the assertions and to which categories they apply:
Assertion                             Transactions, events        Balances, assets, liabilities, equity
                                      and related disclosures     interests and related disclosures
Occurrence                            Yes                         –
Completeness                          Yes                         Yes
Accuracy                              Yes                         –
Cut-off                               Yes                         –
Classification                        Yes                         Yes
Existence                             –                           Yes
Rights and obligations                –                           Yes
Accuracy, valuation and allocation    –                           Yes
Presentation                          Yes                         Yes
The auditor’s duty is to gather sufficient, appropriate evidence to support the assertion being audited.
Whilst every assertion should be considered for audit, the auditor will obviously direct his attention to
those assertions which present a risk of material misstatement, which, if not detected, could lead the auditor
to express an inappropriate opinion on the financial statements (see chapter 7 for a discussion on audit
risk). When the auditor carries out risk assessment procedures for the various account headings, he will
consider the risk of material misstatement in terms of the assertions applicable to the account heading.
For example, the auditor of Skosana-Smit Ltd may look at all of the information that she has gathered
about the company’s inventory and then work through the assertions applicable to the inventory account
balance and related disclosures and assess the impact of the information on her assessment of the risk of
material misstatement in the inventory account heading and its related disclosures. It will be necessary for
the auditor to identify the assertions for which evidence should be gathered and then design an audit plan
that will provide enough relevant and reliable evidence to base an opinion on.
Consider the diagram above in conjunction with the following examples:
Example 1
When the auditor gathers evidence about sales transactions, he will be seeking evidence to support the
following assertions:
• occurrence – all sales included are genuine sales (not fictitious) of the entity (a genuine sale of the
company’s goods/services has occurred)
• completeness – all sales which were made, have been included in the total of sales made for the year
• accuracy – all sales have been recorded appropriately: this implies prices are correct and that the correct
discount and VAT rates have been used and correctly calculated
• cut-off – all sales recorded, occurred in the accounting period being audited
• classification – all sales have been posted to (recorded in) the proper account: this implies that a credit
sale has been posted to the correct debtor’s account and that VAT has also been correctly posted, and
• presentation – the sales transactions have been presented in terms of the disclosure requirements of the
relevant financial reporting standard.
Take note that the auditor will also ensure that related disclosures pertaining to “sales” are complete,
accurate, relevant and understandable.
The assertions which do not apply to sales are existence, (accuracy) valuation and allocation, and rights and
obligations. Why is this? It is because these three assertions apply to balances in the statement of financial
position, which are carried forward to the following period, and not to transactions. To explain it slightly
differently, the auditor does not try to establish that a sale existed at the reporting date, he seeks evidence
that the sale, which is included in total sales, actually occurred; furthermore, the auditor does not seek to
value the sale at year-end, he seeks to establish that the amount of the sale was correctly recorded at the
time it was made during the year.
Example 2
When the auditor gathers evidence about plant and equipment, he will be seeking evidence to support the
following assertions:
• existence – all plant and equipment included in the balance, existed at reporting date
• completeness – all plant and equipment owned by the company, is included in the balance reflected in the
financial statements
• accuracy, valuation and allocation – the plant and equipment has been reflected in the statement of
financial position at appropriate amounts; and that reasonable adjustments have been made for depreciation,
impairment and/or obsolescence
• rights – the company has (holds or controls) the right of ownership to the plant and equipment reflected
in the statement of financial position (any encumbrances on that ownership must be disclosed), and
• presentation – plant and equipment has been appropriately aggregated/disaggregated and clearly
described; for example, plant and equipment has been presented in the statement of financial position
aggregated with land and buildings as a separate line item under non-current assets as property, plant
and equipment and has been disaggregated in the property, plant and equipment disclosure notes into
plant and machinery, fixtures and fittings and tools and equipment.
Disclosure is far more comprehensive and complex for plant and equipment than for sales (Example 1) and
obviously presents more risk that there will be material misstatement in the disclosures. The auditor must
satisfy himself that the related disclosures are accurately measured and described, complete, relevant and
understandable in terms of the applicable financial reporting framework.
The assertions which do not apply to the plant and equipment account heading are occurrence and cut-off.
Why is this? These two assertions apply only to transactions/events and not to balances contained in the
statement of financial position. The auditor seeks to establish that plant and equipment appearing in the
statement of financial position actually existed at reporting date; auditing the purchase of the plant and
equipment (a transaction) will provide evidence that the purchase occurred but it will not provide evidence
that the item of plant and equipment was in existence at year-end (it may have been stolen, sold or
destroyed since being purchased), or that it was fairly valued at year-end (it may have been severely
damaged since it was purchased).
In conclusion, once the auditor has gathered sufficient, appropriate evidence relating to the assertions, he
will be in a position to evaluate the evidence and express an opinion on the fair presentation of the financial
statements.
Analytical procedures could be part of risk assessment, for example, the auditor performs an analysis of the
company’s sales by month, product, branch etc., to gain an understanding of the entity. Analytical procedures
are also used when carrying out substantive procedures.
For example, when considering the valuation of debtors at Energy-Bars Ltd, the company’s auditor
performs a comprehensive comparative analysis of the debtors balance to satisfy herself that the allowance for
bad debts is “fair”.
Note that analytical procedures are not used as tests of controls, as they do not provide evidence that a
control activity is being carried out as it should be.
• Inspection: involves examining records or documents, whether internal or external, in paper form,
electronic form or other medium, for example inspecting a purchase order for an authorising signature
or a physical examination of an asset, for example inspecting a piece of equipment for evidence of its
existence and condition.
• Observation: consists of looking at a process or procedure being performed by others, or of observing the
performance of control activities, for example observing an inventory count performed by the client’s
employees.
• External confirmation: involves obtaining a direct written response from a third party to a request/query
from the auditor to that third party in paper form or by electronic or other medium, for example the
auditor requests a client’s debtors to confirm the amounts owed to the client at reporting date.
• Recalculation: consists of checking manually or electronically, the mathematical accuracy of documents
or records.
• Re-performance: involves the auditor’s independent execution of procedures or controls that were
originally performed as part of the entity’s internal control.
• Analytical procedures: involves evaluating financial information through analysis of plausible
relationships among both financial and non-financial information.
• Inquiry: consists of seeking information, both financial and non-financial from knowledgeable persons
within the entity or outside the entity.
As discussed above, it is not possible to categorise each of the above procedures as simply a risk assessment
procedure, a test of controls procedure or a substantive procedure. Any of the above procedures (other than
analytical procedures as a test of controls), or a combination thereof, can be used when assessing risk or
carrying out tests of controls or substantive tests. The procedure will be categorised in terms of what the
auditor is trying to achieve.
Example 1
• Inquiry – risk assessment
The auditor inquires of the head of internal audit as to his assessment of the likelihood of material
misstatement of inventory.
• Inquiry – substantive test
The auditor makes inquiries of the factory manager as to the impairment write-downs for a particular
machine.
Example 2
• Re-performance – tests of controls
The auditor re-performs the monthly bank reconciliation to confirm that the control activity of
reconciling the balance per the cash book and the balance per the bank statement has been properly carried
out. If the reconciliation is incorrect, the control is not working.
• Re-performance – substantive test
The auditor re-performs the year-end bank reconciliation as part of the verification of the bank balance
reflected in the year-end financial statements (same procedure, different objective!).
Example 3
• Inspection – risk assessment
The auditor examines the minutes of directors' meetings to identify important decisions that have been
taken that may affect the financial statements.
Example 4
• Observation – risk assessment
The auditor observes the operation of the production line in a manufacturing company as part of
assessing the risk of material misstatement in the valuation of work in progress (possibly to decide
whether it will be necessary to engage an expert).
• Observation – tests of controls
The auditor observes the procedures actually conducted by warehouse personnel when receiving goods
ordered.
[Diagram: Transactions → Accounting system and related control activities → Balances and Totals]
For example, when credit purchase transactions are processed through the accounting system the trade
creditors balance is increased as is the total on the purchases account. When creditors are paid, the
payment transactions are processed through the accounting system and the trade creditors balance is
decreased. The total of purchases remains unaffected, but the cash (bank) account balance is reduced.
When wage transactions are processed through the accounting system, the cash (bank) account balance is
reduced, and the wage expense total increased. Remember, as the transactions are recorded on source
documents and passed through the accounting system, they will be subjected to a range of control
activities. The conclusion that can be drawn is that if the accounting system and related control activities are
sound, the balances and totals produced will be sound. The auditor interested in the fair presentation of
balances and totals could test the accounting system and related control activities to determine whether
they produce reliable balances and totals. These tests are known as tests of controls.
5.4.2 Definitions
ISA 530 – Audit Sampling provides the following definitions:
• Audit sampling – involves applying audit procedures to less than 100% of the items within a population
of audit relevance such that all sampling units have a chance of selection to provide the auditor with a
reasonable basis on which to draw conclusions about the entire population.
• Anomaly – a misstatement or deviation that is demonstrably not representative of misstatements or
deviations in the population.
• Population – means the entire set of data from which a sample is selected and about which the auditor
wishes to draw conclusions. For example, all items included in an account balance or a class of
transactions are populations. A population may be divided into strata, or sub-populations, with each stratum
being examined separately.
• Sampling risk – the risk that the auditor’s conclusion based on a sample may be different from the
conclusion that would be reached if the entire population were subjected to the same audit procedure.
There are two types of sampling risk:
– the risk that the auditor will conclude, in the case of a test of controls, that controls are more
effective than they are, or in the case of tests of detail, that a material misstatement does not exist
when in fact it does. The auditor is primarily concerned with this type of erroneous conclusion
because it affects audit effectiveness and is more likely to lead to an inappropriate audit opinion, and
– the risk that the auditor will conclude, in the case of a test of controls, that controls are less effective
than they actually are, or in the case of tests of detail, that a material misstatement exists when in
fact it does not. This erroneous conclusion affects audit efficiency because it will usually lead to additional
audit work being carried out to establish that the initial conclusion was incorrect.
• Non-sampling risk – is the risk that the auditor arrives at an erroneous conclusion for any reason not
related to sampling risk, for example, because he has applied his sampling plan incorrectly, adopted an
inappropriate procedure or misunderstood the results of his sampling exercise.
• Sampling unit – means the individual items constituting a population, for example, credit entries on
bank statements, sales invoices listed in the sales journal, inventory line items, or individual debtors
balances in the debtors ledger.
• Statistical sampling – means any approach to sampling that has the following characteristics:
– random selection of a sample, and
– use of probability theory to evaluate sample results, including measurement of sampling risk.
A sampling approach that does not have these characteristics is considered non-statistical sampling.
• Stratification – is the process of dividing a population into subpopulations, each of which is a group of
sampling units that have similar characteristics (often monetary value), for example, debtors balances
from R1 to R10 000, R10 001 to R25 000, R25 001 to R50 000.
• Tolerable rate of deviation – a number or percentage of deviations from prescribed internal control
procedures set by the auditor. The auditor seeks to obtain an appropriate level of assurance that actual
deviations do not exceed the number/percentage set by the auditor in the population.
• Tolerable misstatement – a monetary amount set by the auditor in respect of which the auditor seeks to
obtain an appropriate level of assurance that the monetary amount set by the auditor is not exceeded by
the actual misstatement in the population.
In the first example from 5.4.6.1, a 90% confidence level would mean statistically that if 100 random
samples were selected, 90 of them would be expected to give a reliable representation of the extent to
which purchase journal entries are supported by GRNs, and 10 may not.
• Tolerable misstatement/tolerable rate of deviation: This is the maximum extent of “error” that the auditor
is willing to accept and still feel that the objective of the sampling procedure has been achieved. The
converse of this is the extent of misstatement or rate of deviation which the auditor decides is unacceptable
(which will lead to more extensive or alternative procedures). In the first 5.4.6.1 example, if the
auditor wishes to rely on a GRN supporting purchase journal entries (i.e., goods were received) he or
she must be sure that it happens in, say, 97% of cases. The tolerable deviation will then be 3%. In the
debtors example, the tolerable misstatement would be expressed in rand, for example, R10 000 of the
balance pertains perhaps to debtors for which the auditor cannot prove existence using the positive
circularisation procedure. The less deviation or misstatement the auditor is prepared to tolerate, the larger
the sample size.
• Expected misstatement/rate of deviation: Most sampling plans require an estimate of the expected “error
rate” to be made because the greater the anticipated misstatement/rate of deviation, the larger the sample
size will be in order to achieve sufficient assurance. The estimate is based either on past experience,
knowledge of the business or a pilot sample.
• The population size (the number of sampling units): Some sampling plans require that the population size
be known to arrive at the sample size, and other sampling plans do not. In our example, the population
will be every entry in the purchase journal, or every debtor in the debtors ledger. For very large
populations, variation in the size of the population has little, if any, effect on sample size.
Data analytics, which are discussed in chapter 8, can assist with sampling.
5.4.6.10 Evaluate
Once the sample result is projected over the population, it is compared to the tolerable deviation/misstatement.
The auditor then concludes on the sample in terms of his confidence level and precision if these
have been set. Should the results of a sampling exercise be unsatisfactory, the auditor may:
• request management to investigate the deviations/misstatements and the potential for further
deviations/misstatements, and to make any necessary adjustments, and/or
• modify planned audit procedures, for example in the case of a test of controls, the auditor might extend
the sample size, test an alternative control or modify related substantive procedures.
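The sample-size factors listed above (confidence level, tolerable and expected rate of deviation, population size) and the evaluation step in 5.4.6.10 can be worked through numerically for a test of controls. The Python below is an added example, not part of the original text: it assumes a binomial model (hypergeometric when a population size is given), which the text does not prescribe, and all function names are hypothetical; the 90% confidence level and 3% tolerable deviation are the figures used in the passage.

```python
"""Attribute sampling for a test of controls (added illustration).

Assumption: deviations follow a binomial distribution, or a hypergeometric
distribution when a population size is supplied. The model and the function
names are choices made for this example, not taken from the text.
"""
from math import ceil, comb


def prob_at_most(k, n, rate, population=None):
    """P(a sample of n shows <= k deviations) if the true deviation rate is `rate`."""
    if population is None:  # binomial: population treated as very large
        return sum(comb(n, i) * rate**i * (1 - rate) ** (n - i) for i in range(k + 1))
    bad = ceil(round(rate * population, 9))  # deviating items in the population
    good = population - bad
    hits = sum(comb(bad, i) * comb(good, n - i) for i in range(k + 1))
    return hits / comb(population, n)  # hypergeometric: no replacement


def sample_size(confidence, tolerable_rate, expected_rate=0.0,
                population=None, max_n=5000):
    """Smallest n for which a population deviating at the tolerable rate would
    show no more than the expected number of deviations with probability
    <= 1 - confidence (the risk of concluding controls are more effective
    than they are)."""
    risk = 1 - confidence
    limit = max_n if population is None else min(max_n, population)
    for n in range(1, limit + 1):
        allowed = ceil(round(expected_rate * n, 9))  # deviations expected in n items
        if prob_at_most(allowed, n, tolerable_rate, population) <= risk:
            return n
    raise ValueError("no sample size up to the limit gives the required confidence")


def upper_deviation_limit(n, deviations, confidence):
    """Projected upper deviation rate: the rate at which finding this few
    deviations in n items becomes as unlikely as 1 - confidence (bisection)."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if prob_at_most(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate(n, deviations, confidence, tolerable_rate):
    """Compare the projected upper limit with the tolerable rate of deviation."""
    limit = upper_deviation_limit(n, deviations, confidence)
    return limit, limit <= tolerable_rate


def demo():
    """Constructed scenario: purchase journal entries tested for a supporting GRN."""
    return {
        "base (90%, 3% tolerable)": sample_size(0.90, 0.03),
        "tighter tolerable rate (2%)": sample_size(0.90, 0.02),
        "higher confidence (95%)": sample_size(0.95, 0.03),
        "1% deviations expected": sample_size(0.90, 0.03, expected_rate=0.01),
        "population 1 000": sample_size(0.90, 0.03, population=1_000),
        "population 100 000": sample_size(0.90, 0.03, population=100_000),
        "population 1 000 000": sample_size(0.90, 0.03, population=1_000_000),
        "76 tested, 0 deviations": evaluate(76, 0, 0.90, 0.03),
        "76 tested, 1 deviation": evaluate(76, 1, 0.90, 0.03),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

A single deviation in the sample is enough to push the projected upper limit above the 3% tolerable rate, which is the unsatisfactory result that leads to the responses listed above.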
5.4.7 Conclusion
Sampling is an integral part of auditing. Although it has its limitations in the audit context, it is used
extensively on virtually every audit. Both statistical and non-statistical approaches are used, and both have their
place. Evidence obtained from sampling is not in itself complete and is persuasive rather than conclusive.
However, it is an important component in the process of gathering sufficient, appropriate evidence.
CHAPTER 6
An overview of the audit process
CONTENTS
6.2 Quality management for an audit of financial statements – ISA 220 (revised)
6.2.1 Leadership responsibilities for managing and achieving quality on audits
6.2.2 Ethical requirements, including those related to independence
6.2.3 Acceptance and continuance of client relationships and audit engagements
6.2.4 Engagement resources
6.2.5 Engagement performance
6.2.6 Consultation and differences of opinion
6.2.7 Engagement quality control review
6.2.8 Monitoring
6.6 Responding to assessed risk
6.6.1 Overall response at financial statement level
6.6.2 Audit procedures to respond to the assessed risk of material misstatement at the assertion level (further procedures)
6.6.3 Audit procedures carried out to satisfy the requirements of the ISAs (other procedures)
6.1 Introduction
This chapter and chapter 7 – Important elements of the audit process, are interrelated and should be
studied in conjunction with each other to obtain a solid understanding of the audit process.
Chapter 6 provides an overview of the audit process, and includes a reasonably comprehensive coverage
of some stages (or aspects of a stage) of the process, for example, preliminary engagement activities, whilst
chapter 7 provides a detailed discussion on the important elements of the audit process, for example,
materiality. This is not to suggest that those aspects covered in chapter 6 are not important, but rather that
the elements covered in chapter 7 require more detailed explanation.
Once you have an idea of what is involved overall, you will better understand how the detail fits in.
Remember that the auditor’s objective is to be in a position to form an opinion on whether the financial
statements fairly present, in all material respects, the financial position of the company at a particular point
in time, and the results of its operations for a period that ended at that point in time. The auditor goes
through a process to achieve this objective.
However, before considering the overview of the audit process it is necessary to gain an understanding of
ISA 220 that deals with quality management for an audit of financial statements. It is of utmost importance
that all stages of the process are carried out with a high level of competence and compliance with the
standards that are expected of a “professional” accountant. To ensure that this happens, audit firms are
required to put in place policies and procedures to ensure that the desired quality standards are achieved for
all aspects of the audit. Quality management is motivated not only by a need and desire to offer a highly
professional and meaningful service; performing quality audits is also the most effective safeguard for the
auditor against the risk of being sued for negligence by a client. Two statements are relevant here: ISA 220, and
ISQM1 – Quality management for firms that perform audits or reviews of financial statements, or other
assurance or related services engagements.
ISA 220 is summarised below; reference can be made to ISQM1 for expanded explanations. ISA 220
seeks to provide guidance on the specific responsibilities of firm personnel regarding quality control
procedures for audits. In effect the statement places a responsibility on the engagement partner and a collective
responsibility on the engagement team to conduct a quality audit within the context of the firm’s system of
quality management. Every team needs a captain to take charge, and in terms of ISA 220 the engagement
partner fulfils this role.
6.2 Quality management for an audit of financial statements – ISA 220 (revised)
6.2.1 Leadership responsibilities for managing and achieving quality on audits
The engagement partner (designated auditor – Auditing Profession Act of 2005 (APA)) is required to take
overall responsibility for managing and achieving quality on the audit engagement. The engagement
partner should also take responsibility for creating an environment that emphasises the firm’s culture (that
demonstrates a commitment to quality) and expected behaviour of engagement team members (by
communicating directly with the team members and by leading through example). It is expected of the
engagement partner to be sufficiently and appropriately involved from the planning phase to the concluding phase
of the audit to ensure that he/she can determine the appropriateness of significant judgements made and
conclusions reached, as it relates to the nature and circumstances of the audit (this can be achieved by
taking responsibility for, and varying, the nature, timing and extent of the direction and supervision of the
team and the review of their work).
In creating an environment as described above, the engagement partner should take responsibility for
actions being taken that reflect the firm’s commitment to quality. The engagement partner should also take
responsibility for setting the expectations for the engagement team’s behaviour and communicating the
expected behaviour. In doing this, the engagement partner should emphasise:
• that all engagement team members are responsible for contributing to the management and
achievement of quality
• the importance of professional ethics, values and attitudes
• the importance of open and robust communication within the engagement team, and supporting the
ability of engagement team members to raise concerns without fear of reprisal, and
• the importance of each engagement team member exercising professional scepticism throughout the
audit engagement.
Even when assigning certain aspects of the audit, such as the design or performance of procedures, to other
members of the engagement team, the engagement partner remains ultimately responsible for managing
and achieving quality on the audit through direction and supervision and review of their work.
• whether the engagement team has the competence and capabilities, including sufficient time, to perform
the engagement, and
• whether significant matters that have arisen during the current or previous engagement have
implications for continuing the engagement.
If the engagement partner obtains information that would have caused the firm to decline the audit
engagement had it had access to the information prior to accepting the engagement, the engagement partner
should convey the information to the firm so that appropriate action can be taken. The firm may have been
seriously misled by the directors as to the activities/operations of the company, a situation that is only
discovered once the audit is underway. For example, the company is involved in frequent and regular
illegal acts ranging from foreign exchange contraventions to the illegal import of counterfeit goods. In this
instance the auditor would be required to meet its duty under section 45 of the APA (Reportable
Irregularities), and would ultimately withdraw from the engagement.
6.2.5.1 Direction
The engagement partner directs the audit engagement by informing the members of the engagement team
of:
• their responsibilities (e.g., achieving quality, maintaining objectivity, adopting a suitable level of
professional scepticism, ethics, supervision etc.)
• the nature of the entity’s business
• the objectives of the work to be performed
• risk-related issues and potential problems, and
• the detailed audit strategy and audit plan.
6.2.5.2 Supervision
This includes the following:
• monitoring progress on the audit
• considering the capabilities and competence of the individual members of the team, whether they have
the necessary time, whether they understand their instructions and are carrying them out in accordance
with the audit strategy and plan
• addressing significant issues that arise on audit, and modifying the audit strategy and audit plan
appropriately
• identifying matters for consultation or consideration by more experienced members of the engagement
team
• providing coaching and on-the-job training to help engagement team members develop skills or
competencies, and
• creating an environment where engagement team members raise concerns without fear of reprisals.
6.2.5.3 Review
Review procedures are conducted on the basis that more experienced team members, including the
engagement partner, review the work performed by less experienced team members. A reviewer will consider
whether:
• the work has been performed in accordance with professional standards and regulatory and legal
requirements
• significant matters have been raised for further consideration
• appropriate consultations have taken place (and recommendations implemented and documented)
• there is a need to revise the nature, timing and extent of audit work
• the work performed supports the conclusions reached and is adequately documented
• the evidence obtained is sufficient and appropriate to support the auditor’s report, and
• the objectives of the audit procedures have been achieved.
Note: The engagement partner, in addition to his overall responsibility for the review process, must also
carry out timely reviews of specific matters such as:
• critical areas of judgement applied on the audit, and
• significant risks and responses thereto.
• obtain an understanding of the information communicated by the firm related to the firm’s monitoring
and remediation process, especially information related to deficiencies that may affect areas involving
significant judgements made by the engagement team
• discuss, with the engagement partner and members of the engagement team, significant matters and
significant judgements made in planning, performing and reporting on the engagement
• based on the information obtained, review selected engagement documentation relating to significant
judgements made and evaluate the basis for making those significant judgements, including the type of
engagement, the exercise of professional scepticism and whether the conclusions reached are
appropriate and supported by the documentation
• evaluate the engagement partner’s basis for concluding that relevant ethical requirements relating to
independence have been fulfilled
• evaluate whether appropriate consultation has taken place on difficult or contentious matters or matters
involving differences of opinion and the conclusions arising from those consultations
• evaluate the engagement partner’s basis for concluding that his/her involvement has been sufficient and
appropriate throughout the audit to allow for the engagement partner to be satisfied that the significant
judgements made and the conclusions reached are appropriate, given the nature and circumstances of
the engagement
• review, for audits of financial statements, the financial statements and the auditor’s report thereon,
including the description of key audit matters, and
• for review engagements, review the financial statements or financial information and the engagement
report thereon, or for other assurance and related services engagements, the engagement report, and
when applicable, the subject matter information.
6.2.8 Monitoring
Audit firms are required to put in place a process for monitoring and remediating their system of quality
management in order to provide information about the design, implementation and operation of the system
and to take appropriate actions to respond to identified deficiencies.
Note: This diagram should only be used to obtain an overview of the audit process. The stages of the audit
are not “stand alone units” and the activities within each stage do not always fit neatly into the
order presented. The different aspects or activities within planning are far more interrelated and
dependent on each other, than is reflected in the diagram and the order in which they occur is not as
clear cut.
For example, the audit strategy may change once risk assessment procedures have been carried out. Risk
assessment procedures cannot be planned until a materiality level has been set but the materiality level may
also change once the risk assessment procedures have been carried out, or even as they are being carried
out.
Even when carrying out planned procedures, the auditor might decide to change the plan to respond to
new information. Neither the audit strategy nor the audit plan is static; they will change as the audit
unfolds.
The above chart and brief narrative for each stage below should provide you with a basic understanding
of the audit process; the more detailed discussions that follow in the rest of chapter 6 and in chapter 7 will
then be placed in context.
• evaluating whether the firm is able to comply with the ethical requirements relating to the engagement,
(e.g., is there a threat to independence?), and
• establishing an understanding of the terms of the engagement including confirming that there is a
common understanding between the auditor and management, and those charged with governance, of
the terms of the audit engagement.
• respond specifically to assessed risk at assertion level by carrying out tests of controls and substantive tests
so as to gather sufficient, appropriate evidence that material misstatement has not gone undetected, and
• carry out those “other” procedures that are required to comply with the ISAs. Again these are not clearly
defined “stand alone” steps; they combine with and influence each other.
6.3.2 The role of the International Standards on Auditing (ISAs) in the audit process
South Africa has adopted the IFAC auditing standards (ISAs). The standards provide guidance on how the
audit process is to be conducted. The statements in which the standards are documented do not contain
detailed lists of procedures. They stipulate an objective and provide explanatory comment on how the
standard should be achieved. There are standards that are directly applicable to each stage of the audit, for
example, (this list is by no means exhaustive):
Preliminary stage:
    ISA 210 – Agreeing the terms of audit engagements
    ISA 220 – Quality management for an audit of financial statements
Planning stage:
    ISA 300 – Planning an audit of financial statements
    ISA 315 – Identifying and assessing the risks of material misstatement (revised)
    ISA 320 – Materiality in planning and performing an audit
Responding to risk stage:
    ISA 330 – The auditor’s responses to assessed risks
    ISA 500 – Audit Evidence
    ISA 530 – Audit Sampling
Concluding stage:
    ISA 450 – Evaluation of misstatements identified during the audit
    ISA 700 – Forming an opinion and reporting on financial statements
    ISA 705 – Modifications to the opinion in the independent auditor’s report
The important thing to remember about the ISAs is that they set the standards to which the auditor must
adhere. If an auditor is accused of being negligent in the performance of his duties, his best defence is to be
able to prove that he complied with the standards in an appropriate manner.
• the auditor obtains the agreement of management, that management acknowledges and understands its
responsibility:
– for the preparation and fair presentation of the financial statements in accordance with IFRS or IFRS
for SMEs, whichever is appropriate for the company
– for such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement whether due to fraud or error, and
– for providing the auditor with access to all information of which management is aware that is
relevant to the preparation of the financial statements such as records, documentation and other
matters, including additional information that the auditor may request from management for the
purposes of the audit, and unrestricted access to individuals within the company from whom the
auditor determines it necessary to obtain audit evidence.
• determine whether the firm is competent to perform the engagement. This will require an assessment of
whether the audit firm has:
– personnel who have knowledge of the client’s industry and the necessary experience of relevant
regulatory and reporting requirements
– the necessary technical skills and competence within the firm, or the necessary access to other
auditors or experts who do have the skills
– the necessary resources. For example, taking on a new client may mean that the audit firm has to
employ more staff, particularly at busy periods such as year-end. Computer resources may also be an
important consideration. Does the audit firm have sufficient hardware and software, as well as the
technical computer skills, to offer the service?
– the personnel necessary to perform quality control reviews, and
– the combined resources to meet the engagement reporting deadline, and
• determine whether the firm can comply with ethical requirements. This will require that the firm
evaluate whether:
– there are any (potential) conflicts of interest between the firm and the client, for example, a
prospective client and the audit firm offer the same services to the same market, for example, IT consulting,
software distribution
– there are any threats to the independence of the firm, the engagement partner and the audit team
(including external experts) and if adequate safeguards can be put in place to address any threats, and
– any other situations that might lead to contraventions of the Code of Professional Conduct by any
member of the audit team, for example, possible confidentiality threats where a prospective client is
in direct competition with an existing client.
not be entirely sure of what type of engagement is being undertaken. For example, the client may believe
that an audit engagement that will result in an opinion given in a positive form, is being carried out, when
in fact a review is being undertaken where a conclusion, expressed in a negative form, and not an opinion
will be given. Clients may believe that the objective of an audit is to detect fraud, whilst others may be
confused by terminology, for example, independent review, compilation engagement, agreed upon
procedure engagements and so on! This issue has in prior years been referred to as the “Expectation Gap”;
very simplistically this means that clients often do not understand what the audit, or other services being
rendered, are about and therefore expect certain assurances that they will not receive.
With the introduction of the “public interest score” concept there is likely to be more confusion on the
part of some private company and close corporation clients who don’t understand why they should have to
be audited or, in the case of a private company, whether they are being audited or independently reviewed.
ISA 210 – Agreeing the terms of audit engagements, establishes and provides guidance on the
“engagement letter standard” stating that “the auditor shall agree the terms of the audit engagement with management or
those charged with governance”. Note that this does not mean that the client negotiates with the auditor on
what to do or how to do it. It is the right and duty of the auditor to decide on how the audit will be
conducted. The ISA also states that the agreed terms of the audit engagement shall be recorded in an audit
engagement letter.
The engagement letter is not a case of “one document fits all”; audits differ in extent and complexity,
and have different terms and conditions. ISA 210 paragraphs 10, A23, A23a and A24 provide guidance on
what should be included in an engagement letter as well as additional matters that could be included
depending on the circumstances of the audit. The following matters (points (a) to (e)) as a minimum should
be included in the engagement letter:
(a) The objectives of the audit should be clearly stated, namely, to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement whether due to error
or fraud and to issue an auditor’s report that includes our opinion.
(b) The scope of the audit should be conveyed by identifying the financial statements on which the opinion
will be expressed and what they comprise, for example, statement of financial position, statement of
cash flows, etc. Reference may also be made to any legislation or regulations that may influence the
scope of the audit, for example, the Companies Act 2008 or the JSE requirements for the audit of
listed companies.
(c) The responsibilities of the auditor, including:
• a statement that the audit will be carried out in terms of the ISAs and that the ISAs require that the
auditor comply with ethical requirements and that professional judgement will be exercised and
professional scepticism will be maintained throughout the audit
• a statement that the audit is planned and performed to provide reasonable assurance about whether
the financial statements are free from material misstatement
• a broad description of the procedures conducted on an audit:
– identify and assess the risks of material misstatement (due to fraud or error)
– design and perform audit procedures responsive to those risks
– obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion
– obtain an understanding of the system of internal control relevant to the audit
– evaluate the appropriateness of accounting policies used and the reasonableness of accounting
estimates and related disclosures
– conclude on the appropriateness of management’s use of the going concern basis of accounting,
and
– evaluate the overall presentation structure and content of the financial statements including the
disclosures and whether the financial statements represent the underlying transactions and events
in a manner that achieves fair presentation
• an explanation that because of the inherent limitations of an audit together with the limitations of
internal control, there is an unavoidable risk that some material misstatements may remain undetected,
even though the audit is properly planned and performed in accordance with the ISAs
• a clear statement that whilst the auditor considers internal control in order to design audit
procedures, no opinion on the effectiveness of internal control is expressed but that weaknesses (significant
deficiencies) identified in internal control relevant to the audit will be communicated to
management, and
• in the case of the audit of a listed company, the auditor’s responsibility to communicate key audit
matters in the auditor’s report in accordance with ISA 701.
(d) The responsibilities of management, including a statement that the audit will be conducted on the basis
that management and those charged with governance acknowledge and understand that they are
responsible for:
• the preparation and fair presentation of the financial statements in terms of IFRS or IFRS for SMEs
• such internal control as they deem necessary to enable the preparation of financial statements that
are free from material misstatement
• providing the auditor with access to records, documents and other matters including additional
information the auditor might request as well as unrestricted access to individuals within the entity
from whom the auditors deem it necessary to obtain audit evidence
• providing access to all information of which management is aware that is relevant to the
preparation of the FS including information relevant to disclosures, and
• making available to the auditor draft financial statements including all information relevant to their
preparation, including all information relevant to the preparation of disclosures in time for the
auditor to complete the audit on schedule.
(e) Reference to the expected form and content of any reports to be issued by the auditor, for example, we
expect that the report to be issued will state that in our opinion the financial statements present fairly,
in all material respects, the financial position of the company at reporting date, and its financial
performance and cash flows for the year then ended in accordance with IFRS and the Companies Act
of South Africa. The report will be addressed to the shareholders and will contain an introductory
paragraph, a paragraph dealing with the directors’ responsibility for the financial statements and a
paragraph dealing with the auditor’s responsibility.
However, this reference must include a statement that there may be circumstances in which the form
and content of the report may need to be amended in the light of the audit findings.
The following matters may also be raised in the engagement letter (parts (f) to (j)):
(f) the auditor’s expectation of written confirmation of oral representations.
(g) arrangements regarding the planning and performance of the audit, including:
• the name of the designated auditor (s 44(1) of the APA) and the composition of the team for the audit
engagement
• important dates for meetings with key personnel
• inventory counts, and
• audit deadlines.
(h) acknowledgement by management that they will inform the auditor of facts that may affect the finan-
cial statements, of which management may become aware during the course of the audit and during
the period from the date of the auditor’s report to the date the financial statements are issued.
(i) when relevant, arrangements concerning the involvement of other parties in the audit, namely:
• other auditors
• experts
• internal auditors, and
• predecessor auditor.
(j) the basis of fee computation and any invoicing arrangements, for example, fees to be charged monthly.
The letter should conclude with a request to the client to sign and return an attached copy of the
engagement letter as an acknowledgement of, and agreement with, the arrangements for the audit and the
respective responsibilities of the auditor and management.
6.5 Planning
6.5.1 Introduction
ISA 300 – Planning an audit of financial statements, states that the objective of the auditor is to: “plan the
audit so that it will be performed in an effective manner”. This entails developing an audit strategy, supported by
an appropriate audit plan.
ISA 300 also requires that the engagement partner and other key members of the audit team be involved
in planning the audit, as their experience and insight will enhance the effectiveness and efficiency of the
planning process.
The importance of planning cannot be overemphasised:
• proper planning helps to ensure that appropriate attention is devoted to important areas of the audit, for
example, significant risks are identified and addressed
• potential problems are identified and resolved on a timely basis, for example, the client is implementing
new financial reporting systems that may disrupt the current audit
• a competent and capable audit team, including other parties, for example, experts, other auditors, who
may be required on the audit, is assembled
• work can be properly assigned to audit team members, so that:
– the audit is effectively and efficiently performed, and
– audit deadlines are met, and
• proper procedures for direction, supervision and review can be set up to meet quality control standards,
including to the extent they are applicable to component (other) auditors and experts.
As explained earlier in the discussion of the audit process, planning should not be seen as a “stand alone” stage of
the audit; neither the overall audit strategy nor the audit plan is static. As circumstances change on the audit, so
may the overall strategy and audit plan change. For example, unexpected problems encountered on the audit of
work-in-progress may necessitate engaging an expert, something that was not considered when the overall audit
strategy was formulated. This in turn may lead to more intensive audit procedures of a different nature being
carried out. In addition, as the current audit unfolds, planning for the following year’s audit should be underway
as a natural “by-product” of the audit being conducted.
(b) In formulating the audit strategy, key engagement team members should consider matters such as
those listed in 2.3 to 2.5 below (this list is not exhaustive and is for illustrative purposes; reference
should be made to ISA 300).
(c) Characteristics of the engagement that define its scope:
• the financial reporting standards on which the financial information to be audited has been
prepared
• the expected audit coverage, including the number and locations of components to be included, for
example, divisions, inventory storage locations
• the involvement of other auditors, for example, holding company auditors and their requirements
• the need for specialised knowledge of the client’s industry or reporting
• the availability of the work of internal auditors and the extent of the auditor’s potential reliance on
such work
• the effect of information technology on the audit procedures, including the availability of data and
the expected use of computer-assisted audit techniques, and
• whether the engagement includes the audit of consolidated financial statements.
(d) Matters that will affect the reporting objectives, timing of the audit and nature of communications:
• the company’s timetable for reporting, for example, interim and year-end financial reporting
deadlines
• the schedule of meetings with management and those charged with governance including the audit
committee, where applicable, to discuss the nature, extent and timing of the audit work
• the expected type and timing of reports to be issued, including the auditor’s report, management
letters and communications to those charged with governance
• communication with component (other) auditors, experts, internal audit, regarding the expected
types and timing of reports to be issued as a result of their work on the audit
• the size, complexity (e.g., complex manufacturing facilities) and number of locations of the client.
This will affect the timing of visits to the client, and
• the extent and complexity of computerisation at the client, for example, availability of data and
personnel for assistance with CAATs may also affect the timing of visits to the client.
(e) Matters that determine the focus of the engagement team’s effort and direction of the audit:
• materiality levels; stricter levels result in more audit work
• preliminary identification of areas where there may be a higher risk of material misstatement
• the presence of significant risks
• the impact of the assessed risk of material misstatement at the overall financial statement level on direction,
supervision and review, for example, high risk at financial statement level may require more
experienced staff to be assigned to the audit, and more intense supervision and reviews to be
conducted
• evidence of management’s commitment to the design and operation of sound internal control, for
example, strong commitment may equal more reliance by the auditor on internal controls
• the volume of transactions, that may determine whether it is more efficient for the auditor to rely on
internal control, and that may dictate the use of CAATs
• significant business developments affecting the entity that have recently occurred, including changes
in information technology, in key management, in industry regulations and in applicable
accounting standards
• changes in the accounting standards applicable to the company, and
• the process management uses to identify and prepare disclosures, including disclosures containing
information that is obtained from sources outside the general and subsidiary ledgers.
The initial audit strategy will be set by considering the points above, but do not forget that this
“preliminary” strategy will be influenced by the identification and assessment of the risk of material
misstatement at assertion level as well. This is because the auditor will learn much more about the
client when carrying out these identification and assessment procedures that in turn will enable him to
refine the audit strategy.
6.5.4 Materiality
As indicated above, the audit is geared towards identifying the risk of material misstatement. It follows
therefore, that before the audit strategy and particularly the audit plan can be developed, the auditor will
need to give some attention to determining “what is material” for the audit. For example, the audit team
cannot effectively plan procedures to identify and assess risk of material misstatement if they do not have
an idea about what is material. This is discussed in detail in chapter 7.
Of course information gathered will frequently relate to more than one assertion and part of the skill of a
good auditor will be the ability to link the information to the risk of material misstatement for all assertions
that may be affected. Also remember that information pertaining to the assessment of material risk at the
financial statement level may influence the assessment at assertion level. For example, if information
gathered suggests that management may be predisposed to manipulate the financial statements, the risk of
material misstatement relating to the occurrence of sales will increase because management could manipulate
the financial statements by including fictitious sales.
6.5.6.1 Some general observations relating to the nature, timing and extent of further audit
procedures
• The nature of an audit procedure relates to its purpose, i.e., test of controls or substantive, and its type,
(i.e., inspection, observation, inquiry, recalculation, re-performance, analytical procedure or external
confirmation).
• Tests of controls can only be carried out where the system is “worthy” of being tested, for example, if
the system by virtue of weaknesses in its design or implementation is not effective, there is little point in
testing it. There must be an expectation that controls are operating effectively before testing them.
• A single test of controls is virtually never sufficient. For example, observing a receiving clerk count goods
received and comparing the quantity to the supplier delivery note, only tells you that the control was
carried out on the occasions that you observed him. Once you leave the receiving bay, he may not carry
out the control procedure. Inquiry conducted in isolation will also provide insufficient evidence. Further
evidence that supports the response to the inquiry is required.
• If the auditor is trying to gain evidence about the effective functioning of controls over a period of time
(this is normally the case), tests of controls will have to be conducted at various times during the period.
It cannot be assumed that because controls were working effectively in April, they will be working
effectively in August. There are of course factors that may reduce the risk that controls are not working
effectively over time, for example:
– where there is a strong ongoing control environment
– extensive monitoring of controls has taken place during the period
– strong general controls, particularly in computerised systems, or
– minimal changes in the business have occurred.
• Irrespective of the assessed risk of material misstatement, the auditor must design and perform
substantive tests for each material class of transactions, account balance and disclosure. Tests of controls cannot,
in themselves, provide sufficient, appropriate evidence.
• Where significant risks (these are risks that require special audit consideration) are identified, the auditor
must perform substantive tests that specifically address the risk. These tests must include tests of detail
and cannot be purely analytical procedures.
• The auditor’s substantive procedures must include the following in respect of the financial statement
closing process:
– agreeing or reconciling the financial statements with the underlying accounting records, and
– examining material journal entries and other adjustments made during the course of preparing the
financial statements.
• The timing of tests is frequently dictated by key dates at the client and the objective of the test, for
example:
– a tight audit deadline may result in a comprehensive interim audit, supplemented by “roll forward”
tests
– the attendance at an inventory count is obviously determined by the date the client conducts the
year-end inventory count
– subsequent events can only be audited in the post-balance sheet period, and
– the availability of client IT staff may affect the timing of using computer assisted audit techniques
(CAATs).
• In general terms, a greater risk of material misstatement will result in more testing:
– where internal controls prove to be ineffective, the extent (and possibly the nature) of substantive
testing will increase
– the extent of testing is usually expressed in terms of sample size. Sample size can be determined by
professional judgement or more sophisticated statistical sampling plans, and
– the use of CAATs will usually enable the auditor to test far more extensively as a result of the power,
versatility and speed of computers and audit software.
• An effective audit plan will be a combination of tests of controls and substantive tests, as well as a mix
of the different types of test, for example, inspection, analytical review, etc.
• The chart that follows is an attempt to illustrate what the auditor might consider when deciding on the
nature, timing and extent of “further” audit procedures. Do not forget that many of the points raised in
paragraphs (a) to (e) under the overall audit strategy (par 6.5.2) on pages 6/15 and 6/16 will also have a
bearing on the nature, timing and extent of further audit procedures.
Developing an audit plan is not always straightforward, and the larger and more complex the client, the
harder it is. Professional judgement and experience will play a large part in blending tests of controls,
substantive testing and other ISA procedures into a plan that meets the standard, that is, “a plan which will
ensure the audit is performed in an effective manner so as to reduce audit risk to an acceptable level.”
6.6.2 Audit procedures to respond to the assessed risks of material misstatement at the
assertion level (further procedures)
Generally, these procedures will form the major part of any audit although some practitioners might argue
that planning takes up the major portion! They are the procedures to be carried out to respond to the risk of
material misstatement pertaining to the assertions. Remember that the assertions are the representations
applicable to the various account headings, classes of transaction and disclosures that underlie the financial
statements, for example, the valuation of inventory, plant and equipment, the existence of debtors, the
completeness of sales, the presentation of a contingent liability disclosure, etc. The auditor must respond to the
risks by getting the nature, timing and extent of tests of controls and substantive tests correct so as to reduce
the risk of material misstatement going undetected to an acceptable level, and ultimately reducing the risk
of expressing an inappropriate opinion. In other words, the auditor carries out further audit procedures
with the intention of reducing audit risk to an acceptable level.
This is the stage at which the auditor uses the major tools in his toolbox – tests of controls and
substantive tests, and it is perhaps useful to recall what these tests entail:
• Inspection: consists of examining records, documents (physical files or electronic storage media), or
tangible assets, for example, inspecting the minutes of directors’ meetings for evidence of the approval
of a major investment transaction, inspecting the client’s machinery for damage (impairment) or
existence.
• Observation: consists of looking at a process or procedure being performed by others, for example, the
observation by the auditor of the counting of inventories by the entity’s personnel or observing the
receiving clerk counting and checking goods being delivered to the company by a supplier.
• Inquiry: consists of seeking information from knowledgeable persons inside or outside the entity:
– inquiries may range from formal written enquiries addressed to third parties, to informal oral
enquiries addressed to persons inside the entity, for example, a receiving clerk may be asked what
controls are exercised when goods are received from a supplier.
• External confirmation: amounts to the obtaining of a direct written response to an enquiry to corroborate
(confirm) information contained in the accounting records, for example, the auditor may seek direct
confirmation of amounts owed, by communication with debtors.
• Recalculation: consists of checking the mathematical accuracy of documents or records or of performing
independent calculations, for example, checking that discounts have been correctly calculated on sales
invoices, or recalculating interest accrued.
• Analytical procedures: consist of the analysis of significant ratios and trends, including the resulting
investigation of fluctuations and relationships that are inconsistent with other relevant information or
that deviate from predicted amounts, for example, comparing the current ratio for the year under audit,
to the prior year current ratio, and seeking an explanation if there is a difference.
• Re-performance: is the auditor’s independent execution of procedures or controls that were originally
performed as part of the entity’s internal control, for example, re-performing the year-end bank
reconciliation.
In addition to ISA 500 – Audit Evidence, that describes the types of procedures available to gather evidence,
there are numerous statements that give guidance on the audit of specific matters; for example, how to
audit accounting estimates (ISA 540), and how to conduct analytical procedures (ISA 520). Remember the
objective is to gather sufficient (enough) appropriate (relevant and reliable) evidence to reduce the risk of
material misstatement remaining undetected in the account balances, classes of transactions and
disclosures that make up the financial statements, to an acceptable level. Combinations of procedures are
carried out and are often referred to by a collective name, for example, carrying out a debtors circularisation
to assist in verifying the existence of debtors, or conducting cut-off procedures on sales at year-end, to test
the assertions of occurrence and completeness.
Also bear in mind that the auditor must conduct substantive procedures related to the financial statement
closing process. The auditor will:
• agree or reconcile the financial statements with the underlying accounting records, and
• examine material journal entries and other adjustments made during the course of preparing the
financial statements.
6.6.3 Audit procedures carried out to satisfy the requirements of the ISAs (other
procedures)
You will recall that in terms of ISA 300, the audit plan must include (the nature, timing and extent of)
procedures that the auditor is required to carry out arising from the important need to comply with the
standards. These procedures do not arise directly from the risk assessment but may be linked to it. For
example, risk assessment procedures may reflect that there is no risk surrounding the going concern ability of
the company. This does not mean that the auditor can ignore ISA 570 – Going concern, and simply accept
that there is no going concern problem based on the risk assessment. The statement requires that the
auditor gather sufficient, appropriate evidence to support management’s decision to use the going concern
assumption in the preparation of the financial statements. Other standards that must be complied with are,
for example, ISA 260 and ISA 265, which deal with communicating with those charged with governance
and communicating deficiencies in internal control to the client.
• In terms of ISA 450, the auditor must document all misstatements in the work papers (audit
documentation) and must indicate whether they have been corrected. The auditor must also conclude on whether
uncorrected misstatements are material, individually or in aggregate. Misstatements that are clearly
trivial may be ignored.
• This work paper is often referred to as an “overs and unders” schedule. The figures on the schedule
should be supported by sufficient evidence for the manager or engagement partner to evaluate. Where
necessary, discussions with members of the audit team will be conducted.
• An important distinction has to be made between misstatements that have been specifically identified
and about which there is no doubt (factual misstatements), for example, the total cost of certain inventory
items has been incorrectly calculated, and those that, in the auditor's judgement, are likely to exist
(judgemental misstatements), for example, where estimation is involved such as allowances for inventory
obsolescence. Judgemental misstatements are differences that arise between management’s accounting
estimates and what the auditor considers a reasonable estimate to be, for example, management may
consider that an inventory obsolescence allowance of R500 000 is appropriate but the auditor thinks
that a reasonable allowance would be R750 000. The judgemental misstatement would be R250 000.
Similarly, a judgemental misstatement will arise where the auditor thinks that the selection or
application of a particular accounting policy by management is unreasonable or inappropriate. This only
applies where the accounting policy and its application are open to interpretation. Judgemental
misstatements include differences arising from the judgements of management in respect of presentation
and disclosure.
The differences between the amounts (and disclosures) that the auditor thinks would be reflected in the
financial statements if the appropriate policy was selected and applied, and the amounts and disclosures
that have been reflected will be the judgemental difference(s). If the selection or application is just plainly
wrong, it will be factual misstatement.
The third type of misstatement is termed projected misstatement. A projected misstatement is the auditor’s
best estimate of the amount of misstatement in a population based on the projection of the misstatement
found in a sample taken from that population.
It is important to distinguish between the different types of misstatement because the type of
misstatement will affect how the auditor will react:
• Where there is a factual misstatement, the auditor is on solid ground when requesting the client to make
adjustments to the financial statements and, if the adjustments are not made, when modifying the audit
report (qualifying the audit opinion).
• Where there is a judgemental misstatement, the auditor is on far less solid ground. The misstatement
has only arisen because there is an element of interpretation in the facts. The auditor cannot state
categorically that the directors are wrong! As a result the auditor may have to accept a measure of
compromise when requesting adjustment and will have to think very carefully about whether and how
to modify the report.
• Where there is a projected misstatement, the auditor may be in for an even harder time when requesting
amendments or qualifying the audit report. Projecting misstatement over a population based on a
sample can be a very subjective matter. If a proper statistical sampling method has been properly
applied it is less subjective, but there is still plenty of subjectivity in setting the parameters for the
sampling plan. A client is not going to be too happy with an auditor who says “we think, based on a
projection of our sample, that the inventory balance is overstated by R500 000”. The client is going to
want more hard evidence than that! So again the auditor will need to accept a measure of compromise
and think carefully about modifying the audit report.
• The materiality of the audit difference is a very important part of this evaluation. If an audit difference
is regarded as not material (leaving the misstatement uncorrected will not influence a user’s decision),
the auditor will not insist on adjustment being made but will still bring it to the attention of the client
who, of course, may choose to correct it.
Chapter 6: An overview of the audit process 6/25
7
Important elements of the audit process
CONTENTS
7.1 Understanding audit risk
7.1.1 Introduction
7.1.2 The inherent limitations of an audit
7.1.3 The link between audit risk and the audit process
7.1.4 The components of audit risk
7.4 The auditor’s responsibilities relating to fraud in an audit of financial statements
7.4.1 Introduction
7.4.2 Auditor’s objective
7.4.3 Terminology – Definitions (compiled from various sources in ISA 240)
7.4.4 Responsibility of management and those charged with governance
7.4.5 Responsibilities of the auditor
7.4.6 Responses to the risk of material misstatement due to fraud
7.4.7 Fraud risk factors
7.4.8 Communication with management, those charged with governance and others
7.4.9 Fraud and retention of clients
7.5 Consideration of laws and regulations in an audit of financial statements – ISA 250
7.5.1 Introduction
7.5.2 Important considerations
7.5.3 Auditor’s duties, responsibilities and procedures
7.5.4 Reporting of non-compliance
7.1.3 The link between audit risk and the audit process
The audit process is a combination of stages that the auditor goes through to be in a position to report on
whether the financial statements are fairly presented. As it is today, the audit process has been developed
over time by the profession in such a manner that if the process is followed, audit risk will be kept to an
acceptable level. The International Standards on Auditing (ISAs) direct the audit process so it follows that
compliance with the standards will result in audit risk being kept to an acceptable level. A clearer
understanding of audit risk will help to put the audit process into context.
• The possibility of circumvention of internal controls through the collusion of a member of management
or an employee, with parties inside or outside the entity.
• The possibility that a person responsible for exercising an internal control could abuse that
responsibility, for example, a member of management overriding an internal control.
• The possibility that procedures may become inadequate due to changes in conditions, and compliance
with control procedures may deteriorate (e.g., internal controls cannot handle a huge increase in sales).
It is not sufficient for the auditor simply to identify the presence of weaknesses in a client's system of
internal control; the important exercise is evaluating the effect that the identified weaknesses may have on
the financial statement assertions. To illustrate – your client, a wholesaler, routinely sells its products to
retailers on credit. The internal controls for credit sales are sound. However, over time, the practice of
selling to staff members and street hawkers for cash has crept in without adequate internal control activities
being formalised.
For example, at Gupta (Pty) Ltd, no specific cash sale documentation has been developed, cash is not
adequately recorded and regularly banked, and there is no segregation of duties between recording sales
and banking of cash. What assertions may be affected? The obvious ones are completeness of sales (are all
sales being accounted for?) and completeness of bank/cash on hand (is all the cash received being accounted
for?). Perhaps a less obvious assertion at risk is the completeness assertion for liabilities. If sales are not being
accounted for, profits will be misstated, and hence the liability to SARS for taxation will be understated.
7.1.4.4 Relationships between audit risk, inherent risk, control and detection risk and material
misstatement
• Audit risk and the risk of material misstatement are not the same thing. Diagrammatically we can illustrate
the difference as follows:
• The risk of material misstatement is made up of inherent risk and control risk, for example, the risk of
material misstatement will be highest where there is a high level of inherent risk relating to the assertion
and controls are weak. If controls are very strong (i.e., low control risk) and there is low inherent risk
relating to the assertion, then the risk of material misstatement relating to that assertion will be low.
Here it is important to note that when the auditor does not intend to test the operating effectiveness of
an entity’s controls, the risk of material misstatement will be equal to the assessment of the inherent
risk.
• Audit risk is a function of the risk of material misstatement and detection risk, for example, if there is a high
risk of material misstatement and the auditor does not respond with effective selection and application
of audit procedures, the risk of expressing an inappropriate audit opinion (audit risk) will be very high.
In other words, to keep audit risk to an acceptable level, the auditor must ensure that detection risk is
kept to a low level by sound planning, proper assignment of personnel to the audit team, proper
supervision, etc.
Think of it another way. If you evaluate inherent risk and control risk at your client as high, it means
that there is a strong possibility of material misstatement being present in the financial statements. As the
auditor, you must minimise the chance of expressing an inappropriate opinion on the financial statements,
in other words, you must reduce this risk (audit risk) to an acceptable level. How do you do that? The
answer is by adopting an appropriate audit strategy and plan and assigning the right staff to the audit team
(experienced and competent), having the audit team exercise professional scepticism and putting in place
proper supervision and review procedures – by doing these things you will be reducing the risk of failing to detect
the misstatements that you expect (due to the high inherent and control risk) to an acceptable level. As the
auditor, you have no control over inherent risk or control risk: inherent risk is “built-in” risk and internal
control is the responsibility of management. All you can do is to respond to these risks by reducing
detection risk. Unlike inherent and control risk, detection risk is controllable by the auditor.
• responding to the assessed risk of material misstatement, including performing further audit procedures,
to obtain sufficient, appropriate evidence, and
• evaluating the sufficiency and appropriateness of audit evidence obtained.
All of the above are fundamental to performing the audit but cannot be achieved without the auditor
having a thorough understanding of the entity.
7.2.2 Conditions and events that may indicate risks of material misstatement
The following list provides examples of conditions or events that may suggest to the auditor that there is a
risk of material misstatement in the financial statements under audit. Of course, such conditions or events
do not mean that there is a material misstatement, but instead there is a possibility of material
misstatement, that the auditor should consider. The list is not exhaustive.
1. The company’s operations are exposed to volatile markets and/or are subject to a higher degree of
complex regulation, for example, trading in futures.
2. Going concern and liquidity problems with the corresponding difficulty in raising finance.
3. Changes in the company such as a significant merger or reorganisation or retrenchments.
4. The existence of complex business arrangements such as joint ventures and other related party
structures.
5. Complex financing arrangements, for example, use of off-balance sheet finance and the formation of
special purpose entities.
6. Lack of appropriate accounting and financial reporting skills in the company.
7. Changes in key personnel, including the departure of key executives, for example, the financial
director.
8. Deficiencies in internal control.
9. Incentives for management and employees to engage in fraudulent financial reporting include unfair
remuneration structures, poor working conditions, and an autocratic environment.
10. Changes in the IT environment, including installations of significant IT systems related to financial
reporting, or a weakening of the IT control environment, particularly regarding security.
11. A significant number of non-routine or non-systematic transactions at year-end, for example,
inter-company transactions.
12. The introduction of new accounting pronouncements relevant to the company, for example, IFRS 15.
13. Accounting measurements that involve complex processes, events and transactions that involve
significant measurement uncertainty.
14. The omission or obscuring of significant information in disclosures as presented to the auditor.
15. Pending litigation and contingent liabilities, for example, sales warranties and financial guarantees.
7.2.3.4 Observation
The observation of “what’s going on” can provide a useful backdrop for understanding the client’s
operations.
For example:
• A guided tour of a company’s manufacturing plant will give the auditor a basic understanding of the
production process. This understanding will put the audit of plant and equipment, work in progress, the
allocation of production overheads, etc., into context.
• A tour of the company’s business premises, IT centre, warehousing facilities, will also contribute to a
better understanding of the client.
7.2.3.5 Inspection
Along with enquiry, inspection will be a major provider of information in understanding the entity. At this
stage of the audit, we are not carrying out a detailed inspection of “everyday” documents such as sales
invoices or purchase orders on which we may conduct further audit procedures (substantive tests of detail).
This is more likely to be a detailed review of the following kinds of documents:
• business plans and strategies
• internal control procedure manuals, flow charts, organisational charts
• management reports, minutes of board meetings and board committee meetings
7.2.3.8 Gaining the required understanding of the entity and its environment, including the
applicable financial reporting framework and the entity’s system of internal control
In terms of ISA 315 (revised 2019) the auditor must obtain an understanding of:
• the entity and its environment and the applicable financial reporting framework
ISA 315 (revised 2019) provides a basic framework as to what information should be gathered. This has
been used as a basis for the charts and narratives that follow:
• organisational structure, ownership and governance and business model, including the extent to which
the business model integrates the use of IT
• relevant industry, regulatory and other external factors
• measures used internally and externally to assess the entity’s financial performance
• the applicable financial reporting framework and the entity’s accounting policies and reasons for
changes thereto, and
• how, and to what degree, inherent risk factors affect exposure of assertions to misstatements.
7.2.4 The entity and its environment and the applicable financial reporting framework
7.2.4.1 Organisational structure, ownership, governance, and business model
Understanding an entity's organisational structure and ownership may enable the auditor to understand the
complexity and relationships within the structure and ownership. The auditor may use automated tools
and techniques to assist in the understanding of transaction flow and processing. As such, the auditor may
obtain information about the organisational structure of the entity or its vendors, customers or related
parties. The auditor should also obtain an understanding of an entity’s objectives, strategy and business
model. A business sets itself objectives and then puts strategies in place to achieve these objectives.
“Business risk” is the term used to describe those conditions, events, circumstances, actions or inactions
that threaten the company’s achievement of the objectives it has set and its ability to achieve them.
Business risk is broader than the risk of material misstatement of the financial statements; in other words,
business risk includes risks other than the risk of material misstatement. Many of the business risks may
increase the risk of material misstatement in the financial statements. Therefore, the auditor must be
familiar with the client’s objectives and strategies and evaluate whether they will increase the risk of
material misstatement. Consider the following (simplified) examples:
Example 1
Objective: Wearit (Pty) Ltd wishes to increase its market share.
Strategy: Increase sales by making the terms and conditions for granting credit to customers much less strict.
Business risk: Making sales on credit to customers who will not pay.
Potential material misstatement: Understatement of the allowance for bad debts, resulting in an overstatement of accounts receivable.

Example 2
Objective: Pills (Pty) Ltd wants to expand its health products business into the sports market.
Strategy: Import top quality, patented muscle growth and related products and advertise extensively.
Business risk: Increased product liability, over-estimation of demand, import regulation contraventions, for example, on foodstuffs.
Potential material misstatement: Under-provision for legal claims, overstatement of inventory value (no demand, or goods cannot be legally sold).
There are any number of business risks – the key is to have experienced audit team members who can
identify them and evaluate whether they will give rise to material misstatement. Some examples of matters
to be considered by the auditor concerning an entity’s organisational structure, ownership and governance,
and business model appear below.
7.2.4.4 The applicable financial reporting framework, and accounting policies and reasons for
changes thereto
Obtaining an understanding of the applicable financial reporting framework may assist the auditor to
identify inherent risk factors that affect the susceptibility of assertions about classes of transactions, account
balances or disclosures, to misstatement.
The auditor will need to consider whether the accounting policies selected by the client are:
• appropriate for the business, and
• consistent with the financial reporting standards relevant to the industry.
If the policies adopted do not satisfy the above, the risk of material misstatement is increased. Some
examples of matters to be considered by the auditor follow.
7.2.4.5 How, and to what degree, inherent risk factors affect the exposure of assertions to
misstatement
As discussed earlier, inherent risk factors (on their own or as a combination) increase the inherent risk to
varying degrees. Inherent risk may be higher or lower for different assertions. This is referred to as the
“spectrum of inherent risk” (ISA 315 (revised 2019)). Obtaining an understanding of the entity, its
environment, and its applicable financial reporting framework may assist the auditor in identifying inherent risk
factors that affect the susceptibility of assertions about classes of transactions, account balances or
disclosures, to misstatement. This understanding may enable the auditor to form a preliminary understanding
of the probability or extent of misstatements. Inherent risk arising due to complexity or subjectivity (often
linked to change or uncertainty) creates a greater need for the auditor to apply professional scepticism.
Furthermore, these risk factors may create an opportunity for intentional or unintentional management bias.
Some examples of matters to be considered by the auditor appear below.
Factor: Complexity
Matters to consider:
• operations that are subject to a high degree of complex regulation
• the existence of complex alliances and joint ventures
• accounting measurements that involve complex processes, and
• use of off-balance-sheet finance, special purpose entities, and other complex financing arrangements.

Factor: Subjectivity
Matters to consider:
• applicable financial reporting framework
• a wide range of possible measurement criteria of an accounting estimate (e.g., management’s recognition of depreciation or construction income and expenses), and
• management’s selection of a valuation technique or model for a non-current asset, such as investment properties.
For example, a creditors clerk whose function is to reconcile the creditors ledger accounts to the creditors
statements, and then take the reconciliation to the financial accountant to be checked before payment is
made, will soon not bother to reconcile properly, if at all, if he knows that the financial accountant does not
check the reconciliation before authorising the payment.
A good control environment will be characterised by:
• communication and enforcement of integrity and ethical values throughout the organisation
• a commitment by management to competent performance throughout the organisation
• a positive influence generated by those charged with governance of the entity, for example,
non-executive directors, the chairperson (i.e., do these individuals display integrity and ethical commitment, are
they independent, and are their actions and decisions appropriate?)
• a management philosophy and operating style that encompasses leadership, sound judgement, ethical
behaviour, etc.
• an organisational structure that provides a clear framework within which proper planning, execution,
control and review can take place
• policies, procedures and an organisational structure that clearly define authority, responsibility and
reporting relationships throughout the entity, and
• sound human resource policies and practices that result in the employment of competent, ethical staff,
provide training and development, fair compensation and benefits, promotion opportunities, etc.
Gathering of evidence relating to the control environment can be achieved by observation of management and
employees “in action”, including how they interact, inquiry of management and employees, for example,
union officials, and inspection of documents, for example, codes of conduct, organograms, staff
communications, records of dismissals, minutes of disciplinary hearings, etc. Obviously, as the client/auditor
relationship develops over time, it will become easier to understand and evaluate the control environment.
Generally, a strong control environment will be a positive factor when the auditor assesses the risk of
material misstatements. For example, the risk of fraud may be significantly reduced. A poor control
environment, or elements of the control environment that are poor, will have the opposite effect, for example,
the company may have excellent human resource policies, but may lack leadership and organisational
skills. Employees may be competent but management may have a “slack” attitude towards controls.
procedures that are described and carried out as control activities are a form of monitoring. For example, a
senior accountant inspects the monthly bank reconciliation carried out by his assistant to ensure that it has
been done, and done correctly. Monitoring as a component of the internal control process looks at all of the
components of the process, not only at the control activity component. For example, management’s
monitoring of disciplinary actions and warnings to employees relating to breaches of the company’s “code
of conduct” may indicate a decline in the control environment, and the ongoing monitoring of the
company’s poor performance on contracts may reveal that the risk assessment component is not effective.
In larger or more complex companies, internal audit departments usually contribute to the effective
monitoring of control activities, and the external auditor will frequently rely on work carried out by the
internal auditor. Monitoring will often take place at a subsequent stage.
For example, they may play back recorded sales transactions to confirm that telesales operators are
“following the rules”, or the IT manager might scrutinise the activity logs/exception reports on a weekly
basis. Information from outside the company can also provide meaningful insights into whether the
“system is working”, for example, monitoring complaints from customers will often give a good indication
of aspects of the business that are not functioning as required. Monitoring the number of bad debts over
time indicates whether creditworthiness checks are effective.
The auditor can obtain information about monitoring by inquiry of management and staff, working with
internal audit and inspecting documentation relating to a monitoring process or performance reviews.
The auditor should be mindful that computerised (IT) systems pose specific risks to an entity’s internal
control. Examples of such risks may include the following:
• A computer will process what is input and will do so in the manner in which it is programmed. If there
is an error in programming, that error will be repeated every time the relevant transaction is processed.
For example, if a programming error results in the VAT on sales being calculated on the selling price
plus VAT (e.g., 14% of 114%), and 5 000 invoices are processed, the computer will make the mistake
5 000 times.
• Unauthorised access to data can result in an instant and huge destruction or contamination of data, for
example, deletion of the debtors master file.
• IT personnel gaining access privileges they should not have, resulting in a breakdown of segregation of
duties, for example, a systems analyst gains access to the salaries master file and alters his salary.
• Unauthorised changes to data in master files, systems or programmes.
• Instantaneous processing of fraudulent transactions such as unauthorised EFTs that instantly move
money out of the company’s bank account.
• Potential denial of access to electronic data, for example, employees/customers cannot get into the
database because of system failure.
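The recalculation procedure applied to the VAT programming error in the first risk above, as an added illustration that is not part of the original text: every invoice's VAT is recomputed independently, and each exception is tagged by whether it carries the "VAT on VAT" signature, so a systematic programmed error stands out from one-off errors. The invoice field names, the rounding to the cent and the sample invoices are assumptions constructed for the example.

```python
"""Recalculation of VAT over an invoice file (added example, constructed data)."""
from decimal import Decimal, ROUND_HALF_UP

VAT_RATE = Decimal("0.14")   # the rate used in the text's illustration
CENT = Decimal("0.01")


def money(amount):
    """Round to the nearest cent (assumed rounding rule)."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def recalculate(invoices, rate=VAT_RATE, tolerance=CENT):
    """Recompute VAT per invoice and return every deviation found.

    An exception is tagged 'vat_on_vat' when the recorded VAT equals
    rate x (net + VAT), i.e. the programming error described in the text,
    and 'other' for any other difference (e.g. a keying error).
    """
    exceptions = []
    for inv in invoices:
        expected = money(inv["net"] * rate)
        difference = inv["vat"] - expected
        if abs(difference) <= tolerance:
            continue  # recorded VAT agrees with the auditor's figure
        compounded = money((inv["net"] + inv["net"] * rate) * rate)
        kind = "vat_on_vat" if abs(inv["vat"] - compounded) <= tolerance else "other"
        exceptions.append({
            "no": inv["no"],
            "recorded": inv["vat"],
            "expected": expected,
            "difference": difference,
            "kind": kind,
        })
    return exceptions


def summarise(invoices, exceptions):
    """Totals the auditor needs to judge whether the error is systematic."""
    systematic = [e for e in exceptions if e["kind"] == "vat_on_vat"]
    return {
        "tested": len(invoices),
        "exceptions": len(exceptions),
        "systematic": len(systematic),
        "other": len(exceptions) - len(systematic),
        "net_difference": sum((e["difference"] for e in exceptions), Decimal("0")),
        "every_invoice_affected": bool(invoices) and len(systematic) == len(invoices),
    }


# Constructed sample: four invoices processed by the faulty program, one
# correct invoice, and one invoice with an unrelated keying error.
SAMPLE_INVOICES = [
    {"no": "INV-001", "net": Decimal("100.00"), "vat": Decimal("15.96")},
    {"no": "INV-002", "net": Decimal("250.00"), "vat": Decimal("39.90")},
    {"no": "INV-003", "net": Decimal("1999.99"), "vat": Decimal("319.20")},
    {"no": "INV-004", "net": Decimal("80.50"), "vat": Decimal("12.85")},
    {"no": "INV-005", "net": Decimal("500.00"), "vat": Decimal("70.00")},
    {"no": "INV-006", "net": Decimal("300.00"), "vat": Decimal("24.00")},
]

if __name__ == "__main__":
    found = recalculate(SAMPLE_INVOICES)
    for e in found:
        print(e["no"], e["kind"], "recorded", e["recorded"],
              "expected", e["expected"], "difference", e["difference"])
    print(summarise(SAMPLE_INVOICES, found))
```

Because the fault is programmed, the systematic exceptions all differ from the expected figure by the same proportion of the net amount, which is what distinguishes them from the isolated keying error on the last invoice.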
The auditor should also be mindful that the information system as a whole, or elements of it, can be placed
at risk, by any of the following (among others):
• New employees who have a different understanding of, or attitude to internal control, for example, a
newly appointed IT manager has a less strict attitude to access controls than his predecessor.
• Rapid growth in the company that places severe strain on the controls, for example, a significant
increase in the demand for the company’s products has resulted in the company letting its credit-
worthiness checks lapse (so as not to lose sales) due to a lack of time and staff to carry out the checks.
Automated (programmed) controls relating to creditworthiness may be overridden permanently or
disabled.
• New technology that can lead to disruption of internal controls – introducing a network system may
result in data being lost or corrupted, or existing controls becoming inappropriate.
• Introducing new business models that may result in the existing internal controls being rendered
inadequate, for example, introducing sales over the Internet to a long-established (physical) retail
business may introduce problems in controls over banking, receipt and dispatch of goods, etc.
• Corporate restructuring may result in staff reductions, new lines of authority, etc., thereby jeopardising,
for example, division of duties and authorisation controls.
The auditor will have to carefully assess whether and how the changes affect the internal control objectives
and the potential for material misstatement.
Details of the information system (including the accounting system) can be gathered by:
• inspection (or creation) of flowcharts of the system, user manuals, etc.
• observation of the system in action, for example, what happens when a supplier delivers goods, what
documents are called up on-screen, what access controls are in place
• inquiry of client staff and the completion of internal control questionnaires
• discussions with prior year audit staff, management and possibly outsiders, for example, application soft-
ware suppliers
• discussions with internal audit staff and review of internal audit work papers
• inspection of exception reports, error reports, activity reports produced by the system, and
• tracing transactions through the information system, sometimes called “walkthrough” tests.
• physical control over assets, for example, restricting access to the warehouse
• comparison and reconciliation, for example, reconciling the bank account monthly
• access controls, for example, access tables, user profiles, IDs and passwords in a computerised environ-
ment
• custody controls over blank/unused documents, for example, order forms, credit notes
• good document design (to achieve accuracy and completeness of information), and
• sound general and automated application controls in IT systems (see chapters 8 and 9).
Information about control activities will usually be gathered in the same way as information about the
information system as a whole is gathered, for example, inspection of control procedure manuals, observation
of controls in action, inquiry of employees as to the procedures they carry out and the completion of
internal control questionnaires.
• Risk related to recent significant economic, accounting or other developments/changes, (the sugges-
tion here is that where there are new conditions at a client that the auditor considers may give rise to
a risk of material misstatement, the risk should be regarded as significant because the condition is
new). For example, a company finds itself in severe financial problems for the first time in its
history, to the extent that its going concern activity is seriously threatened.
• The complexity of the transactions (giving rise to the identified risk). For example, the audit client
commences trading in derivatives and the auditor considers that there is a risk of material misstate-
ment arising from the inappropriate application of the financial reporting standards relating to
derivatives. Due to the complexity of derivative transactions and the fact that trading in derivatives is
new to the company, this may be regarded as a significant risk.
• Risk that involves significant transactions with related parties. Because of the potential for non-
arm’s-length transactions occurring between the company and related parties, there may be a risk of
material misstatement of related party transactions, and where such transactions are material and
frequent, the risk should be regarded as significant.
• The degree of subjectivity in the measurement of the financial information related to the risk. The
greater the subjectivity, the more likely the risk will be significant. For example, the valuation of
plant and equipment for a large manufacturing company that has to account for numerous and
varied impairments of its plant and equipment at year-end, will probably present a significant risk.
• Risk that involves significant transactions that are outside the normal course of the business, or
otherwise appear unusual due to their size or nature. These transactions are unlikely to be subject to
the normal, everyday routine control activities associated with the company’s transactions and,
therefore may well result in a material misstatement. Material loans to directors or sale of some of
the company’s manufacturing equipment might be regarded as significant.
Remember that the reason for identifying and assessing the risk is so that the auditor can determine the
nature, timing and extent of further audit procedures. Grading the risks as higher or lower helps fine
tune the audit plan and respond appropriately. Before the actual determination of the response, the
auditor will obtain an understanding of the company’s controls relevant to the risk identified, as the
company’s controls will affect the auditor’s response. For example, suppose management recognises the
risk of material misstatement arising from related party transactions. In that case, they may have
already implemented strict control activities over these transactions, such as additional authorisation
requirements, monthly reports to the board on all such transactions, and sound procedures for identi-
fying related parties. From an audit perspective this is likely to reduce the “significance” of the risk
associated with related party transactions, but of course, will not eliminate it.
3. There is no unique set of procedures that the auditor carries out to respond to significant risks. By
definition, a significant risk is important and if it is inadequately addressed, could lead to material mis-
statement going undetected. It is logical, therefore, that the engagement partner would concentrate on:
• getting the composition of the audit team right concerning knowledge, experience and attitude (good
level of professional scepticism)
• carefully evaluating the full effect of the significant risk and how it may manifest itself. For example,
if the audit manager thinks that there is a significant risk that management may manipulate the
financial statements, he should consider very thoroughly how this could be done. Fictitious sales,
overstating inventory, making use of related parties, etc., are all methods of manipulating financial
information, and the audit team will need to respond to all these methods, and
• all assertions affected should be identified and the best quality evidence should be sought by the audit
team using normal audit procedures, such as inspection, confirmation, and enquiry.
account balances or disclosures are material if omitting, misstating or obscuring information about them
could reasonably be expected to influence the economic decisions of users taken on the basis of the finan-
cial statements as a whole”.
Note: This is only an illustrative example – other account headings/grouping may be used. Percentages
may also vary and may be presented as a range, for example, Turnover ½ to 1%. Benchmarks may also
vary considerably from industry to industry. For example, benchmarks that may be appropriate for an audit
at a supermarket company may not be appropriate for a company that runs hospitals, as the relationships
between account balances within the financial statements differ from industry to industry – a supermarket
company will have very high turnover and low profit margins, while hospital companies may have lower
turnover but higher profit margins.
Perhaps the most important point to make here is that the vast majority of misstatements affect the
comprehensive statement of income and the statement of financial position but can be material to one and
not to the other.
For example, a company has total assets of R3 000 000 and net income before tax of R250 000. An error
in the calculation of depreciation has resulted in an overstatement of fixed assets of R40 000. If the above
percentages are used, this misstatement would not be material relative to the guideline for total assets (3% of
R3m) but would be material relative to the guidelines for net profit before tax (5% of R250 000).
For this reason, most auditing firms will use net income before tax as the base to measure the materiality
of the misstatement, particularly because net income before tax is an important figure for most users.
It is interesting to note that ISA 320 recognises the use of benchmarks but does not prescribe any percent-
ages to be used in setting materiality levels. This serves to emphasise the subjectivity surrounding the
concept and the need to use professional judgement.
Qualitative (subjective; conclusions; unstructured data)
Refers to the nature of a transaction or amount and includes many financial and non-financial items
that, independent of the amount, may influence the decisions of a user of the financial statements.
If users of The Zed Company Ltd’s financial statements insisted that no amount of misstatement was
acceptable in the inventory balance, we would have a materiality level of 0 (zero). To satisfy the users that
there were no misstatements in inventory, we would have to count and price every single inventory item
and ensure that every item was saleable at above cost, and in perfect condition. We would also have to
ensure that every single item of inventory purchased or sold has been accounted for, and so on. Of course,
this is a highly theoretical situation, but it illustrates the point that the extent of audit work would be huge
(extent), every kind of audit procedure would have to be used (nature) and we would take all year to do the
audit (timing)! The cost of the audit would be astronomical. It is an impossible situation.
If the users had decided that they would accept R250 000 of misstatement, it follows that we could test
less extensively. This is because even if R250 000 of misstatement is present but is not identified, users will
not be concerned, as misstatement of up to R250 000 will not influence their decisions. Based on this
premise, if users had decided that R2 500 000 or R5 000 000 of misstatement was acceptable, we could test
even less. The difficulty is that users do not conveniently inform the auditors of what amount of mis-
statement is acceptable – that is left to professional judgement!
Also, just a reminder – performance materiality levels take into account the fact that we test for misstate-
ment that in aggregate might exceed the planning materiality level. Performance materiality will be a lower
amount than planning materiality.
It does not end there – we must also remember that an error in inventory is not going to be confined to
one account balance only and could result in material misstatement elsewhere in the financial statements.
Take net profit before tax as an example. To illustrate the point very clearly, The Zed Company Ltd
made a net profit before tax of only R2 604 000 in the year 0002 (and a loss in year 0001), so a misstate-
ment in inventory of R2 500 000 or R5 000 000 would have a significant effect on net profit before tax and
the financial statements as a whole, even though the misstatement is a small percentage of current and total
assets. Expressed another way, a misstatement of R2 500 000, that affects both inventory and net profit
before tax could not be regarded as immaterial as it has a significant effect on the company’s profit despite
being “not material” to the inventory balance.
7.3.4.2 Misstatements
• ISA 450 defines a misstatement as “a difference between the reported amount, classification, presenta-
tion or disclosure of a financial statement item and the amount, classification, presentation or disclosure
that is required for the item to be in accordance with the applicable accounting framework”.
• Misstatements (errors) may arise from:
– an inaccuracy in gathering or processing data
– an omission of an amount or disclosure (including inadequate or incomplete disclosure)
– an incorrect accounting estimate arising from overlooking, or clear misrepresentation of, facts
– judgements of management concerning accounting estimates that the auditor considers unreasonable
or the selection of accounting policies that the auditor considers inappropriate
– an inappropriate classification, aggregation or disaggregation of information, or
– an omission of a disclosure that is necessary for the financial statements to achieve fair presentation
but that is not specifically required by the accounting framework adopted for the presentation of the
financial statements.
• Misstatements can arise from error (as described above) or from fraud, which is dealt with later in this
chapter.
• ISA 450 requires that the auditor accumulate (record) all misstatements identified on the audit unless
they are clearly trivial. Clearly trivial should be taken to mean that the misstatement is very small,
insignificant and inconsequential. “Clearly trivial” is not another phrase for not material; because a
misstatement falls below the materiality level it does not mean it is automatically regarded as trivial and
therefore not part of the accumulation of misstatements.
• Uncorrected misstatements are misstatements that the auditor has accumulated during the audit but
that have not been corrected by the client.
(a) Analyse and project the errors in the sample over the population sampled
If a statistical basis has been used for selecting the sample, the appropriate statistical method for projecting
the error in the sample over the population, will be used. Most often however, auditing firms use a propor-
tional projection method, for example:
(error value in sample ÷ total value of sample) × total value of population
to obtain an idea of the extent to which the population is misstated.
Whatever method of projection is used, if the projected misstatement for the population is unacceptable,
the auditor must:
(b) Decide whether the audit team should carry out further tests, or whether the client should be
asked to check the population in detail for other errors
After this process has been completed, the auditor must:
(c) Discuss all misstatements with management in an attempt to have them rectified
If management refuses to correct misstatements, the auditor is left with what are termed, uncorrected mis-
statements (commonly referred to as unresolved audit differences), and it is at this point that final mater-
iality comes into play. The auditor must now decide whether the uncorrected misstatements are immater-
ial, (i.e., their presence will not influence a user's decision), or whether they are material. If they are
material, failure to correct them will result in financial statements that contain more misstatement than is
acceptable, (i.e., some aspects of the financial statements are not “presented fairly”), and the auditor will
have to modify the audit opinion. Making this decision is not just a matter of deciding that final materiality
will be equal to planning materiality and that any errors over the planning materiality level will be material.
There are several factors to be considered at the evaluation stage. These are discussed in (d) below. At this
point you may be asking yourself why management might not want to correct all misstatement. Most often,
they will, but sometimes they will not. The reasons for this are that management may:
• disagree that there is a misstatement; for example, the client genuinely believes that its estimation of
inventory obsolescence is fair but the auditor thinks it is too low
• not regard the misstatement as material; that is, management does not believe that leaving the misstate-
ment uncorrected will influence a user’s decision
• have ulterior motives; for example, the directors wish to achieve particular ratios based on figures in the
financial statements. If corrections that the auditor requests are made, the ratios that management
wishes to achieve, will not be reflected
• regard it as “too much hassle” to make the changes; for example, the adjustment would mean changing the
income statement, statement of financial position, consolidation, supporting schedules, etc., or
• be unconcerned about receiving a qualified audit opinion.
strong ground if he decides to qualify the audit opinion. Where it is a judgemental or projected misstate-
ment, the auditor will have to be less forceful and open to further discussion and negotiation with
regard to insisting on correction and qualifying the report, because of the error’s subjective nature.
• When evaluating the effect of uncorrected misstatement ISA 450 requires that:
– each individual misstatement of an amount be considered to evaluate its effect on the relevant classes
of transactions, account balances or disclosures, including whether the materiality level for that
particular class of transactions, account balance or disclosure, if any, has been exceeded.
– each individual misstatement of a qualitative disclosure is considered to evaluate its effect on the rele-
vant disclosures, and on the financial statements as a whole. The evaluation of the effect of a
qualitative disclosure misstatement is a matter of professional judgement.
• Offsetting uncorrected misstatements against each other – it is theoretically unsound to offset uncorrected
misstatements against each other to reduce the “effect” of misstatements.
For example, a material misstatement that results in an overstatement of say, R100 000 in inventory
should not be offset against an understatement of say, R120 000 in accounts receivable (or an
overstatement of accounts payable) to reduce the “misstatements” to a net of R20 000. Likewise, as
indicated in ISA 450, if revenue has been materially overstated, the financial statements as a whole will
be materially misstated, even if the effect of the misstatement on earnings has been completely offset by
an equivalent overstatement of expenses.
• Circumstances related to some misstatements may cause the auditor to evaluate them as material even if
they are lower than materiality for the financial statements as a whole. Circumstances that may affect
the evaluation include the extent to which the misstatement:
– affects compliance with regulatory requirements, for example, the misstatement or omission of amounts
relating to directors’ remuneration may be regarded as material even though the amounts are below
the materiality level
– affects compliance with debt covenants or other contractual requirements, for example, an uncorrected
misstatement in inventory may not be material in terms of the materiality level but may affect
compliance with a requirement (covenant) in a loan contract that inventory does not exceed a certain
amount or percentage of current assets
– impacts on ratios or trends that are “popular” with users of the financial statements in evaluating the
entity’s financial position, results of operations or cash flows, for example, earnings per share
– has the effect of increasing management earnings, for example, a company may pay its management a
bonus based on net profit, before taxation. Therefore, all misstatements that affect net profit before
tax that remain uncorrected will also affect management’s bonuses. Even though management may
be reluctant to correct such misstatements, the auditor may “insist” upon the correction of such
misstatements even though they are not quantitatively material. Bonuses paid to management should
be as accurate as possible
– relates to items involving particular parties, for example, contracts entered into by the company in
which a director has a financial interest, should be disclosed. If the company omits this disclosure,
the auditor cannot disregard this misstatement because the value of the contract is below the
materiality level, and
– reflects a level of dishonesty by the directors, for example, if the materiality level is R100 000 for the
accounts receivable balance and the auditor discovers that an unauthorised loan of R75 000 to a
director has been “hidden” in the accounts receivable balance, the auditor cannot regard this as an
immaterial misstatement because it is below the materiality level of R100 000.
The list of circumstances given above is not exhaustive. However, it is sufficient to illustrate that
when evaluating the effect of uncorrected misstatements on the financial statements, both quan-
titative and qualitative factors must be considered by the auditor.
• Misstatements should not be considered in isolation – although each individual misstatement is considered
to evaluate its effect on the relevant classes of transactions, account balances or disclosures, misstate-
ments must be aggregated (added together) for evaluation purposes. Remember that an individual
misstatement in say, inventory may be below the materiality level but when added to other individual
misstatements that are also below the materiality level, the aggregate misstatement may be above the
materiality level. Similarly, if misstatements are being measured against a materiality level for total
assets, then the aggregate (total) of uncorrected misstatements relating to account balances making up
total assets must be used for evaluation purposes.
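The evaluation steps described above (proportional projection, accumulating everything that is not clearly trivial, no offsetting, qualitative circumstances and aggregation) can be put together in one schedule. This is an added example, not part of the original text: the function names, the clearly trivial threshold of R5 000 and the overall materiality of R150 000 are assumptions, gross (unsigned) aggregation is this example's way of applying the no-offsetting point, and the schedule itself is constructed from the amounts used in the text's examples.

```python
from typing import NamedTuple


class Misstatement(NamedTuple):
    account: str
    amount: int             # rand; + is an overstatement, - an understatement
    kind: str = "factual"   # factual, judgemental or projected
    qualitative: str = ""   # why it matters regardless of size, if it does


def project(sample_error, sample_value, population_value):
    """Proportional projection of a sample error over the population."""
    if sample_value <= 0:
        raise ValueError("sample value must be positive")
    return round(sample_error * population_value / sample_value)


def evaluate(items, account_materiality, overall_materiality, clearly_trivial):
    """Evaluate uncorrected misstatements against materiality.

    Amounts are aggregated gross, so an overstatement in one balance is
    never offset against an understatement in another.
    """
    # "Clearly trivial" is far below materiality; anything above it, or
    # anything with a qualitative flag, stays on the schedule.
    accumulated = [m for m in items
                   if abs(m.amount) > clearly_trivial or m.qualitative]

    gross_by_account = {}
    for m in accumulated:
        gross_by_account[m.account] = (
            gross_by_account.get(m.account, 0) + abs(m.amount))

    reasons = []
    for account, gross in sorted(gross_by_account.items()):
        limit = account_materiality.get(account, overall_materiality)
        if gross > limit:
            reasons.append(
                f"{account}: R{gross:,} exceeds materiality of R{limit:,}")

    gross_total = sum(gross_by_account.values())
    if gross_total > overall_materiality:
        reasons.append(
            f"aggregate: R{gross_total:,} exceeds overall materiality "
            f"of R{overall_materiality:,}")

    for m in accumulated:
        if m.qualitative:
            reasons.append(
                f"{m.account}: R{abs(m.amount):,} material by nature "
                f"({m.qualitative})")

    return {
        "accumulated": len(accumulated),
        "net_total": sum(m.amount for m in accumulated),
        "gross_total": gross_total,
        "material": bool(reasons),
        "reasons": reasons,
    }


# Constructed schedule using the amounts from the text's examples.
SCHEDULE = [
    Misstatement("inventory", 100_000),
    Misstatement("accounts receivable", -120_000),
    Misstatement("accounts receivable", 75_000,
                 qualitative="unauthorised director loan hidden in balance"),
    Misstatement("trade payables", project(4_000, 200_000, 1_500_000),
                 kind="projected"),
    Misstatement("sundry", 300),  # clearly trivial, not accumulated
]

if __name__ == "__main__":
    outcome = evaluate(SCHEDULE, {"accounts receivable": 100_000},
                       overall_materiality=150_000, clearly_trivial=5_000)
    for line in outcome["reasons"]:
        print(line)
    print("net:", outcome["net_total"], "gross:", outcome["gross_total"])
```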
7.3.5 Conclusion
No magic formula tells the auditor what the planning and performance materiality levels should be or how
uncorrected misstatement should be evaluated. It is a matter of judging the circumstances of each client
separately. You will undoubtedly feel uneasy with this topic, but this is not surprising – understanding the
concept is straightforward, its application less so. The entire question of “what is material” and “how
should it be addressed” causes most practitioners some concern, and it is only years of experience that
build confidence and improve professional judgement.
• Management fraud. This term relates to fraud involving one or more members of management or those
charged with governance.
• Employee fraud. This term relates to fraud involving only employees, not management or those charged
with governance.
• Fraudulent financial reporting. Fraudulent financial reporting involves intentional misstatements,
including omissions, in financial statements to deceive financial statement users, for example, the
directors deliberately understate the liabilities and overstate the assets of their company to secure a loan
from a bank, or they manipulate earnings either to reduce taxation or increase their own performance-
based remuneration. Fraudulent financial reporting, that will normally be perpetrated by management
or those charged with governance, may be accomplished by the following:
– Manipulation, falsification or alteration of the accounting records or supporting documentation underlying the
financial records.
For example:
o changing the balance on a debtors account to reflect a higher value
o inflating the cost price of inventories, or
o including fictitious sales.
– Misrepresentation in, or intentional omission from the financial statements, of events, transactions or other
significant information.
For example:
o omitting a significant contingent liability from the notes
o underproviding or failing to provide at all for known future losses, or
o failing to reflect the sale of material assets.
– Intentional misapplication of accounting principles to amounts, classification, manner of presentation or dis-
closure.
For example:
o failing to capitalise finance leases, or
o intentionally using an inappropriate policy for revenue recognition to inflate profits.
– Management override (particularly where controls appear to be operating effectively). Fraud can be committed
by management overriding controls using techniques such as intentionally:
o recording fictitious journal entries to manipulate operating results or other balances, for example,
raising fictitious sales by journal entry
o inappropriately adjusting assumptions or changing judgements used to estimate account balances,
for example, understating asset impairments
o omitting, advancing or delaying recognition of events and transactions at reporting date, for
example, recognising profits on a long-term contract prematurely
o omitting, obscuring or misstating disclosures required by the applicable financial reporting frame-
work, or disclosures that are necessary to achieve fair presentation
o concealing facts that could affect the amounts recorded in the financial statements, for example,
remaining silent about a major debtor who has been placed in liquidation
o engaging in complex transactions structured to misrepresent the financial performance or position
of the company, for example, manipulating intercompany balances (in a group) to “reallocate”
profits earned by the related companies, and
o altering records and terms relating to significant or unusual transactions.
• Misappropriation of assets. This involves the theft of an entity’s assets and may be perpetrated by employ-
ees or management. It is harder for the auditor to detect where management is involved, as it is easy for
management to conceal or disguise the misappropriation. Misappropriation would include:
– Embezzlement
For example:
o stealing cash sales, and
o stealing receipts from debtors (and writing off the debtor as bad).
– Theft of physical assets or intellectual property
For example:
o stealing inventory for personal use or sale, or
o selling the company’s trade secrets to a competitor.
– Causing the entity to pay for goods and services not received
For example:
o paying wages to fictitious (dummy) employees or
o making payments to a (fictitious) company set up by management for goods that are never
received.
– Using the company’s assets for personal use
For example:
o hiring out the company’s equipment at weekends and keeping the fees charged or using the
entity’s assets as collateral (security) for a personal loan.
The distinguishing feature between fraud and error is intention. In a sense, errors are made in “good faith”
while fraud is in “bad faith”: there is an intention to misrepresent and thereby cause prejudice to some
party. Although the distinguishing feature is intention, it is not always easy for the auditor to determine
the intention of the directors. This is particularly true where there is a high level of subjectivity involved
in the financial statement item in which the suspected misrepresentation has taken place, for example,
an estimate, or where there are options, for example, a range of possible accounting policies that could
be adopted and that produce different results. There is no definite or conclusive way of determining
intention, but obviously, the auditor’s assessment of the integrity of management will be an important
consideration.
of a holding company that demands high levels of performance. Your client’s management may be
tempted into adopting dubious business practices and manipulating financial reports in an attempt to
meet performance targets and avoid losing their jobs.
(b) Facilitate the discussion of a client’s susceptibility to material misstatement due to fraud, amongst the
audit team.
Discussing the susceptibility of the entity’s financial statements to material misstatement due to fraud:
• provides an opportunity for more experienced members of the engagement team to provide insight
as to how and where the financial statements may be susceptible to material misstatement due to
fraud
• assists the auditor to consider an appropriate response to points raised by the experienced members
of the team and to decide on which members of the team will conduct the relevant audit
procedures, and
• enables the auditor to determine how the audit team will use the results of such audit procedures
and deal with any allegations of fraud that may come to the auditor’s attention.
The discussions with the audit team may include such matters as:
• an exchange of ideas about how and where the company’s financial statements (including
disclosures) may be susceptible to material misstatement due to fraud
• how management could perpetrate and conceal fraudulent financial reporting and how assets could
be misappropriated
• circumstances that may be indicative of earnings management and the practices that management
might follow to manage earnings that could lead to fraudulent financial reporting, for
example, manipulating sales cut-off
• the risk that management may attempt to present disclosures in a manner that may obscure a proper
understanding of the matter by, for example, using confusing and over-technical language
• any internal or external factors (known to, or suspected by, members of the team) that may:
– create an incentive or pressure for management to commit fraud
– provide an opportunity for fraud to be perpetrated, or
– indicate a culture or environment that enables management or others to rationalise committing
fraud, for example, a disgruntled management team at odds with the board
• management’s involvement in overseeing employees with access to cash or other assets susceptible
to theft
• any unusual or unexplained changes in behaviour or lifestyle of management or employees that have
come to the notice of the engagement team, for example, formerly co-operative members of
management who have become uncooperative
• the need for team members to exercise professional scepticism
• the types of circumstances that, if encountered, might indicate the possibility of fraud, for example,
evasiveness in responding to questions put to employees, domineering management behaviour
• how to incorporate an element of unpredictability into the nature, timing and extent of the audit
procedures to be performed, for example, carrying out procedures that are not expected, at a time
that they are not expected, such as a surprise, random inventory count of selected items
• the most effective audit procedures to conduct in response to the suspicion/susceptibility of fraud
• any allegations of fraud that may have come to the auditor’s attention, and
• the risk of management override of controls.
(c) Conduct risk assessment procedures and related activities.
• When obtaining an understanding of the entity and its environment (ISA 315 (revised)), the auditor
should enquire of management as to:
– its assessment of the risk that the financial statements will be materially misstated due to fraud
– its processes for identifying and responding to the risks of fraud including details of any fraud
already identified (or that management considers likely)
– its processes for responding to alleged fraud: for example, a supplier notifies management that
one of the company’s buyers is taking kickbacks from other suppliers, what action is taken
– its communication with those charged with governance regarding the identification of, and
response to, fraud, and
– how management communicates its stance on ethical behaviour to employees.
• The auditor should make enquiries of management, those charged with governance, internal audit
and others in the organisation (e.g., in-house legal counsel, the ethics officer, human resource
manager, operating personnel not directly involved in financial reporting) to determine whether
they know of any actual, suspected or alleged fraud.
• The auditor should obtain an understanding of how those charged with governance exercise their
responsibility to oversee management’s processes for identifying and responding to the risk of fraud
by:
– attending meetings at which such matters are addressed
– reading minutes of such meetings, and
– direct enquiry of those charged with governance.
• The auditor should consider unusual or unexpected relationships when performing analytical
procedures to obtain an understanding of the entity and its environment, for example, unexpected
fluctuations in the gross profit percentage ratio may indicate fraudulent misstatements of the figures
used in calculating the ratio, for example, inclusion of fictitious sales, overstatement of closing
inventory, etc.
• The auditor should consider information from other related activities, for example, information
obtained at an interim audit, while conducting preliminary engagement activities.
• The auditor should consider whether the information gained when obtaining an understanding of
the entity and its environment indicates that one or more fraud risk factors are present (see fraud risk
factors below).
(d) Identify and assess the risk of material misstatement due to fraud at financial statement level and at
assertion (account balance/transaction/disclosure) level.
(e) Determine an overall (audit) response to address the risk of material misstatement due to fraud at
financial statement level and assertion level.
• review accounting estimates for biases that could result in material misstatement due to fraud, for
example, deliberate understatement of allowances such as obsolete inventory, bad debts,
depreciation/impairment, to intentionally manipulate earnings figures. Consider with professional scepticism any
changes to assumptions used in estimating account balances
• obtain an understanding of the business reasons of significant transactions outside of the normal course
of the company’s business, or that otherwise appear to be unusual, for example, the company suddenly
purchases another company that manufactures a completely different and unrelated product to that
which the company itself manufactures
• pay careful attention to the completeness, relevance, accuracy and understandability of material
disclosures to identify any omission, obscuring or misstating disclosures required by the financial
reporting framework or that are required to achieve fair presentation.
Other
• Unwillingness by management to permit the auditor to meet privately with those charged with
governance
• changes in accounting estimates that do not appear to result from changed circumstances, and
• tolerance of violations of the entity’s code of conduct.
Note: The auditor will also consider whether an identified misstatement (not initially thought to be fraud)
is in fact fraud. In effect this will be an assessment of whether the misstatement is intentional. If so,
the auditor should consider the effect of this (fraud) on the rest of the audit, especially other
representations made by management.
(b) Opportunities
These factors are examples of conditions/situations that provide the opportunity for management to
engage in fraudulent financial reporting:
• The nature of the industry or the entity’s operations
– significant related-party transactions particularly where the same firm does not audit the related party
– a strong financial presence or ability to dominate a certain industry sector that allows the entity to
dictate terms or conditions to suppliers or customers that may result in inappropriate or non-arm’s
length transactions
– assets, liabilities, revenues, or expenses based on significant estimates that involve subjective
judgements or uncertainties that are difficult to corroborate, that can be used to manipulate results
– significant, unusual, or highly complex transactions, that can be used to manipulate results, and
– use of business structures or business methods for which there appears to be no clear business
justification, for example, importing goods indirectly through a neighbouring country.
(c) Attitudes/Rationalisations
These are factors or situations that may indicate that management may be predisposed to fraudulent
financial reporting:
• ineffective enforcement of the entity’s values or ethical standards by management, or the presence of
inappropriate values or ethical standards
• non-financial management’s excessive participation in selecting accounting policies or the
determination of significant estimates (this suggests they have a personal financial interest in reported earnings)
• history of allegations against members of management, etc., for fraud or violations of laws and
regulations (e.g., insider trading)
• excessive interest by management in maintaining or increasing the entity’s share price or earnings trend
• an interest by management in employing inappropriate means to minimise reported earnings for
tax-motivated reasons, for example, understating sales
• the owner-manager makes no distinction between personal and business transactions, for example,
takes holidays and charges the cost to the company, and
• the relationship between management and the auditor is strained, for example, domineering or
dismissive management attitude towards the audit team.
7.4.7.3 Fraud risk factors relating to misstatements resulting from misappropriation of assets
The presence of the following conditions or factors should alert the auditor to the possibility of misstate-
ment arising from misappropriation of assets:
(a) Incentives/Pressures
These factors provide an incentive for management or employees to misappropriate assets:
• personal financial problems, and
• adverse relationships between the entity and its employees, including management, for example,
dissatisfaction with compensation or other conditions of service, or anticipated retrenchments (employee
lay-offs).
(b) Opportunities
These fraud risk factors pertain to the nature of an entity’s assets, the degree to which they are subject to
theft, and the lack of internal control related to it.
Nature
• large amounts of cash on hand
• inventory characteristics, such as small size combined with high value and high demand, for example,
jewellery, iPads
Internal control
• inadequate segregation of duties, for example, storeman has “write access” to inventory records
• lack of appropriate management supervision, for example, no supervision and observation of goods
being taken into or despatched from the warehouse
• lack of procedures to screen job applicants for positions where employees have access to assets
susceptible to misappropriation (poor personnel practices)
• inadequate record-keeping for, and reconciliation of assets (theoretical to actual)
• lack of an appropriate system of authorisation and approval of transactions, for example, acquisition of,
and payment for, purchases
• poor physical safeguards over cash, investments, inventory or fixed assets
• lack of timely and appropriate documentation for transactions, for example, allowing customers to take
goods, but doing the paperwork later
• lack of mandatory vacations for employees performing key control functions. Employees who are
involved in fraudulent activities usually do not want to take a holiday, as being absent makes it very
difficult for them to cover their tracks or conceal their fraudulent activities
• inadequate authorisation and review of senior management expenditures, for example, travel claims,
and
• inadequate management understanding of IT, which enables IT employees to do “what they like”.
(c) Attitudes/Rationalisations
These are factors that indicate that management/employees have a relaxed, casual or negative attitude
towards controls relating to the prevention of misappropriation of assets, and include:
• poor control environment, for example, ignoring incidents of theft, and overriding controls
• changes in behaviour or lifestyle that may indicate assets have been misappropriated, for example,
management taking expensive holidays, driving expensive cars, etc., and
• behaviour on the part of the employees (including management) that indicates displeasure or
dissatisfaction with the entity or its treatment of its employees.
7.4.8 Communication with management, those charged with governance and others
7.4.8.1 Introduction
If the auditor identifies misstatement resulting from fraud, appropriate action will need to be taken. Before
proceeding, there are several matters to which the auditor will need to give consideration, to ensure that his
actions are appropriate:
• Confidentiality – the auditor is bound by confidentiality and cannot simply inform all and sundry about
the fraud, for example, it would be inappropriate to make direct contact with SARS, a creditor, a trade
union.
• Management involvement in fraud – fraud is by no means perpetrated only by (non-management)
employees. The majority of large financial frauds are perpetrated by management, often including the
directors. If the auditor believes that management is involved, great care must be taken in deciding to
whom the fraud should be reported.
In principle, fraud should be reported to the level of authority above the level at which it has been
perpetrated or is suspected; for example, if a wage fraud is perpetrated by the paymaster, it should be
reported to the financial accountant. If the financial accountant is also suspected of being involved, it
should be reported to the financial director. If the financial director is also suspected of being involved,
it should be reported to the Chairperson of the Board or the audit committee (those charged with
governance). And of course if none of this proves successful, it may be necessary to report the matter to
the IRBA as a “reportable irregularity.”
• Absolute evidence of fraud? While the auditor does not have to have absolute proof of fraud before taking
action, he should make certain that he has obtained sufficient appropriate evidence to support his
contention and should be careful not to make direct accusations. The entire matter should be
documented.
Note also that for a “reportable irregularity” (which many frauds will be) to become “reportable” in terms
of section 45 of the APA, the auditor needs only to “have reason to believe” that the reportable irregularity
is taking place, not absolute evidence.
7.4.8.2 Parties with whom the auditor might communicate concerning fraud
There are several individuals/parties with whom the auditor may communicate:
• Management (other than the Board of Directors) – as indicated earlier, the general principle is that fraud
should be reported to the level above the level at which the fraud has been perpetrated. The auditor will
need to decide:
– whether the “level above” is sufficiently high in the organisation; for example, a major fraud
conducted by a wage clerk would probably be reported to the financial director, not only the
paymaster, and
– whether the “level above” is in any way involved in the fraud, in which case it should be reported to
a higher level.
• Those charged with governance of the company – while management, other than the Board, are responsible
for the day-to-day implementation and application of practices and procedures that uphold proper
governance, the Board of Directors is ultimately responsible for good governance. In addition, the
Companies Act 2008 requires that public companies appoint audit committees. Audit committees share
the responsibility for good governance. The auditor's decision is whether it is necessary to report the
fraud to the Board and the audit committee. In general terms, the auditor should report the following:
– material weaknesses in internal control (this means management are not meeting their responsibility
and risk of fraud is increased)
– issues regarding management integrity
– fraud involving management, and
– other fraud that results in material misstatement of the financial statements.
• Regulatory and enforcement authorities – once again the auditor’s duty of confidentiality would preclude
reporting fraud to a third party. However, the duty of confidentiality is overridden in certain
circumstances where:
– a reportable irregularity is reported to the IRBA in terms of section 45 of the APA
– the court or statute requires that such information be disclosed, and
– the client gives permission.
• Proposed successor auditor – the question is whether an auditor who has resigned (or is about to be
replaced) may disclose details of fraud or suspected fraud to the proposed (successor) auditor. The Code
of Professional Conduct requires that the proposed auditor should communicate with the existing
auditor to establish whether it would be appropriate for the proposed auditor to accept the engagement.
The extent to which the existing auditor may discuss the client's affairs will depend on whether the
client has given the existing auditor permission to discuss these affairs with the proposed auditor. If
permission has not been granted, the existing auditor may not discuss the client's affairs with the
proposed auditor, but should convey to the proposed auditor that permission has been refused.
• The auditor should also consider his overriding duty to act in a professional manner, with honesty and
integrity and to fulfil his duty to conclude the audit. The auditor should make every attempt to fulfil his
reporting obligations – that is precisely why he has been appointed. To resign from an engagement,
especially before the expiry of his term of office, should not be an easy option taken simply to avoid
getting into a time consuming, confrontational or otherwise unpleasant situation, and doing so may
have legal consequences for the audit firm.
– material transactions for which there is inadequate or insufficient supporting documentation, for
example, unsupported payments to government employees, related parties
– unusual transactions, for example, what is the reasoning? Is there an attempt to get around the law?
– large cash payments, for example, paying bribes, laundering money, or buying stolen goods?
– purchase at non-market prices, for example, why would the company pay more than the market
price?
– excessive salesperson or agents’ commissions, for example, why are the commissions higher than the
market?, and
– newspaper articles or news reports that suggest the occurrence of illegal practices in the particular
industry in which the client operates, such as the importation of fake brand-name goods.
As mentioned earlier, the auditor should view the presence of any of the above with professional
scepticism.
• If the auditor becomes aware of a possible instance of non-compliance, the auditor should gather
sufficient evidence to evaluate:
– the potential financial consequences, such as fines, damages, litigation, expropriation of assets
– whether adjustment to, or disclosure in, the financial statements is required, and
– whether failure to adjust or disclose the financial consequences of non-compliance will result in a
failure on the part of management to achieve fair presentation of the financial statements.
• All findings should be documented and discussed with management.
8
Computer audit: The basics*
CONTENTS
8.1 Computer auditing
8.1.1 Introduction
8.1.2 The components of internal control and information technology systems
* For further reading and references on new concepts on internal auditing processes, refer to Internal Auditing: An Introduction
6th ed 2017; Performing Internal Audit Engagements 6th ed 2017, and Assurance: An Audit Perspective 1st ed 2018, GP Coetzee, R
du Bruyn, H Fourie, K Plant, A Adams and J Olivier, LexisNexis.
8.4.7 Payroll
8.4.8 Intercompany
8.4.9 Creditors
8.4.10 Statement of profit and loss
8.4.11 Bank and cash
updates the inventory records, the debtors ledger and general ledger, and have many more control
features for input, processing and output.
• The strategy for the audit of a small company with a bookkeeper or two and a number of PCs will not
require specialist computer skills and will probably be focused on substantive testing.
o A small business may use simple software for each application which is not linked to any other
application, for example, a simple computerised perpetual inventory application may require that all
movements of inventory, for example, receipts, issues of inventory items will be entered onto the
system by keying in the information from hard copy goods received notes (GRNs) and delivery
notes.
• As a final illustrative example, the use of audit software (i.e. software which helps the auditor conduct
the audit or carry out what are termed “computer assisted audit techniques”) will be absolutely critical
on some audits, and hardly critical at all on others. For example, the efficient and effective audit of
debtors for a large company with, say, 5 000 debtors, will not be possible without using audit software
to interrogate the debtors masterfile, extract samples from it, re-perform calculations, analyse it, etc. In
a small business with, say, 200 debtors, this may not be necessary or even possible. In this situation it
may be far more efficient to carry out manual audit procedures.
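The kind of masterfile interrogation described in the last bullet (re-performing calculations, analysing balances, extracting a sample) can be sketched as follows. This is an added example, not taken from the book or from any audit software package; the file layouts, account data, key-item threshold and function names are constructed assumptions.

```python
import csv
import io
import random
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed debtors masterfile extract; the field names are assumptions.
MASTERFILE_CSV = """account,name,credit_limit,balance
D001,Alpha Traders,50000.00,42000.00
D002,Bravo Stores,20000.00,26500.00
D003,Charlie Motors,75000.00,-1200.00
D004,Delta Foods,10000.00,9800.00
D002,Bravo Stores,20000.00,26500.00
D005,Echo Hardware,30000.00,15000.00
"""

# Constructed open-item file that should support the balances above.
OPEN_ITEMS_CSV = """account,invoice,invoice_date,amount
D001,INV100,2021-05-20,30000.00
D001,INV131,2021-06-18,12000.00
D002,INV090,2021-02-10,26500.00
D003,CRN007,2021-06-01,-1200.00
D004,INV120,2021-06-05,9000.00
D005,INV060,2021-01-15,15000.00
"""

def load(text, money_fields):
    """Parse a CSV extract, converting money fields to Decimal (no float rounding)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for field in money_fields:
            row[field] = Decimal(row[field])
    return rows

def duplicate_accounts(master):
    """Account numbers that appear more than once on the masterfile."""
    counts = Counter(row["account"] for row in master)
    return sorted(acc for acc, n in counts.items() if n > 1)

def unique_accounts(master):
    """First record per account, so a duplicate is not counted twice in later tests."""
    first = {}
    for row in master:
        first.setdefault(row["account"], row)
    return list(first.values())

def reperform_balances(master, items):
    """Re-add open items per account; return {account: (recorded, recomputed)} where they differ."""
    recomputed = defaultdict(Decimal)
    for item in items:
        recomputed[item["account"]] += item["amount"]
    return {row["account"]: (row["balance"], recomputed[row["account"]])
            for row in unique_accounts(master)
            if row["balance"] != recomputed[row["account"]]}

def exception_report(master):
    """Balances over the credit limit and credit balances, for follow-up."""
    rows = unique_accounts(master)
    return {
        "over_credit_limit": [r["account"] for r in rows if r["balance"] > r["credit_limit"]],
        "credit_balance": [r["account"] for r in rows if r["balance"] < 0],
    }

def age_analysis(items, as_at):
    """Re-perform the age analysis: total of open items per ageing bucket at as_at."""
    limits = ((30, "current"), (60, "31-60"), (90, "61-90"))
    totals = {name: Decimal(0) for name in ("current", "31-60", "61-90", "90+")}
    for item in items:
        days = (as_at - date.fromisoformat(item["invoice_date"])).days
        bucket = next((name for limit, name in limits if days <= limit), "90+")
        totals[bucket] += item["amount"]
    return totals

def select_sample(master, key_item_threshold, n_random, seed):
    """All balances at or above the threshold, plus a seeded random sample of the rest."""
    rows = unique_accounts(master)
    key_items = [r["account"] for r in rows if r["balance"] >= key_item_threshold]
    rest = [r["account"] for r in rows if r["balance"] < key_item_threshold]
    rng = random.Random(seed)  # fixed seed so the selection can be re-performed
    return key_items, sorted(rng.sample(rest, min(n_random, len(rest))))

if __name__ == "__main__":
    master = load(MASTERFILE_CSV, ("credit_limit", "balance"))
    items = load(OPEN_ITEMS_CSV, ("amount",))
    print("Duplicates:", duplicate_accounts(master))
    print("Balance differences:", reperform_balances(master, items))
    print("Exceptions:", exception_report(master))
    print("Ageing at 30 June 2021:", age_analysis(items, date(2021, 6, 30)))
    print("Sample:", select_sample(master, Decimal("25000"), 2, seed=1))
```

On the constructed data, the difference between the masterfile total and the re-performed ageing total traces to a single account, which is the item the auditor would follow up manually.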
The difference in the capabilities of the software will directly affect the validity, accuracy and completeness
of the information it produces as well as the way in which the information is audited.
Bear in mind that generally the more sophisticated the software is, the more it costs to purchase and run.
These days software has more features than any business could desire, but many of the features do not
provide any great benefit, so companies use cheaper software and/or “enable” only those controls and
features the business needs. In principle, this is no different from how you use your cell phone, iPad, or
laptop.
Regardless of whether the company is small, medium or large, hardly computerised or extensively
computerised, management is still responsible for implementing and maintaining control, and the auditor
still goes through the audit process as described and discussed in chapters 6 and 7.
One of the specific objectives of internal control is to achieve reliable reporting; in computer “speak” this
is often referred to as the production of information by the information system (of which the accounting
system is part) which is valid, accurate and complete. From the auditor’s perspective, if the information
produced is valid, accurate and complete, the risk of material misstatement in the financial statements is
significantly reduced.
Finally, computer environments are sometimes distinguished as personal usage, small business systems
and large business systems. This is a useful way of classifying them and reminding us that different audit
strategies and plans are required for different businesses.
IT applications relevant to the flow of transactions and information processing in the entity’s information
system. In such circumstances, certain IT applications used in the entity’s business operations may also be
relevant to the preparation of the financial statements. Complex IT environments may also require
dedicated IT departments that have structured IT processes supported by personnel that have software
development and IT environment maintenance skills. In other cases, an entity may use internal or external
service providers.
ISA 315 (revised) suggests that the auditor must also understand emerging technologies at clients.
Entities may use emerging technologies (e.g., blockchain, robotics or artificial intelligence) because such
technologies may present specific opportunities to increase operational efficiencies or enhance financial
reporting. When emerging technologies are used in the entity’s information system relevant to the
preparation of the financial statements, the auditor may include such technologies in the identification of
IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT.
While emerging technologies may be seen to be more sophisticated or more complex compared to existing
technologies, the auditor’s responsibilities in relation to IT applications and identified general IT controls
remain unchanged. Refer to chapter 9 for more on new/emerging technologies.
Commitment to competence
• The demands of many of the jobs in an IT department with regard to skills and knowledge as well as the
ability to handle pressure can be considerable.
• IT management should be committed to matching these attributes to an individual’s job description.
Again, the consequences of an individual not being able to do his job could be immense. Performance
reviews and regular discussions with employees as well as ongoing training demonstrate a commitment
to competence.
• The chief executive officer should appoint a chief information officer (CIO) who is suitably qualified
and experienced. This individual should interact regularly with:
– the board
– the steering committee and audit committee, and
– executive management.
• Overall, the functions of supervision, execution and review within the department should be segregated
as far as possible.
• Job descriptions, levels of authority and responsibilities assigned to IT personnel should be documented.
A suggested organisational chart for an IT department appears below. The size and complexity will differ
depending on the organisation.
[Figure: organisational chart for an IT department; surviving labels: Board of Directors, IT risk committee, Steering Committee]
Note: There are many variations of organisational structure, for example, a director may be designated as
the CIO and the individual who runs the department may be called the IT manager.
Technical/Administration
• Database administrators have the specialised skills to develop, maintain and manage the database (the
store of information).
• Operating system administrators have the specialised skills to implement, maintain and manage the
operating system and hardware.
• Network administrators have the specialised skills to implement, maintain and manage the company’s
LAN/WAN, etc., (refer to chapter 9 for further details on these).
explains that the information system (relevant to the financial statements) consists of activities and policies,
and accounting and supporting records designed and established to:
• initiate, record, process and report entity transactions, events and conditions and to maintain
accountability for the related assets, liabilities and equity
• resolve incorrect processing of transactions
• process and account for system overrides or bypasses to controls, for example, by the creation of an audit
trail in the form of a log of overrides
• transfer information from transaction processing systems to the general ledger, for example, where the
revenue application software is not integrated with the general ledger, a journal entry will have to be
passed to get sales and debtors totals into the general ledger
• capture information other than transactions, such as depreciation and allowances for bad debts
• confirm information required for disclosure is accumulated, recorded, processed, summarised and
appropriately reported in the financial statements, and
• authorise and process journal entries.
This knowledge provides the auditor with a basis to evaluate both the manual and automated procedures
and controls that make up the next component of the system of internal control, namely, control activities.
Webmaster
Many companies now have websites that can be integral to the company’s business, for example, a
company trading on the Internet. A webmaster should be appointed. Responsibilities will be to:
• design, develop and maintain the company’s website
• regulate and manage the access rights of the users of the site
• set up and maintain website navigation
• deal with complaints and other feedback about the site.
• compulsory leave – employees who are involved in unauthorised activity will often be exposed when
they are not present to cover their tracks
• training and development to keep staff up to date and able to fulfil their functions efficiently and
effectively – this should be accompanied by ongoing evaluation of personnel suitability and competence
for their jobs and their progress down their career paths
• written formalisation of human resources policies to provide employees with terms of reference or
guidelines
• rotation of duties – moving employees between functions is a useful practice as it helps avoid undue
reliance on any individuals by ensuring that each employee has a backup. It may also relieve boredom
as well as encourage employees to develop new expertise and skills. Rotation of duties should not be
implemented to the extent that segregation of duties is compromised, for example, the computer
operator should not be trained as an application programmer and then be placed temporarily in the
programming section
• strict policies pertaining to the private use of computer facilities by IT personnel (and other employees)
should be in place, for example, Internet use and running private jobs.
It needs to be noted that there may be policies and procedures directly applicable to the IT department and
there may be IT policies that are relevant to the whole organisation and that all staff members will have to
adhere to, for example, your device policy, privacy policies and access management policies.
8.1.2.3 The entity’s process for monitoring of the system of internal control
This is the third component of internal control as identified by ISA 315 (revised) and concerns
management’s responsibility to assess whether the internal control system is meeting its objectives over
time. It is not solely about monitoring whether the control activities are taking place; it is also about
assessing whether they are effective. Monitoring is also not only about assessing control activities, it is also
about evaluating the other components of the internal control system, for example, the control
environment and the risk assessment process. In a computerised environment the amount and variety of
information, which can be quickly and accurately obtained from the system, enhances the ability of management,
those charged with governance as well as various bodies, such as the internal audit department, audit and
risk committees, to conduct effective monitoring over time.
8.1.2.7 HelpDesk/Operations
Another good example of monitoring of controls is helpdesk operators.
Helpdesk operators – receive calls from users and log their problems/requests on the HelpDesk System,
resolve “First Tier” problems where possible (i.e. problems that are easy to solve), as well as perform
routine operational duties, for example, checking that backups have been completed successfully and
managing rotation of backup tapes (see 8.2.6.3 for further information on backups).
Note: “Second Tier” and “Third Tier” problems would normally be referred by the HelpDesk to the most
appropriate technical administrators/programmers or the vendor concerned.
Also, organisations generally have monitoring reports that manage and report on these controls.
8.1.2.8 Security
Security personnel lay down control procedures for access to all computer facilities, monitor security
violations (e.g. logs) and follow these up and issue passwords. The company may appoint an Information
Security Officer to manage and monitor security procedures.
During your period of training as an auditor you may be required to assist in an evaluation of IT general
controls for an organisation and a basic knowledge of what IT general controls actually are will be
beneficial.
For the purposes of this text we have categorised IT general controls as follows:
• Access controls
– Physical access management controls
– Logical access management controls
• Documentation
We have not described IT general controls for a specific size of company (that would be a book in itself!)
but have assumed that the company is large enough to have a separate IT department, a data centre and its
own “technical” IT personnel to undertake systems developments and program maintenance. Obviously, if
a company does not have a data centre, some of the physical controls will not be relevant, or if a company
uses only packaged software, it will not have to worry about certain aspects of system development but will
have to worry about which packaged software to purchase and who will maintain it.
The consequences of unauthorised access to a system can be disastrous for a company – uncontrolled
physical access to the hardware has resulted in the theft of, or damage to, expensive equipment and the data
that will be stored on the hardware. Unauthorised logical access (which really means gaining unauthorised
access to data and programs electronically stored through a workstation/terminal) can result in the
destruction of data, the manipulation of data or the theft of data and programs. Rather than having to
implement a “cure” for the theft, destruction, etc., it is far better for the company to prevent these very
negative consequences by implementing strict access control policies and procedures. Again, computer
security is a huge and very complex topic which exercises the minds of the best and brightest. Many
companies are permanently under siege from “hackers” trying to break into their systems, sometimes with
very malicious intent and at other times “just for the challenge” (or so they say!). Measures to
prevent/minimise the negative consequences of terror attacks, natural disasters, etc., must also be implemented. All
of these preventative measures must take into account the important fact that authorised employees must
still have access to the hardware, programs and data they require to do their jobs effectively and efficiently.
Access to all aspects of the system must be controlled:
• hardware
• computer functions at system level (accessing the computer system itself), and computer functions at
application level (accessing a specific application or module within an application)
• data files/databases
• utilities
• documentation (electronic or hard copy)
• communication channels.
8.2.3.2 Terminology
• Logical access: Logical access consists of controls used to manage access to applications, data and
systems and can be embedded within applications and systems.
• Physical access: Physical access refers to the management of access to the actual hardware and network
server rooms.
• Segregation of duties: A user should never have access to an application that gives him/her the
rights/access to manage a single process or task.
• Toxic combinations: Toxic combinations arise when a user profile or profiles have been identified to be
unfavourable and may lead to segregation of duty conflicts. Toxic combinations may also be relevant
for two or more user profiles where the risk of collusion or fraud may exist.
• Privileged user/super user: A super user is a user who has full access to make any changes to a system,
such as a system or network administrator.
• Firewalls: A firewall protects an organisation’s computer network and data from unauthorised access,
such as hackers. This can be in the form of hardware or software.
8.2.3.3 Audit and control procedures
The auditor should test the design adequacy and operating effectiveness of logical and physical access
management controls.
A list of physical controls that can be implemented to prevent unauthorised access (as mentioned above)
follows:
• Identification of users and computer resources
– Users – some examples:
o user identification (user IDs) with staff photo
o magnetic card or tag which can be used to swipe in at security doors
o biometric data, for example, thumbprint, facial recognition.
– Terminals – some examples:
o terminal identification (the system recognises terminal ID number or name).
• Visitors from outside the company to the IT building should:
– be required to have an official appointment to visit IT personnel working in the IT department, for
example, external maintenance personnel
– be cleared on arrival at the entrance to the company’s premises, for example, by a phone call to the
IT department acknowledging the fact that they have been expecting the visitors and are potentially
accompanying the visitors
– be given an ID tag and possibly escorted to the department
– not be able to gain access through the locked door (must “buzz”)
– wait in reception for whomever they have come to see (or be met at the door), and
– be escorted out of the department at the conclusion of their business.
• Company personnel other than IT personnel
There should be no need for other personnel to enter the data centre and access to the IT department
should be controlled in a practical manner as there will be contact between the IT department staff and
users on a regular basis. Ideally, the IT data centre should restrict access and have a visitor register by
the secure (fire-proof) door for all visitors to sign before access. Visitors should be escorted at all times,
even if they are there for maintenance.
• Physical entry to the data centre (dedicated room)
– only individuals who need access to the data centre should be able to gain entry
– access points should be limited to one
– access should be through a door which is locked other than when people are entering or exiting, in
other words, not propped open by, for example, a wastepaper basket for people to come and go
– the locking device should be deactivated only by swipe card, entry of a PIN number, and scanning of
biometric data, for example, thumbprint, and
– entry/exit point may be under closed-circuit TV.
Remember, the data centre is the heart of the company’s information system.
• Remote workstations/terminals
In most businesses, workstations/terminals are distributed around the offices, so centralised control
measures are not possible (other than where, say, a group of telesales operators are sitting in a separate
room). Some physical controls will still be implemented:
– terminals can be locked and secured to the desk
– terminals can be placed where they are visible and not near a window, and
– offices should be locked at night and at weekends.
Consider the following for logical access management controls:
If we make a simple comparison between a standalone personal computer used in a small company’s
accounting department and a large linked network of computers, it is easy to see that in the latter there is
significantly more risk, which must be controlled. It is important that controls be implemented to assist in:
• controlling access to computer resources: Remember that where information is transmitted (data
communication), there will be numerous computers that are all linked together. It therefore becomes
“physically” possible to access the system from numerous points and to access the system via the
communication line (just like tapping a telephone)
• maintaining the integrity and security of data which is being transmitted: It will be of little use if data
being transmitted is completely or partially lost, is changed during transmission or its confidentiality is
compromised
• managing segregation of duties, and
• toxic combinations.
At the outset you must realise that the more complex and sophisticated data communication systems are
very technical, but that a detailed knowledge of computer science and communications is not required by
the “everyday” auditor. Certainly, the audit profession, and large firms in particular, will have employees
who are technically excellent and right up to date with developments. What is required by an “everyday”
auditor is a general understanding of the risks and controls, and the sense to realise that expert knowledge
may be required.
Remember also that it is the business world at large that faces these risks, and that there are numerous
companies and groupings of companies, such as banks, etc., that are continually seeking ways of improving
access control, integrity and security in data communication. It is obviously necessary for the audit
profession to keep abreast of technological developments, but it is also important that the profession does
not lose sight of the fact that the audit objectives do not change.
(See the description of computerisation at ProRide (Pty) Ltd at the end of this chapter.)
necessary for proper performance of their duties, the following controls in various forms can be
implemented through the access control software and other programs:
• Authentication of users and computer resources
Authentication of the user is used to verify that the user of an ID is the owner of the ID. Authentication
can be achieved in various ways:
– entering a unique password
– entering a piece of information that an unauthorised individual would not know about the genuine
user, for example, the person’s great-grandmother’s first name. This works on the same principle as a
password. The information, say, 10 different pieces of information, is held on the system (securely) as
provided by the user. When the user ID is entered, the system selects one piece of information and
poses a related question to the user. If the answer keyed in is correct, authentication has been
achieved. It is also possible that a single piece of information is stored but regularly changed.
– connecting a device to the USB port of the terminal:
For example, to authenticate the authorisation and release of an EFT, a leading bank requires that
the authorised employees have a device called a “dongle” that must be inserted before the payment
can proceed. This works in combination with a password and both are unique to the user. The
password and dongle are needed to authenticate the user.
Another bank uses a small random number generator device that produces a number that must
also be used in conjunction with the password. It is really a second unique password. In a company a
“one time” password can be generated on a server and sent to the user by SMS. This works on the
same principle.
A combination of the above techniques is called multifactor authentication and is used where very
strict access control is required. The dongle will only work on a terminal on which the bank’s specific
software has been loaded. This is a form of terminal authentication.
The fact that a user ID can be linked to the individual is a strong isolation of responsibility control.
• Authorisation: This means defining the levels (types) of access to be granted to users and computer
resources:
– Once the system has authenticated the user, access will only be given to those programs and data files
the user is authorised to have access to, and, as pointed out, this should be only to programs and data
the user requires to do his work. Users can be given different levels of authority and may be granted a
“single sign on” to access all the programs they are authorised to access.
– Users – some examples:
o a user may be granted “read only” access (this means a file can only be read)
o users may have “read and write” access (this means a file can be read and written to, for example,
the user can add, create, delete).
Note that although a user may be granted “read only” access, there is still a risk, as users can take
screenshots of sensitive information.
– Terminals – some examples:
o although modern software concentrates access privileges around the user, specific terminals can be
linked to specific applications, for example, a warehouse terminal not linked to the wage application,
or to the EFT facility
o restricted hours of operation, for example, the terminal shuts down at 4 pm and comes on at 7 am.
• Root access/system-wide access/super-user access and privileged-user access
This level of privilege gives the user concerned virtually unlimited powers to access and change, without
trace or audit trail, all programs and data, bypassing normal access controls, and therefore should only
be given to a very limited number of IT personnel. Generally, there should be an audit trail review by
senior management for these profiles on a regular basis to assess activity and determine whether there
was any unjustified activity.
The allocation and authorisation of powerful user IDs need to be controlled and monitored.
• Segregation of duties
As the auditor, you may perform the following tests:
– What is the risk that segregation of duties is not adequate to prevent and/or detect errors or
irregularities? This applies to duties of employees within the IT department and between IT and user
functions.
– Does an organisational access chart exist and is it maintained to depict segregation of duties?
– Do business and IT authorise changes to access profiles and do they consider segregation of duties
when changes are made to profiles?
• Identification of/and access to toxic combinations
During the creation of a segregation of duties matrix or framework for an organisation’s user profiles,
an assessment will be made of toxic combinations. These combinations should be preventative in nature
and documented to confirm that no users will be granted or have their access modified to include
specific access.
For example, large applications that are off-the-shelf provide user profile frameworks that provide
companies with guidance on how to set up user profiles that are segregated. Generally, they also
provide guidance on which account transactions and users are “toxic combinations” and should be
avoided because they create risks. For instance, a toxic combination exists if the same user can create
a purchase order and authorise it.
In addition, there may be certain role profile combinations that are also toxic. The auditor should:
– determine whether management reviews access regularly to ascertain whether the correct users have
been assigned to the correct profiles and if modifications are correct
– determine whether sensitive and conflicting applications, data and transactions have been identified
and documented in a framework.
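The review described above can be run as an audit test over an extract of profile assignments. The following is an added illustration, not taken from the book or from any vendor's framework: it reports users whose combined profiles hold both sides of a documented toxic combination, and checks a proposed profile change before it is granted. All profile, permission and user names are constructed, as is the second toxic combination.

```python
# Constructed profile framework: profile -> transactions (permissions) it grants.
PROFILES = {
    "buyer": {"po.create", "supplier.view"},
    "purchasing_manager": {"po.authorise", "supplier.view"},
    "creditors_clerk": {"supplier.maintain", "invoice.capture"},
    "payments_officer": {"eft.release", "invoice.view"},
    "storeman": {"inventory.read"},
}

# Documented toxic combinations. The first is the book's purchase order example;
# the second is a constructed addition to show a second rule.
TOXIC_COMBINATIONS = [
    ("po.create", "po.authorise", "create and authorise the same purchase order"),
    ("supplier.maintain", "eft.release", "change supplier details and release payment"),
]

# Constructed extract of which profiles each user currently holds.
ASSIGNMENTS = {
    "u001": {"storeman"},
    "u002": {"buyer", "purchasing_manager"},
    "u003": {"creditors_clerk"},
    "u004": {"payments_officer"},
}


def granting_profiles(profile_names, permission):
    """Profiles among `profile_names` that grant `permission`, sorted by name."""
    return sorted(p for p in profile_names if permission in PROFILES[p])


def find_conflicts(assignments):
    """Detective test: list every user holding both sides of a toxic combination."""
    findings = []
    for user in sorted(assignments):
        for left, right, risk in TOXIC_COMBINATIONS:
            via_left = granting_profiles(assignments[user], left)
            via_right = granting_profiles(assignments[user], right)
            if via_left and via_right:
                findings.append({
                    "user": user,
                    "pair": (left, right),
                    "risk": risk,
                    "via": (via_left, via_right),  # which profiles supply each side
                })
    return findings


def change_is_allowed(assignments, user, new_profile):
    """Preventative test: refuse a profile change that introduces a new conflict."""
    proposed = {u: set(p) for u, p in assignments.items()}
    proposed.setdefault(user, set()).add(new_profile)
    before = {(f["user"], f["pair"]) for f in find_conflicts(assignments)}
    after = {(f["user"], f["pair"]) for f in find_conflicts(proposed)}
    return not (after - before)


if __name__ == "__main__":
    for f in find_conflicts(ASSIGNMENTS):
        print(f"{f['user']}: can {f['risk']} (via {f['via'][0]} + {f['via'][1]})")
    print("u003 + payments_officer allowed?",
          change_is_allowed(ASSIGNMENTS, "u003", "payments_officer"))
```

The `via` field shows the auditor which profile supplies each side of the conflict, which is what management needs in order to decide which profile to remove.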
• Logging: This means recording access and access violations for later investigation.
An access log records the people who accessed the system and, by comparing it to some other piece of
information, may provide evidence of unauthorised access.
For example:
If Willy Worker is logged as having gained access to the system on 10 June, when he was supposed to
be on holiday.
If Danny Doodles has logged in while on maternity leave.
If Tim Trouble left the company on 31 December, but his profile shows he logged on, on 5 January.
Clearly, something strange is going on! Logging and following up is essentially a detective control.
The emphasis on access control will be on preventing unauthorised access but logging and following up
is still an essential control. Refer to exception controls in automated application controls.
As the auditor, you must:
– determine whether management reviews access regularly to ascertain whether the correct users have
been assigned to the correct profiles and, if changes have been made, that the modifications are
correct
– in addition, determine whether users that have been terminated had their access revoked timeously as
and when they left the organisation. This will also reduce the risk of unauthorised access should the
staff member be disgruntled.
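The comparison of the access log to “some other piece of information” can be automated. The following is an added example, not part of the original text: it matches an access log against HR leave and termination records to surface the three situations described above, and separately tests whether terminated users' access was revoked timeously. The log layout, user IDs, years, the extra leavers and the one-day tolerance are all constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed access log extract (the years are assumed; the book gives none).
ACCESS_LOG = """\
timestamp,user_id,terminal,result
2020-12-30T16:45:00,ttrouble,PC-021,SUCCESS
2021-01-05T19:12:40,ttrouble,PC-021,SUCCESS
2021-04-14T10:05:00,ddoodles,PC-030,SUCCESS
2021-06-04T08:02:11,wworker,PC-014,SUCCESS
2021-06-10T22:31:05,wworker,PC-007,SUCCESS
2021-06-10T09:00:00,fbloggs,PC-002,SUCCESS
2021-06-21T07:58:30,wworker,PC-014,SUCCESS
"""

# Constructed HR records: (user ID, first day of leave, last day of leave, type).
LEAVE = [
    ("wworker", date(2021, 6, 7), date(2021, 6, 18), "annual"),
    ("ddoodles", date(2021, 3, 1), date(2021, 6, 30), "maternity"),
]
# Constructed HR records: user ID -> last working day.
TERMINATIONS = {
    "ttrouble": date(2020, 12, 31),
    "kslow": date(2021, 2, 26),
    "jleaver": date(2021, 3, 31),
}
# Constructed account extract: user ID -> date access was revoked (None = still active).
REVOKED_ON = {"ttrouble": None, "kslow": date(2021, 3, 19), "jleaver": date(2021, 4, 1)}


def parse_log(text):
    """Turn the CSV log extract into (timestamp, user, terminal, result) tuples."""
    return [
        (datetime.fromisoformat(r["timestamp"]), r["user_id"], r["terminal"], r["result"])
        for r in csv.DictReader(io.StringIO(text))
    ]


def review_logins(events, leave, terminations):
    """Flag log-ons dated after a user's termination or inside a leave period."""
    findings = []
    for when, user, terminal, _result in events:
        day = when.date()
        last_day = terminations.get(user)
        if last_day is not None and day > last_day:
            findings.append(("LOGIN_AFTER_TERMINATION", user, day, terminal))
            continue
        for who, start, end, kind in leave:
            if who == user and start <= day <= end:
                findings.append((f"LOGIN_DURING_{kind.upper()}_LEAVE", user, day, terminal))
    return sorted(findings, key=lambda f: (f[2], f[1]))


def review_revocation(terminations, revoked_on, as_at, tolerance_days=1):
    """Flag leavers whose access is still active or was revoked late."""
    findings = []
    for user in sorted(terminations):
        if user not in revoked_on:
            continue  # no account for this person in the extract
        revoked = revoked_on[user]
        if revoked is None:
            findings.append((user, "STILL_ACTIVE", (as_at - terminations[user]).days))
        elif (revoked - terminations[user]).days > tolerance_days:
            findings.append((user, "REVOKED_LATE", (revoked - terminations[user]).days))
    return findings


if __name__ == "__main__":
    for finding in review_logins(parse_log(ACCESS_LOG), LEAVE, TERMINATIONS):
        print(*finding)
    for finding in review_revocation(TERMINATIONS, REVOKED_ON, date(2021, 6, 30)):
        print(*finding)
```

Each finding is a lead for follow-up rather than proof of misuse: a log-on during leave may turn out to be authorised remote work, which is why the terminal is kept in the output.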
• Access tables
The computer cannot perform logical access control unless a large number of details are defined in
tables to which the system can refer. These tables identify all “objects” and “conditions” that the
computer has to “know” to be able to control access. These objects include:
– all authorised PCs (PC IDs)
– all authorised users (user IDs)
– all passwords
– all programs
– all possible modes of access (no access, read-only, read and write), time of day (e.g. a bank teller may
only be able to log in between 8.30 am and 4.00 pm), etc.
Setting up these tables is not technically difficult for a skilled person but requires meticulous care.
Broadly, it happens as follows: when a new employee joins, say, the payroll department, he will need
access to files, etc., which are required to do his job. This detail is provided by the manager of the
payroll department on a written form which describes the employee’s job exactly.
For example, the employee must be able to read the employee masterfile and only be able to change
some fields; he may need to be able to change an employee’s address but not the wage rate field. This,
and everything else the employee must be able to do, has to be reflected in the employee’s user profile
and is related to the access tables.
It is now possible to compile the necessary tables and the user profile which specifies which
combinations of these objects and conditions should be allowed/authorised and which combinations
should be disallowed (access violations) or potential segregation of duty issues. These profiles should be
determined by the IT manager and senior IT staff working in conjunction with senior user personnel
and system design documentation.
A simple example will illustrate user profiles:
Fred Bloggs, the storeman, is to be given access to the inventory masterfile, but this is to be “read
only” access. He has a user identification and a password. For the sake of simplicity, we will say that
Fred needs no access to any other data programs. Once Fred’s needs have been established, senior IT
staff will create Fred’s “user profile”, which will be stored in a secure file on the system. The computer
now has something to refer to. When Fred activates his PC, he will be prompted to enter his user ID
and password. The computer will check against the access table whether Fred’s PC and his user ID are
listed (identified). The computer will check that Fred has proved who he is by matching Fred’s
password to listed passwords in the access tables (authentication). If Fred has entered his password
correctly, the computer will “fetch/consult” Fred’s user profile and display the inventory application
functions that he has access to. The computer may also check that Fred is at a PC that has authorised
access to the inventory application. Fred may now call up the inventory masterfile, but if he tries to
write to that file, the computer will check against his profile and prevent him from doing so as he has
“read only” access.
Access profiles, like the one described above, are usually set up for “user groups” rather than for
individual users, as this is a more efficient way of controlling access. In other words, management
would determine what access privileges a storeman should have and Fred would then be allocated to
the “storeman user group”. If you imagine that Fred’s company may have 500 stores around the
country, each with one storeman, it is easy to appreciate that it would be more efficient to define one
group profile and allocate all 500 storemen to that group, rather than having to define access separately
for each user.
If Fred attempts to get into an application or module, or exercise a privilege he does not have, the
computer will send him a screen message, and he will not be able to proceed (or the computer may just
fail to respond). The system may also be set up in such a way that what appears on Fred’s screen may
not give him the option to click onto what he wants to do. For example, if he is not allowed to give
approval, there will be no approval field for him to click on.
– The first time a new employee accesses the system, he should be prompted to change his initial
password.
– Passwords should not be displayed on PCs at any time, be printed on any reports or logged in
transaction logs.
– Password files should be subject to strict access controls to protect them from unauthorised read and
write access. Encryption of password files is essential.
– Personnel should be prohibited from disclosing their passwords to others and subjected to
disciplinary measures should they do so.
– Passwords should be changed if confidentiality has been violated, or violation is expected.
– Automatic account lock-out must take place in the event of an access violation, for example, an
incorrect password entered more than three times.
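The storeman walk-through and the password controls listed above can be seen working together in a small model. This is an added example, not code from the book or from any access control product: it shows identification, authentication, group-profile authorisation, terminal linking, restricted hours, the forced change of an initial password, lock-out and violation logging. The class and method names, PC IDs, hours and passwords are constructed, and holding passwords as salted PBKDF2 hashes is this example's own choice for protecting the password file.

```python
import hashlib
import hmac
import os
from datetime import time

MAX_FAILED = 3  # lock out once an incorrect password is entered more than three times


def _digest(password, salt):
    # This example's choice: the password file holds salted PBKDF2 hashes only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessTables:
    def __init__(self):
        self.terminals = {}   # PC ID -> applications the terminal is linked to
        self.groups = {}      # user group -> profile (application, files, hours)
        self.users = {}       # user ID -> account record
        self.violations = []  # logged access violations, for later follow-up

    def add_user(self, user_id, group, initial_password):
        salt = os.urandom(16)
        self.users[user_id] = {"group": group, "salt": salt,
                               "hash": _digest(initial_password, salt),
                               "failed": 0, "locked": False, "must_change": True}

    def change_password(self, user_id, new_password):
        user = self.users[user_id]
        user["salt"] = os.urandom(16)
        user["hash"] = _digest(new_password, user["salt"])
        user["must_change"] = False

    def _deny(self, pc_id, user_id, reason):
        self.violations.append((pc_id, user_id, reason))
        return reason

    def log_on(self, pc_id, user_id, password, at):
        user = self.users.get(user_id)
        # Identification: both the PC and the user ID must be listed.
        if pc_id not in self.terminals or user is None:
            return self._deny(pc_id, user_id, "not identified")
        if user["locked"]:
            return self._deny(pc_id, user_id, "account locked")
        start, end = self.groups[user["group"]]["hours"]
        if not start <= at <= end:
            return self._deny(pc_id, user_id, "outside permitted hours")
        # Authentication: constant-time comparison against the stored hash.
        if not hmac.compare_digest(_digest(password, user["salt"]), user["hash"]):
            user["failed"] += 1
            user["locked"] = user["failed"] > MAX_FAILED
            return self._deny(pc_id, user_id, "authentication failed")
        user["failed"] = 0
        return "change password" if user["must_change"] else "ok"

    def allowed(self, pc_id, user_id, file_name, mode):
        """Authorisation: consult the group profile for this file and mode."""
        profile = self.groups[self.users[user_id]["group"]]
        if profile["application"] not in self.terminals.get(pc_id, set()):
            self._deny(pc_id, user_id, "terminal not linked to application")
            return False
        granted = profile["files"].get(file_name, "none")
        if granted == "read_write" or (granted == "read" and mode == "read"):
            return True
        self._deny(pc_id, user_id, f"{mode} on {file_name} denied")
        return False


def build_example():
    """Tables for the storeman example; every value here is constructed."""
    t = AccessTables()
    t.terminals = {"STORE-PC-01": {"inventory"}, "WAGES-PC-01": {"wages"}}
    t.groups["storeman"] = {"application": "inventory",
                            "files": {"inventory_masterfile": "read"},
                            "hours": (time(7, 0), time(16, 0))}
    t.add_user("fbloggs", "storeman", "Initial#2021")
    return t


if __name__ == "__main__":
    t = build_example()
    print(t.log_on("STORE-PC-01", "fbloggs", "Initial#2021", time(9, 0)))
    print(t.allowed("STORE-PC-01", "fbloggs", "inventory_masterfile", "write"))
    print(t.violations)
```

Because the profile is attached to the “storeman” group, adding the other storemen is one `add_user` call each with no new access definitions, which is the efficiency point made in the text.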
• Firewalls
Once a company’s network is connected to an external network such as the Internet there is an
increased risk of unauthorised access to the company’s network. A firewall is a combination of hardware
and software that operates as access control gateways which restrict the traffic that can flow in and
out. This could be as detailed as the prevention of incoming transmissions from undesirable sites and
will include antivirus software and intrusion detection software (which detects malicious behaviour
such as the presence of “worms”) and alerts the company to it. Firewalls should be tested regularly; use
the “most up to date” software, and warnings, etc., must be logged and followed up.
• Libraries
In a computer environment, libraries may be both in electronic form (on the system) and/or in physical
form. Either way, access to the information in the library must be protected. This is done in the
conventional way, for example, library software will protect backup copies of programs from
unauthorised changes being made, record (log) any authorised access, audit changes and monitor users.
A physical library, which may contain documentation relating to the system and data stored on discs,
tapes or other mobile storage devices, should be subject to the following controls:
– the library should be physically access controlled
– the information on the storage device could also be password protected
– issue (of items) from the library should be authorised and recorded, and
– items should be externally labelled.
unauthorised, modifications could be made negating the effect of the strong controls that were
implemented when developing the system. Program changes of an ongoing nature are usually referred to as
program maintenance.
For example, large financial cloud applications continuously release updates for customers to
implement. This is part of their value-added service offering. These updates need to be reviewed and their
impact assessed by the customer, and prioritised according to their requirements to release. These changes
then need to be tested and implemented on an ad hoc basis by the customer. These changes do not
“classify” as large strategic changes and are deemed “program maintenance” changes.
Other examples include a change to a reference data table, changes to a user profile, changes to a report,
implementation of an exception report, changes to the ledger, etc.
8.2.4.2 Terminology
Change requests: When a change to an application is required, a change request document should be drafted
as part of the change management process. This document will contain the detail of the required change to
the application. These should be allocated in sequential numbers for ease of an audit trail.
Change management: Change management is the process of implementing a strategy, policy and processes
for managing application changes within the organisation.
• Unauthorised changes can be made to system applications if no adequate change management exists.
• If no change management exists, there will be no version control to highlight when, what and by whom
the system changes were made.
• Stakeholders need to initiate a system change by documenting the requirements of the change and they
must have the ability to sign off a system change as well. Without a change management process, the
risk exists that stakeholders constantly change the requirements.
8.2.5.2 Terminology
• Backups: This is the process of keeping a copy of your master data and/or physical files in a secondary
location in case of a disaster. You need to recover your applications from these backups.
• Disaster recovery: Disaster recovery refers to the steps that will initiate normal business operations in
an event such as a fire that caused normal business operations to be disrupted.
• Business continuity: It is the capability of an organisation to continue operating the most essential
functions during and after a disaster.
• Environmental controls: Environmental controls refer to controls over air-conditioning systems, smoke
and gas leak detectors. Smoke and gas leak detectors should be tested regularly as they could be harmful
to humans if they do not function correctly. The hardware and equipment that store the entire
organisation’s data may get damaged if these controls do not function optimally.
• Uninterrupted power supply: It is a device that provides temporary secondary power when the primary
power source fails, also referred to as a UPS.
• Social media: Social media allows the sharing of information and ideas on the Internet and can help
your organisation to build your brand but needs to be managed effectively.
• Business resilience: It is the ability to react to disruptions while continuing business operations and
protecting your assets and overall brand equity.
Environmental controls
These controls are designed to protect facilities against natural and environmental hazards and attack or
abuse by unauthorised people. The auditor should test the design adequacy and operating effectiveness of
the environmental controls. The following pertain more specifically to the data centre:
Disaster recovery
The auditor needs to assess disaster recovery procedures as part of the organisation’s business resilience
procedures as a complete plan. The most dangerous risks to any business are the ones that are not foreseen.
Preparing for something that is not yet tangible takes a progressive and imaginative management style.
The history of modern business is one filled with highly successful companies without a Plan B. The
attrition rate of blue chips so far this century is staggering.
It therefore makes complete sense that planning for the tough times, whatever they may be, is a real source
of organisational strength and shareholder value, inclusive of:
These are controls implemented to minimise disruption due to some disaster that prevents processing
and/or destroys/corrupts programs and data. The auditor should test the design adequacy and operating
effectiveness of the disaster recovery plan. Consider the following:
• Consider the existence of the following:
– a disaster recovery plan, in other words, a written document that lists the procedures that should be
carried out by each employee in the event of a disaster
– the plan should be widely available so that there is no frantic searching if a disaster occurs – time is
usually precious
– the plan should address priorities, that is, the order in which files or programs should be
reconstructed, with the most important being allocated the highest priority, as well as where backup data,
programs, hardware, etc., may be obtained
– the plan should be tested at least annually
– it should be reviewed by management on a frequent basis
– management should consider simulation sessions to test different scenarios to update the disaster
recovery procedures to make them relevant, and
– the plan should detail alternative processing arrangements which have been agreed upon in the event
of a disaster, for example, using a bureau.
Backup strategies
It is imperative that an organisation performs backups of its systems. Organisations need to consider the
following when creating backup strategies:
• Determine what data has to be backed up.
• Determine how often data has to be backed up.
• Identify and implement a suitable backup and recovery solution.
• Test and monitor the backup system.
Other measures
There are several other control measures that can be taken which will assist in preventing or alleviating
disaster:
• applying the concept of redundancy (simplistically this means having a “spare” as a backup), for
example, the use of dual power supplies, or as explained above, mirroring
• regular maintenance and servicing of equipment to prevent failure
• adequate insurance cover to provide funds to replace equipment
• avoidance of undue reliance on key personnel by maintaining complete and appropriate documentation
and by training of understudy staff, for example, the disaster recovery plan should not revolve around
one staff member
• arrangements for support to be provided by suppliers of equipment and software, who may even
provide alternate processing facilities
• the use of firewalls and antivirus software.
• Risk that when a disaster causes a system failure or a security breach, and the organisations do not
respond, customers will perceive the company as not trustworthy, which could cause serious
reputational damage.
• If the organisation can’t provide adequate and quick responses to customers, they may seek other
alternatives; therefore there is a risk of losing business.
• A company could lose data in the event of a system failure and it could be very costly to recover this
data, if at all possible.
• Clients won’t know how to respond to either being asked for the content originally generated or being
told that pending content will have to wait while the organisation starts from scratch. Suddenly, the
organisation that worked so hard to keep its reputation will not look so professional, and clients may
begin looking elsewhere for more reliable services.
• Losing critical data can be a violation of federal and state regulations. This will be subject to
re-compliance costs and additional fines for the violation. The government also has a justifiable cause to
investigate an organisation for any foul play, causing loss of valuable time and further damage to
brand reputation.
• Lack of adequate backups can also lead to compliance breaches with the governing authorities as data
needs to be kept for defined periods and needs to be provided when requested. A risk exists that the
authorities can also impose fines for these regulatory and compliance breaches.
• Lack of environmental controls in the server rooms may lead to damage and loss of data and
equipment.
• Lack of environmental controls in the server rooms may lead to injuries or even in severe cases loss of
life.
incorporate the social media response management process in the business resilience strategy and plan.
This will provide the organisation with the opportunity to respond appropriately as and when it happens. It
is advisable to proactively manage and report on social media to key stakeholders. It may also be beneficial
to include a summary of the social media management position within the financial statements to provide
an opinion on the social media readiness of the business.
(b) Audit and control procedures
The effect of a casual social media approach can permanently damage, even sink, a brand or a business.
The social media audit approach should include establishing:
• governance processes
• risk management procedures
• response management strategies to various level alerts, and
• management of responses to adverse communication.
The auditor should test the design adequacy and operating effectiveness of the social media strategy of the
organisation. The objective of the social media audit is to provide management with an independent
assessment relating to the effectiveness of controls over the organisation’s social media policies and processes.
The audit should incorporate governance, policies, procedures, training and awareness related to social
media. Consider including the following:
• As part of the entity level controls review, determine whether a social media policy, social media
strategy and social media business response management process is in place.
• Review the policies, strategy and processes and determine whether they are frequently reviewed.
• Assess whether the social media business response management process has been incorporated in the
business resilience plan.
• Determine whether all users have been on social media training.
• Ascertain monitoring processes and how social media activities are reported.
• Exception reports relating to social media are reviewed by senior management and remediated.
• Determine whether logical access management controls have been applied throughout the
organisation’s social media platforms, especially when users that have access resign or change roles.
• Change management controls have been applied throughout the organisation’s social media platforms.
• Defined governance procedures exist for social media.
• Consider compliance and legislation relating to social media and whether policies have included these
aspects.
• Have responsibilities been defined for the social media process, for example, who posts the social media
comments on behalf of the organisation and who authorises the content?
• Assess whether the organisational risk assessment incorporates social media and the impact thereof.
• Assess impact risks identified during the organisation’s risk assessment process and determine whether
the risk ranking is applicable.
• Validate observations with key stakeholders.
• Inspect minutes of board meetings to determine whether social media and social media crises are
deliberated at that level.
• Assess whether the social media policy incorporates privacy policies and regulation.
The auditor may be required to assess the social media “crisis management” response process.
It is good practice for an organisation to establish a social media management process in the event of a
social media crisis. The organisation should ideally establish a social media curation team that will manage
and monitor all social media activities inclusive of adverse comments posted by the public about the
organisation.
Ideally the organisation should incorporate the social media response management process in the
business resilience strategy and plan. Consider the following good practices in the attempt to prepare for
the social media response process and detect potential social media crises:
• Consider the following detective controls:
– Regular name searches containing the name of the organisation on all social media platforms in
order to report any posts relevant to the organisation.
– Regular company logo searches on all social media platforms where the organisation’s logo is used
via advanced search options of search engines.
• Consider the following preventative controls:
– Set up a social media policy document for company staff highlighting the rules when engaging on
social media.
– Ascertain which social media platform is most frequently used and if there are users that comment
more frequently than others.
– Set up a social media response team to respond to social media statements pertaining to the
organisation.
– Set up response sessions with the social media response team to advise management in preparation of
a real scenario requiring a response in order to familiarise them on how to respond.
– Do a trend analysis to determine the most common social media scenarios that exist in the market.
– Set up simulations to test responses using a sample public population.
• Define what constitutes a social media crisis and consider the tier level of the incident using the
following metrics:
– A social media crisis has information asymmetry.
– It has a decisive change from the norm.
– It escalates within hours on multiple social media platforms.
– A social media crisis has a potentially material impact on the company overall considering scope and
scale.
• Determine whether any social media events occurred during the year within the organisation that may
affect the organisation. Ascertain whether the organisation performed a post-mortem on the events with
the following audit procedures to consider:
– Where did the crisis originate, when did it occur and how did it spread?
– How did the organisation find out about the crisis?
– Was there an internal alarm system or did the crisis alert derive from an external source, for example,
a news publication?
– Did the organisation suffer any financial losses due to the social media crisis?
Systems development has to do with significant changes relating to computerised systems. This often
means that most of the following aspects of the system will be new or significantly changed: hardware,
software, communication devices, personnel procedures, documentation, and/or control procedures.
For example:
• A company that has grown considerably and wants to computerise a previously manual payroll system.
• A company that wants to start selling its merchandise over the Internet to remain competitive.
• A company that has been running off an old legacy application and now plans to move to the cloud.
In each case it would probably require new hardware, operating systems, application programs and
procedures to be designed and implemented to achieve these objectives.
It is imperative to have both pre- and post-implementation reviews performed independently when implementing
a new application or making changes to a current application. Also known as program assurance reviews,
these include the management of risks, including the focus on adequate and timeous remediation of risks,
benefits realisation and program management processes. These will include evidence of collaboration
between business and IT, results of user acceptance testing, training and the GO/NO-GO decision proving
the participation of all stakeholders during the process. Changes affect the entire business. Consider the
following:
• legislative compliance
• the impact on business continuity
• the complete decommissioning of the retiring application, and
• the measurement of the benefits that were committed to post the implementation of the project.
8.2.6.2 Terminology
• A project is an individual or collaborative initiative that is carefully planned to achieve a particular result.
• Project management – the entire exercise should be run as a project by a team appointed by the steering
committee.
• Project approval – a feasibility study must still be conducted to determine:
– user needs
– specifications (capabilities, functions, controls, ease of use) of packages available in the market
– costs and benefits (costs will include costs of the package itself, running it, appointing and training
staff, purchasing additional hardware, etc.), and
– technical support and reliability of the supplier.
• Approval for the package chosen should be obtained from users, internal audit and the steering
committee, and authorisation for its purchase should be obtained from the CIO and the board.
• Training – all affected IT personnel and users should be trained in the use of the new software.
• Conversion – moving data onto the new system should be controlled as explained under in-house
development.
• Post-implementation review – again IT personnel, users, and internal audit should review the new
software several months after implementation to determine whether it is operating as intended.
• Documentation – the systems documentation, user manuals, etc., will come from the supplier but the
planning and execution of the project itself should be documented.
• Project team – responsible for the delivery of the program with a combination of IT and business people
ranging from solution architects, business users and testers.
• The project sponsor is the person ultimately responsible for the project or program from a budget and
delivery perspective.
8.2.6.3 Audit and control procedures
The auditor ascertains whether the organisation implemented an off-the-shelf application or completed
in-house development and should test the design adequacy and operating effectiveness of the system
development of an organisation. He/she should consider the overall strategic objectives for the system
development, implementation and the alignment program to confirm that the objectives were met. In
addition, he/she should assess the compliance with project management processes against program delivery,
phases and activities, methods, templates, standards, and roles and responsibilities.
Standards
• All systems development should be carried out in accordance with predefined standards that have been
set for each of the phases described below, for example, components of the ISO 9000 series of
standards.
• Compliance with these standards should be strictly monitored and any deviations thoroughly followed
up by management.
Project approval
• Projects for systems development may arise out of user requests or as a result of strategic planning.
• A feasibility study should be carried out, culminating in either:
– a system specification for an in-house development proposal
– a proposal that involves the purchase of off-the-shelf software (packaged software), or
– rejection of the project with the decision to continue operations as is or to reconsider the strategic
approach.
• The feasibility study should include a cost versus benefit analysis which lists and puts a money value to:
– all requirements for the project, such as personnel, hardware, software and running costs, and
– all benefits arising, for example, increased revenue, reduced costs, improved controls.
• The steering committee should give its approval prior to commencement of the project.
Project management
• A project team should be formed by the steering committee to manage the project and should include
IT and appropriate user personnel, including accounting and internal audit personnel.
• The development project should be planned in stages, each stage detailing the specific tasks to be
completed.
• Responsibility for each specific task must be allocated to appropriate staff members.
• Deadlines should be set for completion of each stage and each specific task.
• Progress should be monitored at regular intervals to identify any problems that may affect achievement
of goals set – critical path analysis may be useful here.
• A project risk register should be maintained throughout the process to manage and report risks as they
arise.
• Regular progress reports should be submitted to the steering committee.
User requirements
• Business analysts should carefully determine and document all user requirements relating to the system,
for example, input, procedures, calculations, output, reports, financial reporting requirements and audit
trails.
• Special care should be taken to consult both internal and external auditors as to their requirements and
their recommendations concerning internal controls, for example, access controls and validation checks.
• Management of each user department should sign their approval of the specifications recorded to satisfy
the needs of their individual departments.
Testing
• Program coding of individual programs should be tested by the programmers using standard debugging
procedures like program code checking and running the program with test data (program tests and string
tests).
• The system should also be tested to confirm that all programs are integrating properly – this would
normally be done by business analysts in a test environment (systems tests).
• The system should also be tested on an output level by management, users and auditors to establish
whether the system is satisfying the requirements of its users (user acceptance tests).
Final approval
• Results of the above testing should be reviewed by all involved to confirm that necessary changes have
been made and errors corrected.
• The project team should then obtain final approval from the board, users, internal audit and IT
personnel before going ahead with conversion procedures.
Training
• A formal program should be devised setting out in detail all personnel to be trained, dates and times for
their training and allocating responsibility for training to specific, capable staff.
• User procedure manuals are updated, and clearly defined job descriptions should be compiled during
the training.
Conversion
Controls are necessary at this stage to confirm that programs and information taken onto the new system
are complete, accurate and valid:
Conversion project: the conversion should be considered as a project in its own right, applying the
principles explained in project management above.
Data clean-up: data to be converted must be thoroughly reviewed and discrepancies resolved prior to
conversion. For example, if a new inventory application is being introduced, physical inventory should
be counted so that correct quantities can be entered onto the system.
Conversion method: the conversion method must be selected:
• parallel processing of the old and new systems for a limited period, or
• immediate shut-down of the old system on implementation of the new system, or
• conversion of the entire system at one time, or
• phasing in of different aspects over a set period.
Preparation and entry: controls over preparation and entry of data onto the new system should include the
use of a data control group to:
• perform file comparisons between old and new files and resolve discrepancies
• reconcile from original to new files using record counts and control totals, for example, if there were
300 employees on the old payroll, there must be 300 employees on the new payroll
• follow up exception reports of any problems identified through use of programmed checks, for
example, no employee identity number
• obtain user approval for data converted in respect of each user department
• obtain direct confirmation from customers or suppliers of balances reflected on the new system.
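The data control group's checks on a converted payroll file can be run as one reconciliation routine. The Python example below is an added illustration and is not taken from the book: the field names, employee numbers, identity-number placeholders and sample records are constructed, and a four-record file stands in for the 300-employee payroll.

```python
from decimal import Decimal

# Constructed sample data: four employees on the old payroll masterfile.
OLD_PAYROLL = [
    {"emp_no": "E001", "id_number": "ID-0001", "monthly_salary": "25000.00"},
    {"emp_no": "E002", "id_number": "ID-0002", "monthly_salary": "31500.50"},
    {"emp_no": "E003", "id_number": "ID-0003", "monthly_salary": "18250.00"},
    {"emp_no": "E004", "id_number": "ID-0004", "monthly_salary": "42000.00"},
]
# Constructed converted file: E003 was dropped, E002's salary was mis-keyed
# and E004 lost its identity number during conversion.
NEW_PAYROLL = [
    {"emp_no": "E001", "id_number": "ID-0001", "monthly_salary": "25000.00"},
    {"emp_no": "E002", "id_number": "ID-0002", "monthly_salary": "35100.50"},
    {"emp_no": "E004", "id_number": "", "monthly_salary": "42000.00"},
]


def control_totals(records):
    """Record count plus a control total over the salary field."""
    total = sum((Decimal(r["monthly_salary"]) for r in records), Decimal("0"))
    return {"record_count": len(records), "salary_total": total}


def compare_files(old, new, key="emp_no"):
    """File comparison: records dropped, records added and fields that changed."""
    old_by_key = {r[key]: r for r in old}
    new_by_key = {r[key]: r for r in new}
    changed = []
    for k in sorted(old_by_key.keys() & new_by_key.keys()):
        for field, old_value in old_by_key[k].items():
            new_value = new_by_key[k].get(field)
            if new_value != old_value:
                changed.append((k, field, old_value, new_value))
    return {
        "dropped": sorted(old_by_key.keys() - new_by_key.keys()),
        "added": sorted(new_by_key.keys() - old_by_key.keys()),
        "changed": changed,
    }


def programmed_checks(records, mandatory=("emp_no", "id_number", "monthly_salary")):
    """Programmed check: list every record with a blank mandatory field."""
    exceptions = []
    for r in records:
        for field in mandatory:
            if not str(r.get(field, "")).strip():
                exceptions.append((r.get("emp_no", "?"), f"missing {field}"))
    return exceptions


def reconcile_conversion(old, new):
    """Build the reconciliation report the data control group has to follow up."""
    before, after = control_totals(old), control_totals(new)
    report = {
        "count_difference": after["record_count"] - before["record_count"],
        "total_difference": after["salary_total"] - before["salary_total"],
        "comparison": compare_files(old, new),
        "exceptions": programmed_checks(new),
    }
    # The conversion is clean only if every individual check passes.
    report["clean"] = (
        report["count_difference"] == 0
        and report["total_difference"] == 0
        and not any(report["comparison"].values())
        and not report["exceptions"]
    )
    return report


if __name__ == "__main__":
    for name, value in reconcile_conversion(OLD_PAYROLL, NEW_PAYROLL).items():
        print(f"{name}: {value}")
```

A matching record count and control total do not prove a clean conversion on their own: one record dropped and another added with the same salary leaves both unchanged, which is why the file comparison runs as well.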
Post-implementation review
Users, IT personnel and auditors should review the system several months after implementation to
determine whether:
• the system is operating as intended (all bugs resolved)
• all risks noted during the development and implementation period have suitably been resolved
• the systems development exercise was effective (for future reference), and
• all aspects of the new system are adequately documented in accordance with predetermined standards
of documentation.
Documentation
• The project itself and all the activities which took place in the planning and execution of the project
should be documented.
• Documentation relating to the system itself must also be prepared, for example, systems analysis,
flowcharts, programming specifications, etc.
• Documentation should be backed up on an ongoing basis and stored off-site.
Strategically organisations will continuously assess and prioritise applications to retain, replace and retire
(also referred to as decommission) applications.
There are a number of other reasons why organisations will retire applications. Organisations may
decide for strategic reasons to assess and prioritise applications, and therefore retire others.
For example:
• Retiring an old reconciliation application which has become obsolete, as a new financial application
which has been implemented is faster and more efficient for reconciliations
• Retiring an old legacy financial application as the organisation has successfully migrated to the cloud
version of the application which is offered by the same vendor
• A new asset management application has been developed in-house and all info has been migrated and
historic data archived, therefore the application can be retired
Organisations are encouraged to establish a migration path and application retirement plan as part of the
general policies and procedures. Therefore, when an organisation does decide to renew the IT landscape
and invest in new technologies, it requires an effective strategy that will not expose the business to potential
financial losses or reputational risk. Retiring applications need a rigorous process and structure if the
applications are currently in use and support the day-to-day business activities. Applications that are
integrated and form part of an integrated business system will require more planning and will be more
difficult to retire due to the process mapping change that will have to be completed to confirm complete
and accurate data flow with minimal interruptions.
8.2.7.2 Terminology
Retiring/decommissioning of applications is the practice of shutting down redundant or obsolete business
applications while retaining access to the historical data.
Stage gates are when retirement projects are divided into distinct stages or phases, separated by decision
points. At each gate, continuation is decided by management, a steering committee, or the governance
board. The decision is made on progress, risk analysis and any other factors that may impact the successful
retirement of the application.
Retirement of application benefits are the quantitative and qualitative benefits that result from retiring
applications.
The retirement of applications often results in the following quantitative benefits especially if the
applications have been deemed obsolete:
• cost savings through software licences
• cost savings through maintenance costs, and
• cost savings through increased resource efficiencies.
There will, however, be costs associated with the retiring of assets as historic information will be required
to be safeguarded and stored in a cloud or alternative solution.
Qualitative retirement benefits include the following:
• revamp of the architecture plan to a cloud solution
• rationalise and renew the landscape
• regulatory requirements and compliance to regulation
• integrated business software solution
• organisational structure changes and mergers may require consistency with regard to applications being
used
• growth within the business and the current application/s may not cater for sophistication required
• reduction in power consumption
• old legacy applications may have to be switched off as they are not supported and new enterprise
application solutions are required to transform the business
• simplification of applications to streamline financial applications and reporting
• old legacy applications increase the risk of control deficiencies, and
• virtual storage, because legacy applications frequently take up loads of space due to the nature and age
of the applications and decades of information they may host.
Risk implications
Decommissioning of applications and databases inherently exposes an organisation to many risks. The
primary risks for an auditor are the migration of data and the cut-off thereof. There are, however, other
risks to consider that are indicative of the company’s policies, procedures and governance when
decommissioning that will need to be considered when auditing. The following risks may exist when
decommissioning:
• data losses/duplication of data could occur during migration to another application or archiving facility
• incorrect timing of decommissioning
• duplication of data while running parallel with replacement application
• unauthorised access to retired applications
• historical data is not available for regulatory, statutory and auditing purposes
• no governance relating to the retirement of application process
• the retiring of application process impacts on day-to-day business and causes major interruptions
• lack of effective communication and transparency to external stakeholders, and
• decommissioned assets and e-waste are not disposed of in a safe manner in accordance with the Privacy
Act and may cause reputational risk.
and test all interfaces where data is moved from application to application to verify complete and accurate
transfers. As the auditor, you need to satisfy yourself that controls exist to identify any data loss or
duplication that may occur during application interfaces. If controls do not remediate the risk or exposure
identified, control failure (manual or automated) needs to be reported to management.
Interface examples:
• Online banking user interface gives customers the platform to link to bank servers and conduct
transactions over the Internet.
• An organisation’s mobile application interfaces with the financial application to enable online sales.
• Sub-ledgers and general ledger interfacing.
These applications all direct financial information, and ultimately the data is consolidated to draft the
financial statements. All interfaces referred to below include mobile applications interfacing with the
organisation. Therefore, it is important to assess the controls that manage the completeness and accuracy of
data interfaces to detect financial data leakage and/or duplication, termed interface management.
Effective testing can prevent:
The transfer of data between applications is termed interfacing. Data will be sent (mostly an automated
process) from one application to another application, requesting information, sending the information and
then updating the information.
8.2.8.1 Terminology
• Interface management: Implementing an interface management process on a project streamlines
communication, identifies critical interfaces, and monitors ongoing work progress while mitigating risks.
• Exception reports: An exception report is a document that states those instances in which actual
performance deviated significantly from expectations, usually in a negative direction. The intent of the
report is to focus management attention on just those areas requiring immediate action.
• separate supply chain management applications may be hosted on a different application than the
warehouses are hosted on
• payment gateways, such as mobile payment application interfaces and contactless card point of sales
devices, and
• human resource management applications may be hosted on a different application due to sensitivity.
As part of the entity level controls assessment, the auditor will need to perform the following tests:
• Review the IT landscape to identify and characterise interfaces.
• Identify risks associated with these interfaces within the value chain.
• Identify critical applications that share data within the value chain (consider whether the data is
financial and/or operational).
• Discuss data transfers with key stakeholders to corroborate whether all interfaces have been identified.
• Gain an understanding of the type of interfaces that exist within the landscape: batch versus real time.
• Establish whether all interfaces have been documented depicting the process map, the type of interface,
the known risks and mitigating controls, associated exception reports, interdependencies, timing,
custodian and security/access rules.
• Determine how management has addressed these risks and identify relevant controls to mitigate the
risks.
• Establish how the risks of duplication, data loss or routing to the incorrect database are addressed.
• Establish if interface process maps are reviewed annually.
• Establish the change procedure to update interface settings, in other words, who is authorised to make
changes and who performs independent reviews.
• Determine if any key man dependencies exist.
• Obtain a comprehensive list of all the interface exception reports.
• Determine whether the exception reports are reviewed manually and whether discrepancies on the
reports are resolved.
Entity level controls are controls implemented within the IT governance environment, which have a
pervasive impact on the IT controls environment including those at the transaction or application level.
The auditor needs to perform a review of the interface design and control environment.
It is important that you, as the auditor, gain an understanding of the data flow through applications
throughout the organisation as well as the time and effectiveness of the data interfaces. Changes in the
business structure during the financial year may also lead to changes in the data flow.
For example:
• A merger or acquisition may result in new or more complex interfaces.
• A new payroll system will result in a new interface with the financial applications.
Ascertain whether the organisation improves data integrity through effective automated controls and, if
authorised, sources may result in more reliable data. Frequent exception reports to message and display
accuracy throughout various stages will aid in identifying interface errors and correcting them in a timely
manner. Confirm that access and security to application program interface data, processes and parameters
are appropriately restricted. Confirm that changes to interfaces are appropriately managed and reported
through exception reports. Ultimately the auditor should confirm the timely, accurate and complete
processing of data between applications and reliability of data reported to legislative and regulatory bodies.
Automated control tests will determine whether the applications were configured correctly to send and
receive data and whether the transfers are accurate and complete.
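An interface exception report covering the risks of duplication, data loss and routing to the incorrect database can be built by matching the sending application's log against what each receiving application posted. The Python example below is an added illustration and is not taken from the book: the transaction ids, the application names and the extra "unexpected" category are constructed assumptions.

```python
from collections import Counter

# Constructed sender-side log: (transaction id, intended destination application).
SENT = [
    ("TX-1001", "general_ledger"),
    ("TX-1002", "general_ledger"),
    ("TX-1003", "general_ledger"),
    ("TX-1004", "general_ledger"),
    ("TX-1005", "general_ledger"),
]
# Constructed receiver-side logs, one per destination application. TX-1002 arrived
# twice, TX-1003 never arrived, TX-1004 landed in the wrong application and
# TX-9999 was posted although the sender never sent it.
RECEIVED = {
    "general_ledger": ["TX-1001", "TX-1002", "TX-1002", "TX-1005", "TX-9999"],
    "payroll": ["TX-1004"],
}


def interface_exceptions(sent, received):
    """List every transfer not delivered exactly once to its intended destination."""
    expected = dict(sent)  # transaction id -> intended destination
    arrivals = Counter(
        (txn, destination)
        for destination, txn_ids in received.items()
        for txn in txn_ids
    )
    exceptions = []
    for txn, destination in expected.items():
        delivered = arrivals[(txn, destination)]
        elsewhere = sorted(d for (t, d) in arrivals if t == txn and d != destination)
        if elsewhere:
            exceptions.append((txn, "MISROUTED", f"posted to {', '.join(elsewhere)}"))
        if delivered > 1:
            exceptions.append((txn, "DUPLICATED", f"posted {delivered} times"))
        elif delivered == 0 and not elsewhere:
            exceptions.append((txn, "LOST", f"never reached {destination}"))
    # Postings with no matching send point to an unidentified or unauthorised source.
    for txn, destination in sorted(arrivals):
        if txn not in expected:
            exceptions.append((txn, "UNEXPECTED", f"posted to {destination}, never sent"))
    return exceptions


def summarise(exceptions):
    """Count exceptions per type for the report header."""
    return dict(Counter(kind for _, kind, _ in exceptions))


if __name__ == "__main__":
    report = interface_exceptions(SENT, RECEIVED)
    print(summarise(report))
    for txn, kind, detail in report:
        print(f"{txn:8} {kind:11} {detail}")
```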
Configurations to interface
• Identify the key critical interfaces that fall within the scope of the audit.
• Inspect the validity and completeness parameters and configuration settings.
• Review the access controls to determine who has access to set and amend configurable parameters on
interfaces.
• Have any changes been made to the configuration during the period under review?
• Have the changes been authorised in the application?
8.2.10.2 Terminology
• Computer systems: These are several computers that are connected and share central storage and devices,
such as printers and scanners.
• Computer programmer: This is a person who codes, tests and debugs code written to achieve a certain
computing task.
• Computer application: This is a computer program written with the aim to achieve a certain outcome
and where the program can perform one or more tasks.
8.2.11 Documentation
8.2.11.1 Introduction
Sound documentation policies are essential, because documentation can be critically important in:
• improving overall operating efficiency
• providing audit evidence in respect of computer-related controls
• improving communication at all levels
• avoiding undue reliance on key personnel, and
• training of users when systems are initially implemented.
There are two major objectives to bear in mind regarding documentation:
• all aspects of the computer system should be clearly documented, and
• access to documentation should be restricted to authorised personnel.
8.3.1 Terminology
• An application is a set of procedures and programs designed to satisfy all users associated with a specific
task, for example, the payroll cycle. Other examples include making sales, placing orders with suppliers
and receiving or paying money. Application controls are very closely linked to the cycles described in
chapters 10 to 14.
• An automated application control therefore is any control within an application which contributes to the
accurate and complete recording and processing of transactions that have actually occurred, and have
been authorised (valid, accurate and complete information).
• The stages through which a transaction flows through the system can be described as input, processing
and output and automated application controls can be described in terms of these activities, for example,
an automated application control relating to input.
• In addition to implementing controls over input, processing and output, controls must be implemented
over masterfiles. A masterfile is a file that is used to store only standing information and balances, for
example, the debtors masterfile will contain the debtors name, address, contact details, credit balance,
and the amount owed by the debtor. The masterfile is a very important part of producing reliable
information and must be strictly controlled.
For example, if a salesperson wants to make out an invoice for a credit sale on the system, the first
thing he will do is enter the customer’s name or account number to see if the customer is a valid
customer. The system checks the account number (or name) against the masterfile and if there is no
match, the salesperson cannot proceed. If the customer is a valid customer, the order can be taken, but
the system will automatically check the total value of the goods bought against the customer’s credit limit
on the masterfile. If the limit has been exceeded, the sale will not be permitted until it has been cleared
(approved) by the credit controller.
This illustrates the importance of protecting the masterfile. If the debtors masterfile is not protected,
unauthorised changes to it could be made, for example, a customer who has not been checked for
creditworthiness could be added, or a credit limit could be changed, resulting in losses from bad debts.
Controls over the masterfile are application controls and are referred to as masterfile maintenance
controls.
Occurrence and authorisation are concerned with ensuring that transactions and data:
• are not fictitious (they have occurred) or fraudulent in nature, and
• are in accordance with the activities of the business and have been properly authorised by management.
Accuracy is concerned with minimising errors by ensuring that data and transactions are correctly captured,
processed and allocated.
Completeness is concerned with ensuring that data and transactions are not omitted or incomplete.
Therefore, application controls can further be classified in terms of input, processing and output, for
example, authorisation controls over input, authorisation controls over processing, completeness controls
over input and the completeness controls over processing. However, this can be confusing and
over-analytical, particularly because in current computerised applications, input, processing, and output are
merged into one. It is more important to understand what the control does and how it is carried out. If you
understand that, you will understand the objective of the control.
As we noted earlier in this text, preventing errors from entering the system is far better than detecting them
later on. However, systems are not perfect, so, while the main focus of automated application controls will
be on prevention of errors, a good system will also have strong detection controls. If errors are detected,
they must be corrected so there will be correction controls for correcting errors which have been identified by
the detection controls. These are usually manual review controls of exception reports produced by the
application where remediation needs to occur.
8.3.3.1 Introduction
Before moving on to discussing specific techniques in the next section of the chapter, we will discuss the
control activities identified in chapter 5 and referred to in ISA 315 (Revised) in the context of a
computerised application. This will give you a better understanding of how control techniques and specific
application controls are implemented.
It is also important to remember that application controls are a combination of manual and automated
(programme) procedures. We can also refer to manual controls as user controls, that include all the controls
which people carry out, for example, authorising a document, performing a reconciliation, checking goods
delivered by a supplier against the delivery note, etc.
exactly what that employee must be given access to and what he can do when he has access, for example,
read a file, write to a file, make an enquiry, authorise a transaction, etc.
For example, an order clerk will be allowed access (by his user profile) to the module to create an
onscreen purchase order, but his profile will not allow him to approve the purchase order. This must be
done by his supervisor, whose user profile gives him that ability/privilege. See “approval” (2.4) for an
explanation of how this is achieved.
The access to programs and files granted to an employee is based on the user’s functional responsibility.
supporting evidence and signs the document. In a computerised system approval can be given on the
system itself. How this is done may vary (depending on the software) but the principle is as follows:
Employee A prepares the documents on the screen. On completion, Employee A selects the send option
and his terminal transmits a message to Employee B’s terminal (the authorising employee), alerting him to
the fact that the (computer) file containing the documents is ready for authorisation/approval. Employee B
accesses the file, carries out whatever checking procedures are necessary and, if satisfied, selects the approve
option on the screen. Once the approve option has been selected, the file cannot be written to at all. This
prevents Employee A (or anyone else) from adding to the file after it has been approved. A refinement of
on-screen approval is that Employee B should not have write access to the file; any changes should be
referred back to Employee A to make the changes and resubmit the file for approval. This is good division
of duties and isolates responsibility.
Consider the following example:
• Joe Bigg, the order clerk, prepares a batch of purchase orders on the system which must be reviewed/
approved by the chief buyer.
• Once Joe has created the file of all the purchase orders on the screen, he selects the send option and a
message is sent to the chief buyer’s (Chas Chetty) computer alerting him to the fact that the file of
purchase orders is ready for his review and approval. From this point there will be no write access to the
file.
• Joe’s user profile allows him to create a purchase order but not to approve it. This restriction is enforced
by the system not providing an approve option on Joe’s screen. The only thing that Joe can do is send the
file on to Chas. Chas conducts his reviews and if he is satisfied, selects the approve option.
• Because Chas has the power to approve in terms of his user profile, his screen will display an approve
option, but he will not be able to change the file as he has not been granted write access. The computer
will simply not respond if he attempts to alter a figure or detail on the purchase order.
• When Chas selects the approve option, the file is transferred back to Joe, who can then proceed with
distributing the purchase orders to suppliers by printing hard copy, faxing or e-mailing the purchase
orders. As write access to the file of purchase orders is not available, Joe cannot add or change the
purchase orders after they have been approved by Chas.
• If Chas requires changes to the purchase orders, for example, he may want to reduce the quantity
ordered, he will select an option that returns the file to Joe and simultaneously lifts the “no write”
restriction on the file. Joe makes the corrections and repeats the procedures to get the file approved.
• Until the file has been approved, the purchase orders cannot be printed or sent electronically.
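The on-screen approval described in the Joe and Chas example combines two checks on every action: what the user profile allows and what state the file is in. The Python example below is an added illustration and is not taken from the book or from any particular package: the privilege names, state names and the log of refused attempts are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed user profiles: the privileges each functional responsibility needs.
PROFILES = {
    "joe": {"create", "edit", "send", "distribute"},  # order clerk
    "chas": {"approve", "return"},                    # chief buyer: no write access
}


class NotPermitted(Exception):
    """The user's profile or the file's current state forbids the action."""


@dataclass
class PurchaseOrderFile:
    created_by: str
    orders: dict = field(default_factory=dict)     # order number -> quantity
    state: str = "DRAFT"                           # DRAFT -> SUBMITTED -> APPROVED
    audit_log: list = field(default_factory=list)  # (user, action, outcome)

    def _check(self, user, action, allowed_states):
        """Allow the action only if the profile grants it and the state permits it."""
        if action not in PROFILES.get(user, set()):
            reason = f"{user} has no '{action}' privilege"
        elif self.state not in allowed_states:
            reason = f"'{action}' is not possible while the file is {self.state}"
        else:
            self.audit_log.append((user, action, "ok"))
            return
        self.audit_log.append((user, action, "denied"))  # keep refused attempts for review
        raise NotPermitted(reason)

    def edit(self, user, order_no, quantity):
        self._check(user, "edit", {"DRAFT"})  # write access exists only in DRAFT
        self.orders[order_no] = quantity

    def send(self, user):
        self._check(user, "send", {"DRAFT"})
        self.state = "SUBMITTED"  # from here the file is read-only for everyone

    def approve(self, user):
        self._check(user, "approve", {"SUBMITTED"})
        self.state = "APPROVED"

    def return_for_changes(self, user):
        self._check(user, "return", {"SUBMITTED"})
        self.state = "DRAFT"  # lifts the "no write" restriction for the preparer

    def distribute(self, user):
        self._check(user, "distribute", {"APPROVED"})  # nothing leaves unapproved
        return dict(self.orders)


def create_file(user):
    """Only a profile with the 'create' privilege can start a purchase order file."""
    if "create" not in PROFILES.get(user, set()):
        raise NotPermitted(f"{user} has no 'create' privilege")
    return PurchaseOrderFile(created_by=user)


if __name__ == "__main__":
    po = create_file("joe")
    po.edit("joe", "PO-001", 100)
    po.send("joe")
    po.return_for_changes("chas")  # Chas wants the quantity reduced
    po.edit("joe", "PO-001", 60)
    po.send("joe")
    po.approve("chas")
    print(po.distribute("joe"), po.state)
```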
In a manual system, Joe would have to write out the purchase orders in multicopy form (lots of potential
mistakes in this procedure!) and physically take them to the chief buyer who would probably sign each
purchase order.
Another advantage of approval on the system is that the parties involved do not have to be
geographically close. Joe could be sitting at a division of the company in Durban and Chas could be sitting
at head office in Johannesburg and the approval could take place on the company’s wide area network.
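The create, send, approve and return cycle described above, written as a small state machine. This is an added example, not code from the book or from any accounting package; the profile table, class and method names are assumptions. Each operation checks both the user profile and the state of the file, and logs the attempt, so an action that is not offered on a user's screen is also refused when requested.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    DRAFT = "draft"          # clerk may write to the file
    SUBMITTED = "submitted"  # sent for review: no write access for anyone
    APPROVED = "approved"    # may be distributed: no write access for anyone


class AccessDenied(Exception):
    """Raised when a user profile or the file state forbids an action."""


# Assumed user profiles (privileges per user ID), modelled on the Joe/Chas example.
PROFILES = {
    "joe": {"write", "send", "distribute"},   # order clerk: cannot approve
    "chas": {"approve", "return"},            # chief buyer: cannot write
}


@dataclass
class PurchaseOrderFile:
    orders: dict = field(default_factory=dict)  # order number -> quantity
    state: State = State.DRAFT
    log: list = field(default_factory=list)     # (user, action, outcome)

    def _authorise(self, user, action, required_state):
        # Both conditions must hold: the profile grants the action AND the
        # file is in the state in which that action is permitted.
        allowed = (action in PROFILES.get(user, set())
                   and self.state is required_state)
        self.log.append((user, action, "ok" if allowed else "denied"))
        if not allowed:
            raise AccessDenied(f"{user}: {action} refused in state {self.state.value}")

    def write(self, user, order_no, quantity):
        self._authorise(user, "write", State.DRAFT)
        self.orders[order_no] = quantity

    def send(self, user):
        self._authorise(user, "send", State.DRAFT)
        self.state = State.SUBMITTED          # write access ends here

    def approve(self, user):
        self._authorise(user, "approve", State.SUBMITTED)
        self.state = State.APPROVED

    def return_for_changes(self, user):
        self._authorise(user, "return", State.SUBMITTED)
        self.state = State.DRAFT              # lifts the "no write" restriction

    def distribute(self, user):
        self._authorise(user, "distribute", State.APPROVED)
        return sorted(self.orders.items())


def attempt(action, *args):
    """Run one action and report whether it was allowed."""
    try:
        action(*args)
        return "ok"
    except AccessDenied:
        return "denied"


def run_scenario():
    """Constructed walk-through of the procedure; returns outcomes and the file."""
    po = PurchaseOrderFile()
    steps = [
        (po.write, "joe", "PO-001", 500),   # Joe creates an order
        (po.distribute, "joe"),             # refused: not yet approved
        (po.send, "joe"),                   # file goes to Chas
        (po.write, "joe", "PO-001", 900),   # refused: file is locked
        (po.approve, "joe"),                # refused: profile lacks approve
        (po.write, "chas", "PO-001", 100),  # refused: Chas has no write access
        (po.return_for_changes, "chas"),    # Chas wants a lower quantity
        (po.write, "joe", "PO-001", 300),   # Joe corrects the order
        (po.send, "joe"),
        (po.approve, "chas"),
        (po.write, "joe", "PO-002", 50),    # refused: no additions after approval
        (po.distribute, "joe"),
    ]
    return [attempt(*step) for step in steps], po


if __name__ == "__main__":
    outcomes, po_file = run_scenario()
    print(outcomes, po_file.orders, po_file.state)
```

The log kept by `_authorise` records refused attempts as well as successful ones, which gives a reviewer the user ID behind each denied action.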
One potential risk with regard to approval/authorisation in a computerised system is that the initiation
and execution of transactions may be automatic with no visible or actual authorisation of the transaction.
For example, the rate of interest paid on a savings account at a bank, or the rate of interest charged on a
debtor’s account by a company, may automatically increase when the savings balance reaches a specified
amount or the debt has been outstanding for a specified period of time.
These automatic transactions should be logged by the computer and reviewed by a suitable employee, for
example, in the case of the debtors interest charge, by the credit controller.
8.3.3.5 Custody
Application controls play an important role in the custody of the company’s assets, particularly the
company’s cash in the bank and other assets held in electronic form such as the debtor’s masterfile. In
reality, all information on the database should be considered as an “asset” that needs to be strictly
controlled as, without its information, a company is in serious trouble. You can see soon enough that if a
company does not have application controls (both user and automated) in place to prevent and
detect certain invalid actions, the asset is under serious threat.
For example:
• In the case of cash in the bank, the company does not have physical control over the cash, but must control
unauthorised removals from its bank account. When cheque books were still in use, this was done by
controlling the company cheque book itself, limiting signing powers to senior officials (preventive
controls) and reconciling the company’s cash book with the bank statement (detective controls). In a
computerised payment system, for example, EFT for the payment of creditors and employees, far stricter
application controls must be implemented over access to the EFT facility (the equivalent of the cheque
book) and authorising and releasing the funds (the equivalent of signing a cheque). Reconciliation of the
company records and bank statement will still be an important control but can be done much more timeously
as bank statements can be downloaded from the bank instantly, shortly after the EFT payments have been
made, and any problems can be followed up immediately. Failure to adequately protect an “on-line”
bank account would probably have greater consequences than losing a cheque book or having a cheque
signature forged (a cheque could be “stopped” but an EFT cannot), so controls to prevent invalid EFTs
must be comprehensive. There will also be detective controls, but these may be “too little, too late” as
the money will be long gone.
• In the case of protecting debtors it is a matter of protecting the information about the debtor held in the
masterfile, transactions files and supporting documentation. If the electronic information is corrupted or
destroyed, the company is going to find it very difficult to reconstruct its records. In addition, if a debtor
is not sent an up-to-date statement or request to pay (difficult to do if the company doesn’t have
records), a percentage of debtors won’t pay.
In a manual system, protection will come down to keeping the accounting records under lock and key
when they are not in use and filing at least two copies of the sales invoices securely and in different places.
In a computerised system, the electronic data is protected by a combination of general and automated
application controls. While hardcopy documentation such as sales invoices, etc., can be physically
protected, electronic files will be protected by a whole range of controls, including controlling unauthorised
access of the system at systems level and application level (preventing unauthorised people from getting
onto the system and, if they are authorised to be on the system, from gaining access to the debtor’s
application), as well as adequate continuity of operations controls. These will include physical controls to
protect the system as a whole, as well as disaster recovery controls.
Modern software will also have features that protect the debtor’s information.
For example:
Current software will not permit a person who has access to the debtors masterfile to simply delete a
debtor without trace. The debtor’s balance would first have to be reduced to nil by valid means, for
example, processing a payment from the debtor or processing a credit note. Removal of the debtor’s record
could then take place but this privilege would be restricted to a minimum number of employees and the
removal would be logged. The most important application controls, however, will probably be those
implemented over masterfile amendments (see 8.3.3.4).
Do not forget that these principles and controls will apply to all the company’s financial information,
both electronic and physical.
For example:
– at systems level, access to a particular application may be restricted to particular users
– at application level, access to specific program functions may be restricted to particular users on the
“least privilege” basis, for example, sales order entry is limited to telesales operators.
• PC timeout facilities and automatic shutdown in the face of access violation will prevent continued
attempts to access the system, as well as the threat of employees leaving their terminals unattended.
Note (a): Physical access to computer facilities in general and access controls at system level are covered
under general controls. The above access controls relate to controls at the application level.
Note (b): Once a user or personal computer has been granted access to a particular application, the “least
privilege” principle may be implemented in a number of ways to restrict such access to the
minimum possible privileges necessary for proper performance of the duties concerned:
• Restrictions on access to a module or program function, for example, masterfile amendments.
• Restrictions in terms of mode (type) of access, for example, read-only.
• Restrictions in terms of time of day (e.g. working hours only, as in a bank or telesales call
centre, which assists in ensuring access is supervised).
• Extent of access to data (e.g. allowing only restricted views of certain data so that sensitive
data fields are hidden to users of lower privilege levels).
Note (c): Access at application level should be logged so that details of the activity carried out are recorded
together with the user ID responsible for that activity (such logs can be selectively set so that only
specific types of activity that have been identified as high risk are monitored). In other words, access
to the configuration settings.
Summary: In effect a user:
• must identify himself to the system with a valid user ID
• must authenticate himself to the system with a valid password, and
• will only be given access to those programs and data files that he is authorised to have access to in terms
of his user profile.
Once the user has logged onto the system, access is usually controlled by what appears or does not appear
on the user’s screen.
For example, only modules of the application to which the user has access will appear on the screen, or,
alternatively, all the modules will be listed but the ones the user has access to will be highlighted in some
way, for example, a different colour. If the user selects (clicks on) a module to which he does not have
access (this is determined by his user profile), nothing will happen and/or a message will appear on the
screen saying something like “access denied”.
In another similar method of controlling access, the screen will not give the user the option to carry out a
particular action. For example, certain sales orders awaiting approval from the credit controller are listed on a suspense
file. Although other users may have access to this file for information purposes, when they access the file
their screens will not show an approve option, or the approve option will be shaded and will not react if the
user clicks on it. Only the credit controller’s screen will have an approve option that can be activated.
Along with the ability for a good computerised system to produce any number of reports, including those
that can be printed and used for physical comparisons, its ability to instantly compare any data on the
system makes comparison and reconciliation a valuable and effective control activity.
8.3.4.1 Batching
Batching is a technique that assists in controlling an activity which will be carried out on a batch of
transactions with the intention of making sure that all transactions in the batch were subjected to the
activity, that the activity was carried out accurately and that no invalid transactions were added to the
batch. Batching can be manual (user) or automated, or a combination of both.
In the context of accounting systems, batching can be used at the input stage, processing stage or output
stage. However, modern accounting software is designed around real-time input and processing in terms of
which individual transactions are captured and processed almost instantaneously (real time). As up-to-date
information is required, it is no longer a case of accumulating the day’s sales invoices, entering them onto
the system at 4pm where they are stored on the system, and then processing them over the weekend. If the
company does this, the debtors masterfile, the inventory masterfile and other related information will be
out of date by a week and will not be much use to users of that information. For example, checking an
order from a customer against the customer’s credit limit cannot be done effectively because that
customer’s balance owing may be understated because credit sales made to him during the week are not
reflected.
However, batching does still have a place, for example, in a wage system, where up-to-date information
is only needed at, say, two weekly intervals. The daily hours worked by each employee will be
accumulated and then entered individually as items in a batch and processed in a batch. The batch could be
designed as a convenient numerical number or by some other means, for example, employees in a cost
centre. Batches are processed in order. The following description of batching illustrates the principle of
batching at the input stage.
• Source documents are grouped into separate batches of, for example, 50 documents, and the following
control totals are manually computed:
– financial totals: totals of any fields holding monetary amounts
– hash totals: totals of any numeric fields, for example, invoice number (meaningless other than as a
control total)
– record counts: totals of the number of records (documents) in the batch, for example, 50.
• A batch control sheet should be prepared and attached to each batch. The batch control sheet should
contain:
– a unique batch number, for example, batch 3 of 6, week ending 31/7/01
– control totals for the batch
– identification of transaction type, for example, invoices
– spaces for signatures of all people who deal with the batch, for example, prepared by: . . . , checked
by . . . , reviewed by. . .
• A batch register should be used to record physical movement of batches; the register should be signed by the
recipient of the batch after checking what is being signed for, . . . transfer batches of clock cards to the
payroll department.
• The batch control system works as follows:
– The details of the batch (e.g. batch description and control totals) are keyed into the computer to
create a batch header label.
– Information off each record in the batch is keyed in and subjected to relevant automated validation
checks. . . valid account number, limit check.
– When all records have been entered, the computer calculates its own control totals based on what has
been keyed in and compares these totals to the manually computed totals input earlier to create the
header label (off the batch control sheet).
– If the totals agree and no other type of error was detected, the batch is accepted for processing.
– If not, the batch is rejected and sent for correction.
– Once the control totals have been “attached” to a batch, they can follow the batch throughout the
process, for example, if there are 50 clock cards in a batch, the computer will record whether 50 were
keyed in, 50 were processed and output for 50 was created.
Note (a): Batching assists with the following:
• identifying data transcription errors (e.g. incorrect values keyed in due to transposition errors)
• detection of data captured into incorrect field locations, and
• detection of invalid (e.g. duplicate) or omitted transactions or records for a batch, for example, if a clock
card is entered (keyed in) twice, the control totals will not balance.
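The batch control procedure above, carried through for a constructed batch of five clock cards. This is an added example, not code from the book; the record layout, field names and sample figures are assumptions. It computes the three control totals from what was keyed in, compares them with the header label, and shows which totals move for each kind of keying error listed in Note (a).

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class ClockCard:
    employee_no: int
    hours: Decimal
    gross_pay: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int         # number of documents in the batch
    hash_total: int           # sum of employee numbers (meaningless except as a control)
    financial_total: Decimal  # sum of the monetary field


def control_totals(records):
    """Totals the computer calculates from the records actually keyed in."""
    return ControlTotals(
        record_count=len(records),
        hash_total=sum(r.employee_no for r in records),
        financial_total=sum((r.gross_pay for r in records), Decimal("0")),
    )


def check_batch(header, keyed_records):
    """Compare header label totals with the computed totals.

    Returns (accepted, differences); the batch is accepted only if every
    total agrees, otherwise it is rejected and sent for correction.
    """
    computed = control_totals(keyed_records)
    differences = []
    for name in ("record_count", "hash_total", "financial_total"):
        expected, actual = getattr(header, name), getattr(computed, name)
        if expected != actual:
            differences.append(f"{name}: header {expected}, keyed {actual}")
    return (not differences, differences)


def card(employee_no, hours, gross_pay):
    return ClockCard(employee_no, Decimal(hours), Decimal(gross_pay))


# Constructed source documents: one batch of five clock cards.
SOURCE = [
    card(1041, "80", "6400.00"),
    card(1042, "76", "6080.00"),
    card(1057, "80", "7200.00"),
    card(1063, "64", "5120.00"),
    card(1070, "80", "6400.00"),
]

# Totals computed manually on the batch control sheet and keyed in as the header label.
HEADER = ControlTotals(record_count=5, hash_total=5273,
                       financial_total=Decimal("31200.00"))

# Constructed keying errors, one per kind of problem batching is meant to catch.
DUPLICATE = SOURCE + [SOURCE[3]]                       # clock card keyed in twice
TRANSPOSED = ([SOURCE[0], replace(SOURCE[1], gross_pay=Decimal("6800.00"))]
              + SOURCE[2:])                            # 6080.00 keyed as 6800.00
WRONG_FIELD = SOURCE[:4] + [replace(SOURCE[4], hours=Decimal("6400.00"),
                                    gross_pay=Decimal("80"))]  # pay and hours swapped
WRONG_NUMBER = (SOURCE[:2] + [replace(SOURCE[2], employee_no=1075)]
                + SOURCE[3:])                          # 1057 keyed as 1075


if __name__ == "__main__":
    for label, keyed in [("as per source", SOURCE), ("duplicate", DUPLICATE),
                         ("transposed amount", TRANSPOSED),
                         ("wrong field", WRONG_FIELD),
                         ("wrong employee number", WRONG_NUMBER)]:
        accepted, differences = check_batch(HEADER, keyed)
        print(label, "ACCEPTED" if accepted else "REJECTED", differences)
```

Only the hash total catches the mis-keyed employee number, because the record count and the financial total still agree with the header.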
The following summary should clarify batching in the context of transactions flowing through the system.
Remember that the control hinges around creating totals “before”, and “after”, and then comparing these
to each other.
• These transactions are then processed as a batch when it is efficient/convenient to do so and the
relevant masterfiles are updated to reflect the effect of the entire batch on affected masterfile balances.
Control totals before and after processing are compared.
• Not common, particularly as it is slow and information is not up to date.
(b) On-line entry, batch processing/update (also referred to as an on-line entry with delayed processing)
• Transaction data is entered via a keyboard immediately as each transaction occurs. For example, a sales
order is placed by telephone and the operator keys in the details as the conversation with the customer
takes place. Relevant program checks take place as information is keyed in (for simplicity’s sake, assume
an invoice is created immediately and not only after goods have been dispatched).
• The transaction information is converted into machine readable form as each transaction occurs and is
held on a transactions file on the computer system.
• Control totals are created by the computer on the batch for the transaction file.
• The transactions are then processed as a batch and the relevant masterfiles are updated to reflect the
effect of each transaction in the batch on affected masterfile balances, for example, they could be
processed at the end of each day (daily batch update).
• Entry of the transaction is efficient, but information is not immediately up to date. The longer the
period that the batch of transactions is not processed, the less up to date the information will be.
• Extensive use of screen dialogue and prompts. These are messages sent to the user to guide him, for
example, a prompt may appear on the screen reminding the user to confirm and re-enter a field.
• Mandatory fields: Keying in will not continue until a particular field or all fields have been entered. Such
fields may be highlighted in red or identified by a star, or there may even be a prompt if the user misses that
field and moves on to the next field.
• Shading of fields, which will not react if “clicked on”, for example, an on-screen sales order may have the
customer’s account number and details shaded, so that the user completing the sales order will not be able to
change these fields.
For example:
If a normal order from a customer for an inventory item is 100 units, and a clerk enters 1 000, the
screen will display a message querying the entry of 1 000, although there is no limit on the quantity
ordered. (The computer does an “instant” check on the quantity that the client normally orders.)
Of course, this type of check takes processing resources, so will only be used if there is a real
benefit.
• Dependency checks
An entry in a field will only be accepted depending on what has been entered in another field.
For example:
The acceptability of entering a credit limit of R100 000 on a debtors account will depend on the status
allocated to the debtor. If the debtor’s credit status rating is A+ (very good), the credit limit of R100 000
will be acceptable. If the status is only B+, the credit limit will not be acceptable.
• Format checks
– Alpha-numeric checks prevent/detect numeric fields that have been entered as alphabetic, and vice
versa, for example, when entering an employee’s identity number, all digits must be numeric.
– Size checks detect when the field does not conform to pre-set size limits, for example, an identity
number entered must have 13 digits.
– Mandatory field/missing data checks detect blanks where none should exist; if a quantity is not entered
in a quantity field on an internal sales order, data capture cannot continue. (This is also discussed
under screen aids.)
– Valid character and sign check. The letters, digits or signs entered in a field are checked against valid
characters or signs for that field, for example, a minus sign (–) could not be entered in a quantity
order field.
• Check digits
A check digit is a redundant (extra) character added to an account number, part number, etc.
For example:
The character is generated by manipulating the other numerical characters in the account number.
When the account number is keyed in, the computer performs the same manipulation on the numerical
characters in the account number and if it has been entered (keyed in) correctly, the computer will come
up with the same check digit which was added to the account number originally. If it does not match,
the computer sends a screen message to inform the operator that the account number has been
incorrectly entered.
Check digits use up processing resources and therefore are limited to critical fields. They cannot be
used on financial fields.
• Sequence checks
Detect gaps or duplications in a sequence of numbers as they are entered.
For example:
If numbered masterfile amendment forms are being keyed in, a sequence check will alert the user if
there is a gap or duplication in the numerical series.
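The dependency, format, check digit and sequence checks above, applied to constructed debtors masterfile amendment records. This is an added example, not code from the book or from any accounting package; the field names, the B+ ceiling and the sample records are assumptions. The text does not name a check digit algorithm, so the widely used Luhn (mod 10) method is used here as a stand-in.

```python
import re

DIGITS = re.compile(r"[0-9]+")  # ASCII digits only; str.isdigit() also accepts e.g. "²"
# Highest credit limit (rand) acceptable per credit status. That R100 000 is
# acceptable for A+ but not for B+ is from the text; the B+ ceiling is assumed.
MAX_LIMIT_BY_STATUS = {"A+": 100_000, "B+": 50_000}
MANDATORY = ("form_no", "account_no", "id_number", "credit_status", "credit_limit")


def luhn_check_digit(payload):
    """Check digit for a string of digits (Luhn, mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting next to the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def validate_amendment(rec):
    """Run the input checks on one keyed-in amendment; return error messages."""
    # Mandatory field / missing data check: capture cannot continue past a blank.
    blanks = [f"{name}: mandatory field is blank" for name in MANDATORY
              if str(rec.get(name, "")).strip() == ""]
    if blanks:
        return blanks
    errors = []
    # Alpha-numeric check, then size check, on the identity number.
    if not DIGITS.fullmatch(rec["id_number"]):
        errors.append("id_number: must be numeric")
    elif len(rec["id_number"]) != 13:
        errors.append("id_number: must have 13 digits")
    # Check digit: recompute from the other digits and compare with the last one.
    acc = rec["account_no"]
    if (not DIGITS.fullmatch(acc) or len(acc) < 2
            or luhn_check_digit(acc[:-1]) != acc[-1]):
        errors.append("account_no: check digit does not match")
    # Valid character and sign check: a minus sign is not a valid character here.
    limit = rec["credit_limit"]
    if not DIGITS.fullmatch(limit):
        errors.append("credit_limit: only digits allowed (no sign)")
    # Dependency check: the acceptable limit depends on the credit status field.
    elif rec["credit_status"] not in MAX_LIMIT_BY_STATUS:
        errors.append("credit_status: unknown status")
    elif int(limit) > MAX_LIMIT_BY_STATUS[rec["credit_status"]]:
        errors.append("credit_limit: not acceptable for credit status")
    return errors


def sequence_check(form_numbers):
    """Return (gaps, duplicates) in the numbered forms as they were keyed in."""
    seen, duplicates = set(), []
    for n in form_numbers:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    return gaps, duplicates


# Constructed amendment records, in the order they were keyed in.
KEYED = [
    {"form_no": 201, "account_no": "400123451", "id_number": "1234567890123",
     "credit_status": "A+", "credit_limit": "100000"},   # passes every check
    {"form_no": 202, "account_no": "400132451", "id_number": "12345678901",
     "credit_status": "B+", "credit_limit": "100000"},   # transposed digits, short ID, limit too high
    {"form_no": 202, "account_no": "400123451", "id_number": "12345678O0123",
     "credit_status": "A+", "credit_limit": "-5000"},    # letter O in ID, minus sign, form keyed twice
    {"form_no": 205, "account_no": "400123451", "id_number": "1234567890123",
     "credit_status": "A+", "credit_limit": ""},         # blank mandatory field
]


def validate_batch(records):
    """Per-record errors plus the sequence check over the form numbers."""
    per_record = [(r["form_no"], validate_amendment(r)) for r in records]
    return per_record, sequence_check([r["form_no"] for r in records])


if __name__ == "__main__":
    results, (gaps, duplicates) = validate_batch(KEYED)
    for form_no, errors in results:
        print(form_no, errors or "accepted")
    print("missing forms:", gaps, "duplicated forms:", duplicates)
```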
Note: The controls which follow are not program controls, but where information is entered off a
source document, the source document should be:
– pre-printed, in a format which leaves the minimum amount of information to be filled in manually
– pre-numbered – sequencing facilitates identification of any missing documents
– designed in a manner that is logical and simple to complete and subsequently enter into the
computer, for example, key pieces of information should have a prominent position on the document
– designed to contain blank blocks or grids that can be used for authorising or approving the document.
Unused source documents should be kept under lock and key by an independent person and a register
of receipt and issue of the document should be kept. If the source document is freely available, it is
easier to create fraudulent transactions.
Note: The reliability of the hardware itself will also play an important part in processing. Modern
computer equipment is very reliable, and the hardware will have its own range of hardware
controls, such as the following:
– Valid operation code: The processor checks if the instruction it is executing is one of a valid set of
instructions.
For example, bank reconciliations.
– Echo test.
For example, the processor sends an activation signal to an input/output device. That device returns
a signal showing it was activated. Echo tests can also be used to detect corruption of messages in
transit by bouncing the signal back from the recipient of the message to the sender, so that the sender
can compare it against the original message for any errors that may have occurred during
transmission.
Evaluating hardware is the domain of the expert, not the general auditor, and will be considered
when conducting risk assessment procedures.
Note: Interruptions in processing, that could lead to errors in processing, will be logged on activity
reports and followed up by operations staff.
The controls are based on the principles discussed in this chapter and will be a combination of user and
program controls, and will include both preventive and detective controls (and correction controls when
applicable). As usual, the focus will be on preventive controls.
An example of the controls over debtors masterfile amendments follows:
Note (a): Modern accounting packages do not allow balances in a masterfile to be adjusted other than
through a subroutine (sub-journal), for example, it is not usually possible to go into the
masterfile via the masterfile amendment module and reduce or delete a debtor’s balance. This
would have to be done through a transaction file, for example, credit notes, journal entries or
receipts.
Note (b): Unused MAFs and other important supporting documentation should be subject to stationery
controls as it is more difficult to create an invalid masterfile amendment without the source
document.
Note (c): A masterfile amendment should be carefully checked in all respects before it is authorised, for
example, the validity of credit terms and limits to be entered, so there should not be too many
errors or invalid conditions having to be identified by the program controls. Each company will
decide for itself the extent of program controls they wish to implement.
8.4.1 Inventory
Inventory formulae
• Determine the cost formulae and whether the rules have been configured in the application.
• Determine whether the inventory formulae/rules align with the policy.
• Determine who has access to the inventory formulae configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the inventory formulae/rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the inventory formulae/rules are accurate.
Master data
• Determine who has access to the inventory masterfile/cost price and whether the access is limited to
authorised personnel only.
• Have changes been made to the masterfile in the application during the period under review?
• Have changes been authorised in the application?
• Perform a comparison test to compare inventory prices year on year and review significant
discrepancies.
Inventory aging
• Stratify the age analysis through analytics.
• Review the inventory age analysis for inconsistencies and aged inventory.
Inventory impairment
• Perform analysis of inventory listing and determine inventory that should be classified as “obsolete” or
slow moving.
• Assess whether the application has been configured to perform inventory impairment.
• Determine whether the inventory impairment rules align with the policy.
• Determine who has access to the inventory impairment configuration in the application and whether
the access is limited to authorised personnel only.
• Scrutinise the write-off report to determine whether inventory was written off by authorised individuals
and whether there are inconsistencies with the write-offs.
• Have changes been made to the configured impairment rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether impairment rules are in actual fact working.
Impaired inventory
• Determine what the inventory write-off process is. Is there a possibility that the inventory can be
written off and sold for own profit?
Journals
• Determine who has authorisation to process journals relating to inventory within the application.
Foreign inventory
• Foreign/imported inventory has been captured at the correct forex rate, at spot on the first day the
recognition should have occurred.
• Determine whether the application has been configured to receive daily currency exchange rates that
would have been applied to imported inventory.
• Who has access to change the currency exchange rate configuration in the application?
• Have any changes been made to the configuration during the period under review?
• Perform a walkthrough of one inventory item to determine whether the forex calculation is accurate.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
8.4.2 Debtors
Debtors age analysis
• Test whether the debtors aging that is documented in the policy aligns with the aging in the system.
• Have changes been made to the debtors age analysis configuration settings embedded in the application
during the period under review?
• Have changes been authorised in the application?
• The aging has remained static during the course of the year and the audit trail does not depict any
changes to the application.
• Determine who has access to the debtors age analysis configuration in the application and whether the
access is limited to authorised personnel only.
• Perform a walkthrough of one to determine whether the aging is accurate.
Debtors’ impairment
• Assess whether the application has been configured to perform debtors’ impairment.
• Determine whether the debtors’ impairment rules align with the policy.
• Determine who has access to the debtors’ impairment configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the configured impairment rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether impairment rules are accurate.
Interest
• Determine whether the application calculates interest on long overdue debtors.
• Determine whether the debtors’ interest aligns with the policy and terms and conditions.
• Determine who has access to the debtors’ interest configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the interest raised on long overdue debtors configured in the application
during the period under review?
Discounts
• Determine whether the application calculates discounts for early payment or for specific debtors.
• Determine whether the discount rules align with the policy and terms and conditions.
• Determine who has access to the debtors’ discount configuration in the application and whether the
access is limited to authorised personnel only.
• Have changes been made to the debtors’ discounts on long overdue debtors configured in the
application during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the discount rules are in actual fact working.
Journals
• Determine who has authorisation to process journals relating to debtors within the application.
Other tests
• Perform analytical analysis on the register to determine large outstanding numbers, debtors that are also
creditors and to determine whether there are any trends.
• Stratify the age analysis through analytics.
• Determine whether the client has configured the transaction trail accurately within the application.
8.4.3 Revenue
Invoice prices vs masterfile prices
• Perform analytics on the revenue data to determine whether prices charged on the invoices align with
the price on the masterfile. Review significant discrepancies.
VAT
• Confirm that the VAT was correctly configured within the application.
• Determine who has access to the VAT configuration in the application and whether the access is limited
to authorised personnel only.
• Have changes been made to the VAT configured in the application during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.
Credit notes
• Determine who had the rights to authorise credit notes during the period under review.
• Determine who has access to the credit notes configuration in the application and whether the access is
limited to authorised personnel only.
• Have changes been made to authorisation levels configured in the application during the period under
review?
• Have changes been authorised in the application?
Master data
• Determine who has access to the masterfile price list and whether the access is limited to authorised
personnel only.
• Have changes been made to the masterfile in the application during the period under review?
• Have changes been authorised in the application?
• Through analytics, perform a comparison of prices year on year.
• Assess client master data and determine whether all clients have an indicator for payment terms – either
“IMMEDIATE”/“CASH SALE”/“COD” or “DEBTOR”/“CREDIT SALES”.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
Componentisation
• Assess whether the system has been configured for componentisation rules for assets.
• Access to the componentisation rules configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the componentisation rules embedded in the system during the period
under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.
Disposals of assets
• Ascertain who had access to dispose of assets during the period under review.
• Ascertain whether there are specific criteria configured in the system to dispose of assets.
• Determine whether the disposal of asset calculation has been configured correctly in the system and
includes the data trails to the capital gains calculation should profit be made.
• Perform a walkthrough of one to determine whether the calculation is accurate.
• Determine whether the depreciation of new assets has been calculated correctly if purchased during
the period.
• Perform a walkthrough of one to determine whether the calculation is accurate.
Impairment
• Ascertain who has access to write off or impair assets.
• Ascertain whether there are specific criteria configured in the system to impair assets at a certain point.
Impaired assets
• Determine what the asset impairment process is. Is there a possibility that the assets can be written off
and sold for own profit?
Journals
• Determine who has authorisation to process journals relating to asset entries within the application.
Capital gains
• Is the capital gains tax configuration correct in the system?
• Access to the capital gains tax configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the capital gains configuration settings embedded in the system during the
period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.
Wear-and-tear allowances
• Are the wear-and-tear allowance configurations correct in the application?
• Access to the wear-and-tear tax configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the wear and tear configuration settings embedded in the application
during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one of each asset class/category to determine whether the calculation is
accurate.
Foreign exchange
• Foreign/imported assets have been captured at the correct forex rate at spot on the first day the
recognition should have occurred.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied to imported assets.
• Who has access to change the currency exchange rate configuration in the application?
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one asset to determine whether the forex calculation is accurate.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
8.4.5 Tax
• Determine whether the tax rules align with national tax laws.
• Determine who has access to the tax configuration settings in the application and whether the access is
limited to authorised personnel only.
• Have changes been made to the tax configurations configured in the application during the period under
review (technically changes should only occur annually – also review whether the changes were made
timeously)?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the tax rules are accurate.
• Review whether settings have been enabled to overwrite tax calculations.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
8.4.6 VAT
• Determine whether the VAT rules align with national tax laws.
• Determine who has access to the VAT configuration settings in the application and whether the access
is limited to authorised personnel only.
• Have changes been made to the VAT configurations configured in the application during the period
under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the VAT rules are accurate.
• Review whether settings have been enabled to overwrite VAT calculations.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
8.4.7 Payroll
Payroll applications
• Determine whether the payroll function is performed on the same financial application where all other
financial functions are performed.
• If payroll is completed on a different application, interface management controls need to be reviewed to
confirm that the payroll data is transferred completely and accurately and not intercepted when
transferred.
• Review exception reports to determine whether the data interfaces are reported upon and reviewed. In
addition, determine whether exception reports are followed up and remediated.
Payroll calculations
• Determine whether the application has been configured accurately for statutory deductions.
• Perform a walkthrough of one to determine whether the payroll calculation is accurate.
• Determine who has access to change the employee tax rules configured in the application.
• Have any changes been made to the configuration during the period under review (technically changes
to the configuration should only occur annually, review whether the changes were made timeously)?
• Have changes been authorised in the application?
Time-capturing system
• If the company operates on a time-captured system and employees are paid accordingly, determine the
interfaces with the time management application, and the payroll application and related exception
reports that are produced.
• Review exception reports to determine whether the data interfaces are reported upon and reviewed. In
addition, determine whether exception reports are followed up and remediated.
• Determine who has access to the time-capturing application configurations.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Are validity checks built into the time application system to test limits, namely, maximum hours of
work per week, overtime permitted, public holidays, etc.?
Pay rate
• Determine who has access to change rates within the application or make changes on the master file.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Determine whether these rate changes were approved by the authorised individual.
Other tests
• Determine whether the system has been configured to perform an edit check when a duplicate bank
account is entered; alternatively, perform analytics to test for duplicate bank account details.
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
8.4.8 Intercompany
Foreign exchange
• Determine whether foreign/imported transactions have been captured at the correct forex rate.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied to forex transactions, namely, Reuters rates.
• Determine who has access to change the currency exchange rate configuration in the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
Intercompany journals
• Determine who has authorisation to process journals relating to intercompany transactions within the
application.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
8.4.9 Creditors
Purchasing approval levels
• Determine whether the application has been configured to incorporate specific approval limits and
different authorisation levels when purchasing.
• Determine who has access to change the limits within the application.
• Have any changes been made to the limit configuration during the period under review?
• Have changes been authorised in the application?
Unmatched invoices
• Determine whether the application has been configured to match invoices to purchase orders when
purchasing.
• Determine who has access to change the configuration within the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Review report for unmatched purchase orders for trends and inconsistencies.
Creditors masterfile
• Determine who has access to change the vendor masterfile within the application.
• Have any changes been made to the vendor masterfile during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to assess the authorisation process of adding a new vendor.
Exchange rate
• Determine whether the application has been configured to calculate foreign purchases at spot.
• Determine whether foreign/imported transactions have been captured at the correct forex rate.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied to forex transactions, namely, Reuters rates.
• Determine who has access to change the currency exchange rate configuration in the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one transaction to determine whether the forex calculation is accurate.
Preventing duplicate vendors by comparing VAT and bank account number
• Determine whether the application has been configured to only enter a vendor once off and that a
validity check is performed when a new vendor is captured to identify a duplicate VAT and/or bank
account number.
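The duplicate check described here, and the analytics for duplicate bank account details mentioned under payroll, can be run over masterfile extracts as in the following added example (not from the original text). The field names, the normalisation rule and all sample records are assumptions constructed for illustration; the employee-to-vendor cross-match goes one step beyond the two checks named in the text.

```python
from collections import defaultdict

# Constructed masterfile extracts (illustrative only; field names are assumptions).
VENDORS = [
    {"vendor_id": "V001", "name": "Acme Supplies (Pty) Ltd",
     "vat_no": "4123456789", "bank_account": "62-0012 3456"},
    {"vendor_id": "V002", "name": "ACME Supplies",
     "vat_no": "4123456789 ", "bank_account": "6200123456"},
    {"vendor_id": "V003", "name": "Blue Crane Logistics",
     "vat_no": "4987654321", "bank_account": "1044 556 677"},
    {"vendor_id": "V004", "name": "Karoo Office Services",
     "vat_no": "", "bank_account": "1044556677"},
    {"vendor_id": "V005", "name": "Protea Cleaning",
     "vat_no": "4555000111", "bank_account": "7000111222"},
]
EMPLOYEES = [
    {"employee_id": "E010", "name": "S Dlamini", "bank_account": "7000-111-222"},
    {"employee_id": "E011", "name": "R Pillay", "bank_account": "3300998877"},
    {"employee_id": "E012", "name": "M van Wyk", "bank_account": "33 0099 8877"},
]


def normalise(value):
    """Keep letters and digits only, upper-cased, so that spacing and
    punctuation differences ('62-0012 3456' vs '6200123456') cannot hide a match."""
    return "".join(ch for ch in (value or "") if ch.isalnum()).upper()


def find_duplicates(records, key_field, id_field):
    """Return {normalised key: [record ids]} for keys used by more than one record."""
    groups = defaultdict(list)
    for rec in records:
        key = normalise(rec.get(key_field))
        if key:  # a blank key is a completeness exception, not a duplicate
            groups[key].append(rec[id_field])
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) > 1}


def missing_key(records, key_field, id_field):
    """Record ids where the key field is blank (reported separately for follow-up)."""
    return sorted(r[id_field] for r in records if not normalise(r.get(key_field)))


def cross_match(employees, vendors):
    """Employees whose bank account also appears on the vendor masterfile."""
    vendor_by_account = defaultdict(list)
    for vendor in vendors:
        key = normalise(vendor.get("bank_account"))
        if key:
            vendor_by_account[key].append(vendor["vendor_id"])
    hits = []
    for emp in employees:
        key = normalise(emp.get("bank_account"))
        for vendor_id in vendor_by_account.get(key, []):
            hits.append((emp["employee_id"], vendor_id))
    return sorted(hits)


if __name__ == "__main__":
    print("Duplicate VAT numbers:   ", find_duplicates(VENDORS, "vat_no", "vendor_id"))
    print("Duplicate vendor banks:  ", find_duplicates(VENDORS, "bank_account", "vendor_id"))
    print("Duplicate employee banks:", find_duplicates(EMPLOYEES, "bank_account", "employee_id"))
    print("Vendors without VAT no.: ", missing_key(VENDORS, "vat_no", "vendor_id"))
    print("Employee/vendor matches: ", cross_match(EMPLOYEES, VENDORS))
```

Each hit is an exception for follow-up rather than proof of fraud; shared accounts can be legitimate (for example, group companies), so the auditor inspects the supporting authorisation.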
Journals
• Determine who has authorisation to process journals relating to creditors within the application.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
Provisions
• Determine who has authorisation to process journals relating to provisions.
• Obtain a list of the year-end journals and stratify to determine whether there are any non-routine
journals.
Foreign exchange
• Determine whether foreign payments have been captured at the correct forex rate.
• Determine whether foreign accounts have been captured at the correct rate.
• Determine whether the application has been configured to receive daily currency exchange rates which
would have been applied to forex transactions, namely, Reuters rates.
• Determine who has access to change the currency exchange rate configuration in the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one transaction to determine whether the forex calculation is accurate.
Other tests
• Determine whether the client has configured the transaction trail accurately within the application.
Review system documentation and automated journals that are processed when entries are made.
• Perform a walkthrough of one to determine whether the transaction reflects accurately.
The following IT general controls should be considered when performing audit procedures, which should
not be restricted to testing and placing reliance on the controls above:
• default account procedures
• there is a formal process in place to validate user accounts on the database
• users are restricted from viewing the text and stored procedures
• privileged user activity is reviewed
• monitoring of user access violations
• terminated employees with active user accounts
• lack of periodic user validation
• generic accounts are not used to access the database
• super user access is restricted
• user activity logs are reviewed on a regular basis
• segregation of duties within the application, and
• toxic combinations have been assessed and restricted.
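Several of the general controls listed above can be tested by comparing an HR extract with the account list of the application or database. The following is an added example, not from the original text; the account names, role names, toxic-combination rules and all sample records are assumptions constructed for illustration.

```python
from datetime import date

# Constructed HR extract: employee number -> termination date (None = still employed).
HR = {
    "E100": {"name": "T Nkosi", "terminated": None},
    "E101": {"name": "P Naidoo", "terminated": date(2021, 3, 31)},
    "E102": {"name": "J Botha", "terminated": date(2021, 6, 15)},
    "E103": {"name": "L Mokoena", "terminated": None},
}

# Constructed account listing as it might be exported from the application.
ACCOUNTS = [
    {"user": "tnkosi", "owner": "E100", "active": True,
     "last_login": date(2021, 11, 30), "roles": {"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}},
    {"user": "pnaidoo", "owner": "E101", "active": True,
     "last_login": date(2021, 5, 2), "roles": {"JOURNAL_POST"}},
    {"user": "jbotha", "owner": "E102", "active": False,
     "last_login": date(2021, 6, 14), "roles": {"PAYROLL_CAPTURE"}},
    {"user": "lmokoena", "owner": "E103", "active": True,
     "last_login": date(2021, 12, 1), "roles": {"PAYROLL_CAPTURE", "PAYROLL_RATE_CHANGE"}},
    {"user": "dbadmin", "owner": None, "active": True,
     "last_login": date(2021, 12, 3), "roles": {"SUPERUSER"}},
]

# Hypothetical segregation-of-duties rules: a user holding every role in a set is an exception.
TOXIC_COMBINATIONS = {
    "create vendor and release payment": {"VENDOR_MAINTAIN", "PAYMENT_RELEASE"},
    "capture payroll and change pay rates": {"PAYROLL_CAPTURE", "PAYROLL_RATE_CHANGE"},
}
PRIVILEGED_ROLES = {"SUPERUSER"}


def terminated_with_active_accounts(hr, accounts):
    """Active accounts owned by terminated employees, noting any use after termination."""
    findings = []
    for acc in accounts:
        emp = hr.get(acc["owner"])
        if emp is None or emp["terminated"] is None or not acc["active"]:
            continue
        used_after = acc["last_login"] is not None and acc["last_login"] > emp["terminated"]
        findings.append({"user": acc["user"], "terminated": emp["terminated"],
                         "used_after_termination": used_after})
    return findings


def generic_accounts(hr, accounts):
    """Active accounts that cannot be traced to a named employee."""
    return sorted(a["user"] for a in accounts if a["active"] and a["owner"] not in hr)


def toxic_combinations(accounts, rules):
    """(user, rule) pairs where one active account holds every role in a rule."""
    hits = []
    for acc in accounts:
        if not acc["active"]:
            continue
        for rule_name, roles in rules.items():
            if roles <= acc["roles"]:
                hits.append((acc["user"], rule_name))
    return sorted(hits)


def privileged_accounts(accounts, privileged_roles):
    """Active accounts holding a super-user role, for review of their activity logs."""
    return sorted(a["user"] for a in accounts if a["active"] and a["roles"] & privileged_roles)


if __name__ == "__main__":
    print(terminated_with_active_accounts(HR, ACCOUNTS))
    print(generic_accounts(HR, ACCOUNTS))
    print(toxic_combinations(ACCOUNTS, TOXIC_COMBINATIONS))
    print(privileged_accounts(ACCOUNTS, PRIVILEGED_ROLES))
```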
these call accounts (as well as various other savings accounts, fixed deposits, etc.) has been correctly
calculated, as reflected in the financial statements at R71 587 200.
• Imagine trying to obtain printouts of all 22 371 account holders and each of their daily balances for
365 days and then trying to test enough of these on our calculator, to form a representative sample of
interest calculations – clearly impractical, tedious, inefficient, very expensive and a high probability that
our audit staff would make many mistakes themselves along the way!
• Instead we are able to use audit software, which can re-perform all of these daily balance calculations
and provide an independently calculated total for interest payable by the bank for the year. Powerful
CAATs packages are able to test 100% of the population incredibly quickly, thus providing huge
benefits to auditors by significantly reducing audit risk (100% testing rather than sample testing),
providing more reliable evidence (no human errors) and increasing audit efficiencies (millions of
calculations can be re-performed in a matter of minutes and hours rather than days and months).
• Advantages
– The software has already been loaded on the client's hardware.
– They are relatively simple to use.
– They perform many of the tests which GAS packages offer.
– The cost of using these packages is generally lower than using GAS.
• Disadvantages
– Many utilities and report writers are available, which may cause time delays because the auditor will
have to assess how unfamiliar clients’ utilities and report writers function.
– These forms of CAAT may not be as well documented as GAS packages, and may not quite meet the
auditor’s requirements.
8.5.5.7 Compatibility of the firm’s hardware and software with the client’s hardware
and software
The audit firm’s hardware and software is unlikely to suit every single client’s hardware and software so it
will need some adaptation, for example, additional software may be required (cost) in order to run audit
programs on client systems/files (see note below).
10. Extract a listing of items where either the date of last sale or date of last purchase falls after the
inventory masterfile date (see connector 7/0002).
11. Extract a random sample of items to be counted at the inventory count (after summarising by location,
quantity and value).
12. Cast the value field to obtain the total value of inventory for comparison to the figure used in the trial
balance.
Having mature data and analytics in place requires the translation of business needs into practical steps and
initiatives. At the same time, it requires a solid foundation to support these steps and initiatives. In order to
accomplish this, organisations need to consider organising themselves in the following way and drive the
following structures within data management:
Companies have to define, at a corporate level, a data privacy strategy that meets the requirements of the
countries where the organisation has a footprint. If the company’s operation is only based in South Africa,
then that simplifies the strategy. If, however, the organisation operates across a number of countries, it will
need to consider tailoring the strategy to meet all the privacy laws across all the countries it operates in.
Below are the key focus areas an organisation needs to consider when drafting a data privacy strategy:
8.6.2 Terminology
• Patterns: A pattern is a set of data that follows a recognisable form, which analysts then attempt to find
in the current data.
• Trends: A trend is when a set of data constantly displays similar patterns over a given period of time.
• Data relationship: A data relationship exists between two relational database tables when one table has
a foreign key that references the primary key of the other table. Relationships allow relational databases
to split and store data in different tables, while linking disparate data items.
• Algorithms: An algorithm is the way computers process data. Many computer programs contain
algorithms that detail the specific instructions a computer should perform (in a specific order) to carry out a
specified task.
• Data strategy: The vision that supports an organisation’s ability to manage and exploit data. It creates a
direct link between strategic goals and data assets. It also provides an umbrella for all domain-specific
strategies, such as analytics, big data and data governance.
• Driving data value: Unlocking the value within ever-growing volumes of data is key to a competitive
advantage. The value of data is derived from the insight it can provide, enabling organisations to make
better decisions.
• Data asset management: To gain as much value from the data as possible, it should be of high quality
and readily accessible in the right format.
There are various types of Big data – the following explains the key categories:
9
Computer audit: New technology*
CONTENTS
9.2 The use of mobile information and communication technology on audits
9.2.1 What this technology can do
9.2.2 Security implications of using mobile information and communication technology on audits
______________
* For further reading and references on new concepts on internal auditing processes, refer to Internal Auditing: An Introduction
6th ed 2017, Performing Internal Audit Engagements 6th ed 2017 and Assurance: An Audit Perspective 1st ed 2018, GP Coetzee,
R du Bruyn, H Fourie, K Plant, A Adams and J Olivier, LexisNexis.
9.1 Introduction
9.1.1 General
The previous chapter dealt with the basics relating to computer auditing. This chapter deals with more
complex issues and focuses on new technology that inevitably will have an impact on the audit.
With the rapid speed of technology many organisations have chosen to embrace the technology era and
have in some form adopted IT within their businesses. Large corporates have embarked on extensive
technology journeys, spending millions on transforming the way they work. Although organisations have
made significant investments in IT some have overlooked the detailed risks that IT may pose to their
business.
Ultimately, the auditor will play an integral role having to provide assurance over these new technologies
and assess the potential impact and risk that these technologies expose an organisation to.
This chapter discusses several new technologies you may come across at your audit clients but, considering
the rapid speed of technology, the technologies you encounter will not be limited to these.
The innovative way mobile applications are developed will create the need for increased rigor relating to
governance, risk management and transparency within an organisation.
Mobile applications are the future and can have a significant financial benefit and competitive advantage
when implemented and managed appropriately. In addition to mobile devices, take cognisance of the fact
that smartwatches also support the same applications.
The audit of mobile applications is necessary to confirm the confidentiality of sensitive information that
is handled by both internal and external applications.
These applications are available on two platforms, Google’s Android or Apple’s iOS mobile operating
systems. Therefore, when applications are being developed by an organisation, they need to be compatible
with both Android and Apple iOS development, and with their respective controls and compliance requirements.
Auditors have to test the implementation of mobile applications, the on-going governance thereof
and the protection of sensitive data (inclusive of interfaces). Mobile application audits are necessary to
confirm the confidentiality of sensitive information that is handled by both internal and external business
applications.
There should be no debate about whether mobile applications should be tested as part of the audit, and
auditors should understand the associated risks to ultimately allow them to test mobile application controls.
In addition, due to the nature of the information and the resources that are accessed, third-party business
mobile application security audits are also required for all applicable platforms.
Several examples of mobile applications that may exist within organisations or where organisations have
been established due to a very successful application follow:
1. Lifestyle mobile applications promoting: fitness, dating, food, music and travel, such as Spotify,
Tripadvisor, Apple Music and Uber.
2. Social media mobile applications: building social networks. Many applications, including Facebook,
Instagram, Pinterest and Snapchat allow you to share photos, products, high scores, or news items with
your social network.
3. Games/entertainment mobile applications: these apps, such as Angry Birds, Clash of Clans and
Subway Surfer, are popular among developers because they bring users back multiple times each week,
sometimes multiple times per day.
4. Productivity mobile applications: these applications, such as Docs, Sheets, Wallet/Pay, Evernote and
Wunderlist, help their users accomplish a task quickly and efficiently, making what are sometimes
mundane tasks easier and perhaps a little more fun.
5. News/information mobile applications supply their users with the news and information they’re
looking for in a user-friendly layout that efficiently navigates them to the things they care about most. They
include Buzzfeed, Smartnews, Flipboard and Google Weather.
9.1.3.2 Terminology
• Smartphone: A mobile device that performs several of the functions of a computer, generally has a
touchscreen, Internet access, and an operating system capable of running downloaded apps.
• Mobile application: A mobile application (app) is a software application developed specifically for use
on small, wireless computing devices, such as a smartphone, rather than a desktop or laptop computer.
• iOS operating system: iOS is a mobile operating system created and developed by Apple Inc. Apple
iOS is considered a closed source and is solely “subscribed to” by Apple products.
• Android operating system: The Android OS is an open source operating system mainly used in mobile
devices. It is written in Java and based on the Linux operating system. It was initially developed by
Android Inc. and was eventually purchased by Google in 2005.
• Smartwatch: A computing device worn on a person’s wrist that offers functionality and capabilities
similar to those of a smartphone. Smartwatches are designed to, either on their own or when paired
with a smartphone, provide features like connecting to the Internet, running mobile apps, making calls
and more. A number of companies currently have smartwatches on the market, including Google,
Samsung and Apple (the iWatch).
Organisations should therefore consider the following, including security aspects, when mobile devices are
integrated into the network:
• a BYOD policy defining the allowed use of mobile devices and the remote wiping of the information on
mobile devices and mobile applications in the event of the device being stolen
• guidelines relating to the respective measures taken by the organisation to secure access to company
assets through BYOD devices
• the sensitivity of data that will be available on the mobile applications and devices, and the impact of
the reputational damage in the event of the data leaking
• the sensitivity of data that will be available on the mobile applications and devices, and the impact of
privacy laws, and
• network architecture caters for mobile devices accessing the organisation.
9.1.4.3 Terminology
• Bring your own device (BYOD), also referred to as bring your own technology (BYOT), bring your own phone
(BYOP) or bring your own personal computer (BYOPC), refers to the policy of permitting employees to
bring personally owned devices (laptops, tablets and smartphones) to their workplace, and to use those
devices to access privileged company information and applications. The phenomenon is commonly
referred to as IT consumerisation.
• IT consumerisation is the proliferation of personally owned IT at the workplace (in addition to, or even
instead of, company-owned IT), that originates in the consumer market, to be used for professional
purposes.
• The employee is expected to use his or her devices in an ethical manner at all times and to adhere to the
company’s acceptable use policy, as outlined above.
• The employee assumes full liability for risks including, but not limited to, the partial or complete loss of
company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or
other software or hardware failures, or programming errors that render the device unusable.
The organisation reserves the right to take appropriate disciplinary action up to and including termination
for non-compliance with the BYOD policy. The employee’s device may be remotely wiped if:
• the device is lost
• the employee terminates his or her employment, or
• IT detects a data or policy breach, a virus or similar threat to the security of the company’s data and
technology infrastructure.
9.1.5 Cryptocurrencies
9.1.5.1 Introduction
Cryptocurrencies use very intricate and complex encryption, acting as an exchange medium in order to
conclude financial transactions. Cryptocurrencies rely on decentralised control and the decentralisation is
controlled by synchronised digital data that contains the relevant details for every transaction that has ever
been processed. This is distributed across multiple locations known as a blockchain that acts as a public
financial transactional database. Bitcoin was the first decentralised cryptocurrency.
Examples of cryptocurrencies include:
• Bitcoin – The original fiat cryptocurrency
• Bitcoin Cash – Similar to Bitcoin with some technical differences
• Litecoin – Often referred to as the silver to Bitcoin’s gold
• Monero – A cryptocurrency that provides additional anonymity and security for users
9.1.5.2 Terminology
• Blockchain: Blockchain is a decentralised public digital ledger that is used to capture transactions
involving multiple computers to confirm that records are not updated without the updating of all subsequent
blocks.
• Encryption: Encryption is used to secure data so that only authorised users can access and read the
encrypted data. It uses an algorithm to encrypt and a key to decrypt the data.
• Decentralisation: Decentralisation is a process involving planning and decision-making that is distributed
away from a central location.
• Digital data: Digital data is represented in the form of machine language that can be interpreted by
several technologies. A binary system is the most common example that stores information using a
combination of ones and zeros.
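The blockchain definition above rests on one property: each block stores a hash of the block before it, so a changed record invalidates every later block unless all of them are rewritten. The following added example (not from the original text) shows that property with a simplified hash chain; it assumes SHA-256 over JSON-encoded blocks, uses constructed transactions, and leaves out the consensus and signature mechanisms real cryptocurrencies add.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

# Constructed sample transactions, one batch per block.
BATCHES = [
    [{"from": "A", "to": "B", "amount": 50}],
    [{"from": "B", "to": "C", "amount": 20}],
    [{"from": "C", "to": "A", "amount": 5}],
    [{"from": "A", "to": "D", "amount": 10}],
]


def block_hash(index, prev_hash, transactions):
    """SHA-256 over the block's contents, including the previous block's hash."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True,
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(batches):
    """Link each batch of transactions to the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for index, transactions in enumerate(batches):
        digest = block_hash(index, prev, transactions)
        chain.append({"index": index, "prev_hash": prev,
                      "transactions": transactions, "hash": digest})
        prev = digest
    return chain


def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if the chain is intact."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]  # link to the previous block is broken
        expected = block_hash(block["index"], block["prev_hash"], block["transactions"])
        if expected != block["hash"]:
            return block["index"]  # contents no longer match the stored hash
        prev = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute links and hashes from block `start` to the end (what an editor of
    the ledger would have to do to make an altered copy verify again)."""
    prev = chain[start - 1]["hash"] if start > 0 else GENESIS_PREV
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block["index"], prev, block["transactions"])
        prev = block["hash"]
    return chain


if __name__ == "__main__":
    import copy
    original = build_chain(BATCHES)
    altered = copy.deepcopy(original)
    altered[1]["transactions"][0]["amount"] = 9000
    print("after editing block 1:", first_invalid_block(altered))
    altered[1]["hash"] = block_hash(1, altered[1]["prev_hash"], altered[1]["transactions"])
    print("after re-hashing only block 1:", first_invalid_block(altered))
    rehash_from(altered, 1)
    print("after re-hashing blocks 1 onwards:", first_invalid_block(altered))
    print("final hash still matches other copies:", altered[-1]["hash"] == original[-1]["hash"])
```

Even the fully re-hashed copy ends in a different final hash from the copies held by other participants, which is why the ledger being distributed matters to anyone relying on it as evidence.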
9.1.6.2 Terminology
• Storage: Data from applications, databases, data warehouses, archiving and backups are stored via a
process called storage. It is a mechanism that enables computers to keep data.
• Network: A network is two or more connected devices that can communicate with each other. A
network comprises several computer systems that can be connected by physical or wireless connections. It
can be a personal computer sharing data to global data centres or even to the world-wide web itself.
Networks have the capability to share information and resources.
• Software-as-a-Service (SaaS): This is a software distribution model in which a third-party provider hosts
applications and makes them available to customers over the Internet. SaaS is one of three main categories of
cloud computing, alongside infrastructure as a service (IaaS) and platform as a service (PaaS).
• Infrastructure-as-a-Service (IaaS): This is a form of cloud computing that provides virtualised computing
resources over the Internet.
• Platform-as-a-Service (PaaS): This is a cloud computing model in which a third-party provider delivers
hardware and software tools, usually those needed for application development. A PaaS provider hosts
the hardware and software on its own infrastructure.
• Copies of standard audit programmes/prior year audit programmes can be tailored as and when
necessary, for use on the current engagement.
• Spreadsheets can be used for the preparation of detailed time and money budgets so that actual audit
times can be loaded at regular intervals in order to allow audit supervisors to effectively monitor
progress and costs.
• Industry-specific information can be downloaded from the Internet to assist the audit team in gaining an
understanding of the entity.
9.2.2.1 Security over “work papers” – controls to restrict unauthorised access to the firm’s
computers and storage devices
• All audit staff must be thoroughly briefed on the importance of maintaining the confidentiality of the
data on their computers and storage devices.
• Computers should be switched off when not in use and time-out facilities should be enabled.
• User IDs and passwords should be required to start up the computers and to access applications. Sound
password controls should be adhered to.
• The audit senior should act as a “mobile librarian” and should, for example, be responsible for:
– ensuring all computers/storage devices left on the client’s premises are locked away securely (audit
team members will usually be responsible for their own laptops)
– ensuring backups are taken and kept secure, and separate from computers, especially overnight and
over weekends
– monitoring the use of storage devices by the staff under his/her supervision
– returning all storage devices that are no longer required to the audit firm’s office.
• Sensitive information, such as evaluations of management, should not be taken to the client’s premises
at all.
• There should be a library system at the audit office under the control of a designated librarian or
administration manager. Sound controls should be put in place including control over the movement of (hard
copy) files and multimedia/storage devices.
• Controls over files/storage devices should confirm that they are signed out by the person withdrawing
them for use.
• All backup copies should be equally well protected.
Developments in technology and other more technical developments have helped facilitate the ability of
businesses to handle huge transactional volumes and to communicate globally in an instant.
Data storage refers both to a user’s data generally and to the integrated hardware and software systems
used to capture and manage data. This includes data in applications, databases, data warehouses,
archiving, backups and cloud storage.
9.3.2 Terminology
• Databases: A database is an organised collection of data, generally stored and accessed electronically
from a computer system. Where databases are more complex, they are often developed using formal
design and modelling techniques.
• Data warehouses: A data warehouse is a system used for reporting and data analysis, and is considered a
core component of business intelligence. They store current and historical data in one single place and
are used for creating analytical reports.
• Archiving: Data archiving is the process of transferring data that is no longer actively used to a separate
storage device for long-term retention. Archive data consists of older data that remains important to the
organisation or must be retained for future reference for a required period of time for regulatory
compliance reasons.
• Backup appliance: Backup appliance is a data storage device that accumulates the backup software and
hardware components within a single device. It is a type of turnkey and all-inclusive backup solution
that provides a central interface for backup processes, tools and infrastructure.
• Cloud storage: Cloud storage is a service model in which data is maintained, managed, backed up
remotely and made available to users over a network – normally the Internet. Data is stored in global
data centres with storage data spread across multiple regions or continents.
• The move from mainframes to personal computers: This trend is well established. Improvements in
technology have brought about huge increases in processing power and data storage capacity. As a result, there is
a move away from centralised data processing units towards “end-user computing”, that has significant
implications for the internal controls of the company and for the extent to which the auditor can rely on
these controls. To be more specific, employees in all sectors of a company have PCs on their desks that
potentially give them access to all the data, programmes, masterfiles, etc., on the system.
Division of duties is placed under threat, and data integrity and confidentiality can be compromised if
the correct control techniques are not put into place. The auditor has also benefited from the reduction
in size of computing devices. It is now common practice for auditors to use a laptop computer to
document their work in electronic work papers in the field.
• Client/server systems architecture: The term “architecture” refers to the way in which the hardware and
software are configured or set up. The simplest version of client/server architecture is a local area network
(LAN) configured to promote the sharing of files, printers and other computer resources.
Machines that use these resources are known as “clients”, and machines that offer these resources are
known as “servers”. Critical computer resources, such as operating systems, application programmes
and databases, are distributed among various processors, which can themselves be scattered throughout
the organisation’s premises. Again, this has significant internal control implications for the company
and the auditor, for example, breakdown in division of duties, and the integrity and confidentiality of the
IT system being compromised.
• Open systems: This term refers to a drive to promote interoperability and transportability between software
and hardware. This aim can only be made possible through the application of common standards
among all manufacturers and developers of hardware and software. Open systems result in greater ease
of access by all who use resources that comply with open system standards. Again, this has internal control
implications for the company and the auditor.
• Image processing: As computers increase their processing and storage capabilities and become more cost
effective, so image processing, for example, scanning, will become more common. Where image processing
is used, there is increased reliance on the backup of electronic information to prevent the loss of
audit trails – again, this may pose risk to the auditor.
• Multimedia, USB and memory devices: Several small effective data storage media devices have been
developed in recent years. These devices present both an opportunity and a threat. They facilitate the
sharing of information and facilitate the backup of data. For example, auditors can use these devices to
obtain large quantities of data from their clients to analyse or to back up their electronic work papers
when in the field. However, these devices also present a security threat as they make it easy for an unauthorised
individual to copy or steal large quantities of sensitive data if no password protection or
encryption exists on these devices. Organisations should implement policies and processes within the
end-user computing controls environment to manage this risk. Refer to end-user computing (paragraph
8.2.10 in chapter 8). The auditor should consider which policies, processes and controls the
organisation has in place to manage IT general controls over devices that carry end-user data, namely,
encryption and password protection regarding storage media devices.
• Smartcards: A smartcard contains a micro processing chip, as opposed to the magnetic strip of a normal
swipe card. Smartcards therefore possess storage space as well as intelligence and can be used to enhance
identification and authentication procedures, for example, through storage of biometric data (like
retina scans). The improvements in access control that are possible using smartcards have positive
implications for the auditor, as better controls over access to the system make the system more secure
from both the company’s and the auditor’s perspective.
• Communications technology: The last decade has seen rapid advances in communication technologies.
Electronic funds transfer (EFT), the Internet, electronic data interchange (EDI), all of which are covered
in this chapter, are now common in business. Wireless communication has facilitated mobile business
people, for example, sales staff, to have access to real-time information and to submit orders while
on the move dealing with customers.
• Web enabled: Many business applications are becoming “web enabled”. This term refers to the ability
for users to interface with the application concerned via their web browser. As a result, these applications
can be accessed from outside the organisation (i.e., over the Internet).
• Cloud computing: Simplistically, this is the term used to describe the practice of storing a company’s (or
an individual’s) data and programmes on a storage device that is deemed “remote” and that is accessed
via the Internet. Service providers who offer this service have termed this as “cloud computing”. Of
course, this does not mean that the data is stored in a “cloud”, but it does mean that it is stored on giant
servers in some super secure facility somewhere in the world and often hosted by a third-party service
provider.
• Historic data storage: Due to regulatory requirements, such as tax, data storage of historic data is required. As
mentioned in the retiring of application section (refer to chapter 8 para 8.2.7), maintaining old applications
that are deemed obsolete is not cost efficient but, in most scenarios, they are not retired due to the data they
host. It is therefore important to note that it may be more cost efficient to host historic data in a cloud solution;
in addition, it may simplify the architecture solution and limit interfaces. The IT controls over this data
need to be established to confirm no unauthorised access and changes occur.
• When sensitive data is passed to the cloud you could lose control over data privacy as multiple clients
have access to these servers.
• In the cloud you don’t need to manage your data. If your cloud storage provider gets impacted by a
hardware outage, access to your data is impacted and compromised.
9.4 Networks
9.4.1 Introduction
It is thought that networks originated through a desire to share printers among several people in an organisation.
Instead of having numerous printers that all cost money, but that lie idle for a lot of the time, it
made sense to think of a way to link the users to one printer that could be more productive for much longer
periods of time. This idea has progressed significantly so that networks are now used to promote the sharing
of virtually any resource linked to the network concerned. The term “resource” is used to refer to
hardware (such as printers and processors) as well as software (such as application programmes and database
management systems) and data (such as masterfiles and databases).
9.4.2 Terminology
9.4.2.1 LAN
A local area network (LAN) is a data communications system that links several independent resources,
normally by means of a cable, within a small geographic area (e.g., a building). LANs are commonly used
to allow communication and sharing of resources among employees in a department or area of a
building/organisation.
9.4.2.2 WAN
A wide area network (WAN) is similar in concept to a LAN but extends over a wider geographic area.
Usually, additional hardware and software are required, such as bridges, routers and gateways, to make
links over a wide area possible.
There are additional considerations regarding the communication channels themselves in a WAN,
namely:
• whether to use a leased line (a line dedicated solely for electronic communication), or
• whether to use a switched line (a dial-up facility with more subscribers than lines), or
• whether to use lines that communicate in analogue or digital form.
If in analogue, then modems are necessary for conversion from the digital form used by computers to the
analogue form used by telephone lines. If in digital form, then Diginet connections would be used rather
than telephone lines.
Each of these options has different implications in terms of cost, security and access control.
WANs are commonly used to link an organisation to its remote branches, its service providers (the
banks), or its trading partners (where EDI is used).
9.4.2.6 Internetworks
This is the term used to signify the linking up of LANs, WANs, etc. Internetworks exist both within and
among organisations. They arise because of links from PCs to mainframes, mainframes to other mainframes,
LANs to LANs, LANs to WANs, WANs to WANs and many other possible combinations of
these linkages. There are many combinations, but the risks remain the same – increased opportunity for
unauthorised access to the system and all the problems which that brings, as well as the potential for data
to be lost or changed during transmission. Hence the validity of the data is also at risk.
9.4.2.7 Server
A server is an important part of the network. It is a powerful microcomputer that controls the usage of a
particular resource available to the users of the network. The print server controls the use of the printer, the
file server controls the use of data files and application programme files so, just as the name suggests, a
server “serves” the network with the resource it controls.
The effectiveness of security/access controls is therefore of critical importance to the company and the
auditor, and becomes increasingly so as the client environment:
• becomes more highly networked, and
• tends more towards distributed processing.
Unauthorised access to the network may be gained:
• via a bona fide network PC, or
• via connecting an unauthorised PC to the network (e.g., plugging a laptop into a network socket).
The auditor therefore needs to test access controls in accordance with the IT general controls. Refer to
chapter 8 paragraph 8.2 to confirm that all users have allocated roles and profiles and that these have been
assigned to access authorisation levels. Access management tests include granting access to resources,
authorising modification of access and termination of access when users leave.
• The use of a call-back facility. A call-back facility works as follows: when a valid user dials into a computer
system and is identified, the computer cuts the connection and immediately redials the number
that is stored in the computer for that specific user. This protects the system against hackers posing as
authorised PCs, because reconnection will be with the authentic terminal rather than the poser. However,
hackers have found ways around this control.
• Automatic lockout of a user account after more than three unsuccessful attempts to log in. This would
assist in guarding against hackers using password cracking programmes to access the network.
• The application of industry standards that prescribe that the network is developed and controlled the
right way.
• The use of sophisticated user authentication techniques specially designed to cope with the complexities of
controlling access in a networked environment where distributed processing takes place.
• The use of encryption methods to protect sensitive data against access while it is being transmitted, for
example, public key, private key.
• The use of network monitoring devices that can inspect activity taking place on the network, terminate
sessions with vulnerable devices and log unauthorised access.
• A secure network architecture using devices, such as firewalls, that help secure networks from external
threats and can be used to segregate areas within a network to promote a secure environment.
Do not lose sight of the fact that this is a very technical aspect of computing and that the points above
present an overview only.
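The automatic lockout control described above can be tested from the system's own access log. The following is an added example, not part of the original text: the log format, the event names (LOGIN_FAIL, LOGIN_OK, LOCKOUT, UNLOCK) and the user names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

MAX_FAILURES = 3  # the text's rule: lock out after MORE than three failed attempts

# Constructed sample log. The "timestamp user event" layout and the event
# names are assumptions for this example, not any product's real log format.
SAMPLE_LOG = """\
2021-03-01T08:00:01 jsmith LOGIN_FAIL
2021-03-01T08:00:05 jsmith LOGIN_FAIL
2021-03-01T08:00:09 jsmith LOGIN_OK
2021-03-01T09:10:00 tnaidoo LOGIN_FAIL
2021-03-01T09:10:02 tnaidoo LOGIN_FAIL
2021-03-01T09:10:04 tnaidoo LOGIN_FAIL
2021-03-01T09:10:06 tnaidoo LOGIN_FAIL
2021-03-01T09:10:06 tnaidoo LOCKOUT
2021-03-01T09:10:08 tnaidoo LOGIN_FAIL
2021-03-01T09:40:00 tnaidoo UNLOCK
2021-03-01T09:41:00 tnaidoo LOGIN_OK
2021-03-02T01:00:00 eftclerk LOGIN_FAIL
2021-03-02T01:00:01 eftclerk LOGIN_FAIL
2021-03-02T01:00:02 eftclerk LOGIN_FAIL
2021-03-02T01:00:03 eftclerk LOGIN_FAIL
2021-03-02T01:00:04 eftclerk LOGIN_FAIL
2021-03-02T01:00:05 eftclerk LOGIN_OK
2021-03-02T07:30:00 pmokoena LOGIN_FAIL
2021-03-02T07:30:02 pmokoena LOGIN_FAIL
2021-03-02T07:30:04 pmokoena LOGIN_FAIL
2021-03-02T07:30:06 pmokoena LOGIN_FAIL
2021-03-02T07:30:06 pmokoena LOCKOUT
2021-03-02T07:31:00 pmokoena LOGIN_OK
"""


def find_lockout_exceptions(log_text, max_failures=MAX_FAILURES):
    """Return (timestamp, user, finding) tuples where the lockout control failed."""
    fails = defaultdict(int)  # consecutive failures per user since the last reset
    locked = set()            # users with a LOCKOUT not yet followed by an UNLOCK
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than guessing
        ts, user, event = parts
        if event == "LOCKOUT":
            locked.add(user)
            fails[user] = 0
        elif event == "UNLOCK":
            locked.discard(user)
            fails[user] = 0
        elif event == "LOGIN_FAIL":
            if user in locked:
                continue  # attempt against a locked account: control worked
            # The threshold was already exceeded by the previous attempt and
            # the system is still accepting attempts: report once per streak.
            if fails[user] == max_failures + 1:
                findings.append((ts, user, "NO_LOCKOUT_AFTER_THRESHOLD"))
            fails[user] += 1
        elif event == "LOGIN_OK":
            if user in locked:
                findings.append((ts, user, "LOGIN_WHILE_LOCKED"))
            elif fails[user] > max_failures:
                # Typical trace of successful password guessing.
                findings.append((ts, user, "SUCCESS_AFTER_EXCESS_FAILURES"))
            fails[user] = 0
    return findings


if __name__ == "__main__":
    for finding in find_lockout_exceptions(SAMPLE_LOG):
        print(*finding)
```

Each finding is an exception for the auditor to follow up; an empty result over a period that contains failed logins is evidence that the lockout operated as designed.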
9.5 Databases
9.5.1 Introduction
A database is a pool of interrelated data, that is managed, structured and stored in such a way that:
• duplication of data is minimised
• it contains all necessary information that is needed to provide for sharing of common data among
different programmes and users
• the data is quickly accessible by all authorised users, and
• many users can access the same data simultaneously and will be provided with the same view of the
data at any one time, despite updates that may be in progress.
A database therefore provides for sharing of common data among different programmes/users, and so is a
prime example of a resource that is particularly suited to a networked environment. Examples include
common databases such as Microsoft SQL and Oracle.
9.5.2 Terminology
• A database administrator (DBA) should be appointed to manage the database. Duties include:
– defining access privileges of database users
– design, definition and maintenance of the database, and
– defining and controlling backup and recovery procedures.
• Database structure may be hierarchical, network or relational. No further details regarding these structures
are considered necessary for a general understanding of audit implications of databases. Most
financial database systems are structured as relational databases.
• Data ownership is a term that relates to the administration of data, rather than the management/administration
of the database. Responsibility for defining access and security rules for specific data elements
within the database is delegated by the DBA to appropriate individuals (e.g., the credit controller may
be data owner of customer credit limits and therefore responsible for advising the DBA as to who
should be granted access privileges to this data). Data ownership therefore promotes the integrity of the
database.
• Data sharing. The ability of users involved in different applications to use the same data for different
purposes, for example, the quantity on-hand information for an item of inventory may be used by the
buyer as a basis for purchasing more inventory, while the inventory controller may use the same information
to produce a “value of inventory on hand” report.
• Data independence. This means that the data is independent of a specific application. It can be shared by
other applications as described in data sharing above.
• Data warehouse is a term commonly used for a very large database that usually consolidates information
from several different sources (applications) within an organisation and is used to provide management
reports.
Chapter 9: Computer audit: New technology 9/21
9.6.1.1 Benefits
The characteristics of electronic messaging systems are speed, minimal use of paper and less repetition of data
that results in a more efficient business practice (e.g., lower costs, quicker response times, and fewer errors).
9.6.1.2 Risks
These include:
• system failure, that could result in the business being brought to a standstill, losing customer confidence,
failure to meet supply deadlines, etc.
• a loss of confidentiality of the data being “interchanged”
• the opportunity to introduce manual controls may be reduced, for example, stopping an invalid payment
that has got through the system. An invalid cheque payment could have been “stopped” from
going through by contacting the bank. An electronic transfer cannot be stopped easily (note: cheques are
no longer an accepted form of payment in South Africa)
• increased reliance on networks and data communications
• loss of audit trail – no paper, and
• difficult legal liability issues, for example, if confidential information about a supplier is obtained illegally
off the system at large, who is responsible? Company A? Company B? The VAN, or the communication
channel provider?
As with all risks, controls can be put into place to address them. These controls are what the auditor will be
interested in.
[Diagrams not reproduced. Surviving labels: Company X, Company Y, electronic orders, Bank A, Bank B, VAN, Company Z and others.]
Example 1
Boomtown (Pty) Ltd, a small company, has 30 suppliers that it wants to pay by EFT. It will also need to
make three or four once-off payments for other items purchased. Not all creditors are paid every month.
1. To set up payment by EFT, the financial manager will have to visit the company’s bank and provide
extensive evidence of his identity, the existence of the company, his authorisation to use the service, etc.
The facility will then be activated specifically for the company’s bank account from which EFT payments
will be made. He will also provide the bank with his mobile number.
2. Once the financial manager has set up the facility with the bank, his first task will be to list the 30 suppliers
on the system. To do so he will access the bank’s site on the Internet. He will then log into the
website by entering the Boomtown (Pty) Ltd’s bank account number and PIN supplied by the bank. If
this is successful, the screen will request the entering of a confidential password. On successful entry of
the password, the bank’s system will automatically send an SMS to the mobile number provided by the
financial manager. This alerts him to the fact that someone has accessed the bank account and is just a
precautionary control.
3. Following on screen instructions, the financial manager creates a list (profile) of the 30 regular suppliers
that Boomtown (Pty) Ltd intends to pay by EFT. The list will contain the name and full banking details
of the suppliers, for example, bank, branch, account number.
3.1 To enter a supplier onto the list (initially or in the future), the financial manager must select the
“add beneficiary (payee)” option. At this point the bank’s system will send another SMS that contains
a one-time password consisting of numeric and alphabetic characters. This password can be
used only once and must be entered by the financial manager for him to be able to add a supplier
onto the list of payees (suppliers). Once the list has been created, it remains on the bank’s system.
4. When the financial manager actually wants to pay suppliers on the list, say at the end of the month, he
accesses the bank account (gets an SMS to alert him that someone has accessed the account), and following
the prompts, selects each supplier to be paid, and enters the amount each is to receive (all the
other information, e.g., bank details, etc., is already on the system), and sets the transfer in motion by
selecting the appropriate option, for example, proceed, or next. The transfer will then go through.
5. The procedure for making once-off payments is slightly different. Once-off payments are made to
payees who are not on the profile and to which the company is unlikely to make regular payments. On
accessing the company’s bank account (SMS is received as usual), the financial manager will select the
once-off payment option, and at this point will receive a one-time password via SMS.
5.1 Once this password has been entered, the financial manager will be taken through a series of
screens onto which he enters details of the payee (beneficiary) and the payee’s bank, account number,
branch code, reference and amount to be paid.
5.2 On selecting the proceed option, a second one-time password will be sent via SMS, which the
financial manager must enter before the transfer will be activated. Note: Two one-time passwords
are required for once-off payments as added security.
6. When payments are made in this manner directly via the terminal by an employee, the procedure is
independent of the company’s financial accounting system in the sense that there is no preparation of a
file of EFT payments created on the company’s computer system and transferred to the bank as a file.
7. It is important to note that the bank’s controls do not prevent the financial manager from adding invalid
payees, such as himself or an associate in an attempt to defraud the company. The bank requires a PIN
and normal password, and also adds protection against unauthorised transfers by sending additional
once-off passwords to a specified mobile number, but it will be the responsibility of Boomtown (Pty) Ltd
to make sure that only valid payees are added to the profile and only valid once-off payments are made.
7.1 The risk in this situation arises because of a lack of segregation of duties. The financial manager
has access to the PIN and password for the company’s bank account and the one-time passwords
come to his mobile phone. This lack of segregation of duties will be made worse if confirmation of
the payment is also sent to the financial manager and even more so if he reconciles the bank statement,
which may well be what happens in a small company.
7.2 The nature and extent of controls that a company like Boomtown (Pty) Ltd will be able to implement
to address this risk will depend upon the number of employees it has, as segregation of duties
will be the best preventive control. Controls over EFT payments should focus on prevention but
must be supported by detective controls. Possible controls are:
Preventive
• All EFT payments should be documented on preprinted, sequenced EFT payment vouchers.
• Each EFT payment voucher should be authorised by two employees (preferably independent of
the individual making the EFT payment).
• EFT payment vouchers should be sequence checked, and verified against supporting documentation,
before being authorised. The banking details of payees receiving once-off payments,
should be verified independently.
• The financial manager should log onto the bank’s website and an SMS should be sent to his
mobile phone, but the password to access the facility to make EFTs should not be known to
him. Another senior employee should have this password and must enter it (note: the financial
manager’s profile should allow him to do other things on the site, e.g., download bank statements).
• The PIN and passwords should be strictly confidential, and the financial manager should not
leave his mobile lying about.
• A limit on the amount that can be transferred in a single 24-hour period or in a single EFT
payment should be agreed with the bank.
• The terminal should shut down after three unsuccessful attempts to access the bank
account/EFT facility.
• The ability to access the Internet should be restricted to the PCs of those employees who need it
to do their jobs to the extent that it is practical to do so.
Detective
• Confirmation of all EFT payments sent by the bank should be printed, matched to the EFT payment
voucher and attached to it.
• From time to time a senior manager (or the person to whom the financial manager reports)
should access the list of payees on the payee file and reconcile it to an audit trail of payees added
and/or removed over the preceding period.
• Security violations should be logged and followed up.
• The cash book reconciliation should be carried out regularly, and by someone independent of
the payment process.
Example 2
Marathon Ltd is a wholesale company that pays its creditors by EFT. The company has many creditors.
1. A company that makes a large number of payments would want to prepare a file of payments on its
system that they can transfer to the bank over the Internet to pay creditors (and salaries).
2. To facilitate this, Marathon Ltd’s bank would load its EFT software on a limited number of terminals at
Marathon Ltd so that the access to the bank via the terminals is more secure, and the two systems can
communicate with each other.
3. Access to the bank’s site on the web will be gained in the normal manner via the Internet, but once the
Marathon Ltd employee gets onto the site, an additional PIN and password, unique to that user, will
have to be entered.
4. If this identification and authentication process is accepted, a menu of the functions available will
appear, for example:
• balance enquiry
• download bank statement, and
• make EFT payment.
Access to any of these functions will be directly linked to the employee’s user profile, for example, some
employees will be able to download bank statements, and a (very) limited number will be able to make
EFT payments. Remember that the employee has already identified and authenticated himself to the system,
so an additional password may not be required. The employee will then click on the function he
requires to exercise his privileges. If the user profile does not allow access to the function “clicked on”,
there will either be no response and/or a screen message “access denied” will be sent.
5. Obviously the function that must be most protected is the EFT payment function, and the bank will
require that additional controls be implemented.
5.1 The first additional control is to require an additional “password” from the user. This is achieved
in different ways by different banks.
Example 1
• A leading bank requires that a (physical) device, called a dongle, be inserted into the USB port of
a PC that has had the bank’s software loaded on it.
• A dongle is given only to those employees of Marathon Ltd who are authorised to make EFT
payments.
• The dongle is unique to that employee and must be kept safe and secure at all times. It is in
effect a “physical” password that communicates with the bank’s software on the terminal.
Example 2
• Another leading bank gives the authorised employees at Marathon Ltd a random number generator.
This is a small device that provides a one-time password.
• Each random number generator is unique to the person whom it is issued to.
• The device has its own unique registration number and, when it is issued, the registration number
is linked to the employee’s user profile on the bank’s software.
• Once the employee has logged onto the site to make an EFT payment, the screen will request
the employee to enter his one-time password. The employee presses a little button on the device
and a random number appears. Remember that the employee has already identified and
authenticated himself to the system, so the system can link the random number to the employee
who entered it.
• Of course, the employee must not give his password and number generator to anyone.
5.2 The second additional control is to require two employees to effect (put in motion) an EFT.
• One employee is to authorise the payment file and another to release the payment file.
• The payment file will not go until both authorise and release functions have been activated, and
they must happen in the correct order.
• Once the first employee has selected the authorise option, nobody can write to the file of pay-
ments (including the employee who will release the file).
• If the releasing employee requires changes, he will have to return the file to the authorising
employee who will make the change and start the process again.
• Both parties will need to have their own additional password to carry out their functions (i.e.,
the release employee will also have a dongle or a unique random number generator).
6. In addition to the controls over actually making the EFT payment, there must be good controls over the
preparation of the file to be transferred. This will be achieved by conventional access controls and careful
checking of the content of the file, for example, confirming payments to creditors against supplier
invoices, etc. Of particular importance will be controls over masterfile amendments.
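The authorise-and-release rules in point 5.2 can be expressed as a small state machine. This is an added example, not part of the original text and not any bank's software: the class, method and user names are hypothetical, the `token_ok` flag stands in for the dongle or one-time-password check that the bank's software would perform, and the account numbers are constructed.

```python
import hashlib
import json


class ControlError(Exception):
    """An action that would breach the authorise/release control."""


class PaymentFile:
    """EFT payment file that needs two different people: authorise, then release."""

    def __init__(self, authorisers, releasers):
        self.authorisers, self.releasers = set(authorisers), set(releasers)
        self.payments = []
        self.state = "DRAFT"      # DRAFT -> AUTHORISED -> RELEASED
        self.authorised_by = None
        self.digest = None        # fingerprint of the content as authorised
        self.audit_trail = []     # (user, action) for every successful step

    def _fingerprint(self):
        canonical = json.dumps(self.payments, sort_keys=True).encode("utf-8")
        return hashlib.sha256(canonical).hexdigest()

    def add_payment(self, user, beneficiary, account, amount_cents):
        if self.state != "DRAFT":
            raise ControlError("file is locked: nobody may write after authorisation")
        self.payments.append(
            {"beneficiary": beneficiary, "account": account, "amount_cents": amount_cents}
        )
        self.audit_trail.append((user, "ADD"))

    def authorise(self, user, token_ok):
        if self.state != "DRAFT" or not self.payments:
            raise ControlError("only a non-empty draft file can be authorised")
        if user not in self.authorisers or not token_ok:
            raise ControlError("user may not authorise, or second factor failed")
        self.digest = self._fingerprint()
        self.state, self.authorised_by = "AUTHORISED", user
        self.audit_trail.append((user, "AUTHORISE"))

    def return_for_change(self, user):
        # The releaser cannot edit; the file goes back and the process restarts.
        if self.state != "AUTHORISED" or user not in self.releasers:
            raise ControlError("only a releaser can return an authorised file")
        self.state, self.authorised_by, self.digest = "DRAFT", None, None
        self.audit_trail.append((user, "RETURN"))

    def release(self, user, token_ok):
        if self.state != "AUTHORISED":
            raise ControlError("wrong order: file must be authorised before release")
        if user not in self.releasers or not token_ok:
            raise ControlError("user may not release, or second factor failed")
        if user == self.authorised_by:
            raise ControlError("authoriser and releaser must be different people")
        if self._fingerprint() != self.digest:
            raise ControlError("content changed after authorisation")
        self.state = "RELEASED"
        self.audit_trail.append((user, "RELEASE"))
        return self.digest


def attempt(action, *args):
    """Run one step and report whether the control allowed it."""
    try:
        action(*args)
        return "OK"
    except ControlError as exc:
        return "DENIED: " + str(exc)


if __name__ == "__main__":
    f = PaymentFile(authorisers={"alice", "bob"}, releasers={"alice", "bob"})
    f.add_payment("clerk", "Alpha Supplies", "1000000011", 1250000)  # constructed
    print(attempt(f.release, "bob", True))     # denied: not yet authorised
    print(attempt(f.authorise, "alice", True))
    print(attempt(f.release, "alice", True))   # denied: same person
    print(attempt(f.release, "bob", True))
```

The fingerprint check at release catches a change made to the file's content by any route other than `add_payment`, which is the point of the rule that nobody can write to the file once it has been authorised.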
In a large company like Marathon Ltd, control over EFT payments should be very strict. Controls
should include:
Preventive
• Strict controls over the compilation of the payments file to be transferred, for example, authority for
masterfile changes (adding a creditor, changing a bank account number).
• Bank software is to be loaded on the minimum number of terminals necessary to facilitate EFT payments
efficiently and securely.
• Only more senior employees are to be authorised to effect an EFT.
• Only a limited number of employees are to be given privileges to make EFT payments.
• Once access to the bank account has been granted, further access should be given on the “least privilege”
principle, for example, some employees can download bank statements but not make
payments.
• User IDs, PINs, passwords are to be subject to sound password controls (see chapter 8).
• Devices such as random number generators and dongles are to be the responsibility of the authorised
employee at all times, for example, not left with an assistant or left lying about.
• The “two signatories” principles (authorise and release) must be applied.
• The terminals on which the EFT software is loaded should shut down after three unsuccessful
attempts to access the bank account.
• An arrangement may be made with the bank to transfer the money from the company’s main bank
account to another clearing account and then to creditors’ (or salary earners’) bank accounts. Limiting
the accounts to which transfers from the main bank account can be made, protects the main bank
account, as attempts to transfer electronically to accounts other than the designated clearing accounts
will not be successful.
• The amount that can be transferred within a 24-hour period can be limited.
• Data can be encrypted.
Detective
• A log of authorised access and access violations should be kept and reviewed; problems should be
followed up.
• An audit trail of all EFT payments should be downloaded the following day and checked against the
payments file.
• The audit trail should be independently reviewed by a senior official and payments randomly
checked against source documentation.
• All bank accounts should be regularly reconciled in a timely manner by an employee independent of
the EFT function.
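The detective control of checking the downloaded audit trail of EFT payments against the payments file can be performed as a reconciliation. This is an added example, not part of the original text: the CSV layouts, field names and finding labels are assumptions, and all references, beneficiaries, account numbers and amounts are constructed. It also applies the 24-hour transfer limit listed under the preventive controls as an after-the-fact check.

```python
import csv
import io
from decimal import Decimal

# Constructed sample data: the payments file prepared on the company's system.
PAYMENTS_FILE = """\
ref,beneficiary,account,amount
PV0001,Alpha Supplies,1000000011,12500.00
PV0002,Beta Traders,1000000022,8300.50
PV0003,Gamma Freight,1000000033,4100.00
PV0004,Delta Packaging,1000000044,960.75
"""

# Constructed sample data: the audit trail downloaded from the bank next day.
BANK_AUDIT_TRAIL = """\
ref,account,amount
PV0001,1000000011,12500.00
PV0002,1000000022,8800.50
PV0003,9000000099,4100.00
PV0003,9000000099,4100.00
PV0009,9000000099,25000.00
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(payments_csv, trail_csv, daily_limit=None):
    """Return (ref, finding) pairs for every difference between file and trail."""
    authorised = {row["ref"]: row for row in _rows(payments_csv)}
    findings = []
    seen = set()
    total_paid = Decimal("0")
    for paid in _rows(trail_csv):
        ref = paid["ref"]
        amount = Decimal(paid["amount"])  # Decimal avoids float rounding on money
        total_paid += amount
        if ref in seen:
            findings.append((ref, "DUPLICATE_PAYMENT"))
            continue
        seen.add(ref)
        expected = authorised.get(ref)
        if expected is None:
            findings.append((ref, "NOT_IN_PAYMENTS_FILE"))
            continue
        if paid["account"] != expected["account"]:
            # Points to an unauthorised masterfile change of banking details.
            findings.append((ref, "ACCOUNT_MISMATCH"))
        if amount != Decimal(expected["amount"]):
            findings.append((ref, "AMOUNT_MISMATCH"))
    for ref in authorised:
        if ref not in seen:
            findings.append((ref, "NOT_PAID"))
    if daily_limit is not None and total_paid > Decimal(daily_limit):
        findings.append(("ALL", "DAILY_LIMIT_EXCEEDED"))
    return findings


if __name__ == "__main__":
    for ref, finding in reconcile(PAYMENTS_FILE, BANK_AUDIT_TRAIL, "50000.00"):
        print(ref, finding)
```

Every finding should be traced to source documentation by someone independent of the EFT function, in line with the review described above.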
9.7.1 Introduction
The Internet began as a single network (ARPANET) that originated in the United States of America in the
late 1960s as part of a defence research project. It has since been used to connect to hundreds of thousands
of other networks in countries throughout the world. It may therefore be described as a huge network of
networks all connected to make up the largest network in the world. Any company that uses the Internet
takes on the risks of any network, namely an increase in the risk of unauthorised access to its own system
and its resulting problems, including loss of confidentiality, corruption of data and programs, and the
introduction of viruses.
Use of the Internet for commercial purposes is growing at a phenomenal rate. This has a direct effect on
the auditor because more and more clients are using the Internet to conduct their normal business
activities.
In the same way as a LAN allows employees in an office to share computer resources in that office, the
Internet allows users throughout the world to share services and resources made available on millions of
computers worldwide.
A wide variety of services are available on the Internet. Different protocols are associated with each service
and some protocols are recognised as being more reliable and secure than others. A protocol is simply
a standard way of doing things, or to be more precise, a set of procedures, requirements and regulations for
each service. The most important services, for commercial purposes, are explained by the terminology that
follows.
9.7.2 Terminology
• The World Wide Web (WWW): This is the fastest growing aspect of the Internet and offers the greatest
attraction for business. It uses a concept known as hypertext technology to link documents located at
different websites. These documents are known as web pages and may include text, graphics, sound and
video files. It is controlled by a protocol called hypertext transfer protocol (http). There is a more secure
protocol, called https, that should be used when communicating sensitive information (e.g., credit card
details) – the additional security includes encryption.
Web pages can be used:
– to market and advertise products to an audience of millions of people
– to offer customers “24/7” service (i.e., access 24 hours per day, 7 days a week for every day of the
year) to information, products and facilities for placing of orders and/or making payments
– as a valuable source of information for businesses, and
– to facilitate the download of products, for example, music, articles and information.
• Electronic mail: Provides users with the ability to communicate quickly and economically, using text or
graphics, with other Internet users throughout the world. Email is controlled by the simple mail transfer
protocol (SMTP).
• File transfer: This is similar to email, but is used to look for, as well as to transmit, large files as opposed
to short email messages. This is controlled by file transfer protocol (FTP). It is worth noting that there is
a more secure, encrypted version, called SFTP.
• Remote terminal access and command execution: This service allows access to a remote system as if you
were on a terminal/PC that was directly attached to that system. Use of this service could therefore
provide an organisation with access to powerful processors, large databases, useful programmes and
other resources that it may not otherwise be able to access.
Control: Appointing/consulting personnel with the necessary legal and computer skills to implement
the requirements of the Act and to monitor compliance on an ongoing basis.
(b) Risk: By connecting to the Internet, the company creates a channel or link to the outside world that
could facilitate unauthorised access to the company’s computer system. This could lead to service
disruption, virus contamination, data destruction or corruption, and the loss of confidential information.
Control: A number of controls could apply, including:
• Configuring the company’s own system to restrict the access that the Internet link provides to only
those resources that need to be linked.
• Processing and storing particularly sensitive applications on separate systems (systems not linked to
the Internet), for example, a computer that is not physically connected to the other computers
linked to the Internet.
• Providing a means of restricting traffic to and from the Internet so that it all has to go through a
carefully controlled route. This is achieved by introducing what is termed a firewall – specialised
hardware and software that is configured with sets of rules that dictate the permitted protocols,
source and destination locations. The firewall is placed between the Internet network and the
company’s system.
• Installing Internet and email monitoring software, for example, Web Marshall and Mail Marshall.
These products can:
– log the sites on the WWW that have been accessed by employees (this will dissuade staff from
accessing illegal or unacceptable sites from the office, and wasting time on the Internet)
– prevent users from accessing certain websites
– control the addresses, length and content of emails by monitoring the email protocol (SMTP),
thus, emails to or from certain specified addresses or over a certain length or containing
attachments (e.g., video footage), may not be allowed to pass
– pass all incoming files through a virus scanner
– encrypt emails that are sent to specific sites, and
– control the delivery of messages to specific PCs.
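The firewall control above relies on an ordered set of rules naming the permitted protocols, sources and destinations. The following Python example is added here for illustration and is not taken from the book or from any firewall product; the addresses (documentation ranges), the rule set and the function names are constructed assumptions. It shows first-match evaluation with a default deny, plus a check an auditor could run to list rules that are broader than the business needs.

```python
"""Added illustration: first-match firewall rule evaluation with a default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    protocol: str         # "tcp", "udp" or "any"
    source: str           # permitted source location, as a CIDR network
    destination: str      # permitted destination location, as a CIDR network
    port: Optional[int]   # destination port; None means any port
    note: str = ""


# Constructed rule set for a hypothetical company (not from the book).
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "web shop over https"),
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.25/32", 25, "inbound email (SMTP)"),
    Rule("deny", "any", "0.0.0.0/0", "10.20.0.0/16", None, "accounting LAN is internal only"),
    Rule("allow", "tcp", "10.20.0.0/16", "0.0.0.0/0", 443, "staff browsing over https"),
]


def rule_matches(rule: Rule, protocol: str, src: str, dst: str, port: int) -> bool:
    """True when the connection attempt falls inside every field of the rule."""
    return (
        rule.protocol in ("any", protocol)
        and ip_address(src) in ip_network(rule.source)
        and ip_address(dst) in ip_network(rule.destination)
        and (rule.port is None or rule.port == port)
    )


def evaluate(rules: List[Rule], protocol: str, src: str, dst: str,
             port: int) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding rule); no match means deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, protocol, src, dst, port):
            return rule.action, index
    return "deny", None  # default deny: anything not explicitly permitted is blocked


def broad_allow_rules(rules: List[Rule]) -> List[int]:
    """Indexes of allow rules open to any source AND any destination, port or protocol."""
    flagged = []
    for index, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        any_source = ip_network(rule.source).prefixlen == 0
        any_destination = ip_network(rule.destination).prefixlen == 0
        if any_source and (any_destination or rule.port is None or rule.protocol == "any"):
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    # Constructed connection attempts.
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 443))  # customer to web shop
    print(evaluate(RULES, "tcp", "198.51.100.7", "10.20.5.9", 3389))    # outsider to accounting LAN
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 21))   # FTP to web server
    print(broad_allow_rules(RULES))
```

Because evaluation stops at the first matching rule, the order of the rules is itself something to review when the rule set is inspected.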
(c) Risk: Orders may be accepted, and the goods dispatched but payment may not be received from the
customer.
Control: Before the company fills any orders, it needs to be satisfied that it is dealing with a genuine
customer and that there is a very high expectation that the customer will pay. Essentially the customer
needs to be identified and authenticated. This can be achieved as follows:
• The company can obtain personal details about the client (over the Internet) including citizen
identification numbers, or credit card details that can be authenticated. The customer can then be
provided with a password that must be kept secret and used by the customer when placing an order
to identify and authenticate him- or herself.
• If further authentication is required, the customer can be subjected to “challenge-response” where,
before transacting, the user is required to provide answers to questions about details that were
provided when the customer opened his account, for example, what is the name of the family pet? The
computer then compares the answer given by the user to the customer’s file.
• An email address can be requested. This provides an additional way of tracing a transaction and
allows the company to contact the address to confirm the order. It is not foolproof, but may alert a
person whose email address has been used fraudulently to the transaction.
• Restricting the method of payment to credit card only. The system should obtain clearance on the credit
card details supplied by the customer. A direct link with the bank will provide the supplier with
confirmation that the card is genuine, not reported stolen or expired and that the account contains the
necessary funds. Before the goods are despatched, the funds transfer should have been authorised. Of course,
genuine card details do not mean that the owner of the card consented to its use (it may have been
stolen) but that is the concern of the card owner. Passwords, pins and cards must always be kept secure. An
additional point to remember is that if a person is trying to obtain goods fraudulently over the Internet,
he has to gain physical access to the goods, so a delivery address must be provided. This will leave a trail,
but it will be time consuming and costly to follow this up if the sale proves to be fraudulent. It is far
more efficient to prevent the situation from arising.
Note: A company trading over the Internet may accept orders from a customer and charge the sale to
the customer’s account (i.e., like a normal credit sales/debtors transaction). In this case all the normal
controls for extending credit should be adhered to, for example, creditworthiness checks, credit limits,
as well as identification and authorisation of the user prior to accepting the order.
(d) Risk: Information keyed in by the customer may be inaccurate or incomplete, resulting in orders that
cannot be filled, for example, if the customer does not indicate the quantity required, the order can’t be
filled. This will lead to customer dissatisfaction and lost sales.
Control: This risk is reduced (eliminated) with adequate input validation and reasonableness checks,
for example, web pages that:
• are properly designed to display spaces for all information required and are easy to follow, and
• require the customer to key in the absolute minimum.
For example:
instead of keying in the description of the item required, the customer will simply select and click
against a list of goods available that appears on the screen (drop-down lists).
• contain programme checks that enhance accuracy and completeness.
For example:
alphanumeric or number fields and a mandatory field check on the quantity ordered field where an
item has been selected
• all other information.
For example:
The item number pertaining to the item ordered will be linked to the description and will not have
to be entered.
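The programme checks described under (d) can be illustrated as follows. This Python example is added here and is not code from the book; the catalogue, the field names and the quantity limit are constructed assumptions. It applies the selection-from-a-list check, the mandatory and numeric checks on the quantity field, a reasonableness limit, and takes the description and price from the item number rather than from anything the customer keyed in.

```python
"""Added illustration: programmed input checks on a web order line."""
import re
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed catalogue: item number -> (description, unit price in rand).
CATALOGUE = {
    "1001": ("Cycling helmet", Decimal("450.00")),
    "1002": ("Water bottle", Decimal("85.50")),
}
MAX_QUANTITY = 50  # assumed reasonableness limit per order line


def validate_order_line(form: Dict[str, str]) -> Tuple[Optional[dict], List[str]]:
    """Return (accepted order line, []) or (None, list of error messages)."""
    errors: List[str] = []
    item_no = (form.get("item_no") or "").strip()
    quantity_text = (form.get("quantity") or "").strip()

    # The customer selects from a list, so the item number must exist in the catalogue.
    if not item_no:
        errors.append("item_no: an item must be selected")
    elif item_no not in CATALOGUE:
        errors.append("item_no: not an item on the list")

    quantity = None
    if not quantity_text:
        # Mandatory field check on the quantity ordered.
        errors.append("quantity: mandatory")
    elif not re.fullmatch(r"[0-9]{1,6}", quantity_text):
        # Numeric field check: ASCII digits only, no signs, decimals or letters.
        errors.append("quantity: must be a whole number")
    else:
        quantity = int(quantity_text)
        if quantity == 0:
            errors.append("quantity: must be at least 1")
        elif quantity > MAX_QUANTITY:
            # Reasonableness check: unusually large orders are not accepted online.
            errors.append("quantity: exceeds the limit per order line")

    if errors:
        return None, errors

    # Description and price are linked to the item number; any description or
    # price sent with the form is ignored.
    description, unit_price = CATALOGUE[item_no]
    return {
        "item_no": item_no,
        "description": description,
        "quantity": quantity,
        "line_total": unit_price * quantity,
    }, []


if __name__ == "__main__":
    # Constructed form submissions.
    print(validate_order_line({"item_no": "1001", "quantity": "3", "unit_price": "0.01"}))
    print(validate_order_line({"item_no": "1001", "quantity": ""}))
    print(validate_order_line({"item_no": "9999", "quantity": "abc"}))
```

The checks run in the company's own sales system after the form is submitted, so they hold even if the web page itself is bypassed or altered.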
(e) Risk: Unauthorised disclosure of confidential customer information (by hacking, eavesdropping)
and/or loss of data integrity (data is changed in some way), once transmission of the transaction is
underway.
Control: The inclusion and enabling of transport layer security techniques (e.g., secure socket layer)
that:
• encrypt sensitive data to ensure confidentiality
• authenticate the user (thus ensuring authorised access)
• implement programmed checking that tests the completeness of data as well as any changes thereto
(integrity). For example, details of the order are relayed back (on screen) to the customer by the
sales system for final acceptance. The customer is required to select and click on the desired option,
for example, “confirm amount” or “cancel”, and
• transaction logs and transmission logs are produced and reviewed to confirm that all transactions
sent were received.
(f) Risk: Potential customers may be lost (and the reputation of the company damaged) if customers are
not satisfied that the website does not contain malicious code or content, and that the company is a
legitimate business.
Control:
• Confidence in the site can be enhanced by having the site verified (on an ongoing basis) by a
reputable certificate provider, for example, Thawte and Verisign, and displaying the company’s privacy
policy on the site.
• Web applications should be designed to be secure. Adequate input validation, reasonableness
checks and user authentication techniques must be implemented. This is a highly specialised area
where specialists should be used.
(g) Risk: By selling over the Internet, the company becomes a 24 hour a day, 7 days a week, 365 days a
year business. Any lack of availability or functioning of the site will result in lost sales and may affect
the company’s reputation.
Control: A reputable service provider must be used, and the company must employ staff with the
necessary computer and website maintenance skills to confirm that the website is always available and
fully functional (and that the website is up to date, attractive and user-friendly). Adequate redundancy
and disaster recovery that is commensurate with the needs of the business/website should be
implemented.
9.8.2 Terminology
A bureau may provide several different levels of service, including:
• facilities management – in which computers are housed at the bureau and the bureau staff may provide
infrastructure support for the hardware, operating system and database, but applications are managed
by the business itself
• application service providers (ASPs) – the entire service related to a particular application is provided by
the bureau, or
• full outsourcing – in which case all IT services are provided by the bureau.
the above. The auditor should also observe the relationship between his client and the bureau to gain the
above insights.
Some bureaux will arrange independent evaluations of their business from time to time. It is in their
interests to do so as the evaluation report can be used to promote the bureau. If such an evaluation exists,
the auditors of the bureaux’s clients should make use of it; for example, a report that provides an
independent opinion on the operating effectiveness of the key controls operating at the bureau. See page 17/23
in this regard.
(c) An evaluation of the controls put in place at the client over the functions that are the responsibility of
the client
This will involve performing conventional tests of controls (observation, enquiry, inspection, etc.) over the
functions that are the responsibility of the client, for example, gathering data for processing or reconciling
output.
Remember that the use of a bureau takes care of only certain functions within a cycle. The other
functions must still be controlled as they would be if computing took place at the company itself. For example,
a bureau may process a client’s wages, but the client is still responsible for the personnel function, time
keeping, and possibly making the relevant EFT payments to employees, all of which will still be evaluated
and tested by the auditor. Equally, substantive tests will still be performed as required on transactions,
balances and totals.
Assurance reports
The bureau/service management organisation will have to obtain an ISAE 3402 report from its auditors
that provides its clients with an assurance report over the controls. As the auditor, you may consider the
ISAE 3402 report as part of your audit where the client has outsourced its controls to a service
management organisation.
9.9 Viruses
Viruses are possible in virtually any computer environment, but the risk is increased in highly networked
end-user computing environments (especially the Internet) in which large numbers of relatively uninformed
users, who are not adequately control conscious, have access to computer resources.
• Logic or time bomb – code that sets off an action when a specific condition or date occurs, for example,
“on 1 April delete . . . ”
• Trapdoor – code that allows access other than in the conventional manner (almost like a secret pass-
word).
• Worm – code that spreads itself through a network.
• Spyware – a programme that “steals” information from the system on which it is running, such as user
names, passwords, credit card numbers, etc.
10
Revenue and receipts cycle
CONTENTS
10.1 Accounting system and control activities
10.1.1 Introduction
10.1.2 Objective of the first section of the chapter
10.1.3 Characteristics of the cycle
10.1.4 Basic functions for any revenue and receipts cycle
10.1.5 Documents used in the cycle
10.1.6 Narrative description of a manual revenue and receipts cycle by function
10.1.7 Flow charts for a manual revenue and receipts cycle
10.1.8 Computerisation of the revenue and receipts cycle
10.1.9 Internal control in a cash sales system
10.1.10 The role of the other components of internal control in the revenue and receipts cycle
10.2 Narrative description of the revenue and receipts cycle at ProRide (Pty) Ltd
10.2.1 Introduction
10.2.2 Background to the company
10.2.3 Overall control awareness
10.2.4 Computerisation in this cycle
10.3 Sales – How the system works at ProRide (Pty) Ltd
10.3.1 Receiving orders
10.3.2 Opening an account
10.3.3 The production of picking slips
10.3.4 Picking the goods
10.3.5 Despatch
10.4 Receipts – How the system works at ProRide (Pty) Ltd
10.4.1 Recording and entering receipts from debtors
10.4.2 Credit notes and adjustments to debtor’s accounts
10.4.3 Monitoring
10.4.4 Conclusion
10.5 Auditing the cycle
10.5.1 Introduction
10.5.2 Auditing the revenue and receipts cycle
10.5.3 Important accounting aspects of the revenue and receipts cycle
10.5.4 Financial statement assertions and the revenue and receipts cycle
10.5.5 Fraud in the cycle
10.6 The auditor’s response to assessed risks
10.6.1 The auditor’s toolbox
10.6.2 Overall responses to risks of material misstatement at financial statement level
10.6.3 Responding to risks at the assertion level
10.6.4 Other audit procedures
10.7 Audit procedures – Test of controls and substantive procedures
10.7.1 Tests of controls
10.7.2 Substantive procedures
10.7.3 Substantive procedures of transactions in the revenue and receipts cycle
10.7.4 Substantive procedures on the trade receivables balance
10.7.5 Substantive procedures for the audit of bank and cash
10.7.6 The use of audit software (substantive procedures)
10.7.7 Automated application controls in the revenue and receipts cycle
10.1.3.4 Legislation
For companies that sell and provide services to consumers, for example, retailers and service providers, the
Consumer Protection Act (CPA) is an important Act which must be complied with.
10.1.4.2 Warehouse/despatch
• Processing the order: This involves the manual process of gathering together (picking) the goods from the
stores to fill the order.
• Despatch: This is the manual process of releasing the goods ordered to the customer. The customer may
collect the goods; the goods may be delivered by the company’s own delivery vehicle or by a transport
company, for example, railways, courier service.
10.1.4.3 Invoicing
• This is the very important step of notifying the customer of the amounts owed for goods purchased. The
invoice may be sent with the goods, or at a later stage. There is no fixed rule, but generally the sooner
the invoice is sent, the sooner the customer pays.
For example:
A debtor may have a credit limit of R1 000 for purchases, but intends to purchase items worth R1 500.
Will the sale be approved? A further example where credit terms may be extended is during Covid-19,
where debtors may be allowed an extended period to pay back their debts.
• Collecting amounts owed: These are the activities carried out to ensure amounts owed by debtors are
paid when they are due.
10.1.5.4 Invoice
This is the document that is sent to the customers to notify them of the quantity and price of the goods sold
to them, the total amount of the sale, discounts and VAT.
10.1.5.6 Statement
This is a summary of all of the transactions for a period, usually a month, sent by the company to the
customer. The statement reflects the opening balance, sales made, payments received, other adjustments,
such as credit notes, and the closing balance, as well as a breakdown of the periods for which the total
amount owed has been outstanding, for example, 30 days, 60 days, 90 days and over.
10.1.5.8 Receipt
The receipt records details of payments received from customers.
10.1.6.2 Warehouse/despatch
• The warehouse/despatch function is required to select the goods to be sent to the customer in terms of
the ISO/picking slip. (In multipart stationery, the second copy of the ISO can be headed “picking slip”.)
This function will also be responsible for controlling the removal of the goods from the warehouse to
the despatch area for delivery to, or collection by, the customer (i.e. the goods should be signed out of
the custody section of the warehouse and into the despatch section).
• In a manual system, the ISO/picking slip sent to the warehouse will be given to a warehouse employee
to select (pick) the goods listed on the ISO/picking slip.
• This employee will tick off the goods picked on the picking slip and mark clearly any items that are not
available (note: inventory availability checks carried out in the order department are not foolproof and
some companies may choose to make out the ISO without carrying out the inventory availability test.
Using this method, “out of stock” items will be identified at the “picking” stage.)
• A warehouse clerk will then manually complete a preprinted, multipart, sequenced delivery note,
detailing the goods picked.
• Once the delivery note has been completed, the goods will be moved to the despatch area with the
supporting documentation where they will be checked, boxed or packaged. The despatch clerk will sign
the documentation (copy of the delivery note or picking slip) to acknowledge the transfer of the goods
into his custody.
• When the goods are despatched to the customer, they will be accompanied by two copies of the delivery
note. Both copies will be signed by the customer, one of which will be retained by the customer and the
other returned to the company.
• Where goods are to be delivered to the customer (not collected), delivery lists will be compiled and the
goods loaded onto the delivery vehicle under supervision. The driver will acknowledge taking custody
of the goods by signing the delivery list.
10.1.6.3 Invoicing
• The objective of invoicing is to notify the customer promptly of the amount due and when to pay it.
• Accounting employees will collect the supporting documentation for the sale that has been made, for
example, the ISO and the copy of the delivery note signed by the customer. They will check all the
details of the sale and create an invoice.
• A copy of the invoice will be sent to the customer. (Note: in some systems the invoice is made out at the
same time as the delivery note. This may lead to more errors in invoicing because the invoice is made
out before the customer has checked and accepted the goods, but does have the advantage of getting the
invoice to the customer sooner.)
• A preprinted, multicopy, sequenced invoice will be made out manually, taking the details from the
supporting documentation.
• Debtor details, pricing, discounts, casts and extensions and VAT will be checked, and a copy of the
invoice sent to the customer.
• In a manual system, all documentation will be hardcopies and information supplied by a
prospective customer in the credit application form will be followed up by a phone call or letter.
The credit limits and terms will need to be recorded on a schedule or in the debtors ledger.
Authorisation of a customer order (ISO) will be a manual exercise.

These are areas that students struggle with quite often. Are you able to draw up your own flow
diagrams to assist in your foundational knowledge of the cycles? Use these sections as a basis to
build on more information that is needed later.
[Figure: flow charts for a manual revenue and receipts cycle, showing the picking of goods, delivery
note, invoice, entry in the sales journal, posting to the general ledger and debtors ledger, debtors
statement, remittance register, deposit slip and banking, cash receipts journal, goods returned voucher
(GRV) and credit note. Note: Deposit slip 1 kept by bank.]
The series of tables that follow expands on the functions, risks and control activities in the cycle. For each
function, the documents that may be used are identified. Further, the business risks that may exist in each
function are described.
Something to consider . . .
For each of the control activities above, identify which control objectives
these activities are trying to achieve. Is it validity, accuracy or
completeness?
Perform the same exercise for each of the control activities described in the
series of tables that follows.
Warehouse
Function:
To fill accepted orders promptly and accurately and to ensure only authorised orders are acted upon.
This is the manual function of picking the goods from the warehouse using a signed copy of the ISO
(picking slip), and creating a delivery note.
Goods that cannot be picked because they are “out of stock” will also be identified and a back order
note created.
Documents/records:
• Picking slip
• Delivery note
• Back-order note
Risks:
• Valid ISO/picking slips may not be acted upon.
• Goods may be removed (picked) from inventory for fictitious/unauthorised sales.
• Incorrect items and quantities may be picked.
• Inaccurate and incomplete delivery notes may be made out, resulting in loss of revenue.
• “Out of stock” items may not be identified on the picking slip.
• Customer not notified of “out of stock” items resulting in loss of the sale and customer goodwill.
Despatch
Function:
To ensure that only goods supported by properly authorised picking slips, and accompanied by accurate
and complete delivery notes, are despatched.
To ensure prompt despatch of goods that have been picked to the correct customer.
Once the goods have been picked and delivery notes made out, they are transferred to despatch to be
packed, labelled and delivered.
Controls must be sound because, by this stage, the goods have left the custody of the warehouse and
are thus susceptible to theft. In addition, the goods are moving between a number of parties, so
isolation of responsibility is very important.
Documents/records:
• Delivery note
• List of deliveries
Risks:
• Theft may be facilitated by uncontrolled despatch.
• Despatch errors may occur:
– incorrect goods or quantities despatched
– goods delivered to wrong customer.
• Customers may deny having received goods.
• Goods released from the warehouse are never despatched.
Invoicing
Function:
To notify the customer promptly of amounts due for goods supplied.
On return of the signed delivery note from the customer it should be matched with the sales order and
an invoice should be generated.
Documents/records:
• Sales invoice
• Price lists
Risks:
• Goods despatched may not be invoiced, resulting in revenue not being recorded.
• Invoices may be inaccurately prepared/misstated (prices, quantities, descriptions, discounts, VAT).
Recording of sales
Function:
The purpose of this function is to record the sales made and to raise the corresponding debtor
promptly.
Invoices must be recorded accurately and entered against the correct debtor in the debtors ledger.
Total sales for the period must also be posted to the sales and debtors control accounts in the
general ledger.
Documents/records:
• Invoice
• Sales journal
• Debtors ledger
• General ledger
Risks:
• Invoices are omitted from the sales journal.
• Invoices are duplicated in the sales journal.
• Invoices are inaccurately entered in the sales journal, for example, R4 325,50 entered as R432,55.
• Invoice entered against incorrect debtor when posting (transferring) to the debtors ledger accounts.
Recording of receipts
Function:
The role of this function is to record the receipts from debtors in the cash receipts journal and
credit the debtors’ accounts promptly. Receipts must be recorded accurately and entered against the
correct debtor.
The total amount received from debtors for the period must also be posted to the debtors control
account in the general ledger.
Documents/records:
• Bank deposit slip
• Cash receipts journal (CRJ)
• Debtors ledger
• General ledger
Risks:
• Deposits may never be recorded/not recorded timeously.
• Recorded deposits may be:
– inaccurate (errors)
– overstated (fictitious deposits), or
– credited to the wrong debtor.
Credit management
Function:
The purpose of this function is to limit the loss from bad debts and to encourage debtors to pay
promptly.
The function is closely linked to sales authorisation and as explained under that function, the
process begins with sound controls over the acceptance of new customers and the extent of credit
granted to them.
Credit management should also identify debtors to be handed over to lawyers and subsequently written
off if necessary.
Documents/records:
• All records in the cycle are relevant
• Monthly statements
• Age analysis
• Credit bureau information
Risks:
• Debtors do not pay at all or pay late.
• Debtors are prematurely or inappropriately written off.
• Debts are written off without authority.
10.1.8.1 Access
Many businesses will run their accounting systems on a local area network (LAN). Simplistically speaking,
this means that there will be a number of terminals, usually from different departments, “linked” together
and sharing resources. Therefore, access to the network and to individual applications, must be carefully
controlled:
• access to the network should only be possible through authorised terminals, and
• only employees who work in the various functions of the cycle need access to the revenue and receipts
application and only to those modules or functions of the application necessary for them to do their jobs
(least privilege/need to know basis). Certain managers will have read only access for supervisory and
review purposes.
Various techniques are used to control access.
For example, the user:
• must identify himself to the system with a valid user ID (e.g. using the employee staff number as a valid
user ID)
• must authenticate himself to the system with a valid password, and
• will only be given access to those programmes and data files to which he is authorised to have access in
terms of his user profile.
Once the user has got onto the system, access is usually controlled by what appears or does not appear on
the user’s screen. For example, only the modules of the application to which the user has access will appear
on the screen, or alternatively, all the modules will be listed, but the ones the user has access to will be
highlighted in some way, for example, a different colour.
If the user selects a module to which he does not have access (this is determined by his user profile),
nothing will happen and/or a message will appear on the screen that says something like “access denied”.
In another similar method of controlling access, the screen will not give the user the option to carry out a
particular action. For example, certain sales orders awaiting approval from the credit controller are listed
on a suspense file. Although other users may have access to this file for information purposes, when they
access the file, their screens will either not show an “approve” option, or the “approve” option will be
shaded and will not react if the user “clicks” on it. Only the credit controller’s screen will have an approve
option that can be activated.
Remember that access controls are a very effective way of achieving sound segregation of duties and
isolation of responsibilities.
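The user-profile mechanism described above, as an added example that is not part of the original text: one profile decides what the menu and screen show, and the same profile is checked again when the action is actually requested, so that a hidden or shaded option is never the only control. The profile names, module names and user IDs are hypothetical, and the user is assumed to have been identified and authenticated already.

```python
"""User profiles driving both the menu shown and the check made when an action is requested."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

READ, WRITE, APPROVE = "read", "write", "approve"

# Hypothetical profiles: each lists only the modules and privileges the job needs.
PROFILES: Dict[str, Dict[str, Set[str]]] = {
    "order_clerk": {
        "sales_orders": {READ, WRITE},
        "pending_sales_orders": {READ},
        "debtors_masterfile": {READ},
        "inventory_masterfile": {READ},
    },
    "credit_controller": {
        "pending_sales_orders": {READ, APPROVE},
        "debtors_masterfile": {READ},
    },
    "sales_manager": {
        "sales_orders": {READ},
        "pending_sales_orders": {READ},
    },
}
MODULES = ["sales_orders", "pending_sales_orders", "debtors_masterfile", "inventory_masterfile"]


class AccessDenied(Exception):
    """Raised when the user profile does not carry the requested privilege."""


@dataclass(frozen=True)
class User:
    user_id: str   # e.g. the employee staff number
    profile: str   # key into PROFILES; the user is assumed to be authenticated already


@dataclass
class PendingOrder:
    transaction_no: int
    status: str = "awaiting approval"
    approved_by: Optional[str] = None


def is_authorised(user: User, module: str, privilege: str) -> bool:
    """Default deny: unknown profiles, modules and privileges all return False."""
    return privilege in PROFILES.get(user.profile, {}).get(module, set())


def menu_for(user: User) -> List[Tuple[str, bool]]:
    """List every module, flagged True where the user has at least read access."""
    return [(module, is_authorised(user, module, READ)) for module in MODULES]


def screen_options(user: User, module: str) -> List[str]:
    """Options drawn on the screen for one module, taken from the profile."""
    return sorted(PROFILES.get(user.profile, {}).get(module, set()))


def approve_order(user: User, order: PendingOrder, log: List[tuple]) -> PendingOrder:
    """Check the privilege again when the action is requested, and log the outcome."""
    if not is_authorised(user, "pending_sales_orders", APPROVE):
        log.append((user.user_id, "approve", order.transaction_no, "access denied"))
        raise AccessDenied(f"{user.user_id}: access denied")
    order.status, order.approved_by = "approved", user.user_id
    log.append((user.user_id, "approve", order.transaction_no, "approved"))
    return order


if __name__ == "__main__":
    clerk, controller = User("E1001", "order_clerk"), User("E2001", "credit_controller")
    order, log = PendingOrder(501), []
    print(menu_for(controller))
    print(screen_options(clerk, "pending_sales_orders"))
    try:
        approve_order(clerk, order, log)
    except AccessDenied as exc:
        print(exc)
    print(approve_order(controller, order, log), log)
```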
10.1.8.2 Menus
Current software is all menu-driven and generally easy to use. Menus can be tailored to the specific needs
of a user (based on the user profile) and “items” can be selected by a simple “click of the mouse”. Menus
facilitate access control and segregation of duties.
10.1.8.3 Integration
The extent to which the accounting system is integrated will vary, but most systems these days are integrated
in the sense that a transaction entered onto the system, will instantly update all the records it affects.
For example, the processing of a sales invoice will simultaneously update the sales account, debtors
masterfile, inventory masterfile and possibly the general ledger. This significantly improves the accuracy of the
records but makes the control over input extremely important.
sale reflected in the general ledger and trace it back to the order received from the customer. A system
where there is a poor audit trail will be a weak system. The trail will often be a combination of electronic
and hardcopy data.
Ordering
All orders from customers need to be entered into the system accurately and completely and subjected to
creditworthiness and inventory availability checks.
Only orders from approved customers should be accepted. Remember that for the purposes of this illustration, orders
are taken over the phone. A number of automated checks will be in place as the objective is to prevent errors in the
information entered. The system will not allow the order clerk to continue taking the order if (programmed)
automated checks are not satisfied. All employees in the cycle who make use of the computer to fulfil their functions will have
user IDs and unique passwords and their screens will be “linked” to their user profiles. They will log onto the system
in the normal manner.
Activity/procedure: 1. Access the order system. We will assume that telesales operators (order clerks) each
have their own terminal in a secure telesales area.
Control, comment and explanation:
1.1 All incoming sales order calls are directed to a telesales order clerk (a queuing system will direct the
call to the next available operator).
1.2 Write access to the sales order module will be restricted to order clerks.
1.3 The order clerk’s user profile gives him read only access to the debtors masterfile and the inventory
masterfile.
1.4 As there is a dedicated telesales area, taking of orders may be restricted to terminals in this area
(access controls are more commonly centred around users as opposed to terminals).
Activity/procedure: 2. Identifying and authenticating the customer
Control, comment and explanation:
2.1 On receiving a phone call, the order clerk should request the customer’s account number and key it in;
a programmed (automated) verification check will take place. If it is a valid account number, the details of
the customer will appear on the screen, for example, name, delivery address, etc., formatted as a sales
order. The computer has satisfactorily matched the account number against the masterfile.
2.2 The order clerk should then request the caller to provide other information that has appeared on the
screen to authenticate the customer. Note: the order clerk should not give the information to the caller and
ask him to confirm it – the caller must provide the information.
2.3 If the account number is a match to the debtors masterfile, the system will automatically allocate a
unique transaction number that will identify the sales order as it progresses through the system.
2.4 If the customer does not have an account, he will not be on the debtors masterfile and will be referred
to the credit management department. The system will not allow the order clerk to proceed with an order.
Warehouse/despatch
The picking, packing and despatch of goods are manual procedures. Pickers need a document to indicate which items
they must pick.
Activity/procedure: 1. Obtaining the hard copy picking slip:
• The warehouse administration clerk will access the sales order file from his terminal in the warehouse.
This will reveal a list of sales orders identified by their transaction number. The clerk will “click” on the
sales orders he wants to select for picking.
Control, comment and explanation:
1.1 Access to the sales order file will be restricted:
• no write access to anyone
• no access to pickers
• read only access to the warehouse administration clerk
• read only access to warehouse supervisory employees
• read only access to appropriate management staff, for example, the sales manager. This privilege gives
management and supervisory staff the opportunity in a real-time system to trace an order from their
terminals as it moves through the process. This may be in response to a customer query about an order, or
may be to find out if the warehouse personnel are carrying out their duties promptly.
1.2 The sales orders selected will automatically be transferred from the sales order file to the picking slip
file. In effect the sales order has “become” a picking slip and at the same time, a hard copy picking slip is
printed.
1.3 The sales order will not necessarily be transferred to another file. A common technique is for the
system to automatically allocate (attach) a status code to the sales order that indicates that it has been
selected for picking and is now at the picking slip stage. Anyone accessing the sales order file will be able to
see the status of the original sales order. The code will also prevent the sales order from being selected
again for picking.
Invoicing
As discussed in our manual system description, a sales invoice can either be made out and sent with the goods, or it
can be made out after the goods have been delivered to the customer. Because controls over accepting and processing
orders in an up-to-date computerised environment are generally very good, there are few problems with delivering the
wrong goods or the wrong quantities. This means that businesses can safely invoice the goods before the customer has
actually taken delivery. Any delivery problems can be resolved at a later date. In general, the sooner the customer is
invoiced, the sooner the business will be paid. In this example, we have assumed that the invoice is made out and sent
with the goods. There will usually still be a despatch/delivery note of some kind for the customer to sign in order to
acknowledge acceptance of the goods, and an additional copy of the invoice will normally be sent to the customer as
well (email or hard copy).
Credit management
Computerisation does not change the objectives of credit management, but it can make it far more efficient and
effective than in a manual system. The computer is used in a number of ways.
For example, the credit application from the applicant and the following up of the information can be done online,
and the efficiency in the day-to-day management of debtors can be improved. This may involve resolving sales orders
and receipt queries on pending files, sending statements by email, identifying slow-paying debtors and reconciling
accounts. In addition, the computer’s ability to produce analytical and other reports, for example, aging schedules,
ratios, will be of huge benefit.
Activity/procedure: 1. Granting of credit terms and limits (new customers)
Control, comment and explanation:
1.1 Regardless of how it is done (online, personal visit), a credit application must be submitted. The
application must contain customer banking details, trade references, financial information:
• All details should be followed up with bureaus such as Transunion or Credit Secure, which will supply an
assessment of the applicant’s credit rating.
Processing controls
As mentioned in chapter 8, the accuracy, completeness, etc., of processing is evidenced by reconciliation of output
with input and the detailed checking and review of output by users, on the basis that if input and output can be
reconciled and checks and reviews reveal no errors, processing was carried out accurately and completely, and only
transactions that actually occurred and were authorised, were processed. To make sure it does its job, the computer will
perform some internal processing controls on itself, but the user will not even be aware that these are going on. The
users within the cycle make use of the logs and reports that are produced relating to their functions, whilst the IT
systems personnel make sure that processing aspects of the system are operating properly.
Summary
The description of the system above provides an illustration of how the control activities described in chapter 5 (and
referred to in ISA 315 (revised)), can be implemented. It also provides an illustration of how specific automated
(programme) controls can be introduced, for example:
Segregation of duties
• Separation of functions, for example, ordering, warehouse, processing receipts.
• Separation of responsibilities within functions, for example, receiving order, picking, picking control,
invoicing.
Isolation of responsibilities
• Isolating responsibilities through granting access privileges, for example, only credit controller can
approve sales orders in the pending sales order file.
• Having pickers, the picking control clerk and despatch controller sign the picking slip.
Approval and authorisation
• A sales order clerk is prevented from proceeding with a sales order unless the customer satisfies the
preset credit worthiness requirements.
• The financial manager and credit controller approve the credit application.
Custody
• Access to the bank account (custody of the company’s money) and the functions that can be performed via
the Internet, is strictly controlled by user IDs, PINs and passwords.
• The information on the debtors masterfile (which is an asset) is also protected by user IDs and passwords
to restrict unauthorised amendments.
Access controls
• All users on the system must identify and authenticate themselves by IDs and passwords, and what they
are authorised to do is reflected in their user profiles.
Comparison and reconciliation
• The system reconciles the allocation of receipts to debtors in the debtors ledger, to the total amount of
the deposits into the company’s bank account downloaded onto the system.
• The system compares current period information about sales and debtors with corresponding prior period
information and produces reports.
Performance review
• The real-time processing system allows supervisory and management staff to go into the pending sales
order file to see how a sales order is progressing, for example, to determine whether there is a backlog in
picking.
• The sales manager accesses the “sales order pending file” to determine whether pending sales orders are
being speedily dealt with by the credit controller.
• Reports containing information about debtors, for example, aging, days outstanding, etc., are produced to
be compared to performance targets set by the company to measure the performance of credit management.
Control techniques and application controls
• Screen aids and related features
– minimum entry: keying in customer’s account number brings up all other detail
– screen formatting: the picking slip
– mandatory fields: customer purchase reference.
• Programme checks
– validation check on customer number
– alphanumeric on quantity field.
• Output control
– masterfile amendment logs are checked against source documents
– access to debtor information on the system is restricted on a “need to know basis”.
Logs and reports
• Log of changes made by picking control clerk to picking slips on the system.
• Daily reports of sales orders received, debtors exceeding credit limits or terms.
This does not cover every control, policy or procedure that could be in place, and is not intended to. This knowledge
will only be acquired when you go into different companies and work with their systems.
For example:
In the case of collusion with another employee, a salesman may make a cash sale to a customer, not
enter it, and share the proceeds with the security guard whose duty it is to check the goods against a
sales docket (in this case there will not be one) before the goods are taken out of the shop. A customer
can also easily be drawn into a theft of cash by answering “no” to such questions as “do you want/need
a receipt” or answering “yes” to a question such as “do you want to pay cash, because if you do, we
don’t have to charge VAT”. A customer may knowingly or unknowingly answer “yes”!
• The control of cash can be particularly difficult in smaller businesses that don’t have the resources to
have a strong division of duties or purchase equipment that can assist in preventing some forms of cash
theft, for example, surveillance cameras or sophisticated point-of-sale systems.
• In a smaller business, say an owner/managed business, the extent of the desire of the owner/manager
to control cash will be a major factor in how well it is controlled. Remember that the owner/manager
may be keen to understate his cash sales so as to reduce tax. This attitude also affects the control
environment and other employees will soon notice and may even exploit it.
• There is also the risk of armed robbery and injury to employees, so cash (at all stages, see 9.2) should be
physically safeguarded.
– If the system is manual, a cash sale invoice should be written out in an invoice book; one copy given
to the customer, one copy retained.
– In some businesses a counter of some kind may keep an independent total related to the number of sales
that take place, for example, a car wash bay may keep a running total of cars entering the bay.
• The independent record should not be alterable
– There should be no access to the till roll (or other record) in the cash register in a supermarket, other
than to supervisory/management employees.
– Handwritten invoices are only protected by the fact that alterations will be visible.
– Access to reading, recording and resetting an independent counter (as in a car wash) should be
restricted to the manager/owner.
• The independent record should be sequenced so that missing records can be identified.
For example:
– Till rolls or equivalent should be date sequenced (and should identify the cash register they came
from).
– Cash sale invoices should be numerically sequenced.
• Cash should not be allowed to accumulate for too long in the cash till (or equivalent).
For example:
– In a supermarket, cash tills should be emptied regularly during the day and taken to a secure area.
This activity may coincide with the changing of the cashier.
– A car wash manager/owner should ensure that cash is banked every day.
• Whenever cash is transferred from the custody of one person to another, it should be counted, reconciled,
documented and signed for by both parties in a safe location.
For example:
– When cash is to be removed from a cash register, the till lane will be closed. The cash drawer will be
removed by the cashier in the presence of the supervisor and taken to a secure back office by the two
of them.
– The two individuals should then count the cash and total the credit card slips and reconcile them to
the independent record that, in this case will be the locked-in till roll (or similar) that will be accessi-
ble only to the supervisor. The cash reconciliation would take into account the cash float given to the
cashier (and signed for) at the start of the shift.
– The reconciliation should be recorded on a multicopy, preprinted, sequenced document and should
contain information, such as date, time, till, cashier name, the actual reconciliation showing any
“overs” or “unders”, any relevant comments and the signatures of both parties.
– At no stage during the reconciliation exercise should either of the parties leave the room.
– Where multiple reconciliations are carried out (lots of tills brought to a secure back office), the individual
reconciliations should be consolidated onto a “daily cash sales” summary.
– The same principles will apply when armed security removes cash for banking.
– In the car wash business, the manager/owner should count the money with the employee responsible
for handling the cash, agree the total to the cash sales invoices for the day and the independent
counters on the car wash equipment.
• Cash should be banked regularly (at least daily) and intact, in other words, cash should not be removed to
pay wages or other expenses.
For example:
– A deposit slip should be made out by the supervisor and agreed to the daily cash sale summary.
– A second senior staff member should agree the bank deposit slip to the supporting reconciliations and
daily summary sheets and sign the documentation.
– The same principles will apply in a smaller business, to the extent possible. A manager/owner is
likely to be involved in reconciling and banking of cash.
• The cash receipts journal should be written up promptly.
• The financial accountant should regularly inspect the cash receipts journal to confirm that the daily
receipts are being banked promptly, and completely, and that the amounts agree with the deposit slips
and supporting documentation. The financial accountant will also carefully check the monthly bank
reconciliation. All procedures will be acknowledged by signature.
Note 1: Cash registers and point of sales systems have numerous features that assist in the control of
cash sales (and other sales). These features relate to some of the principles discussed above, for
example, keeping independent totals and, in addition, will frequently provide reports that can
be used for analytical purposes. Reports of cash sales by shift, cashier, salesperson, day of the
week, etc., can be produced. Comparison and analysis may reveal trends that should be investigated,
such as more frequent discrepancies for a particular cashier, or generally lower sales on
the till manned by a particular cashier regardless of which till it is. These modern systems will
also produce reports of the activities that have taken place on the till, such as supervisor overrides,
correction of ringing up errors, which can be followed up if they look suspicious, for example,
a supervisor who appears to “override” far more than another supervisor.
Note 2: In some businesses the relationship between cash sales and inventory can provide a good indication
of theft of cash. For example, the owner/manager of a fast food outlet may require that,
at the end of the business day, cash in the till be reconciled with movement in “food” inventory.
If the cash register is able to record separately the different products sold (very common),
the number of each product sold can be reconciled with the corresponding inventory on hand.
If the outlet started with 500 hamburger patties on hand and ended the day with 100, the cash
register should have recorded the sale of 400 hamburgers. If it only shows 390 sold, 10 hamburger
patties are unaccounted for. The cash in the till will agree with what has been rung up,
so it suggests that some sales are not being rung up.
In our car wash business, the manager/owner may be able to pick up variances between the month’s water
and electricity expenses and the number of car washes recorded as sales. More water and electricity used
should equal more cars washed. Surprise visits by the manager/owner and cash reconciliations may also
reveal irregularities.
These analytical control activities, which are in fact performance reviews, are not foolproof in themselves,
but when combined with further techniques, may become very effective. For example, further analysis may
reveal that inventory shortages occur consistently when a particular supervisor is on duty at the fast food
outlet.
The point is that where a business has cash sales, a full range of formal controls should be put in place,
supported by innovative analysis and follow up.
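The inventory-to-sales reconciliation in Note 2 and the follow-up analysis by supervisor, as an added example that is not part of the original text. It goes beyond the single-day case by handling deliveries received during the day and by grouping shortages by the supervisor on duty. The records are constructed sample data, the supervisor labels are hypothetical, and wastage is assumed to be nil.

```python
"""Reconciling inventory movement to units rung up, then grouping shortages by supervisor."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample data: one record per product per business day.
RECORDS: List[dict] = [
    {"day": 1, "supervisor": "Supervisor A", "product": "hamburger patty",
     "opening": 500, "received": 0, "closing": 100, "rung_up": 390},
    {"day": 2, "supervisor": "Supervisor B", "product": "hamburger patty",
     "opening": 100, "received": 400, "closing": 150, "rung_up": 350},
    {"day": 3, "supervisor": "Supervisor A", "product": "hamburger patty",
     "opening": 150, "received": 300, "closing": 90, "rung_up": 352},
    {"day": 4, "supervisor": "Supervisor B", "product": "hamburger patty",
     "opening": 90, "received": 400, "closing": 120, "rung_up": 372},
    {"day": 5, "supervisor": "Supervisor A", "product": "hamburger patty",
     "opening": 120, "received": 300, "closing": 60, "rung_up": 349},
]


def unaccounted_units(rec: dict) -> int:
    """Units that left inventory without a matching sale on the cash register."""
    return rec["opening"] + rec["received"] - rec["closing"] - rec["rung_up"]


def daily_exceptions(records: List[dict]) -> List[dict]:
    """Every record where inventory movement and recorded sales disagree."""
    exceptions = []
    for rec in records:
        diff = unaccounted_units(rec)
        if diff == 0:
            continue
        # A positive difference points to sales not rung up (or lost inventory);
        # a negative one means more was rung up than moved, i.e. a counting error.
        kind = "not rung up or lost" if diff > 0 else "count or recording error"
        exceptions.append({"day": rec["day"], "product": rec["product"],
                           "supervisor": rec["supervisor"], "units": diff, "kind": kind})
    return exceptions


def shortages_by_supervisor(records: List[dict]) -> Dict[str, dict]:
    """Days on duty, days with a shortage and units short, per supervisor."""
    duty, short, units = defaultdict(set), defaultdict(set), defaultdict(int)
    for rec in records:
        name = rec["supervisor"]
        duty[name].add(rec["day"])
        diff = unaccounted_units(rec)
        if diff > 0:
            short[name].add(rec["day"])
            units[name] += diff
    return {name: {"days_on_duty": len(duty[name]),
                   "days_short": len(short[name]),
                   "units_short": units[name]} for name in duty}


if __name__ == "__main__":
    for exception in daily_exceptions(RECORDS):
        print(exception)
    for name, row in shortages_by_supervisor(RECORDS).items():
        print(name, row)
```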
10.1.10 The role of the other components of internal control in the revenue and receipts cycle
This chapter has concentrated on the information system and control activities components of internal control.
However, these components are affected by the other components and a brief mention of the other
components is appropriate.
meeting the function’s specific risks as described in the chapter. In smaller entities, it is the
owner/manager’s informal assessment and response to risks identified in his involvement with the cycle (that is not
likely to be particularly strong on formal controls) that will make the difference.
10.1.10.3 Monitoring
Monitoring is about “looking in” on the cycle to determine, over time, whether the internal control system
as a whole, is achieving its objective and adequately addressing the risks facing the company. In the context
of the revenue and receipts cycle, there are a number of monitoring activities that can take place. Broadly
stated, the objectives of the cycle will be to supply customers promptly with the correct goods at fair prices,
to collect amounts owed by debtors according to the terms of the sale and to limit losses from bad debts.
These can be monitored by:
• period-based comparisons of ratios and statistics, such as “debtors days outstanding”, bad debt
write-offs, etc.
• assessing customer satisfaction by customer complaints, the number and reasons for the issuing of credit
notes, analysis of the buying patterns of major customers, and indirectly by changes in turnover
10.2 Narrative description of the revenue and receipts cycle at ProRide (Pty) Ltd
10.2.1 Introduction
The following narrative description is designed to give you an idea of how the revenue and receipts cycle
functions in an actual operating company. The name of the company has been changed as have the names
of the staff involved. Certain aspects of the company and its systems have been simplified for the purposes
of this narrative but in essence, we have described “how it actually happens”. Before reading this narrative,
we suggest that you read chapter 9 – Computerisation at ProRide (Pty) Ltd.
• Order clerks are regarded as sales personnel. With many hundreds of different inventory items,
customers are frequently not aware of the precise inventory codes and descriptions of what they require despite
having access to catalogues, a website, etc.
For example:
A dealer might wish to order bicycle spokes; at this point Jazelle will access the inventory masterfile
(read access only) and, making use of her “enquiry” privilege, will enter “bicycle spokes”. This brings
up a list on screen that contains a description of each of the different types of bicycle spoke ProRide
(Pty) Ltd carries, the inventory item code, description, number of items in inventory and the selling
price. Line items appear as follows:
BS 123 Stainless steel 700c 48 R17,50
BS 149 Galvanised Black 700c 26 R13,20
With this information Jazelle is able to establish exactly what the customer requires, whether it can be
supplied (in stock) and the selling price. As each item is agreed, she manually records the item code and
quantity on the ISO, and before moving onto the next item, confirms with the customer.
• All order clerks receive ongoing training relating to the products the company sells. This sound personnel
practices control enables the order clerks to promote sales rather than just take orders.
For example:
If a customer wants an item but it is “out of stock”, Jazelle is competent to offer alternatives. The
inventory masterfile also has a field into which additional information can be added (not by Jazelle) to
indicate inventory items that may be “on special” at a reduced price. With this information the order
clerks can offer these items to the customer.
• Once the order details have been taken, a customer order reference is obtained, and all details of the
order are confirmed. The customer is given the ISO number as his reference to the order placed and the
telephone conversation is then terminated. Jazelle will then promptly complete the ISO (checking
details to the inventory masterfile where necessary) and sign it (isolating her responsibility for taking the
order).
10.3.1.2 Backorders
If an item is “out of stock” and a satisfactory alternative cannot be agreed upon, Jazelle will ask the
customer whether he wishes his order to be placed on “back order”. If so, she will manually record the details
on a back-order list. Each week she will access the inventory masterfile to determine whether any inventory
items appearing on her back-order list have been received into inventory. Once an inventory item is
available, she will phone the customer. An ISO is not automatically compiled. If the customer wishes to place the
order, the normal procedure is followed.
field that may be necessary. Although an inventory availability check is done at the order taking stage,
situations do arise where the theoretical “inventory on hand” quantity in the masterfile is greater than the
actual number of items on hand. This could occur where inventory items have been stolen or placed in
the wrong inventory location.
• Alterations to other fields on the picking slip cannot be made. For example, additional items cannot be
added and any amendment to the quantity field for a quantity that is greater than the quantity field on
the picking slip, will be rejected.
• The result of entering the actual quantity of items picked is that the invoice produced agrees exactly
with the goods that have been picked for despatch. As you would perhaps expect, details of any quantity
reductions entered are automatically written to a report by the computer. The report is used to notify
the customer of the problem and for Reg (the warehouse manager) to investigate before the “stock on
hand” field is corrected in the inventory masterfile. Reg does not have the necessary access privilege to
make the alteration in the inventory masterfile as this would amount to a poor division of duties
between custody and record keeping relating to inventory.
• Access to the “prepare invoice” module is restricted to Dalene, with Rushda Devon as backup. Once
Dalene is satisfied that the “on screen” invoice is in agreement with the hardcopy picking slip, she
selects the confirm option. This immediately updates the debtors masterfile and quantity field on the
inventory masterfile and the general ledger accounts. The applicable picking slip on the picking slip file is
coded to indicate that the goods have been picked and invoiced. She then prints the invoice in triplicate.
The picking slip and invoice have the same document number, but the invoice contains the additional
information necessary to record the sale, for example, prices, extensions, value of the sale, VAT,
settlement terms, etc.
– Copy 1 is filed numerically in the debtors section with the picking slip.
– Copies 2 and 3 are sent directly to Reg Gaard (warehouse manager).
• Upon receipt of the two invoices, Reg and Patrick supervise the packing of the items in each designated
section of the picking area, into boxes, checking the goods picked to the invoice. Both copies of the
invoice are signed by either Reg or Patrick. One copy of the invoice is placed in the box with the goods,
and the second copy is used as a delivery note (see despatch below).
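The picking slip controls described above, as an added example that is not part of the original text and not ProRide's own system: a status code stops an order being selected for picking twice, only the quantity field may be amended and only downwards, every reduction is written to a report, and the invoice is built from the quantities actually picked. The status code names, the user ID and the order quantities are hypothetical; the item codes and selling prices are the two spoke line items quoted earlier.

```python
"""Status codes and quantity-only amendments on a picking slip (illustrative)."""
from dataclasses import dataclass, field
from typing import Dict, List

ORDERED, PICKING, INVOICED = "ORDERED", "PICKING", "INVOICED"  # hypothetical status codes


class Rejected(Exception):
    """Raised when a programmed check refuses the requested action."""


@dataclass
class SalesOrder:
    transaction_no: int
    lines: Dict[str, int]                     # item code -> quantity on the picking slip
    status: str = ORDERED
    picked: Dict[str, int] = field(default_factory=dict)


def select_for_picking(order: SalesOrder) -> SalesOrder:
    """Move the order to the picking slip stage; the status code prevents re-selection."""
    if order.status != ORDERED:
        raise Rejected(f"order {order.transaction_no} is already at status {order.status}")
    order.status = PICKING
    return order


def enter_picked_quantity(order: SalesOrder, item_code: str, quantity: int,
                          user_id: str, reduction_report: List[dict]) -> None:
    """Accept only a quantity at or below the slip quantity; report every reduction."""
    if order.status != PICKING:
        raise Rejected("picking slip is not open for amendment")
    if item_code not in order.lines:
        raise Rejected("additional items cannot be added to a picking slip")
    if not isinstance(quantity, int) or quantity < 0:
        raise Rejected("quantity must be a whole number of zero or more")
    slip_quantity = order.lines[item_code]
    if quantity > slip_quantity:
        raise Rejected("quantity picked cannot exceed the quantity on the picking slip")
    order.picked[item_code] = quantity
    if quantity < slip_quantity:
        # Written automatically so the customer can be notified and the shortage investigated.
        reduction_report.append({"transaction_no": order.transaction_no, "item_code": item_code,
                                 "slip_quantity": slip_quantity, "picked": quantity,
                                 "shortfall": slip_quantity - quantity, "entered_by": user_id})


def confirm_invoice(order: SalesOrder, price_cents: Dict[str, int]) -> dict:
    """Build the invoice from quantities actually picked and code the slip as invoiced."""
    if order.status != PICKING:
        raise Rejected("only an order at the picking slip stage can be invoiced")
    lines = []
    for item_code, slip_quantity in order.lines.items():
        quantity = order.picked.get(item_code, slip_quantity)
        lines.append((item_code, quantity, quantity * price_cents[item_code]))
    order.status = INVOICED
    # The invoice carries the same document number as the picking slip.
    return {"document_no": order.transaction_no, "lines": lines,
            "total_cents": sum(value for _, _, value in lines)}


if __name__ == "__main__":
    prices = {"BS 123": 1750, "BS 149": 1320}            # R17,50 and R13,20, excluding VAT
    order = select_for_picking(SalesOrder(7001, {"BS 123": 10, "BS 149": 5}))
    report: List[dict] = []
    enter_picked_quantity(order, "BS 123", 8, "U042", report)   # two spokes short
    print(confirm_invoice(order, prices))
    print(report)
```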
10.3.5 Despatch
ProRide (Pty) Ltd does not make its own deliveries. The company uses a road transport company (Roadline)
that delivers countrywide on a daily basis. Roadline has a small office staffed by two of their employees
situated in ProRide (Pty) Ltd’s despatch area (see diagram in chapter 12). The despatch area is
physically very secure using conventional methods. The boxes for delivery are moved from the picking area
into despatch under the supervision of Reg or Patrick and one of the Roadline employees. Taking the
details off the “delivery note/invoice”, the second Roadline employee generates a sticker and waybill (four
copies). Each box is sealed and the sticker, with the customer and delivery details (including the number of
boxes in the consignment and the relevant invoice number), is stuck onto the box.
The Roadline waybill contains a waybill number, the customer’s name and address, the ProRide (Pty)
Ltd invoice number and the number of boxes to be delivered to that customer. The four copies of the
waybill are used as follows:
• Copy 1: filed in numerical sequence by Roadline with the ProRide (Pty) Ltd invoice/delivery
note.
• Copy 2: filed in numerical sequence by ProRide (Pty) Ltd. Before the boxes for delivery are
finally released to Roadline, Reg or Patrick checks the details on the waybill to the
sticker on the box in the presence of the Roadline employee. Both sign the waybill as
evidence of this check.
• Copy 3 and 4: go to the customer who signs them to acknowledge receipt of the delivery and returns
one to Roadline as proof of delivery.
10.4.3 Monitoring
As we mentioned earlier, the control environment in the company is very strong. Over and above the
involvement of senior management explained above, the control exercised by Brandon Nel is very significant.
He is able to keep his eye on the system by making use of the up-to-date information that the
JD Edwards system can provide. This information is supplied by accessing the system (read access only!)
or by the scrutiny of various printouts presented to him, some every day, others every Thursday, and others
at month end. The examples given below are not exhaustive but are sufficient to illustrate the point being
made.
10.4.3.2 Debtors
A great deal of information is instantly available about debtors:
• new accounts opened
• debtors who have exceeded their credit limits
• a weekly age analysis
• an analysis of the sales
For example:
An analysis of the sales made to the top 200 customers (debtors). Any amount of detail can be
extracted, for example, total value of sales month-to-date, year-to-date and comparisons to the prior
year. In addition, a breakdown of what items are being purchased by the customer, by description,
quantity, value and gross profit margin can be obtained instantly. Brandon Nel uses this to monitor
trends. If, for example, sales to a particular debtor are falling, he will attempt to establish why – is the
debtor in financial trouble, has he moved his business to another supplier, is he dissatisfied with the
treatment he is receiving from ProRide (Pty) Ltd?
• Brandon Nel also receives a weekly report of credit notes that have been entered, broken down into
categories (by codes). For example, if a large number of “Code 1” credit notes that result from incorrect
goods being supplied have to be passed, an investigation into the picking of goods will result. Similarly,
“Code 2” credit notes that result from damaged goods being returned, may indicate a packing, delivery
or quality problem.
10.4.4 Conclusion
It is as a result of these controls that the revenue and receipts cycle at ProRide (Pty) Ltd produces
up-to-date, valid, accurate and complete information relating to the totals and balances produced by the cycle,
namely, the sales, debtors and inventory.
• The contract has commercial substance. A company is highly unlikely to start providing a service or sell
goods at a loss as that would not have commercial substance. Commercial substance looks at the business
as a whole. A transaction where perishable goods are sold the day before they would expire, at a
price below their cost, still has commercial substance, as they would not have sold any of these perishable
goods the next day.
• It is probable that the payment will be collected. A company is highly unlikely to sell goods to an entity
from which it knows they cannot recover the money. Recording a fictitious sale would contravene this
requirement.
10.5.4 Financial statement assertions and the revenue and receipts cycle
Sales
Occurrence: Sales that have been recorded have occurred (they are not fictitious), and such sales pertain to the company.
Completeness: All sales that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
Accuracy: The amounts of sales and other data relating to recorded sales have been recorded appropriately and related disclosures have been appropriately measured and described.
Cut-off: Sales have been recorded in the correct accounting period.
Classification: Sales have been recorded in the proper accounts.
Presentation: Sales are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the applicable financial reporting framework.
Accuracy, valuation and allocation: Trade and other receivables have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments, for example, allowance for bad debts have been recorded, and related disclosures have been appropriately measured and described.
Classification: Trade and other receivables have been recorded in the proper accounts.
Presentation: Trade and other receivables are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the applicable financial reporting framework.
10.6.2 Overall responses to the risk of material misstatement at the financial statement level
In terms of ISA 315 (revised), the auditor shall identify the risks of material misstatement at the overall financial statement level and at the assertion level for transactions, account balances and disclosures. Further, a significant risk is an identified risk that, in the auditor’s judgement, requires special audit consideration. This does not mean that the auditor needs to be familiar with a whole new range of audit procedures (have additional tools in his toolbox), but it does mean that he will look closely at the nature, timing and extent of the further audit procedures that will be conducted, as well as the skills and experience of the audit team.
In the context of this cycle, significant risks may include:
• fraudulent financial reporting (understatement or overstatement of sales)
• revenue recognition for complex “sales” transactions, such as long-term contracts
• completeness of cash sales in a cash-orientated business (supermarket), and
• extensive sales to related parties.
In terms of ISA 330, the auditor must implement overall responses to address the risk of material misstatement at the financial statement level.
For example:
• assigning more experienced staff to the audit, for example, in response to an assessed risk that management may manipulate the financial statements by the inclusion of fictitious sales with related parties
• emphasising to the audit team the need to maintain professional scepticism, for example, to be alert to the risk of unrecorded sales
• providing more supervision
• carrying out procedures in a different manner to prior audits, for example, carrying out an “early verification” positive debtors circularisation for the current audit when only subsequent receipt testing has been undertaken in the past.
charged with governance. The following paragraphs provide a broad outline of what is required to comply
with this statement:
(b) Deficiencies
A deficiency in internal control exists when:
• a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and
correct, misstatements in the financial statements on a timely basis, or
• a control necessary to prevent, or detect and correct, misstatements in financial statements on a timely
basis is missing.
Inquiry
• Inquire of the despatch clerk as to what happens if goods are transferred from the warehouse to the
despatch area for delivery without a picking slip.
• Inquire of the invoicing clerk as to what procedures he actually follows to ensure that all despatches/deliveries of goods result in invoices being made out.
• Inquire of the credit manager as to what use he makes of daily reports that are generated on the system,
of credit notes and other adjustments processed against the debtors masterfile.
• Inquire of the financial accountant as to whether and how sales to related parties (e.g. companies within
the same group) are identified.
Note: Questions put to employees should be expressed in a way that requires more than a “yes” or “no”
response. In this way the auditor will learn more about the effectiveness of the control and may be
provided with information he least expected.
Observation
• Observe the despatch clerk counting and checking goods against the picking slip/despatch note before
packing items into boxes for delivery.
• Observe the procedures undertaken at the counter when a cash sale is made, for example, whether the sale has
been rung up.
• Observe whether gate control personnel actually check goods leaving the premises (being delivered)
against the delivery note/invoice.
Note: Observation is not a very convincing procedure as the employee is likely to do what he is supposed
to do because he knows that the auditor is watching! Observation would always be matched with other
procedures.
For example:
In addition to observing the despatch clerk counting and checking, the auditor might ask the despatch
clerk how he resolves a situation where the physical goods for despatch do not agree with the picking slip.
With regard to the testing of controls over the accuracy and completeness of processing and recording of sales transactions and receipts from debtors promptly and in the correct accounts, the auditor takes into consideration that modern software is very fast, efficient and reliable. It is more likely that, instead of re-performing numerous calculations and tracing postings through the system, the auditor will concentrate his tests of controls on the effectiveness of the authorisation/approval of transactions and the effectiveness of controls over reviewing and reconciling the results of processing, for example, logs, day-end reports, listings, etc. This is perfectly acceptable because if the client is using up-to-date, well-supported reputable software, the auditor is most likely to assess the risk of material misstatement arising out of inaccurate or incomplete processing and recording (accuracy and classification, cut-off and completeness) as low.
and follow up on any strange fluctuations. He may also analyse the accounts receivable balance in terms of the age of debtors (days outstanding) and the average amount of debt outstanding, and compare the results to the same ratios and breakdowns for the prior year.
In terms of ISA 330, the auditor must design and perform some substantive procedures for each material class of transaction, account balance and disclosure, regardless of the assessed risk of material misstatement. In other words, the auditor cannot decide that there is no need to do any substantive testing because he has assessed the risk of material misstatement for the account heading, class of transactions or disclosures as low, and because his tests of controls provide persuasive evidence that controls had operated effectively for the period under review. The reasons for this are that:
• risk assessment is judgmental and the auditor may not have identified all risks, and
• internal control has inherent limitations, including management override, for example, a member of
management may simply override the credit manager and write off a bad debt that should not actually
be written off.
However, the auditor does not necessarily have to carry out both tests of detail and analytical procedures. If
assessed risk is judged as low and tests of controls indicate that controls are operating effectively, the
auditor may decide that all that is required to reduce audit risk to an acceptable level is the performance of
analytical procedures. In practice it is more common for the auditor to use a combination of tests of detail
and analytical procedures when conducting substantive tests.
10.7.3.1 Occurrence – Recorded transactions have occurred and they pertain to the company
• To obtain evidence that recorded sales actually occurred, the auditor would need to trace a sample of
recorded sales transactions back to the source and inspect the supporting documentation for the invoice,
to confirm:
– that an order was received from an approved customer
– that a picking slip and despatch note for the goods invoiced, duly signed by the picker and despatcher
(and possibly the customer to acknowledge receipt) exist, and
– that the goods invoiced to the customer were of a type sold by the company.
• The auditor should also trace each sale in the sample through to the cash receipts journal/bank statement and customer remittance advice and, by inspection, determine whether a payment of the correct amount for each invoice was received. (If a payment has not been received, the auditor would trace it through to the debtors account in the debtors ledger.)
• The results of tests of controls will have a significant effect on the extent of these tests. If, for example, tests of controls reveal that the sales initiating and approving controls make it virtually impossible to include a sale that did not actually occur in the accounting records, the auditor’s substantive procedures as described above will be reduced.
• In certain instances the auditor may need to give specific consideration to whether the performance
obligations per the contract have been met, for example:
– where the goods are supplied to the customer on approval (that means that the customer may return
the goods by a specified date if he does not want them). A sale should not be recognised until the
buyer has “approved the goods” or the specified date has been reached
– where goods have been placed with an agent on consignment, a sale should not be recognised until
the agent has sold the goods, and
– where a buyer purchases goods but requests that the supplier delays delivery, the sale can only be
recognised when the contractual performance obligation has been met. Therefore, whether delivery
was an aspect of the contractual obligation will need to be considered.
• With regard to cash sales, there is usually very little risk that cash sales that have been recorded have
not occurred. There is a far greater risk that cash sales made will not be recorded. This relates to the
completeness assertion. However, to test occurrence, the auditor may choose to select a small sample of
recorded cash sales and trace them to the relevant deposit slip/cash book/bank statement and to the
original cash sale invoice/receipt, till roll or daily cash sales spreadsheet.
10.7.3.3 Cut-off – The sales transactions have been accounted for in the correct accounting period
The testing of cut-off of sales is designed to establish whether the sales around the year-end were accounted for in the correct period, i.e., that sales made after year-end have not been recorded as if they had been made before year-end, and that sales made before year-end have not been left unrecorded until after year-end. The auditor should be aware that management may deliberately manipulate cut-off at year-end to overstate sales or understate sales, depending on their motives. Cut-off can be tested in various ways but will hinge on obtaining evidence about the dates when the risks and rewards of ownership actually transferred. The auditor should:
• at year-end obtain the document numbers of the last documents used in the financial year, for example,
sales invoices, and despatch notes
• at a later stage, agree this number to the last entry in the sales journal and sequence test, say, the last two weeks of invoices before year-end, for any missing invoice numbers (these may represent sales that have been made but not entered prior to year-end)
• scrutinise the subsequent month’s sales journal for any invoice numbers lower than the cut-off number
(none should be found)
• select, say, the first 20 invoices (or invoices for material amounts) entered in the sales journal for the month after year-end and trace them to the supporting despatch notes/delivery records and by inspecting dates on the documents, confirm that the goods were not actually delivered prior to the year-end, and
• select, say, the last 20 despatch notes prior to the year-end cut-off despatch note number and by inspection of the sales journal, confirm that the corresponding sale was raised prior to year-end.
Note:
– If the company receives an order before year-end but only processes (picks and delivers) and records
it in the following year, there is no “cut-off” issue.
– If the company receives an order before year-end, processes it (picks and delivers it) before year-end
but only records it after year-end, there is a “cut-off” issue.
– If the company receives an order before year-end, records the sale before year-end but only processes
(picks and delivers) it after year-end, there is a “cut-off” issue.
• inspect the cash sales records (e.g. till slips, cash receipts) for, say, the two or three days either side of
the financial year-end and confirm by inspection of the cash sales ledger account and dates on deposit
slips, that the sale and the asset were raised in the correct accounting period.
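The sequence test, the scrutiny of the next month's journal and the date comparisons described above can be run as data tests over a sales journal extract. The following Python is an added example, not taken from the book: the year-end date, cut-off invoice number and journal entries are constructed, and the delivery date on the despatch record is assumed to be the date on which the sale should be recognised.

```python
from dataclasses import dataclass
from datetime import date

YEAR_END = date(2020, 4, 30)   # constructed year-end date
CUTOFF_INVOICE_NO = 5007       # constructed: last invoice number used in the year


@dataclass(frozen=True)
class Sale:
    invoice_no: int
    recorded: date    # date the invoice was entered in the sales journal
    delivered: date   # date on the signed despatch note / delivery record


# Constructed sales journal extract spanning the year-end (not client data).
JOURNAL = [
    Sale(5001, date(2020, 4, 27), date(2020, 4, 27)),
    Sale(5002, date(2020, 4, 28), date(2020, 4, 28)),
    Sale(5003, date(2020, 4, 29), date(2020, 4, 29)),
    Sale(5005, date(2020, 4, 30), date(2020, 5, 4)),   # invoiced before delivery
    Sale(5006, date(2020, 4, 30), date(2020, 4, 30)),
    Sale(5007, date(2020, 4, 30), date(2020, 4, 30)),
    Sale(5008, date(2020, 5, 4), date(2020, 4, 29)),   # delivered, invoiced late
    Sale(5009, date(2020, 5, 4), date(2020, 5, 4)),
    Sale(5004, date(2020, 5, 5), date(2020, 4, 28)),   # old number used in new year
    Sale(5010, date(2020, 5, 5), date(2020, 5, 5)),
]


def missing_before_year_end(journal, first_no, cutoff_no, year_end):
    """Sequence test: numbers in first_no..cutoff_no not recorded by year-end."""
    recorded = {s.invoice_no for s in journal if s.recorded <= year_end}
    return [n for n in range(first_no, cutoff_no + 1) if n not in recorded]


def below_cutoff_after_year_end(journal, cutoff_no, year_end):
    """Invoice numbers at or below the cut-off number entered in the next period."""
    return sorted(s.invoice_no for s in journal
                  if s.recorded > year_end and s.invoice_no <= cutoff_no)


def cutoff_status(sale, year_end):
    """Compare recording and delivery dates against year-end.

    The order date is deliberately ignored: an order received before
    year-end but delivered and recorded afterwards is not a cut-off issue.
    """
    recorded_in_year = sale.recorded <= year_end
    delivered_in_year = sale.delivered <= year_end
    if recorded_in_year == delivered_in_year:
        return "OK"
    # Delivered in the year but recorded later: current-year sales understated.
    if delivered_in_year:
        return "RECORDED_LATE"
    # Recorded in the year but delivered later: current-year sales overstated.
    return "RECORDED_EARLY"


def cutoff_exceptions(journal, year_end):
    """Map invoice number to cut-off status for every entry that is not OK."""
    result = {}
    for sale in journal:
        status = cutoff_status(sale, year_end)
        if status != "OK":
            result[sale.invoice_no] = status
    return result


if __name__ == "__main__":
    print("Missing before year-end:",
          missing_before_year_end(JOURNAL, 5001, CUTOFF_INVOICE_NO, YEAR_END))
    print("Below cut-off number in new year:",
          below_cutoff_after_year_end(JOURNAL, CUTOFF_INVOICE_NO, YEAR_END))
    print("Cut-off exceptions:", cutoff_exceptions(JOURNAL, YEAR_END))
```

Each flagged invoice is a starting point for inspecting the underlying despatch note and contract terms, not a conclusion in itself.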
10.7.3.4 Classification – All sales have been recorded in the proper accounts
• See comments on “accuracy” above.
• The auditor may also choose to
– test transfers of amounts from the monthly sales journals (both cash and credit sales) to the sales and
VAT accounts in the general ledger to confirm that the amounts were posted to the correct account,
and
– inspect the sales account for the inclusion of any amounts that are recorded as revenue, but do not
constitute sales, for example, interest income, dividend income.
10.7.3.5 Completeness – All sales that should have been recorded, have been recorded
The testing for the completeness of sales is difficult because as explained earlier, the auditor is looking for
sales that are not recorded in the accounting records. (The completeness of cash sales can be particularly
difficult to audit.) When the auditor conducts tests of controls on the sales cycle, he may select a random
sample of despatch notes (or even ISOs) and follow them through to confirm that they gave rise to an
invoice. This is a completeness test but not one that will help to identify sales that were not even initiated.
The substantive procedures that the auditor will conduct for completeness testing will be analytical.
For example:
• analysis of gross profit fluctuations
• comparisons of sales/debtors to prior periods
• analysis of recorded sales by characteristic for comparison to prior periods, for example, by product,
branch, region, month, customer, and
• comparison of sales ratios to prior periods, for example, sales commission to sales, cash sales to credit
sales.
10.7.3.6 Presentation
Inspect the financial statements to confirm that:
• sales are reflected as a single aggregated line item in the statement of comprehensive income
• any disaggregation of sales in the disclosure notes is accurate, relevant and clearly described, for example,
where sales have been broken down (disaggregated) to reflect sales by product, location or division, and
• the accounting policy is clearly expressed and understandable.
10.7.4.2 Assertion: Existence – trade receivables included in the balance actually exist, they are not fictitious
The two major procedures for existence testing are:
• debtors circularisation by which, with the consent of management, independent confirmation is sought
from the debtor
• the matching of amounts owed at year-end (receivables) to payments from debtors received after year-
end. (This is termed subsequent receipt testing.) The principle is simple; if a debtor is listed as “in
existence” at year-end, and a payment is received after year-end from that debtor, the existence of the
debtor at year-end is confirmed, provided the amount paid subsequent to year-end is in respect of the
amount owed at year-end, and not for sales made after year-end.
• The auditor thereafter monitors all replies to the circularisation, following up all disagreements and
“addressee unknowns” (positive and negative circularisation) and “no replies” (positive circularisation
only) so as to collect evidence relating to existence and to a lesser extent valuation:
– disagreements should be followed up by reference to relevant source documentation, discussion with
credit controller, and, if necessary, follow up with the client’s attorneys, and
– “no replies” (positive) and “addressee unknowns” should be followed up by re-circularising the debtors concerned (after correcting the address if necessary), telephone/fax enquiries, and reference to receipts after year-end for evidence of subsequent payment of balances that have not been confirmed.
• Errors identified through the circularisation should then be projected over the entire population of
debtors to establish the extent of possible misstatement of the overall debtors balance.
10.7.4.3 Assertion: accuracy, valuation and allocation (gross amount) – trade receivables are included in the financial statements at appropriate amounts and related disclosures have been appropriately measured and described
This assertion for trade receivables consists of two parts, namely the “gross” amount and the allowance for
bad debts.
10.7.4.4 Assertion: Completeness – all trade receivables that should have been recorded have been recorded and all related disclosures that should have been included have been included
Completeness of debtors is not normally a major concern for the auditor. However, “cut off” testing to
confirm that sales, and hence debtors, were correctly raised at year-end should be conducted. It is possible
that the company delays invoicing to the new year to “get off to a good start”, particularly if sales targets
for the month prior to year-end, have been achieved. Analytical procedures conducted on the debtors
figures and related accounts also supply evidence of completeness. (See “cut-off” and “completeness”
testing dealt with in para 10.7.3.)
The spreadsheet will be cast and cross-cast, and a deposit slip will be made out. A security company usually
collects the takings for banking. If the auditor decides that the cash on hand should be verified, he should
• be present at the time(s) the cash in the tills is counted:
– he should make sure that he is not left on his own with an open till at any time (could be accused of
theft if there were a shortfall)
• observe the counting of cash closely, ensuring that cash and credit card slips are separately identified
• confirm that the totals of the different types of sales (cash or credit card) counted agree with the totals recorded on the (independent) till roll total and that any differences are recorded on the till reconciliation document and that the cashier and the controller (person doing the counting) sign the till roll and the reconciliation
• ensure by observation that the cash from the first and subsequent tills counted is kept separate and secure and cannot be included in the cash counted for other tills, and that the tills that have been counted are closed/deactivated
• confirm by inspection that the takings for each till (per the reconciliation) were entered accurately on
the daily spreadsheet and re-perform the casts and extensions
• obtain the spreadsheet for the two trading days prior to the current trading day and confirm that takings
for these days were banked prior to the year-end
• inspect the bank deposit slip for the current day’s takings and agree the totals to the daily spreadsheet
• inspect the bank statement subsequent to the year-end and confirm that the deposit went through the
bank
• create a work paper that records the balances and other details, and
• confirm by inspection of the respective ledger accounts that these cash sales/VAT were included at the
year-end.
10.7.5.6 Presentation
The disclosure of bank balances and cash on hand is relatively straightforward:
• The total will be shown on the face of the statement of financial position under current assets (other
than bank overdrafts) under the heading “cash and cash equivalents”.
• This will be supported by a note, that will distinguish between the different categories, for example,
cash on hand, current account balances and call account balances.
• The details of any security, pledge, etc., offered and attached to a bank overdraft will also be disclosed.
(f) Lists of debtors who have exceeded their credit limits or terms, or a particular threshold, can be
extracted.
APPENDIX 1
A SCHEDULE OF INDIVIDUAL DEBTORS EXTRACTED FROM THE DEBTORS MASTERFILE OF DO-IT (PTY) LTD AT 30 APRIL 2020
Columns: Account number; Account holder; Address and contact details; Account balance; Current; 30 days; 60 days; 60+ days; Credit limit; Credit terms; *Status code
Ab01 Able CC 4 Pan Rd, Ptown, etc. (1 000,00) 2 525,01 (3 625,01) 100,00 5 000 30 2
Am06 Amic (Pty) Ltd 63 Nail Drive, Dbn, etc. 6 332,25 3 332,25 800,00 2 200,00 5 000 60
Bo21 Bow (Pty) Ltd 9 Rep Rd, Dbn, etc. 30 046,98 5 870,00 24 176,98 50 000 30 2
Ed07 Edz CC 2 Crox Str, Ptown, etc. 78 842,13 47 909,80 15 617,24 12 234,29 3 079,80 75 000 60
Fi04 Fitt (Pty) Ltd 14 West Street, Westmead, etc. 1 097,70 1 097,70 c.o.d.
Fy01 Fylta CC 221 Box Rd, Dbn, etc. 430,94 430,94 500 30
Ri06 i06 R Ltd 12 Wrong Rd, Umbilo, etc. 21 090,00 20 040,00 162,01 887,99 20 000 30 3
Ru02 Rubb CC 42 001,50 35 050,00 6 951,50
Sk13 SK (Pty) Ltd 24 Moon Rd, Chatsworth 93 009,40 49 808,20 43 201,20 100 000 120
Su06 u06 S Ltd 92 Gate Rd, Hillcrest, etc. 14 267,00 14 267,00 15 000 30 2
Wi14 Wish CC 41 Golf Rd, Pmb, etc. 114 298,00 14 100.00 100 198,00 100 000 60
Ze09 Zed (Pty) Ltd 21 Penn Rd, Bluff, etc. 3 269,18 3 269,18 4 000 30 1
* Status code: 1 = Handed to attorneys; 2 = Current correspondence; 3 = New account
APPENDIX 2
PROCEDURES THAT MAY BE CONDUCTED ON THE DEBTORS MASTER FILE OF DO-IT (PTY) LTD USING AUDIT SOFTWARE
Columns: Procedure; Assertions; Example/notes
1. Stratify population by amount and express as a percentage of the total population.
Example/notes: – Amounts: R100 000 and above; between R75 000 and R100 000, etc.
2. Scan the entire master file and produce reports of “error conditions”:
2.1 blank fields (selected fields)
Assertions: Existence, valuation
Example/notes: Fi04, Ru02
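The stratification and blank-field scan in Appendix 2, together with the credit-limit report mentioned in item (f), can be reproduced over the Appendix 1 schedule. The following Python is an added example, not the book's or any audit package's own code: the balances, limits and terms are taken from Appendix 1 as extracted, cells marked `None` are inferred to be blank, the ageing columns are left out, and the bands below R75 000 are assumptions.

```python
from decimal import Decimal

# (account, address, balance, credit_limit, credit_terms), read from the
# flattened Appendix 1 text. None marks a cell that appears blank there
# (an inference, because the extraction does not preserve empty cells).
FIELDS = ("account", "address", "balance", "credit_limit", "credit_terms")
MASTERFILE = [
    ("Ab01", "4 Pan Rd, Ptown", "-1000.00", "5000", "30"),
    ("Am06", "63 Nail Drive, Dbn", "6332.25", "5000", "60"),
    ("Bo21", "9 Rep Rd, Dbn", "30046.98", "50000", "30"),
    ("Ed07", "2 Crox Str, Ptown", "78842.13", "75000", "60"),
    ("Fi04", "14 West Street, Westmead", "1097.70", None, "c.o.d."),
    ("Fy01", "221 Box Rd, Dbn", "430.94", "500", "30"),
    ("Ri06", "12 Wrong Rd, Umbilo", "21090.00", "20000", "30"),
    ("Ru02", None, "42001.50", None, None),
    ("Sk13", "24 Moon Rd, Chatsworth", "93009.40", "100000", "120"),
    ("Su06", "92 Gate Rd, Hillcrest", "14267.00", "15000", "30"),
    ("Wi14", "41 Golf Rd, Pmb", "114298.00", "100000", "60"),
    ("Ze09", "21 Penn Rd, Bluff", "3269.18", "4000", "30"),
]

# The first two bands are the ones Appendix 2 names; the rest are assumed.
BANDS = [
    ("R100 000 and above", Decimal("100000"), None),
    ("R75 000 to under R100 000", Decimal("75000"), Decimal("100000")),
    ("R50 000 to under R75 000", Decimal("50000"), Decimal("75000")),
    ("R0 to under R50 000", Decimal("0"), Decimal("50000")),
    ("Credit balances", None, Decimal("0")),
]


def stratify(records):
    """Count and value per band, each also expressed as a share of the total."""
    total = sum(Decimal(r[2]) for r in records)
    strata = {label: {"count": 0, "value": Decimal("0")} for label, _, _ in BANDS}
    for rec in records:
        balance = Decimal(rec[2])
        for label, low, high in BANDS:
            if (low is None or balance >= low) and (high is None or balance < high):
                strata[label]["count"] += 1
                strata[label]["value"] += balance
                break
    for band in strata.values():
        band["pct_of_accounts"] = round(100 * band["count"] / len(records), 1)
        band["pct_of_value"] = round(float(100 * band["value"] / total), 1)
    return strata


def blank_fields(records, selected=("address", "credit_limit", "credit_terms")):
    """Error-condition scan: accounts with any selected field left blank."""
    report = {}
    for rec in records:
        row = dict(zip(FIELDS, rec))
        blanks = [name for name in selected if not row[name]]
        if blanks:
            report[row["account"]] = blanks
    return report


def over_credit_limit(records):
    """Accounts whose balance exceeds a recorded credit limit, with the excess."""
    report = {}
    for rec in records:
        row = dict(zip(FIELDS, rec))
        if row["credit_limit"] is None:
            continue  # no limit on file: reported by blank_fields instead
        excess = Decimal(row["balance"]) - Decimal(row["credit_limit"])
        if excess > 0:
            report[row["account"]] = excess
    return report


if __name__ == "__main__":
    for label, band in stratify(MASTERFILE).items():
        print(label, band)
    print("Blank fields:", blank_fields(MASTERFILE))
    print("Over credit limit:", over_credit_limit(MASTERFILE))
```

The blank-field scan returns the same two accounts that Appendix 2 lists for procedure 2.1.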
Chapter 10: Revenue and receipts cycle
11
Acquisitions and payments cycle
CONTENTS
11.1 The accounting system and control activities
11.1.1 Introduction
11.1.2 Objective of this section of the chapter
11.1.3 Characteristics of the cycle
11.1.4 Basic functions for any acquisitions and payments cycle
11.1.5 Documents used in the cycle
11.1.6 Narrative description of a manual acquisitions and payments cycle by function
11.1.7 Flow charts for a manual acquisitions and payments cycle
11.1.8 Computerisation of the acquisitions and payments cycle
11.1.9 The role of the other components of internal control in the acquisitions and payments cycle
11.2 Narrative description of the acquisitions and payments cycle at ProRide (Pty) Ltd
11.2.1 Introduction
11.2.2 Suppliers
11.2.3 Purchases
11.2.4 Frequency of orders
11.2.5 Computerisation
11.3 Acquisitions – How the system works at ProRide (Pty) Ltd
11.3.1 Initiating orders
11.3.2 Purchases from local suppliers
11.3.3 Purchases from foreign suppliers
11.3.4 Receiving the goods
11.3.5 Costing the inventory
11.3.6 Recording the cost of the goods received in the inventory masterfile
11.3.7 Payment of creditors – Local suppliers
11.3.8 Payment of creditors – Foreign suppliers
11.3.9 Updating the general ledger on the AS 400 system
11.5 The auditor’s response to assessed risks
11.5.1 The auditor’s toolbox
11.5.2 Overall responses to risks of material misstatement at financial statement level
11.5.3 Responding to risks at assertion level
11.5.4 “Other” audit procedures
11.6 Audit Procedures – Test of controls and substantive procedures
11.6.1 Tests of controls
11.6.2 Substantive procedures
11.6.3 Substantive procedures of transactions in this acquisitions and payments cycle
11.6.4 Substantive procedures on the trade and other payables balance
11.6.5 The use of audit software (substantive procedures)
11.6.6 Automated application controls in acquisitions and payments cycle
Chapter 11: Acquisitions and payments cycle 11/3
11.1.5.10 Receipt
A document provided by the supplier to acknowledge that a payment of Rx has been received.
11.1.6.1 Ordering
The purpose of this function is to place approved orders with suppliers to obtain goods (and services) that
the company requires. The majority of goods ordered will be either inventory for resale or raw materials for
manufacture. However, other departments such as maintenance, accounting, sales and security, also
require items on a regular basis and these should also be ordered through the company’s purchasing
system. The ordering function is essentially responsible for obtaining the correct type and quantity of goods
at the best price and desired quality. Many companies have what are termed “approved suppliers” from
whom goods are purchased. Before being placed on the approved supplier list, the supplier will be
thoroughly investigated for reliability of delivery, quality and price. Company buyers also build up
relationships with particular suppliers who become “informally” approved suppliers over time.
Besides the obvious problems that arise out of inaccurate or late ordering, management needs to be
aware of the risk of buyers deliberately placing orders that are not at the best price and quality from the
company’s perspective, so as to earn “kickbacks” or “commissions” for themselves, at the expense of the
company. Buyers may also place orders at inflated prices with their own businesses, or those of a family
member or friend, again at the expense of their employer.
• In a manual system, hard copy requisitions from departments requiring goods of some kind will be
delivered to the buying department.
• The buying clerk will manually complete a multicopy preprinted, sequenced purchase order after
checking with the supplier as to availability and price of the goods to be purchased, and referring to
supplier catalogues for descriptions and codes.
• The buying clerk may refer to a hard copy list of approved suppliers or may choose a supplier himself.
• A chief buyer may scrutinise all purchase orders and approve them by signing the document.
• The order will often be placed by phone, and a hard copy sent as confirmation by fax or post.
11.1.6.2 Receiving
• The role of the receiving function is to accept goods from suppliers and acknowledge receipt thereof.
Only goods for which valid purchase orders have been placed should be accepted. In the real world, the
receiving function often proves to be the weakest link. The usual way of perpetrating fraud in this area is
for the supplier’s delivery personnel to deliver only, say, half of the truckload, but for the receiving clerk
to sign for a full truckload. The goods that remain on the truck are then driven off the premises and sold
cheaply for cash, before the supplier’s driver returns to the supplier’s depot. The receiving clerk and
supplier’s driver share the proceeds from the sale of the stolen goods. Obviously this requires collusion
between the supplier’s delivery personnel and the company’s receiving and warehouse personnel, and
perhaps highlights collusion as the major limitation of internal control.
• A copy of all purchase orders will be sent to the receiving bay and filed in numerical sequence.
• On arrival of the goods from the supplier, the receiving clerk will match the purchase order reference on
the supplier’s delivery note to the purchase order to determine the goods to be received.
• The receiving clerk should count the goods received against the delivery note and purchase order and
should perform at least a superficial check of the quality of the goods. It is usually not practical to
quality check the contents of boxes, but obviously damaged or wet boxes should be rejected. Any
deliveries that are incorrect or rejected will be clearly marked on both copies of the supplier’s delivery
note and the amendment signed by the supplier’s employee and the receiving clerk.
• The receiving clerk will make out a sequenced goods received note for the goods actually received, cross
referencing it to the purchase order and delivery note.
• The goods will then be transferred from the receiving bay, which should be a physically separate section of
the warehouse, to the inventory department, which is responsible for the custody of the inventory.
Something to consider . . .
These are areas that students struggle with quite often. Are you
able to draw up your own flow diagrams to assist in your
foundational knowledge of the acquisition and payments cycle?
Use these sections as a basis to add on more information that is
needed later.
The series of tables that follows expands on the functions, risks and control activities in the acquisitions
and payments cycle. For each function, the documents that may be used are identified. Further, the
business risks that may exist in each function are described.
Something to consider . . .
For each of the control activities above, identify which control
objectives these activities are trying to achieve? Is it validity,
accuracy or completeness?
Perform the same exercise for each of the control activities
described in the series of tables that follow.
Receiving of goods
Function
The purpose of this function is to accept and acknowledge deliveries of valid orders from suppliers and to
record the delivery (goods received note). Prior to acceptance, physical checks on quantity, quality and
description of goods should be carried out.
Documents/records
• Supplier delivery note (DN)
• Goods Received Note (GRN)
Risks
• Acceptance of:
– short deliveries as full deliveries
– damaged and broken items
– items not ordered, and
– goods not of the required type or quality.
• Goods received notes not made out accurately or completely.
• No goods received note made out.
• Theft by employees or outside parties, for example, collusion with supplier delivery personnel.
Recording of purchases
Function
The purpose of this function is to raise the purchase and the corresponding liability in the accounting
records. The recording of all purchases and trade liabilities should be carried out by the (creditors)
recording function so that controls are not bypassed, for example, by the raising of liabilities through the
general journal by other departments.
Documents/records
• Purchase invoice (PI)
• Credit note (CN)
• Creditors statements
• Purchases journal
• Purchases returns and allowances journal
• Creditors ledger
• General ledger
Risks
• The recording of incorrect amounts arising from incorrect purchase invoices:
– quantity, quality and type not as ordered or received
– prices of goods not as quoted
– calculation errors, for example, casts, extensions, VAT.
• The raising of fictitious purchases/creditors by the introduction of invoices that are for goods never
ordered or received by the company (results in invalid flows of cash leaving the company).
• Delays, misallocation and posting errors when entering details into accounting records resulting in
reconciliation problems and failure to make use of favourable settlement terms.
Note: As previously mentioned, the preferred method of paying creditors is payment by EFT. Paying by EFT does not mean
that the controls that must be in place before and after a payment is made, for example, scrutiny of supporting
documentation, two individuals to authorise payments and reconciliations and review of cash journals and bank
statements subsequent to payment, can be ignored; they will be implemented but in another form (this is explained
later in the chapter).
11.1.8.1 Access
Many businesses will run their accounting systems on a local area network (LAN). Simplistically speaking,
this means that there will be a number of terminals, usually from different departments, “linked” together
and sharing resources. So access to both the network and individual applications must be carefully
controlled:
• access to the network should only be possible through authorised terminals, and
• only employees who work in the various functions of the cycle need access to the acquisitions and
payments application and only to those modules or functions of the application necessary for them to
do their jobs (least privilege/need to know basis). Certain managers will have extensive read only access
for supervisory and review purposes.
Various techniques are used to control access, for example, the user:
• must identify himself to the system with a valid user ID
• must authenticate himself to the system with a valid password, and
• will only be given access to those program and data files that he is authorised to have access to in terms
of his user profile.
Once the user is on the system, access is usually controlled by what appears or does not appear on the
user’s screen.
For example:
Only the modules of the application the user has access to will appear on the screen, or alternatively, all
the modules will be listed, but the ones the user has access to will be highlighted in some way, such as a
different colour.
If the user selects a module that he does not have access to (this is determined by his user profile),
nothing will happen and/or a message will appear on the screen that says something like “access denied”.
In another similar method of controlling access, the screen will not give the user the option to carry out a
particular action.
For example:
Certain purchase orders awaiting approval from the chief buyer are listed on a pending file. Although
other users may have access to this file for information purposes, when they access the file their screens will
either not show an “approve option”, or the “approve option” will be shaded and will not react if the user
“clicks” on it. Only the chief buyer’s screen will have an approve option that can be activated.
Remember that access controls are a very effective way of achieving sound segregation of duties and
isolation of responsibilities.
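The access rules described above, as an added Python example that is not part of the original text: the user profile decides which modules and options appear on the screen, and the same profile is checked again when the action is requested, with refused attempts written to a violation log. User IDs, module names and order numbers are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class AccessDenied(Exception):
    """Raised when a user's profile does not permit the requested action."""


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    # module name -> actions allowed in that module (constructed names)
    permissions: dict


@dataclass
class PurchaseOrder:
    number: str
    created_by: str
    status: str = "pending"
    approved_by: Optional[str] = None


class PurchasingApplication:
    def __init__(self, profiles, orders):
        self._profiles = {p.user_id: p for p in profiles}
        self._pending = {o.number: o for o in orders}
        self.violation_log = []  # intended for supervisory review

    def _actions(self, user_id, module):
        profile = self._profiles.get(user_id)
        if profile is None:
            return frozenset()
        return frozenset(profile.permissions.get(module, ()))

    def menu(self, user_id):
        """Modules listed on the user's screen: only those in the profile."""
        profile = self._profiles.get(user_id)
        if profile is None:
            return []
        return sorted(m for m, acts in profile.permissions.items() if acts)

    def screen_options(self, user_id, module):
        """Options drawn as active for this user; any other option is shaded."""
        return sorted(self._actions(user_id, module))

    def _require(self, user_id, module, action, target):
        # The profile is checked again when the action is requested, so a
        # request that does not come from the screen is refused and recorded.
        if action not in self._actions(user_id, module):
            self.violation_log.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "user_id": user_id,
                "module": module,
                "action": action,
                "target": target,
            })
            raise AccessDenied("access denied")

    def view_pending(self, user_id):
        self._require(user_id, "pending_orders", "read", "*")
        return sorted(self._pending)

    def approve(self, user_id, order_number):
        self._require(user_id, "pending_orders", "approve", order_number)
        order = self._pending.pop(order_number)  # KeyError if not pending
        order.status, order.approved_by = "approved", user_id
        return order


def build_demo():
    """Constructed profiles: only the chief buyer holds the approve action."""
    profiles = [
        UserProfile("chief_buyer", {"pending_orders": {"read", "approve"}}),
        UserProfile("order_clerk", {"create_order": {"create"},
                                    "pending_orders": {"read"}}),
        UserProfile("receiving_clerk", {"goods_received": {"create"}}),
    ]
    orders = [PurchaseOrder("PO-0001", "order_clerk"),
              PurchaseOrder("PO-0002", "order_clerk")]
    return PurchasingApplication(profiles, orders)


if __name__ == "__main__":
    app = build_demo()
    print(app.screen_options("order_clerk", "pending_orders"))
    try:
        app.approve("order_clerk", "PO-0001")
    except AccessDenied as exc:
        print(exc, app.violation_log[-1]["user_id"])
    print(app.approve("chief_buyer", "PO-0001"))
```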
11.1.8.2 Menus
Current software is all menu-driven and generally easy to use. Menus can be tailored to the specific needs
of a user (based on the user profile) and “items” can be selected by a simple “click of the mouse”. Menus
facilitate access control and segregation of duties.
11.1.8.3 Integration
The extent to which the accounting system is integrated will vary, but most systems these days are
integrated in the sense that a transaction entered onto the system will instantly update all the records it
affects.
For example,
The processing of a payment to a supplier will simultaneously update the cash records and creditors
masterfile. This significantly improves the accuracy of the records but makes the control over input
extremely important.
For example:
When a goods receiving clerk keys in a purchase order number on receiving a delivery, the full details of
the order will appear on the screen. The speed, accuracy and completeness of input are enhanced.
Ordering of goods
A purchase order clerk needs to know what goods to order. How this is done in practice varies, and will depend on
the size of the business, the products it sells, or whether there is a manufacturing process.
One of the ways that a requisition for goods to be ordered can be initiated is by the setting of reorder levels and
reorder quantities and then entering them in the inventory masterfile. This means that when the quantity field on the
inventory masterfile gets down to a predetermined level, the system will alert the inventory controller/buying
department. There are a number of interrelated activities that make up an acquisitions and payments system and
these are described below.
Procedure/activity 1. Setting and protecting reorder levels and reorder quantities recorded in the inventory
masterfile.
Control, comment and explanation:
1.1 These levels should be set by experienced personnel for each item the company purchases and are based
on such things as supplier lead times, sales forecasts, average sales over preceding months, etc.
1.2 The pre-set levels should be regularly reviewed.
1.3 The ability to change a level will be restricted to the chief buyer, and all changes will be logged.
1.4 Levels will only be used as a guide for determining quantities to be purchased.
Procedure/activity 2. Initiating a purchase order.
Control, comment and explanation:
2.1 At regular intervals, say every Monday morning, a purchase requisition report will be generated from the
inventory masterfile of items that have reached their reorder levels. The report printed out will contain:
• the company’s inventory code for each item that has reached its reorder level
• a brief description of the item
• the recommended reorder quantity from the masterfile, and
• a space for the inventory controller to add in any additional comments pertaining to the purchase, for
example, changes to the recommended reorder quantity, additional inventory items to be purchased.
2.2 The report itself should be clearly headed, dated, page sequenced, for example, page 5 of 5, and clearly
laid out.
2.3 The inventory controller should review the report, add comments and meet with the chief buyer to
discuss the purchase requisition report before signing it.
2.4 Once the chief buyer has reviewed the schedule and added any comments, he should sign it before
passing it onto the buying clerk. A copy of the report will be retained by the chief buyer.
2.5 The chief buyer has read access to the creditors masterfile so that for urgent or large orders he can
determine whether the account is up to date etc., before the order is sent to the supplier.
Procedure/activity 3. Creating a purchase order:
• purchase orders are made out only for goods that are sold by the company
• purchases are only made from approved suppliers
• all details pertaining to the order are entered accurately and completely
• an appropriate quantity is ordered
• all goods on the purchase requisition, and only goods on the purchase requisition report are ordered.
Control, comment and explanation:
3.1 Access to the “create purchase order” module should be restricted to the purchase order clerk.
3.2 On accessing the module, the screen will come up formatted as a purchase order.
3.3 Valid goods: on keying-in the inventory item code in the designated field (taken from the requisition
report) the description of the goods and the supplier’s inventory item code will appear. If the item code is
not a valid inventory code, the order clerk will not be able to proceed.
3.4 Approved supplier: when the item code is entered, details of the supplier of the item as listed in the
inventory masterfile/creditors file will appear. The system will not allow the order clerk to enter any
supplier who is not approved. The controls in 3.3 and 3.4 can be regarded as verification checks and are
also a form of data approval/authorisation check. The entry of the inventory item code to bring up all
related inventory details is an example of the minimum entry principle.
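The input checks in 3.3 and 3.4, together with a limit check on the quantity field and a comparison of the order with the requisition report, as an added Python example that is not part of the original text. The masterfile contents, the error codes and the limit of three times the reorder quantity are assumptions made for the illustration.

```python
# Constructed extracts of the inventory and creditors masterfiles.
INVENTORY_MASTERFILE = {
    "BK-1001": {"description": "Mountain bike, 26 inch", "supplier_no": "S001",
                "supplier_item_code": "MTB-26", "reorder_qty": 40},
    "HL-2001": {"description": "Cycling helmet, medium", "supplier_no": "S002",
                "supplier_item_code": "HELM-M", "reorder_qty": 100},
    "TB-3001": {"description": "Inner tube, 26 inch", "supplier_no": "S009",
                "supplier_item_code": "TUBE-26", "reorder_qty": 500},
}
# Only approved suppliers are on the creditors masterfile (S009 is absent).
CREDITORS_MASTERFILE = {
    "S001": {"name": "Constructed Cycles Ltd"},
    "S002": {"name": "Constructed Helmets Ltd"},
}
# Assumption: the limit check refuses more than 3 x the reorder quantity.
LIMIT_FACTOR = 3


def create_order_line(item_code, quantity, supplier_no=None):
    """Validate one purchase order line. Returns (line, errors).

    The clerk keys only the item code and quantity (minimum entry); the
    description, supplier and supplier item code come from the masterfiles.
    """
    code = str(item_code).strip().upper()
    item = INVENTORY_MASTERFILE.get(code)
    if item is None:
        # 3.3: not a valid inventory code, so the clerk cannot proceed.
        return None, ["INVALID_ITEM_CODE"]

    errors = []
    # 3.4: a keyed supplier, or the masterfile supplier, must be approved.
    supplier_no = supplier_no or item["supplier_no"]
    supplier = CREDITORS_MASTERFILE.get(supplier_no)
    if supplier is None:
        errors.append("SUPPLIER_NOT_APPROVED")

    # Mandatory, well-formed quantity, then the limit/reasonableness check.
    if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity <= 0:
        errors.append("QUANTITY_NOT_POSITIVE_INTEGER")
    elif quantity > LIMIT_FACTOR * item["reorder_qty"]:
        errors.append("QUANTITY_OVER_LIMIT")

    if errors:
        return None, errors
    return {
        "item_code": code,
        "description": item["description"],
        "supplier_item_code": item["supplier_item_code"],
        "supplier_no": supplier_no,
        "supplier_name": supplier["name"],
        "quantity": quantity,
    }, []


def compare_with_requisition(order_lines, requisition_item_codes):
    """All goods on the requisition report, and only those, are ordered."""
    ordered = {line["item_code"] for line in order_lines}
    requested = set(requisition_item_codes)
    return {
        "not_on_requisition": sorted(ordered - requested),
        "not_ordered": sorted(requested - ordered),
    }


if __name__ == "__main__":
    for args in [("bk-1001", 40), ("XX-9999", 10), ("TB-3001", 500),
                 ("BK-1001", 121)]:
        print(args, create_order_line(*args))
```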
Processing controls
As mentioned in chapter 8, the accuracy, completeness, etc., of processing are evidenced by reconciliation of output
with input and the detailed checking and review of output by users, on the basis that if input and output can be
reconciled and checks and reviews reveal no errors, processing was carried out accurately and completely and only
transactions that actually occurred and were authorised, were processed. To make sure it does its job, the computer
will perform some internal processing controls on itself, but the user will not even be aware that these are going on.
The users within the cycle make use of the logs and reports that are produced relating to their functions, while the IT
systems personnel make sure that processing aspects of the system are operating properly.
Summary
The system described above provides an illustration of how the control activities described in
chapter 5 (and referred to in ISA 315 (revised)) can be implemented. It also provides an illustration of how specific
automated application controls can be introduced.
For example:
Segregation of duties
• Separation of functions, for example, ordering, receiving goods, processing payments.
• Separation of responsibilities within functions, for example, generating purchase requisition report,
initiating purchase orders, authorising purchase orders.
Isolation of responsibilities
• Isolating responsibilities through granting access privileges, for example, only the chief buyer can
approve purchase orders.
• The goods receiving clerk signs the supplier delivery note that isolates his responsibility for accepting the
delivery of goods from a supplier.
Approval and authorisation
• The system will not allow the order clerk to place an order with a supplier who is not on the creditors
masterfile.
• The creditors’ section head approves the schedule of EFT payments to creditors.
Custody
• Access to the bank account (custody of the company’s money) is strictly controlled by user IDs, PINs and
passwords (those with authority to make an EFT are effectively the custodians of the company’s cash).
• Goods received by the goods receiving section are kept securely until they are transferred to the
warehouse.
Access controls
• All users on the system must identify and authenticate themselves by IDs and passwords and what they
are authorised to do is reflected in their user profiles.
• Additional access controls such as terminal shut down and logging of access violations are in place.
Comparison and reconciliation
• The system reconciles the total amount (and number) of invoices selected for payment with the reduction
in the total and number of invoices on the unpaid invoices list.
• The creditors’ clerk reconciles the supplier’s statement with the creditor’s (supplier’s) account in the
creditors masterfile.
Performance review
• Supervisory and management staff can access the purchase order file to see how efficiently approved
purchase orders are being executed.
• Reports on inventory ageing (number of days inventory items are held) can give an indication of the
appropriateness of reorder levels and the performance of the chief buyer and inventory controller.
• Monitoring complaints from the sales manager relating to sales lost because of inefficient purchasing.
Control techniques and application controls
• Screen aids and related features:
– minimum entry: keying in the inventory code of an item on the purchase order brings up the supplier,
description, cost, etc., of that inventory item
– screen formatting: purchase order, and
– mandatory fields: branch code for new customer banking details.
• Program checks:
– validation check on supplier number, and
– limit checks/reasonableness checks on quantity ordered field.
• Output control:
– masterfile amendment logs are checked against source documents and
– bank statement checked against EFT payments entered onto the system.
Logs and reports
• Log of and changes to existing creditors banking details.
• Weekly reports of long outstanding purchase orders or of GRNs for which there is no invoice.
This does not cover every control, policy or procedure that could be in place, and is not intended to. This knowledge
will only be acquired when you go into different companies and work with their systems.
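The weekly exception report listed under "Logs and reports", as an added Python example that is not part of the original text: it lists long outstanding purchase orders and GRNs for which there is no invoice, and also flags GRNs that quote no valid purchase order and breaks in the GRN number sequence. All records are constructed, and the 30-day threshold for "long outstanding" is an assumption.

```python
from datetime import date

# Constructed records; document numbers and dates are invented.
PURCHASE_ORDERS = [
    {"po": "PO-0101", "date": date(2021, 1, 4)},
    {"po": "PO-0102", "date": date(2021, 1, 11)},
    {"po": "PO-0103", "date": date(2021, 2, 22)},
]
GOODS_RECEIVED_NOTES = [
    {"grn": 301, "po": "PO-0101", "date": date(2021, 1, 18)},
    {"grn": 302, "po": "PO-0103", "date": date(2021, 2, 26)},
    {"grn": 304, "po": "PO-0999", "date": date(2021, 2, 27)},
]
PURCHASE_INVOICES = [
    {"invoice": "INV-7001", "grn": 301},
]
DEMO_AS_AT = date(2021, 3, 1)


def exception_report(orders, grns, invoices, as_at, max_days_outstanding=30):
    """Build the exception lists a supervisor would follow up each week.

    max_days_outstanding is an assumed threshold; the text does not give one.
    """
    order_numbers = {o["po"] for o in orders}
    received_orders = {g["po"] for g in grns}
    invoiced_grns = {i["grn"] for i in invoices}

    # Orders placed long ago for which no goods have been received.
    long_outstanding = sorted(
        o["po"] for o in orders
        if o["po"] not in received_orders
        and (as_at - o["date"]).days > max_days_outstanding
    )

    # Goods received but no liability raised yet (completeness, cut-off).
    grns_without_invoice = sorted(
        g["grn"] for g in grns if g["grn"] not in invoiced_grns
    )

    # Only goods for which a valid purchase order exists should be accepted.
    grns_without_valid_order = sorted(
        g["grn"] for g in grns if g["po"] not in order_numbers
    )

    # GRNs are sequenced, so a break in the sequence needs an explanation.
    numbers = sorted(g["grn"] for g in grns)
    present = set(numbers)
    missing = []
    if numbers:
        missing = [n for n in range(numbers[0], numbers[-1] + 1)
                   if n not in present]

    return {
        "long_outstanding_orders": long_outstanding,
        "grns_without_invoice": grns_without_invoice,
        "grns_without_valid_order": grns_without_valid_order,
        "missing_grn_numbers": missing,
    }


def demo_report():
    return exception_report(PURCHASE_ORDERS, GOODS_RECEIVED_NOTES,
                            PURCHASE_INVOICES, DEMO_AS_AT)


if __name__ == "__main__":
    for heading, items in demo_report().items():
        print(heading, items)
```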
11.1.9 The role of the other components of internal control in the acquisitions and payments cycle
This chapter has concentrated on the accounting system that is part of the information system and control
activities components of internal control. However, these components are affected by the other components,
so a brief mention of the role of the other components is necessary.
Again, in a smaller entity it will be the owner/manager’s informal, but ongoing, assessment of risk that
will be important.
11.1.9.3 Monitoring
How is the cycle doing over time in meeting its objectives? That is the question that monitoring seeks to
answer. To express these objectives simplistically, we might describe them as ensuring that optimal
quantities of inventory are held, that the costs of items purchased are as budgeted, that suppliers are reliable
and that only valid creditors are paid accurately and on time. These can all be monitored by period based
comparisons (and industry comparisons, if available) of such matters as:
• delays in production or sales lost because of inappropriate inventory holdings
• instances of the inability of suppliers to supply goods as required (price, time and quality)
• actual purchase costs compared to budgeted costs
• complaints from suppliers or letters from suppliers demanding payment
• losses from EFT fraud
• reductions in theft of inventory.
Monitoring can be carried out by the board through the scrutiny of reports on the above matters or by visits
from an internal audit team. Owner/managers pretty much monitor internal control themselves and may
do it very well, particularly if they are very involved in the day-to-day running of the business.
11.2 Narrative description of the acquisitions and payments cycle at ProRide (Pty) Ltd
11.2.1 Introduction
At ProRide (Pty) Ltd, the acquisitions and payments cycle is taken very seriously. The basic principle (that
is followed in all cycles) is that if the initiation of the transactions in the cycle is carefully controlled, then
problems arising later in the cycle are kept to a minimum. As you will see, the two most senior members of
staff (the managing director and the financial director) are closely involved in initiating and authorising
purchase transactions.
Both the managing director (Peter Hutton) and the financial director (Brandon Nel) have extensive
knowledge of the bicycle industry. Great care is taken to ensure that inventory of the required quality, price
and saleability is obtained. There are two major reasons for this. Firstly, ProRide (Pty) Ltd’s largest
customers are the major chainstores, and failure to deliver the right product, at the right price, on time, will
result in the loss of an important market. Secondly, the company does not want to purchase inventory that
it cannot sell.
11.2.2 Suppliers
Each and every supplier to ProRide (Pty) Ltd is carefully evaluated by Peter and Brandon. They require
suppliers who are reliable with regard to delivery, who are consistent with quality and who are reasonable with
price. Suppliers are evaluated on an ongoing basis and a sound business relationship is built up with them.
This evaluation includes regular visits to the suppliers’ premises, a number of which are as far afield as
Taiwan and China.
Prices for each inventory item are negotiated and agreed with local and foreign suppliers, usually for the
following six months.
11.2.3 Purchases
As indicated in chapter 10, ProRide (Pty) Ltd wholesales bicycles and related spares and accessories. In
addition to goods purchased for resale, the company, like any other company, purchases other items such as
stationery, consumables, minor tools and equipment, etc. While these “non-trading” items are also subject
to sound internal controls, they are not the concern of the two directors.
Purchases are made from both local and overseas suppliers. The basic controls over purchases from both
sources are the same. However, in respect of imported purchases, additional procedures arise as goods have
to be shipped in containers, and must be cleared through customs, etc., before being delivered. Payments to
foreign suppliers must be subjected to foreign exchange regulations. Foreign purchases far exceed local
purchases.
11.2.5 Computerisation
As indicated in chapter 9, the company uses JD Edwards’ application software run on an IBM AS 400
system. However, ProRide (Pty) Ltd has not integrated its acquisitions and payments cycle into this system
as the number of purchases made does not warrant the cost of integration. (You will recall from the
discussion in chapter 10 that the cashbook function is not integrated for the same reason.)
indicating contact details, terms and a sequence number appears. Zodwa enters all the details of what is to
be ordered from the foreign inventory order report onto the MF. The MF is printed in duplicate and passed
to Tania Koetzee who checks it for accuracy and completeness against the foreign inventory order report.
The MF is then passed to Ruth Taylor (purchases manager) who authorises it. The MF is stamped with a
grid stamp to facilitate this process as follows:
Prepared by
Checked by
Authorised by
• Final invoice.
• Shipping file.
At this stage a (physical) shipping file is opened for each order. The file is very important as it will become
the final destination of all the documents and will provide a comprehensive audit trail for each foreign
order. Thus a completed shipping file will contain:
• foreign inventory order report
• master form
• pro forma invoice
• letter of credit
• bill of lading
• packing list
• final invoice
• any other correspondence
• goods received note (added once the goods have been cleared and delivered)
• clearing agents documents.
The preparer signs the schedule and Ruth Taylor checks the costing from the supporting documentation
and also signs it. It is then placed in the Shipping File.
Note 1: ProRide (Pty) Ltd buys forward cover to pay for its foreign purchases and complies with the
International Accounting Standards when selecting the appropriate conversion rate for costing the
inventory.
Note 2: If the shipment contains a number of different items (which is usually the case) the total cost is
allocated to the different items purchased in terms of their value on the supplier’s invoice. For
example, if invoice 1237 (above) had been for 300 Raleigh RC bicycles at $338.75 each, and 200
Raleigh Bombers at $169.38, the total cost of R1 393 690 would have been allocated as follows:
Unit price: Raleigh RC = ($101 630 ÷ $135 507) × R1 393 690 ÷ 300 = R3 484 (rounded)
Unit price: Raleigh Bomber = ($33 877 ÷ $135 507) × R1 393 690 ÷ 200 = R1 742 (rounded)
11.3.6 Recording the cost of the goods received in the inventory masterfile
Tania Koetzee (purchases clerk) will enter the cost of the goods received onto the masterfile that is resident
on the AS 400 system. This is done as soon as the costing has been carried out so that the masterfile is kept
right up to date. Note that the quantity field has already been updated by the GRN. At the end of each day,
a dated inventory transaction report is generated. This report is a list of all inventory items that have had their
quantities increased, by how much, and the unit cost price entered. The report is handed to Zodwa
Mashego who checks it for accuracy and completeness against the relevant GRNs and costing schedules
where applicable. She signs to acknowledge this check. As a double control, Ruth Taylor re-checks the
inventory transaction report to the GRNs the following day.
Payment preparation
This is a “manual” procedure conducted by Zodwa Mashego or Tania Koetzee. Whoever is preparing the
schedule on that day will compile a list of suppliers to be paid that includes the amounts that are to be paid,
the invoices that are being paid, and the name and account number of the supplier. The schedule is
prepared on the screen with the information being taken from the creditors masterfile. The schedule is
printed out, checked by the other purchases clerk, signed by both clerks and Ruth Taylor (purchasing
manager), and given to Johan Els (the financial manager), along with the supporting documentation.
None of the terminals in the purchasing section have the bank’s software loaded on them and EFT
payments cannot be made from them. On receipt of the schedule, Johan will carefully check the detail on the
schedule to the supporting documentation (initialling it as he does so). He will then access the EFT
creditor’s payment module and enter the detail of the payments to be made. ProRide (Pty) Ltd has a full
range of controls over EFT payments as described in a number of chapters in this text and they will not be
repeated here. (You can refer to the description of ProRide’s payroll system for the detailed controls.)
Obviously, companies do not only buy goods for resale or manufacture. Depending on the nature of the
company’s business, there will be expenditures on advertising, travel, consumables, entertainment,
stationery or items of plant and equipment. However, whatever the “acquisition” is, the principles of controlling
the expenditure remain the same, that is, only expenditure relating to the business should be incurred, it
should be authorised before it is incurred, it should be appropriately recorded, and the payment for the
acquisition should be the correct amount and should be authorised. The authority for incurring the
expenditure may differ.
For example:
For an inventory item it may be a requisition signed by the warehouse manager, and a purchase order
signed by the chief buyer. For travel expenses, it may be an authorised budget and a travel approval form
signed by a department head, and for the acquisition of an item of equipment, it may be an authorised
budget and a directors’ minute.
Payments are usually authorised by the signature of a department head on supporting documentation
after suitable scrutiny. Payments of different amounts may be authorised at different levels.
In most reasonably sized businesses, the vast majority of acquisitions (other than for large items of plant
and equipment that are financed in a variety of ways) will be made on “credit”, which simply means that
the goods or services etc., will be paid for some time after the goods are received, say 30 days or 60 days
later, depending on the terms agreed with the supplier. This means that at any point in time the company
will have creditors. So in effect, the acquisitions and payments cycle gives rise to transactions and an account
balance, both of which will need to be considered by the auditor in carrying out the audit of the cycle.
The audit of the cycle consists of two parts. In terms of ISA 315 (revised), the auditor is required to
identify and assess the risk of material misstatement at both financial statement level and at account
balance and transaction level. This means that in the context of this cycle, the auditor will need to evaluate
whether there is anything in the assessment of risk at financial statement level that may filter down into the
audit of the cycle and whether there are specific risks pertaining to the creditors balance in the AFS or to
the recorded purchase or payment transactions.
For example:
• at financial statement level: if there is an incentive for the directors to manipulate the financial
statements, one of the ways they may do so is by understating the accounts (trade) payable balance
• at account balance level: there may be an identified risk that the creditor’s balance is understated due to
a failure to raise the liability for goods received just prior to year-end
• at transaction level: risk assessment procedures may have revealed that purchase orders can be made
out and placed by the purchase order clerk without authority, or that employees authorised to make
EFT payments share passwords for “convenience’s sake” and that there is no independent
reconciliation of EFT payments after they have been made to source documentation.
Once the cumulative effect of the identified risk has been assessed, the auditor will be in a position to plan
“further” audit procedures and “other” audit procedures. Before moving onto the second part of the audit
of the cycle (i.e. the response to assessed risk), it is perhaps necessary to remind ourselves of the assertions
relating to the transactions in the cycle and the related balance, (i.e. accounts payable).
11.4.2 Financial statement assertions and the acquisition and payments cycle
Purchases
Occurrence: Purchases that have been recorded have occurred (they are not fictitious), and such
purchases pertain to the company.
Completeness: All purchases that should have been recorded have been recorded.
Accuracy: The amounts of purchases and other data if applicable, relating to recorded
purchases have been recorded appropriately.
Cut-off: Purchases have been recorded in the correct accounting period.
Classification: Purchases have been recorded in the proper accounts.
Payments to trade creditors
Occurrence: Payments that have been recorded have occurred (they are not fictitious), and such
payments pertain to the company.
Completeness: All payments that should have been recorded have been recorded.
Accuracy: The amounts of payments and other data, if applicable, relating to recorded
payments have been recorded appropriately.
Cut-off: Payments have been recorded in the correct accounting period.
Classification: Payments have been recorded in the proper accounts.
Trade payables
Existence: Trade payables exist at year-end.
Obligations: Trade payables included in the balance represent obligations of the company.
Completeness: All trade payables that should have been recorded, have been recorded and all
related disclosures that should have been included in the financial statements, have
been included.
Accuracy, valuation and allocation: Trade payables have been included in the financial statements at
appropriate amounts, and related disclosures have been appropriately measured and described.
Classification: Trade payables have been recorded in the proper accounts.
Presentation: Trade payables are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable in the context of
the applicable financial reporting framework.
• Company claims VAT to which it is not entitled (completeness of liabilities): This is very often a
“by-product” of the frauds described above.
• Directors or employees accepting bribes from suppliers as an inducement to purchase goods from that (supplier)
company: This is a difficult situation because from a financial reporting perspective there may be
absolutely no problem. The goods purchased may be of the required quality and price, the order properly
authorised etc. The payment of the bribe may well be a problem in the supplier’s business but is in effect
“outside” the business of the company at which the person receiving the bribe is employed. Accepting
this type of inducement is likely to be in contravention of the company’s employment policies. In terms
of section 45 of the Auditing Profession Act, where directors receive such inducements, there may be a
reportable irregularity. Directors or employees setting themselves, family or friends up as suppliers and
then directing business to those entities is a variation of this practice and is effectively, a related party
transaction.
• Theft of goods at the receiving stage (existence of inventory): This will normally be an employee fraud,
and amounts to receiving clerks signing for goods received but not taking custody of all the goods
signed for. The goods that are stolen are sent out on the truck in which they were delivered and
offloaded elsewhere. Collusion with the supplier delivery staff is required.
11.5.2 Overall responses to the risk of material misstatement at the financial statement level
In terms of ISA 315 (revised), the auditor shall identify the risks of material misstatement at the overall
financial statement level and at the assertion level for transactions, account balances and disclosures.
Further, a significant risk is an identified and assessed risk that, in the auditor’s judgement, requires
special audit consideration. This does not mean that the auditor needs to be familiar with a whole new
range of audit procedures (have additional tools in his toolbox), but it does mean he will look closely at the
nature, timing and extent of the further audit procedures as well as the skills and experience of the audit
team.
In the context of this cycle, significant risks may include:
• the risks of fraudulent practices as discussed in point 11.4.3 above
• significant acquisitions being made from related parties, for example, companies within the group or
entities owned by a director
• the risk of the understatement of trade and other accounts payable.
In terms of ISA 330, the auditor must implement overall responses to address the assessed risk of material
misstatement at the financial statement level.
For example:
• assigning more experienced staff to the audit. This could be a response to the risk of manipulation of the
financial statements by understatement of the trade payables balance
• emphasising to the audit team the need to maintain professional scepticism, for example, to be alert to
the possibility that management may be having personal expenditures paid for by the company, and
• providing more supervision.
11/38 Auditing Notes for South African Students
Inspection
• A sample of recorded purchases could be selected and the supporting requisition and purchase order
could be inspected for an authorising signature.
• A sample of purchase orders could be compared to the list of approved suppliers to confirm that purchases
are made only from approved suppliers. This procedure may be supplemented by inquiry and
inspection of supporting documentation that provides evidence that a supplier is only added to the list
of approved suppliers after a thorough and independent evaluation of the supplier. This reduces the risk
that purchases can be made from businesses connected to the company’s order clerk, buyer or members
of management, and that goods that are not for the company’s use can be purchased.
• Inspect the masterfile amendment log and supporting documentation for indication of approval for the
addition of a supplier to the creditors masterfile during the year.
Note: In some systems there may be no visible indication of approval of say, the purchase order as it is
given “on the system”. This on-screen approval might be effected by the purchase order clerk being
unable to print or email a purchase order until approval has been given by the employee (chief
buyer) whose access profile permits approval of purchase orders. The appropriate test may be for
the computer audit division to look at and test user profiles as part of a system orientated CAAT.
Alternatively, the auditor may be able to infer (assume) that approval of the purchase order does in
fact take place if other tests of controls in the process, for example, controls over payments to
creditors, prove to be effective.
Inquiry
• For example, inquire of the receiving clerk as to:
– the procedures he follows when goods are delivered
– what happens to goods that are delivered but are not as listed on the purchase order (wrong goods,
short delivered, over delivered).
• Inquire of the purchase order clerk as to what procedure is followed for placing an order if there is no
purchase requisition provided, for example, he gets a verbal instruction to place an order.
• Inquire of the financial accountant (or similar) as to what happens when a payment by EFT must be
made and one of the individuals required to “authorise” a payment, is not available.
Note: Questions put to employees should be expressed in a way that requires more than a “yes” or “no”
response. In this way the auditor will learn more about the effectiveness of the control and may be
provided with information he least expected.
Observation
• Observe the procedures that are carried out by the receiving clerk when a delivery is received from a
supplier.
• Observe the “authorise” and “release” procedures being undertaken for the payment of a creditor.
Note: Observation is not a very convincing procedure as the employee is likely to do what he is supposed
to do because he knows the auditor is watching! Observation would always be matched with other
procedures, for example, when observing the receiving of goods, the auditor may request the
receiving clerk to insert an invalid purchase order number into the system to see what happens (it
should be rejected).
Re-performance
The auditor may choose to re-perform a sample of creditors’ reconciliations.
With regard to accuracy and completeness of processing and recording of transactions promptly and in
the correct accounts, especially in integrated real-time systems, current accounting software is very fast,
efficient and reliable. The auditor is likely to concentrate tests of controls on controls over the authorisation
of transactions and the controls over reviewing and reconciling the results of processing, for example, logs,
reports, listings, etc. If these controls appear to be operating successfully, the auditor can assume that
processing controls are effective.
at year-end. These tests, that will be a mix of tests of controls and substantive tests, are termed “roll
forward tests”.
– Inspect the purchase journal (and invoice) to confirm that VAT has been correctly allocated and
posted.
– Inspect the supplier’s account in the creditors ledger to confirm that the purchase was correctly
posted from the purchase journal.
• Completeness (all purchases that should have been recorded have been recorded)
– To test the completeness of purchases, the auditor will test from a document recording the receipt of
the item purchased to the recording of the purchase in the records. The auditor may choose a random
sample of GRNs from the sequence of GRNs and trace them through to the corresponding invoices.
Tests of detail would then be carried out as described above. If there was no corresponding invoice,
the purchase may not have been recorded.
Note (a) Strong corroborative evidence for the occurrence assertion is obtained if a properly authorised
payment for the purchase is recorded. The auditor is likely therefore, to extend the testing of his
sample of purchases to include the testing of the corresponding payment.
Note (b) Some of the procedures described above may be regarded as “tests of controls”, for example,
inspecting the purchase order to confirm that it was made out to an approved supplier,
or checking for authorising signatures. This is not an issue as the auditor frequently carries
out “dual purpose tests” that provide some evidence of the effectiveness of controls and some
substantive evidence. In the context of the audit, this may be an efficient way of gathering
evidence.
Note (c) For some of the purchases made by the company, there may be no specific purchase order or
goods received note to tie to the invoice, for example, the purchase of a service or a non-physical
item that is not “delivered”, such as travel expenses or delivery charges. In these instances, the
auditor will still test the accuracy of the invoice but will seek alternative source documentation
to support the purchase.
11.6.3.2 Payments
Tests of detail on payments will again concentrate on the assertions relating to transactions. As indicated
earlier, a payment in the context of this cycle is normally linked directly to a purchase and the auditor may
extend his tests of detail on purchases to the corresponding payment. However, the auditor also wants
evidence that payments recorded in the cash book were in respect of actual valid purchases that occurred.
The auditor may therefore select a sample of payments from the cash payments journal and test as follows:
• Occurrence
– Obtain the invoice supporting the payment.
– Inspect the invoice to confirm that:
o it is made out to ExWhy (Pty) Ltd
o is for goods, services or other expenditures normally used or incurred by the company and is from
a supplier on the approved supplier list.
– Inspect the authority for the payment, for example:
o appropriately approved purchase order, GRN
o appropriately approved expenditure requisition or claim, for example, travel expenses authorisation
o approved payment requisition.
• Accuracy (the amount of the payment has been recorded appropriately)
– Re-perform the casts and calculations on the invoice.
– Agree the amount of the invoice to the payment in the cash payments journal.
• Cut-off (the payment has been recorded in the proper accounting period)
– Inspect the dates on the payment, the invoice and supporting documentation to confirm they fall
within the period under audit and are reasonable in relation to each other.
• Classification (the payment has been recorded in the proper accounts)
– Trace the payment to the general ledger and creditors ledger to confirm that the posting has been
made to the creditors control account and the correct creditor in the creditors ledger.
– Where “the purchase” has not gone through the purchase journal (not raised as a creditor), confirm
by inspection of the description on the invoice or payment requisition, that the payment has been
allocated and posted to the correct account in the general ledger, for example, travel expenses.
Chapter 11: Acquisitions and payments cycle 11/43
• Completeness (all payments that should have been recorded, have been recorded)
The situation where a payment has been made but has not been entered in the cash payments journal
should be revealed by inspection or re-performance of the bank reconciliation statement.
Note: The auditor may also wish to perform tests of detail on a sample of payments reflected in the
individual creditors’ accounts. Similar tests to those described above would be carried out.
Where payment was by EFT, the auditor will inspect the applicable schedule of EFT payments for
authorising signatures and will inspect the audit trail/bank statement/remittance advice, to confirm that
the EFT was made to the correct payee. The auditor will also consider the extent to which he can rely on
those senior officials who have the “authorise” and “release” privileges for EFTs to carefully check the
payment details before the EFT is made.
11.6.4.2 Assertion: Existence – trade payables included in the balance actually exist, they are not fictitious
The existence assertion for trade payables is usually a low risk assertion as companies do not normally wish
to overstate their liabilities, so in the absence of any contrary evidence, the auditor can assume that the
trade payables (and other liabilities) that appear in the statement of financial position, do actually “exist”.
The auditor will however, perform “cut off” tests at year-end, to confirm that purchases and creditors have
not been overstated and have not been prematurely raised. Bearing in mind that if management are intent
on overstating purchases/creditors to manipulate the financial statements, they would do it for material
amounts, the auditor should:
• record the number of the last GRN for the year (cut-off number)
• select from the purchase journal, material purchases entered during the last two weeks of the year and
trace to the relevant GRN and supplier delivery note (via the invoice), and
• inspect these documents to confirm that the GRN number is lower than the cut-off number and that the
documents are dated prior to the year-end date.
These tests should reveal whether the company is holding the purchases journal “open” into the next
financial year in an attempt to manipulate the figures at financial year-end. (Note: The intention of these
tests is to determine whether the liability existed at year-end.)
11.6.4.3 Assertion: Accuracy, valuation and allocation – trade payables are included in the financial statements at appropriate amounts and related disclosures have been appropriately measured and described
The carrying value of trade payables will in effect be the total amount of trade payables (and accruals)
because, unlike asset accounts, there is no need to write-down the balance (make allowances) for
obsolescence, depreciation, impairments or bad debts.
• Agree the list of individual creditor’s balances to the balance on the creditors control account.
• Agree a sample of individual creditor’s balances on the list to the individual creditor’s account in the
creditors ledger.
• Agree the total of the accrual and creditors control accounts in the general ledger to the trial balance.
• Re-perform casts of the creditors control account, and the creditors list.
• Identify any debit balances on the creditors list, establish the reason with the purchases manager and
consider whether the balances should be transferred to debtors.
• Select a sample of creditors (that includes the company’s major suppliers) from the creditors list and
obtain the year-end creditors reconciliations performed by the creditors clerks:
– re-perform the casts of the reconciliation
– agree balances on the reconciliation to the creditors statement and creditors listing
– test the logic of the reconciliation
– by inspection of the supporting documentation and by inquiry and confirmation, confirm the validity
of reconciling items
• If applicable, select a sample of foreign creditors from the creditors list and by scrutiny of the supporting
documentation (invoice), determine the amount owed to the creditor in the foreign denominated
currency.
• Obtain from a financial institution or suitable publication, the applicable currency exchange rate at the
financial year-end (spot rate), and
– using the spot rate, compute the amount owed to the creditor at the financial year-end in local
currency (rand)
– compare this amount to the amount recorded for the creditor on the creditors list and, if necessary,
request adjustment. The foreign creditor will have been raised initially at the rate ruling at transaction
date i.e. the date on which the risks and rewards of ownership passed, and may require adjustment
for any change to the exchange rate.
Note: The creditors balance will be written up or down, and the corresponding entry will be to an
exchange loss or gain.
• Obtain a list of accruals from the client:
– Cast the list.
– Agree the total on the list to the account in the general ledger, the trial balance and the statement of
financial position (the amount will be included in creditors).
• Agree amounts recorded on the accrued list to invoices, statements, etc., and re-perform any
calculations, for example, leave pay accrual.
11.6.4.4 Assertion: Completeness – all trade payables and accruals that should have been recorded have been recorded, and all relevant disclosures that should have been recorded have been recorded
It is generally considered that completeness is the assertion most at risk of material misstatement as the
company is more likely to understate its liabilities than overstate them. The auditor is therefore concerned
about what is not in the account but should be, so completeness tests are focused on identifying unrecorded
liabilities:
• Compare the list of creditors at the current year-end to the previous year-end, to identify:
– creditors on the previous list who do not appear on the current list
– creditors balances that are significantly smaller at the current year-end, and
– by enquiry and inspection, determine and evaluate the reason.
• Inspect the creditor’s correspondence file for correspondence relating to unsettled disputes with suppliers,
and by discussion with management, determine whether any adjustments to creditors are required,
for example, the audit client may be disputing the actual delivery or condition of the goods delivered
and may not have raised the liability.
• If available, inspect the list of GRNs that were unmatched to invoices at year-end. (This list should have
been obtained by the auditor at year-end when document cut-off numbers were taken.) Confirm, by
inspection, that a journal entry raising the corresponding creditors at year-end has been passed, and
that the amounts raised are correctly computed by:
– obtaining the price of the goods received (from the order or pricelist or corresponding invoice if it has
arrived), and
– recomputing the amount owed.
• Select a sample of material purchases from the purchase journal for the month following the year-end
and trace to the goods received note applicable to the purchase, to confirm that:
– the GRN number is greater than the GRN “cut-off” number (see 11.6.4.2)
– the dates on the GRN and supplier delivery note are after the financial year-end.
• Select a sample of large payments from the cash payments journal for the month(s) after the financial
year-end and, by inspection of the GRN and delivery note, confirm that if the payment relates to goods
or services received prior to year-end, the corresponding creditor had been raised at year-end.
• Inspect the work papers relating to creditors’ reconciliations to identify any instances of reconciling
items that result in understatement of the creditors balance, for example, a disputed amount
prematurely written off, and follow up with management.
• Inspect the work papers from attendance at the inventory count and investigate any instances of
physical inventory materially exceeding recorded inventory. This may indicate deliveries received prior
to year-end that have been included in physical inventory but for which no entries in the records have
been made (i.e. no goods received note or invoice from which to raise the liability).
• Inspect the general ledger accounts for periodic expenses to determine whether all amounts have been
correctly accrued, for example, that rent and electricity each have 12 debits to the expense accounts.
• Perform analytical procedures and follow up on any material fluctuations, for example:
– current year purchases, creditors and accruals at year-end to prior years
– trade payables as a percentage of current liabilities
– trade payables days outstanding compared to prior years.
• Enquire of the financial accountant whether suppliers of services (as opposed to goods) who provided
the service prior to year-end, have been raised as creditors.
• Inspect the creditors control account for unusual debit entries.
• If necessary, obtain confirmation of balances direct from a sample of creditors (i.e. conduct a positive
creditors confirmation). It may be appropriate to obtain direct confirmations of:
– nil balances
– major creditors (to confirm that the balance is not understated despite being large)
– balances that have significantly reduced since the prior year
– creditors for whom there are no statements.
• Include reference to the completeness assertion for trade payables and accruals in the management
representation letter.
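The two cut-off tests on GRN numbers described in 11.6.4.2 (existence) and 11.6.4.4 (completeness) can be run over the whole purchase journal as a data-oriented CAAT. The Python example below is added here and is not part of the original text; the record layout, the function names and all sample figures are constructed for illustration, and the GRN carrying the cut-off number is treated as the last receipt of the year.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Purchase:
    invoice_no: str
    grn_no: int
    grn_date: date      # date on the GRN and supplier delivery note
    journal_date: date  # date the purchase was entered in the purchase journal
    amount: float


def premature_purchases(journal, cutoff_grn, year_end, materiality, window_days=14):
    """Existence (11.6.4.2): material entries journalised in the last
    `window_days` of the year whose GRN number or GRN date shows that the
    goods were only received after year-end."""
    window_start = year_end - timedelta(days=window_days)
    return [
        p.invoice_no
        for p in journal
        if window_start < p.journal_date <= year_end
        and p.amount >= materiality
        and (p.grn_no > cutoff_grn or p.grn_date > year_end)
    ]


def unrecorded_liabilities(grn_register, journal, accrued_grns, cutoff_grn, year_end):
    """Completeness (11.6.4.4): GRNs issued up to the cut-off number that were
    neither entered in the purchase journal by year-end nor raised as a
    creditor by year-end journal entry."""
    recorded_in_year = {p.grn_no for p in journal if p.journal_date <= year_end}
    return sorted(
        grn
        for grn in grn_register
        if grn <= cutoff_grn
        and grn not in recorded_in_year
        and grn not in accrued_grns
    )


# Constructed sample data: year-end 28 February 2021, last GRN of the year 4500.
YEAR_END = date(2021, 2, 28)
CUTOFF_GRN = 4500
MATERIALITY = 50_000.0
GRN_REGISTER = [4480, 4497, 4498, 4499, 4500, 4503, 4504]
ACCRUED_GRNS = {4499}  # unmatched GRNs raised as creditors by journal entry
JOURNAL = [
    Purchase("INV-100", 4480, date(2021, 2, 1), date(2021, 2, 2), 300_000.0),
    Purchase("INV-101", 4498, date(2021, 2, 25), date(2021, 2, 26), 120_000.0),
    Purchase("INV-102", 4503, date(2021, 3, 2), date(2021, 2, 27), 250_000.0),
    Purchase("INV-103", 4504, date(2021, 3, 3), date(2021, 2, 28), 900.0),
    Purchase("INV-104", 4499, date(2021, 2, 26), date(2021, 3, 5), 80_000.0),
    Purchase("INV-105", 4500, date(2021, 2, 28), date(2021, 3, 8), 60_000.0),
]

if __name__ == "__main__":
    print("Raised prematurely:",
          premature_purchases(JOURNAL, CUTOFF_GRN, YEAR_END, MATERIALITY))
    print("GRNs with no liability raised:",
          unrecorded_liabilities(GRN_REGISTER, JOURNAL, ACCRUED_GRNS,
                                 CUTOFF_GRN, YEAR_END))
```

Each exception is a starting point for inspection of the underlying GRN, delivery note and invoice, not a conclusion in itself.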
Unmatched invoices
• Determine whether the application has been configured to match invoices to purchase orders when
purchasing.
• Determine who has access to change the configuration within the application.
• Have any changes been made to the configuration during the period under review?
• Have changes been authorised in the application?
• Review report for unmatched purchase orders for trends and inconsistencies.
Creditors masterfile
• Determine who has access to change the vendor masterfile within the application.
• Have any changes been made to the vendor masterfile during the period under review?
• Have changes been authorised in the application?
• Perform a walkthrough of one change to a vendor masterfile to assess the authorisation process of adding
a new vendor.
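The masterfile questions above (who can change the vendor masterfile, what changed in the period, and whether each change was authorised) lend themselves to a system-oriented CAAT that reads the amendment log against the user access profiles. The Python example below is added here and is not part of the original text; the privilege names, log fields, user names and sample entries are all constructed assumptions.

```python
from datetime import date

# Hypothetical privilege names; each application names these differently.
CHANGE = "vendor_master_change"
APPROVE = "vendor_master_approve"


def conflicting_profiles(profiles):
    """Users whose access profile allows them both to make and to approve a
    masterfile change (no segregation of duties)."""
    return sorted(user for user, privs in profiles.items()
                  if {CHANGE, APPROVE} <= privs)


def review_amendments(log, profiles, period_start, period_end):
    """Return (log id, finding) for every amendment in the period that was not
    made and approved by two different, appropriately privileged users."""
    findings = []
    for entry in log:
        if not period_start <= entry["date"] <= period_end:
            continue
        maker, approver = entry["made_by"], entry["approved_by"]
        if CHANGE not in profiles.get(maker, set()):
            findings.append((entry["id"], "maker lacks change privilege"))
        if approver is None:
            findings.append((entry["id"], "no approval recorded"))
        elif approver == maker:
            findings.append((entry["id"], "self-approved"))
        elif APPROVE not in profiles.get(approver, set()):
            findings.append((entry["id"], "approver lacks approve privilege"))
    return findings


def new_vendor_additions(log, period_start, period_end):
    """Log ids of vendors added in the period: the population from which one
    addition is picked for the walkthrough."""
    return [e["id"] for e in log
            if e["action"] == "ADD" and period_start <= e["date"] <= period_end]


# Constructed sample data for a financial year of 1 March 2020 to 28 February 2021.
PERIOD_START, PERIOD_END = date(2020, 3, 1), date(2021, 2, 28)
PROFILES = {
    "clerk_a": {CHANGE},
    "chief_buyer": {APPROVE},
    "fin_mgr": {CHANGE, APPROVE},
    "temp_c": set(),
}
AMENDMENT_LOG = [
    {"id": 1, "date": date(2020, 6, 1), "action": "ADD", "vendor": "V001",
     "made_by": "clerk_a", "approved_by": "chief_buyer"},
    {"id": 2, "date": date(2020, 9, 15), "action": "CHANGE_BANK_DETAILS", "vendor": "V001",
     "made_by": "clerk_a", "approved_by": None},
    {"id": 3, "date": date(2020, 11, 3), "action": "ADD", "vendor": "V002",
     "made_by": "fin_mgr", "approved_by": "fin_mgr"},
    {"id": 4, "date": date(2020, 12, 1), "action": "CHANGE_ADDRESS", "vendor": "V001",
     "made_by": "temp_c", "approved_by": "chief_buyer"},
    {"id": 5, "date": date(2021, 1, 20), "action": "ADD", "vendor": "V003",
     "made_by": "clerk_a", "approved_by": "temp_c"},
    {"id": 6, "date": date(2021, 3, 10), "action": "ADD", "vendor": "V004",
     "made_by": "clerk_a", "approved_by": None},  # after year-end, out of scope
]

if __name__ == "__main__":
    print("Profiles with conflicting privileges:", conflicting_profiles(PROFILES))
    for log_id, finding in review_amendments(AMENDMENT_LOG, PROFILES,
                                             PERIOD_START, PERIOD_END):
        print(f"Amendment {log_id}: {finding}")
    print("Walkthrough population:",
          new_vendor_additions(AMENDMENT_LOG, PERIOD_START, PERIOD_END))
```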
Chapter 12: Inventory and production cycle
CONTENTS
12.1 Accounting system and control activities
12.1.1 Introduction
12.1.2 Objectives of this section of the chapter
12.1.3 Characteristics of the cycle
12.1.4 Basic functions for any inventory and production cycle
12.1.5 Documents used in the cycle
12.1.6 Warehousing: Function, documents, risks and control activities
12.1.7 Production: Function, documents, risks and control activities
12.1.8 Inventory counts: Cycle counts and year-end counts
12.1.9 Computerisation of the inventory and production cycle
12.2 Narrative description of the inventory cycle at ProRide (Pty) Ltd
12.2.1 Introduction
12.2.2 Segregation of duties
12.2.3 Approval and authorisation and isolation of responsibility
12.2.4 Access/custody controls
12.2.5 Comparison and reconciliation
12.2.6 Performance reviews and the use of logs and reports
12.2.7 Conclusion
For example:
A strong control environment must be maintained and physical access controls must be in place. Many
businesses have collapsed because they failed to control their inventory.
[Diagram labels: Receiving; Raw material and component store; Production; Finished goods warehouse; Despatch; manufactured goods]
• No materials should be issued from inventory without a materials requisition that has been checked against the
authorised job card.
• While the job is in production, the job card should be held in a pending file and updated for labour hours as they
are incurred.
• On completion of the job, a sequenced “transfer to finished goods form” should be made out. This will:
– accompany the goods to the finished goods store
– be cross-referenced to the job card
– be used to write up the finished goods perpetual inventory.
• The job cards for completed jobs should be removed from the pending file and “costed”, for example, material
prices and labour costs allocated and an overhead allocation made.
• All calculations should be checked by a second clerk.
• The job card should then be filed numerically.
• On a frequent and regular basis, supervisory staff or the production manager should sequence test the completed
job card file to confirm that:
– each card is cross-referenced to a “transfer to finished goods note” and to a sales invoice, and
– missing job cards are for jobs still in the production stage.
• Management should compare completed job cards to quotes and costing schedules, and investigate variances.
3. For process costing:
• All process runs must be recorded on manufacturing or production schedules that are:
– sequenced and dated
– cross-referenced to production plans
– cross-referenced to material requisitions, and
– authorised by the production manager.
• As items come off the production line, a sequenced “transfer to finished goods form” should be completed for
each day’s production or for every, say, 100 items produced. The “transfer to finished goods note” should:
– accompany the goods to the finished goods store
– be cross-referenced to the production schedule, and
– be used to write up the finished goods perpetual inventory.
• Performance reports should be used to measure performance by production shift, for example, wastage,
quantities produced, damaged items.
• Completed production schedules and performance reports should be sent to “costing” for the allocation of
labour and overhead costs as well as for pricing of materials. (The normal method for doing this is by the
allocation of standard material, labour and overhead costs.)
• On a frequent and regular basis, management should date and sequence test the costed production schedules to
confirm that:
– the full quantity of production has been cross-referenced to a “transfer to finished goods form”, and
– missing schedules are for goods still in production.
• Management should review performance reports to evaluate the production activity and should follow up on
inefficiencies and wastage.
• Actual costs should be compared to standard costs and variances should be evaluated.
• The following posting should be made from signed, costed production schedules:
– raw material costs, direct labour and manufacturing overheads to the debit of work-in-progress, and
– cost of goods manufactured to the credit of work-in-progress and the debit of finished goods.
• All casts, extensions and calculations should be checked before posting.
Note: Again, this may be a computerised system, but the principles described above remain the same.
For example:
If the quantity on hand of a (physical) item of inventory does not agree with the perpetual inventory
records, there has either been a misplacement of the item, the item has been lost or stolen or the perpetual
inventory records are incorrect because a receipt of goods has not been recorded. A follow-up may reveal
that inventory is being stolen by sending out additional items when official orders are dispatched.
Additional supervisory checks will then have to be put in place.
Companies that have large quantities and numerous items of inventory will normally perform what are
referred to as cycle counts. Cycle counts amount to the ongoing comparison of physical quantities of
inventory on hand, to theoretical quantities in the perpetual inventory records. It is essential that the company
operates a perpetual inventory system of quantities of inventory so that actual inventory can be compared
to theoretical inventory. The procedures to be adopted to conduct cycle counts are as follows:
• The timing of each count should be planned at the start of the year, for example, two days every three
weeks, or at the end of every third month. (In very large companies, such as motor manufacturers, cycle
counting can be almost a daily exercise.)
• The items to be counted must be identified. There are a number of ways in which this selection can be
done:
1. Random samples can be selected from the perpetual inventory records.
2. Items that are susceptible to theft or have some other identifying characteristic can be chosen.
3. High-value items can be selected, or
4. The entire inventory population can be divided into sections so that all items are counted at regular
intervals during the year.
5. A particular section of the warehouse may be chosen.
• Once these matters have been settled, the physical inventory will be counted using an acceptable method
of counting and sound count controls (see 8.2 below).
• The physical count quantity (actual) for each item counted will be compared to the theoretical quantity
on the perpetual inventory records and all count discrepancies will be entered onto a sequenced
inventory adjustment form.
• All discrepancies must be thoroughly investigated, preferably by internal audit and the inventory
controller.
– Results of the investigations should be recorded on the inventory adjustment form.
– The warehouse manager should review the forms and authorise the adjustments by signing the form.
– Inventory adjustment forms should be filed numerically and should be sequence checked regularly.
• The adjustment to the records should be made by a clerk who is independent of inventory custody,
receiving and issue.
• Senior warehousing personnel should review the perpetual inventory records periodically and trace
adjustments to the records back to the authorised inventory adjustment form.
• An overall analysis of the discrepancies over a period should be conducted to identify any trends, for
example, frequent discrepancies in a particular section of the warehouse, so that suitable preventive
measures can be put in place.
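The cycle count steps above (compare actual to theoretical quantities, enter discrepancies on sequenced adjustment forms, sequence check the filed forms, trace posted adjustments back to an authorised form, and analyse discrepancies by section) can be expressed as the following checks. The Python example is added here and is not part of the original text; the item codes, form numbers, sections and quantities are constructed.

```python
from collections import Counter


def count_discrepancies(perpetual, counted):
    """Actual minus theoretical quantity for every counted item that disagrees."""
    return {
        item: actual - perpetual.get(item, 0)
        for item, actual in counted.items()
        if actual != perpetual.get(item, 0)
    }


def raise_adjustment_forms(discrepancies, first_form_no):
    """Enter each discrepancy on its own sequentially numbered adjustment form."""
    return [
        {"form_no": first_form_no + i, "item": item, "difference": diff,
         "authorised_by": None}
        for i, (item, diff) in enumerate(sorted(discrepancies.items()))
    ]


def missing_form_numbers(filed_form_nos):
    """Sequence check of the numerically filed forms: numbers with no form on file."""
    present = set(filed_form_nos)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def unsupported_adjustments(posted, forms):
    """Adjustments in the perpetual records that do not trace back to an
    authorised form for the same item and the same quantity."""
    authorised = {f["form_no"]: (f["item"], f["difference"])
                  for f in forms if f["authorised_by"]}
    return [adj for adj in posted
            if authorised.get(adj["form_no"]) != (adj["item"], adj["difference"])]


def discrepancies_by_section(forms, item_section):
    """Number of discrepancies per warehouse section, most affected first."""
    return Counter(item_section[f["item"]] for f in forms).most_common()


# Constructed sample data for one cycle count.
PERPETUAL = {"BRK-01": 40, "CHN-02": 25, "SDL-03": 10, "TYR-04": 60}
COUNTED = {"BRK-01": 40, "CHN-02": 22, "SDL-03": 11, "TYR-04": 55}
ITEM_SECTION = {"BRK-01": "A", "CHN-02": "B", "SDL-03": "A", "TYR-04": "B"}

FORMS = raise_adjustment_forms(count_discrepancies(PERPETUAL, COUNTED), 301)
for form in FORMS:
    if form["form_no"] in (301, 303):  # form 302 is still awaiting signature
        form["authorised_by"] = "warehouse manager"

FILED_FORM_NOS = [298, 299, 301, 302, 303]  # form 300 is not on file
POSTED = [
    {"item": "CHN-02", "difference": -3, "form_no": 301},
    {"item": "TYR-04", "difference": -5, "form_no": 303},
    {"item": "SDL-03", "difference": 1, "form_no": 302},      # form not authorised
    {"item": "BRK-01", "difference": -2, "form_no": None},    # no form at all
]

if __name__ == "__main__":
    print("Discrepancies:", count_discrepancies(PERPETUAL, COUNTED))
    print("Missing form numbers:", missing_form_numbers(FILED_FORM_NOS))
    print("Unsupported adjustments:", unsupported_adjustments(POSTED, FORMS))
    print("By section:", discrepancies_by_section(FORMS, ITEM_SECTION))
```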
Planning and preparation – this must take place timeously and should cover:
• date and time of the count
• method of counting: how the inventory will be counted and recorded, for example, tag system, all items
counted twice
• staff requirements: how count teams are made up, for example, one person from the warehouse, one
person independent of the warehouse (e.g., accounting department), how many teams are necessary as
well as how many people are necessary
• supervision: who will act as count controller
• preparation of the warehouse: tidying racks, packing out half empty boxes onto racks, marking
damaged goods, stacking like goods together, etc.
• drafting of warehouse floorplan to identify count areas for count teams, and
• identifying all locations and categories of inventory.
Design of stationery – various documents are used, and they should be designed along standard stationery
design principles:
• inventory sheets: printed, numerically sequenced, reflect the inventory item number, category and
location of the inventory in the warehouse, and have columns for first count, second count, discrepancies,
and columns for prices and extensions (In many companies, counters may need to insert descriptions,
etc., particularly where there is no form of perpetual inventory)
• in theory, quantities per the perpetual inventory should not be entered on the inventory sheet prior to
the count (this forces counters to actually count to arrive at a quantity) but it may not be practical due to
time constraints
• inventory tags: see explanation under “documents” earlier in this chapter, and
• inventory adjustment forms.
Written instructions – count information and instructions should be provided (in writing) for all members
directly and indirectly involved in the count. The written instructions should cover:
• the identification of count teams and the responsibilities of each member of the team
• the method of counting to be used, for example, tags, double counts, marking counted inventory in two
colours with chalk (reflecting the double count)
• identification of slow moving or damaged inventory as well as consignment inventory
• controls over issues to and returns of inventory sheets to the count controller
• procedures to be adopted if problems arise during count, for example, particular inventory items cannot
be found, deliveries of inventory during the count, and
• detailed instructions concerning dates, times, locations.
Conducting the count – there are a number of variations on how the inventory count should be conducted
but the following procedures should be followed:
• The count staff should be divided into teams of two, with one member of the team being completely
independent of all aspects of inventory.
• All teams should be given a floor plan of the warehouse that should clearly demarcate the inventory
locations for which they are to be held accountable.
• All inventory should be counted twice. One of the following methods can be adopted:
– one member of a team counts and the other records, swapping roles thereafter and performing a
second count in the same section to which they were assigned, or
– count teams complete their first counts, hand their inventory sheets back to the count controller and
sign for the inventory sheets of another section, thereby doing their second counts on a section
already counted by another count team.
• As items are counted, they should be neatly marked by the counters, for example, second counters
should use a different coloured marker. Alternatively, the tag system described under “documentation”
can be used.
• Where count teams identify damaged inventory or inventory in an area of the warehouse that appears
unused/excessively dusty, these inventory items must be marked as such on the inventory sheets
(potential write-downs):
– the contents of boxes where the packaging appears to have been tampered with, should be counted
and the details noted on the inventory sheet.
• A few boxes should be selected at random in each section and the contents compared with the
description on the label to confirm that the contents have not been changed/removed and the seal replaced.
• The count controller (and assistants) should:
– walk through the warehouse once the count is complete and make sure all items have been marked
twice or that the detachable portions of all tags have been removed
– examine the inventory sheets to make sure that first and second counts are the same and agree to the
quantities recorded on the perpetual inventory if there is one, and
– instruct the count teams responsible for sections where discrepancies are identified to recount the
inventory items in question.
• The count controller should obtain the numbers of the last goods received note, invoice, delivery note
and goods returned note used up to the date of the inventory count.
• No despatches of inventory should take place on the date of the inventory count.
• Any inventory received after the count has begun should be stored separately in the receiving bay, until the
count is complete and must not be put into the warehouse. This inventory must be counted and added to
the inventory sheets after the count is complete.
• The counters responsible for the count sheets should:
– draw lines through the blank spaces on all inventory sheets, and
– sign each count sheet and all alterations.
• The inventory controller should check that this procedure has been carried out and should sequence test
the inventory sheets to ensure that all sheets are accounted for.
• Count teams will only be formally dismissed once the count is complete and all queries have been
attended to.
2. All adjustments to the masterfile arising out of the cycle counts must be approved by the warehouse
manager and the financial manager.
3. The responsibility for receiving and despatch is isolated to the despatch controller as nobody else has
access to the necessary applications and by the requirement that all relevant documentation be signed
by him.
4. All employees are required to sign the document related to the procedure they have carried out to
acknowledge having done so, thus isolating their responsibility for the procedure.
For example:
• pickers must sign the picking slip for the goods they have picked so any mistakes or problems can be
tied back to the picker, and
• the warehouse foreman must also sign the picking slip to acknowledge (isolate his responsibility) for
checking what has been picked before it is packed and transferred to despatch.
D = Despatch area
D1 = Roadline office (delivery company)
R = Receiving depot
P = Picking area
S = Storage areas
EG = Expensive goods store
U = Stairs to upper level
O = Warehouse staff offices
• The ProRide (Pty) Ltd warehouse is located in one large structure adjoining (by controlled access) the
administration building. As can be seen from the diagram, the warehouse has distinct areas for both
“despatch” (D) and “receiving” (R) of inventory. Access to and from the outside is controlled by large
steel roller doors that remain locked at all times other than when despatching or receiving takes place.
The keys to these doors are under the control of Reg Gaard (warehouse manager) or Patrick Adams
(foreman) at all times.
• The “despatch” and “receiving” areas are physically separated from the picking area and stores by one-metre
high walls with glass to the ceiling. (This method of construction, that also applies to the warehouse staff offices,
enables warehouse management to see what is going on within all areas of the warehouse at all times.)
Access to the despatch section is from the picking area, not from the storage area, which makes it far more
difficult to steal inventory by “sneaking” it from stores onto a delivery van.
• The picking area (where picked goods are placed prior to final checking and despatch) is separated from
the storage area by brick and glass walls but the access between the two is not controlled. This is simply
for practical purposes as pickers move from one area to another throughout the day.
• The expensive goods store is completely secure and is locked at all times. When expensive goods need
to be “picked”, Patrick Adams (warehouse foreman) will unlock the store and observe the picking.
Only he and Reg have access to the keys.
• The upper level is used exclusively for storing bicycles (in their boxes). A forklift is used to move boxes
to and from this level. Storage of bicycles on the upper level has been done deliberately as it makes it
extremely difficult for anyone to steal a boxed bicycle.
• Access to the warehouse for warehouse staff is via the controlled access (key pad) from the main
administration building. Other employees are not allowed in the warehouse.
• The warehouse is not air-conditioned (the inventory does not require it!) but it is protected against fire
by smoke detectors and sprinkler systems.
• Windows are kept to a minimum and are protected by grids and bars (so items cannot be thrown out of
the warehouse). There is no camera surveillance as it is not considered necessary.
• Inventory is kept in clearly designated areas, for example, tyres, saddles, clothing and the various items
are placed in suitably designated bins or boxes or on shelves. The item’s inventory code is entered on
the bin, box or shelf to facilitate accurate picking and inventory counts.
12.2.6.1 Targets
To be in a position to review performance, targets are set by Brandon and Reg on an ongoing basis for
activities in the inventory cycle. These include:
• Setting time limits for the despatch of goods from the time the sales order is put on the system. As the
sales system is a real-time system, management can access the sales order file at any time to determine
the status of a sales order. Complaints from customers are also closely monitored.
• Setting an “acceptable” margin for incorrectly picked goods (tracked through reports on the number of
and reason for credit notes being issued).
• Setting “acceptable” margins for goods lost, stolen or damaged (tracked through logs on inventory
adjustments).
12.2.6.2 Information
In addition to the information extracted to determine whether targets are being met, Brandon Nel will also
extract a number of reports that help with the general management of inventory, including:
• total inventory holding
• details of inventory in transit
• actual inventory levels for any item
• actual gross profit margins made on sales, per inventory item, per inventory category
• anticipated gross profit margins on inventory held, per inventory item per category
• quantity of items sold to date including a breakdown of those sales by distinguishing feature, for
example, make and model, colour (red bicycles may sell better than blue bicycles), and
• aging of inventory on hand, highlighting inventory that has been on hand beyond predetermined limits
(say 90 days).
12.2.6.3 Meetings
As we have mentioned on many occasions, reports and logs are not much use if there is no follow-up on
the information they contain. A weekly meeting between Brandon Nel (financial director), Johan Els
(financial manager) and Reg Gaard (warehouse manager) is held to discuss any queries that Brandon might
have arising out of the inventory information that is available to him.
12.2.7 Conclusion
The success of the control activities implemented can partially be measured in terms of the percentage of
total inventory lost as a result of theft or damage and the efficiency of filling and despatching orders. At
ProRide (Pty) Ltd this percentage is reasonably constant at less than half a percent of the total inventory
value. Goods are despatched within 24 hours of a sales order being received.
12.3.2.1 Definitions
• Inventories consist of:
– assets held for sale in the ordinary course of business (finished goods and goods purchased for resale)
– assets held in the process of production (work-in-progress), and
– materials or supplies to be consumed in the production process (raw materials).
• Net realisable value is the estimated selling price in the ordinary course of business less the estimated
costs of completion and the estimated costs necessary to make the sale.
12.3.2.2 Inventory should be presented at the lower of cost and net realisable value
This acknowledges the important principle that the asset (inventory) should not be carried at an amount
greater than is expected to be realised from the sale of the asset. Such a situation could arise where:
• inventory has been damaged
• inventory has become obsolete, or
• the selling price has declined to below the cost of the asset due to a drop in demand.
This has a direct effect on the auditor, who will need to perform procedures to determine whether inventory has
been written down adequately to reflect any or all of the above.
either be understated or overstated. The principle that inventory be presented at the lower of cost and net
realisable value still holds, and if there is a problem with the “standard” cost, it must be addressed by
scrutiny of the variances relating to the inventory. The following points are relevant:
• only variances that relate to inventory actually on hand at year-end can affect the value of that
inventory (some of the variances will relate to inventory already sold), and
• variances that are a result of incorrect standard setting should be debited or credited to inventory and
cost of sales to approximate actual cost (to comply with the requirements of IAS 2).
For example:
If, at reporting date, a company has an adverse material price variance (i.e., goods purchased at a price
higher than standard), must the variance be written off as an expense or can it be added to the cost of
inventory (that is at standard)? Any portion of the variance pertaining to inventory that has been
manufactured or sold must be written off. If the remaining portion of the variance arises because the standard was
incorrectly set, the cost of inventory should be adjusted to arrive at the true cost.
What about a situation where the standard is correct, but a variance has arisen as a result of an abnormal
price having been paid for material?
For example:
Assume that a shortage of the material has temporarily pushed up the price and that such material was
purchased just before year-end and will only be used in the new year. In terms of IAS 2, the standard cost
can be used if it approximates actual costs. It would seem therefore that the price variance arising from this
abnormal cost would have to be added to the cost of inventory at standard for financial reporting at the
year-end.
12.3.3 Financial statement assertions and the inventory and production cycle
The auditor’s main concern with this cycle is that the asset (various categories of inventory) associated with
the cycle is fairly presented in the financial statements. Earlier in the chapter we indicated that any material
misstatement in the inventory balances will have a significant effect on fair presentation of both the
statement of comprehensive income and the statement of financial position.
12.3.3.1 The assertions that apply to the inventory account balances and related disclosures
Inventory
Existence: Inventories exist at year-end.
Rights: The company holds the rights to the inventories.
Completeness: All inventories that should have been recorded have been recorded and all related disclosures that should have been included in the financial statements, have been included.
Accuracy, valuation and allocation: Inventories have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments, for example, impairment losses have been recorded, and related disclosures have been appropriately measured and described.
Classification: Inventories have been recorded in the proper accounts.
12.4.2 Overall responses to the risk of material misstatement at the financial statement level
In terms of ISA 315 (revised), the auditor shall identify the risks of material misstatement at the overall
financial statement level and at the assertion level for transactions, account balances and disclosures.
Further, a significant risk is an identified and assessed risk that, in the auditor’s judgement, requires special
audit consideration. This does not mean that the auditor needs to be familiar with a whole new range of
audit procedures (have additional tools in his toolbox), but it does mean he will look closely at the nature,
timing and extent of the further audit procedures as well as the skills and experience of the audit team.
In the context of this cycle, significant risks may include:
• the risks of fraudulent practices as discussed in point 12.3.4 above
• the risk that inventory is not valued correctly, and
• the risk of the overstatement of inventory balance at year-end.
In terms of ISA 330, the auditor must implement overall responses to address the assessed risk of material
misstatement at the financial statement level.
For example:
• Assigning more experienced staff to the audit. This could be a response to the risk of manipulation of
the financial statements by overstatement of the inventory balance.
• Emphasising to the audit team the need to maintain professional scepticism, for example, to be alert to
the possibility that inventory may not exist as it is stored at various locations.
• Providing more supervision.
addition, the reasonableness of any write-downs of inventory must be evaluated. All of this will be
achieved by the application of substantive audit procedures on the year-end inventory account balances.
The performance of year-end procedures is usually broken down into two distinct phases, namely:
• attendance at the year-end inventory count (mainly existence, but some evidence of completeness and
valuation is gathered), and
• the subsequent audit of the carrying value (accuracy, valuation and allocation, rights to the inventory and
the presentation of inventory).
(a) Attendance at the inventory count is both a test of controls and a substantive procedure. The auditor
will be gathering evidence about the effectiveness of the control procedures put in place to establish the
quantity of inventory actually held (test of controls). At the same time, the auditor will be gathering
substantive evidence about:
• the existence of the quantity of inventory recorded, by testing from the records to the physical inventory
• the condition of inventory (valuation) by inspecting and looking for damaged/obsolete items, as well
as evidence of slow-moving inventory, and
• the completeness of inventory by testing from the physical inventory to the inventory records.
(b) The subsequent audit procedures (i.e., after the inventory count) will be substantive in nature.
(c) Another important procedure that is carried out at the inventory count will be the recording of the last
document numbers for all documents used, for example, goods received notes, issue notes, delivery
notes, etc., to facilitate “cut-off” testing. From an inventory perspective, it is important that the recorded
movement of inventory matches the physical movement of inventory up to reporting date.
(d) A list of goods received notes numbers that have not been matched to suppliers’ invoices at the year-
end should be obtained. This will be used later for testing the completeness of creditors.
• Test the numerical sequence of the inventory sheets both before and at the conclusion of the count
to ensure that all inventory sheets are accounted for.
• Confirm by enquiry of inventory counters and inspection of the inventory sheets that inventory that
should not be included in the client’s inventory has been excluded.
(c) At the conclusion of the count, the auditor should do the following:
• Inspect inventory sheets to confirm that:
– lines have been drawn through blank spaces (so that items cannot be added)
– alterations/corrections have been signed, and
– inventory sheets have been signed by the counters responsible.
• Create audit records in respect of the inventory count attendance by:
– taking copies of all inventory sheets (hardcopy or digital)
– recording observations as to the client’s count procedures
– recording results of all test counts performed by the audit team, and
– recording any damaged, obsolete or slow moving inventory.
• Record cut-off numbers for all documents used in the inventory and production cycle.
• Compile a list of goods received notes that have not been matched to supplier invoices.
The next stage in the year-end audit of inventory can commence at any time depending on the reporting
deadline for the audit. The important point is that the inventory count must have provided sound evidence
that the quantities and description of inventory that was on hand at reporting date are accurate. The client
will now be in a position to make any adjustment necessary to the perpetual inventory records and “price”
the inventory on hand.
12.5.4.1 Assertion: Rights – the company holds or controls the rights to the inventory
• Enquire of management as to whether any inventory is held on consignment for other parties.
• Obtain a listing of inventory of goods in transit at the financial year-end and inspect relevant
orders/contracts to determine whether ownership has passed to the client by scrutiny of the terms of
purchase, for example, FOB, CIF.
• Establish whether inventory is in any way encumbered (e.g., offered as security) by:
– discussion with management
– inspection of bank confirmations
– review of directors’ minutes, and
– review of correspondence/contracts with suppliers and credit providers.
• When performing the pricing procedures for the valuation assertion (see below), inspect invoices to
ensure that they are made out to the client (this will also have been done when testing purchase
transactions).
12.5.4.2 Assertion: Accuracy, valuation and allocation – inventory is included in the financial statements at appropriate amounts
To establish the value of inventory, the client will have to multiply the quantities confirmed at the
inventory count by the cost price of the item, using the correct cost formula. Once this is done the allowance for
inventory obsolescence must be established.
Arithmetic accuracy
• Compare the quantities of inventory items on the auditor’s copies of the inventory sheets to the client’s
priced inventory sheets (to confirm that the client has not altered the quantities).
• Test the arithmetical accuracy of the inventory sheets by re-performing all extensions (quantity × cost)
and casting the extension column (total inventory value).
• Review inventory sheets for any negative “inventory item values” (should not be any).
• Compare the total inventory value per the inventory sheets to the general ledger and trial balance.
• Confirm that costs that do not qualify as costs of conversion have not been included, for example:
– administration overheads
– selling expenses, and
– abnormal amounts of wasted material, labour or other production costs.
• Confirm that under and over recoveries of production overheads are correctly treated in terms of IAS 2
(through the statement of comprehensive income).
• Re-perform all casts and calculations.
Note: The same procedures will need to be adopted to value work-in-progress at reporting date. However,
there is the additional problem of establishing the stage of completion of the goods being produced. It is
possible that there will be numerous items still in production and at various stages in production. Consider
a motor assembly line that may have 500 vehicles on the production line at the “close of business” on
reporting date. For financial reporting purposes, the value of materials, labour and overheads expended on
those cars in their various stages of completion, for example, engine assembly, trim, paint shop, etc., at
reporting date will have to be calculated. It is the client’s responsibility to produce a schedule of
work-in-progress and the audit thereof will be performed using conventional tests of controls (to test the way in
which the client “puts the figure together”), and substantive tests.
In addition, complex work-in-progress may require that reliance be placed by the auditor on the work of
an expert or internal audit. This is covered in chapter 16.
12.5.4.3 Assertion: Completeness and existence (all inventory that should have been recorded, has been recorded, and inventory included in the statement of financial position actually exists, i.e. is not fictitious)
The primary evidence for these two assertions is gathered when attending the inventory count as described
earlier. Additional but superficial evidence will be provided by analytical review. “Cut-off” tests performed
when auditing the revenue and receipts cycle and the acquisitions and payments cycle will provide
evidence that all inventory that was purchased has been included and inventory that had been sold, has been
excluded.
A SCHEDULE OF INDIVIDUAL INVENTORY ITEMS EXTRACTED FROM THE INVENTORY MASTER FILE OF DO-IT (PTY) LTD AT 31 MAY 0003

2.5 quantity field is zero but date of last purchase is more recent than date of last sale | Completeness/valuation cost | G126
2.6 items with amounts in the value field but 0 in the quantity field, and | Valuation cost | Nil
2.7 date of last sale or last purchase is after year-end | Existence/completeness | T0301
3. Select samples:
3.1 pricing, and | Valuation cost | 1. Random; 2. High value; 3. High quantity; 4. Imported; 5. Old inventory
3.2 inventory count | Existence, valuation (cost and write down)
4. Re-perform
4.1 quantity × unit cost calculation and compare to value field for each item (report of differences), and | Valuation cost | T461
4.2 cast of value field for entire file
5. Analyse inventory master file by extracting listings of (5.1 to 5.4 provide evidence for determining write-downs (valuation)):
5.1 inventory items for which unit cost exceeds selling price | G093
5.2 inventory items for which date of last sale is, say, 9 months prior to year-end and date of last purchase is within two months of year-end | TO301
5.3 inventory items for which date of last sale and date of last purchase are, say, 9 months prior to year-end | G093, T461
5.4 inventory items where quantity on hand is, say, 5 times greater than “quantity sold to date” | T0491, G093
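The file-interrogation steps 2.5 to 2.7, 4 and 5 above can be run as exception tests over an extract of the inventory master file. The following Python sketch is an added example, not part of the original text: the field names, item codes, year-end date and sample records are constructed, and "9 months prior to year-end" is taken to mean nine months or more.

```python
import calendar
import csv
import io
from datetime import date
from decimal import Decimal

YEAR_END = date(2023, 5, 31)  # constructed year-end for the sample data

# Constructed master file extract; A010 has a blank date to show reject handling.
MASTER_FILE_CSV = """\
code,quantity,unit_cost,value,selling_price,last_sale,last_purchase,qty_sold_to_date
A001,10,5.00,50.00,8.00,2023-05-20,2023-04-10,40
A002,0,12.00,0.00,20.00,2023-01-15,2023-05-02,30
A003,0,7.50,75.00,10.00,2023-05-01,2023-03-01,12
A004,4,100.00,400.00,150.00,2023-06-03,2023-05-15,9
A005,20,3.10,63.00,5.00,2023-05-10,2023-04-01,100
A006,6,45.00,270.00,40.00,2023-04-20,2023-02-01,25
A007,15,9.00,135.00,14.00,2022-07-30,2023-04-25,0
A008,8,11.00,88.00,18.00,2022-06-01,2022-05-01,0
A009,600,2.00,1200.00,3.50,2023-05-25,2023-05-01,100
A010,3,4.00,12.00,6.00,,2023-05-01,5
"""


def months_before(d, n):
    """Date n calendar months before d, clamping the day to the month's end."""
    year, month0 = divmod(d.year * 12 + d.month - 1 - n, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def load_master_file(text):
    """Parse the extract. Unreadable records are returned, never dropped silently,
    so the population tested can be reconciled to the record count of the file."""
    items, rejects = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            items.append({
                "code": row["code"],
                "quantity": int(row["quantity"]),
                "unit_cost": Decimal(row["unit_cost"]),
                "value": Decimal(row["value"]),
                "selling_price": Decimal(row["selling_price"]),
                "last_sale": date.fromisoformat(row["last_sale"]),
                "last_purchase": date.fromisoformat(row["last_purchase"]),
                "qty_sold_to_date": int(row["qty_sold_to_date"]),
            })
        except (ValueError, ArithmeticError, KeyError, TypeError):
            rejects.append(row.get("code"))
    return items, rejects


def run_tests(items, year_end, stale_months=9, recent_months=2, overstock=5):
    """Return ({test reference: [item codes]}, cast of the value field)."""
    stale = months_before(year_end, stale_months)    # "9 months prior to year-end"
    recent = months_before(year_end, recent_months)  # "within two months of year-end"
    tests = {
        "2.5": lambda i: i["quantity"] == 0 and i["last_purchase"] > i["last_sale"],
        "2.6": lambda i: i["quantity"] == 0 and i["value"] != 0,
        "2.7": lambda i: max(i["last_sale"], i["last_purchase"]) > year_end,
        "4.1": lambda i: i["quantity"] * i["unit_cost"] != i["value"],
        "5.1": lambda i: i["unit_cost"] > i["selling_price"],
        "5.2": lambda i: i["last_sale"] <= stale and i["last_purchase"] >= recent,
        "5.3": lambda i: i["last_sale"] <= stale and i["last_purchase"] <= stale,
        "5.4": lambda i: i["quantity"] > overstock * i["qty_sold_to_date"],
    }
    exceptions = {ref: [i["code"] for i in items if hit(i)] for ref, hit in tests.items()}
    cast = sum((i["value"] for i in items), Decimal("0"))  # step 4.2
    return exceptions, cast


if __name__ == "__main__":
    items, rejects = load_master_file(MASTER_FILE_CSV)
    exceptions, cast = run_tests(items, YEAR_END)
    print("records tested:", len(items), "rejected:", rejects)
    for ref, codes in exceptions.items():
        print(ref, codes)
    print("cast of value field:", cast)
```

The cast is then compared to the general ledger and trial balance, and the number of records tested plus rejected is agreed to the record count of the file.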
Master data
• Determine who has access to the inventory masterfile/cost price.
• Have changes been made to the masterfile in application during the period under review?
• Have changes been authorised in the application?
• Perform a comparison test to compare inventory prices year on year and review significant
discrepancies.
Inventory ageing
• Stratify the age analysis through analytics.
• Review the inventory age analysis for inconsistencies and aged inventory.
Inventory impairment
• Perform analysis of inventory listing and determine inventory that should be classified as “obsolete” or
slow moving.
• Assess whether the application has been configured to perform inventory impairment.
• Determine whether the inventory impairment rules align with the policy.
• Determine who has access to the inventory impairment configuration in the application and whether
the access is limited to authorised personnel only.
• Scrutinize the write-off report to determine whether inventory was written off by authorised individuals
and whether there are inconsistencies with the write-offs.
• Have changes been made to the configured impairment rules in the application during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether impairment rules are working
Impaired inventory
• Determine what the inventory write-off process is. Is there a possibility that the inventory can be written
off and sold for own profit?
Journals
• Determine who has authorisation to process journals relating to inventory within the application.
Foreign inventory
• Foreign/imported inventory has been captured at the correct forex rate, at spot on the first day the
recognition should have occurred.
• Determine whether the application has been configured to receive daily currency exchange rates that
would have been applied to imported inventory.
• Who has access to change the currency rate configuration in the application?
• Have any changes been made to the configuration during the period under review?
• Perform a walkthrough of one inventory item to determine whether the forex calculation is accurate.
CHAPTER
14
Finance and investment cycle
CONTENTS
14.1 The accounting system and control activities
14.1.1 Introduction
14.1.2 Characteristics of the cycle
14.1.3 Compensating controls
14.2 Narrative description of the finance and investment cycle at ProRide (Pty) Ltd
14.2.1 Introduction
14.2.2 Planning
14.2.3 Authorisation and implementation
14.2.4 Review and approval
14.2.5 Other controls
14.2.6 Investment of surplus funds
14.2.7 Long-term loans
14.4 ISA 540 Auditing accounting estimates and related disclosures
14.4.1 Assessment of inherent risk
14.4.2 Responding to the assessed risk
14.6 Audit procedures – The investment cycle
14.6.1 Property, plant and equipment
14.6.2 Investments in shares
14.6.3 Long-term loans made by the company
14.6.4 Intangible assets
14.1.3.2 Authorisation
• Authorisation of material finance and investment transactions should be at the highest level. This could
be by way of resolutions of a fixed asset committee, a steering committee, an investment committee or
the board of directors.
• The resolutions should be minuted.
• The resolutions may be subject to authorisation requirements in
– the company’s MOI
– the company’s policies, and
– the Companies Act where applicable.
• Legal advice should be obtained to consider the implications for the entity before concluding any
material agreement.
• Signed agreements should be entered into and should include all relevant terms and conditions.
14.1.3.3 Implementation
Where the implementation of the transaction is other than straightforward, it should be carried out by
competent staff and properly controlled. For example, the installation of a new production line should be
regarded as a project and sound project controls must be implemented. If a public share issue is to be
undertaken, merchant bankers, lawyers and other experts should be involved.
Security
• All material tangible assets should be physically secured to avoid theft of assets and loss to the entity.
• A detailed fixed assets register should be kept and at least once a year a physical count should be
performed where the physical condition is assessed for any indication of impairment.
• The assets should be serviced regularly in order to maintain their functionality.
14.2 Narrative description of the finance and investment cycle at ProRide (Pty) Ltd
14.2.1 Introduction
As with many businesses of the size of ProRide (Pty) Ltd, not many “finance and investment” decisions are
made in a single year. However, this does not mean that controls are weak in the cycle – on the contrary.
Finance and investment decisions are subject to a full range of compensating controls and other controls.
14.2.2 Planning
14.2.2.1 Budgets
All transactions in this cycle are carefully planned. The annual budget forms the basis of planning. In
putting together their annual budgets, department heads (e.g. Reg Gaard, warehouse manager, Gary Powell,
IT manager) must indicate and motivate for any new capital expenditures they require. As part of their
motivation, they must obtain estimates (quotes) from various suppliers on price, and any service contract
costs, for example, should Reg Gaard require a new forklift, he must present quotes from three suppliers.
All capital expenditure is subjected to the same budgetary process regardless of the value, i.e. department
heads are not given permission to make acquisitions up to, say, R10 000 without committee consent.
14.2.2.3 Financing
All three members of the committee have financial qualifications and are quite capable of deciding on the
best method of financing the purchase. Where they require any particular expertise with an asset financing
decision, they will obtain assistance from their bankers and external auditors.
• Understating or omitting provisions/allowances, for example, not providing for long-term environmental
damage that the company has an obligation to rectify.
• Omitting or inadequately disclosing contingent liabilities, for example, the company makes no mention in
the notes of a pending lawsuit that may have grave consequences for the company.
Note that any manipulation of the statement of comprehensive income by the directors will also affect the
capital section of the statement of financial position.
The same broad approach would be adopted, but the extent of substantive testing would be
influenced by the outcome of the tests of controls, and samples of transactions relating to the account
heading would be extracted for audit.
In the planning stage, when conducting risk assessment procedures and planning further audit procedures,
the auditor will perform the following at an assertion level:
• Obtain an understanding of the entity and its environment as follows:
– the transactions or events that give rise to the estimate
– the requirements of IFRS in relation to the estimate
– the requirements of regulations related to the estimate, for example, in the financial services industry,
the actuarial valuation of a pension fund is required at least once every three years by the Pension
Funds Act of 1956, and
– the disclosures made in the financial statements regarding the estimate.
• Obtain an understanding of the IFRS requirements for the fair value measurement and disclosure of the
accounting estimate. Accounting estimates will be audited at the assertion level.
• Obtain an understanding of the entity’s internal control as follows:
– the nature and extent of supervision over management’s process for accounting estimates
– how management identifies and addresses risks related to accounting estimates, including the need to
use a management expert
– how risks related to accounting estimates are addressed by the entity, and
– how management reviews previous accounting estimates made.
Where information technology or systems are used, an understanding of the following is necessary:
– the financial statement items that relate to the information systems
– how management determines the methods, assumptions and sources of data used in the information
system
– identify if any change to the method, assumptions and sources of data is necessary
– how management understands and addresses estimation uncertainty for the estimate
– control activities covering the process to make an estimation by management.
• Perform analytical procedures and inquire with management about prior year accounting estimates as
compared to the related current actual amounts (or “outcome” as it is referred to in the Standard).
Where there are differences between the estimate and the outcome or actual amount, the guidance of
the financial reporting framework will determine whether there is a misstatement. For example, the difference
between what is paid to a pensioner, and the amount that was expected to be paid to a pensioner
(the estimate), is an actuarial gain or loss per IAS 19. Where the difference arises from information
that was reasonably obtainable as at the prior year reporting date, this could indicate a misstatement.
• Determine whether specialised skills or knowledge is required to perform these risk assessment procedures,
in which case an expert may be engaged.
[Diagram: the selection and application of methods, assumptions and data, influenced by inherent risk factors]
The auditor would need to address the selection of the valuation method, the assumptions implied in the
method and the selection of the data. The auditor would also be required to assess the application of methods,
assumptions and data used in the valuation. If management had used an expert in the valuation,
the auditor would need to comply with both ISA 540 and the requirements of ISA 500 in order to rely on a
management expert. The third alternative is for the auditor to estimate an amount or a range of amounts.
For this, the auditor could use a variety of acceptable methods.
For example:
The auditor could use recent selling prices of investment property in the immediate area around the
building to calculate a “selling price per square metre” (selling price of property divided by the number of
square metres of the property), then use this estimated selling price per square metre multiplied by the
square metres of the property being valued. The auditor has therefore calculated a point estimate. In estimating
a range, the auditor may take the lowest selling price per square metre of a recently sold investment
property in the area, and the highest selling price per square metre of a recently sold investment property in
the area, and use that as a reasonable range for estimating the investment property’s selling price per square
metre.
Diagrammatical summary of ISA 540
This diagram is based on guidance issued by the IAASB on the ISA 315 (Revised) Exposure Draft in 2018.
• Through the performance of risk assessment procedures, obtain an understanding of (para. 13–15):
– the entity and its environment
– the entity’s system of internal control
• Identify risks of material misstatement (ROMM) at the assertion level (para. 16)
• Assessing inherent risk by assessing likelihood and magnitude of inherent risk factors on spectrum (para. 16)
• Assessing control risk: if plan to test operating effectiveness (OE) – control risk less than maximum; if not
planning to test OE – control risk at maximum
• Stand back (para. 33–36)
Notes to the diagram:
The stand back requirement is an overall evaluation of risks identified and how they were assessed and
responded to (i.e. after all relevant evidence has been obtained). This evaluation could lead to the identification
of more risks (represented by the dotted arrow) or to additional responses to the risks already identified
(represented by the solid arrow).
Inherent risk and control risk must be assessed separately. Only inherent risks that are on the higher end of the
spectrum of inherent risk can lead to significant risks.
Based on ISA 315 (Revised)
14.5.2.2 Occurrence
• Inspect the MOI and any relevant shareholder resolutions:
– for any conditions with which the issue must comply,
– to establish that the company has the necessary authorised (but unissued) share capital to make the
issue (note, the board may resolve to issue shares at any time, but they must be authorised shares and
the MOI may include conditions).
• If any shares were issued to the directors (or a person related to the director or a nominee of such director),
inspect the minutes of meetings of shareholders for a special resolution approving the issue to the
director. Note that in certain circumstances this authority is not required, for example:
– where the director is exercising a pre-emptive right
– the issue is made in proportion to existing holdings on the same terms and conditions as has been
offered to all shareholders of the company or to all shareholders of the class of shares being issued.
• Confirm by inspection of the minutes of the meetings of shareholders, communications with the shareholders,
or inquiry of the directors that the requirements relating to any pre-emptive rights (to the new
shares) were satisfied.
14.5.2.3 Completeness
Confirm with the directors that no other share issues have taken place during the current year.
14.5.2.6 Presentation
• The auditor must inspect the financial statements to confirm that:
– share capital appears as a separate line item on the face of the statement of financial position
– the disclosure in the notes includes, for example, for each class of share:
o its description, number of shares authorised and issued
o the rights, preferences and restrictions attaching to that class of share
o details of authorised but unclassified shares, and
o movements in the share capital balance (statement of changes in equity)
• By inspection of the annual financial statements (AFS) and reference to the applicable financial reporting
standards and the audit documentation, confirm that:
– disclosures are consistent with the evidence gathered (amounts, facts, details)
– any disaggregation of the balance reflected in the statement of financial position is relevant and
accurate, for example, share capital may have been broken down in the notes into different classes of
shares, for example, A shares and B shares, and
– the wording of disclosures is clear and understandable, and all required disclosures have been included.
14.5.3 Debentures
The audit of debentures, which are regarded as loan capital, attracts a mix of procedures similar to the
audit of share issues and long-term liabilities. Again, we deal only with the issue of debentures in a private
company. If debentures are offered to the general public, they are almost like share issues and are controlled
by the relevant Companies Act sections, including the issuing of a prospectus.
Note: The directors do not need shareholder approval to issue debentures, except where the directors
intend to issue debentures convertible into shares, to themselves. If this is the case, section 41 of the Companies
Act will apply (basically special resolution from shareholders unless exceptions apply).
• Inspect the register of debenture holders to confirm that the addition of new debenture holders and
adjustments to the holdings of existing debenture holders have been made according to the authority
granted for the issue.
• Inspect the cash receipts journal, deposit slip/bank statements for evidence of the receipt of the correct
amount.
14.5.3.5 Completeness
Confirm by inquiry of the directors and scrutiny of the minutes that no other debenture issues have taken
place during the year.
14.5.3.7 Presentation
See Notes 1 and 2 on page 14/12.
the end of the loan term. Such a loan would have to be amortised at the effective interest rate to spread the
full cost of the loan over the term of the loan (very similar to a debenture redeemable at a premium).
14.5.5 Leases
Leasing is another very common form of “acquiring” an asset. The distinction between operating and
finance leases is eliminated for lessees (previous IAS 17 standard), and a new lease asset (representing the
right to use the leased item for the lease term) and lease liability (representing the obligation to pay rentals)
are recognised for all leases. A lessee should initially recognise a right-of-use asset and lease liability based
on the discounted payments required under the lease, taking into account the lease terms as determined
according to the new standard. The audit of a lease is therefore difficult and requires that both the asset
raised and the corresponding liability be audited. The assertions that pertain to assets and liabilities as well
as to transactions all apply, sometimes overlapping with each other.
Lease asset
The right-of-use asset is initially measured at the amount of the lease liability, adjusted for lease prepayments,
lease incentives received, the lessee’s initial direct costs (e.g. commissions) and an estimate of
restoration, removal and dismantling costs.
Lessees are permitted to make an accounting policy election, by class of underlying asset, to apply a method like
IAS 17’s operating lease accounting and not recognise lease assets and lease liabilities for leases with a lease term of
12 months or less (i.e., short-term leases). Lessees also are permitted to make an election, on a lease-by-lease basis, to
apply a method similar to current operating lease accounting to leases for which the underlying asset is of low value
(i.e., low-value assets).
The lessee shall recognise the lease payments associated with the “short term” and “low-value assets” leases as an
expense on either a straight-line basis over the lease term or another systematic basis. The lessee shall apply another
systematic basis if that basis is more representative of the pattern of the lessee’s benefit.
Subsequent measurement
Lease liability
• Lessees accumulate (accrete) the lease liability to reflect interest and reduce the liability to reflect
lease payments made.
• Lessees remeasure the lease liability upon a lease modification (i.e., a change in the scope of a lease, or the
consideration for a lease that was not part of the original terms and conditions of the lease) that is not
accounted for as a separate contract, which is generally recognised as an adjustment to the right-of-use asset.
• Lessees are also required to remeasure lease payments upon a change in any of the following, which
is generally recognised as an adjustment to the right-of-use asset:
– the lease term
– the assessment of whether the lessee is reasonably certain to exercise an option to purchase the
underlying asset
– the amounts expected to be payable under residual value guarantees, and
– future lease payments resulting from a change in an index or rate.
Lease asset
• The related right-of-use asset is depreciated in accordance with the depreciation requirements of
IAS 16 Property, Plant and Equipment.
– If the lease transfers ownership of the underlying asset to the lessee by the end of the lease term, or
if the cost of the right-of-use asset reflects that the lessee will exercise a purchase option, the lessee
depreciates the right-of-use asset from the commencement date to the end of the useful life of the
underlying asset. Otherwise, the lessee depreciates the right-of-use asset from the commencement
date to the earlier of the end of the useful life of the right-of-use asset or the end of the lease term.
• Lessees apply alternative subsequent measurement bases for the right-of-use asset under certain
circumstances in accordance with IAS 16 and IAS 40 Investment Property.
• Right-of-use assets are subject to impairment testing under IAS 36 Impairment of Assets.
Presentation
• Right-of-use assets are either presented separately from other assets on the balance sheet or disclosed
separately in the notes. Similarly, lease liabilities are either presented separately from other liabilities
on the balance sheet or disclosed separately in the notes.
• Depreciation expense and interest expense cannot be combined in the income statement.
• In the cash-flow statement, principal payments on the lease liability are presented within financing
activities; interest payments are presented based on an accounting policy election in accordance with
IAS 7 Statement of Cash Flows.
Lessor accounting is substantially unchanged from current accounting. Lessors will classify all leases
using the same classification principle as in IAS 17 and distinguish between operating and finance leases.
• Determine by enquiry of the directors whether the “significant part” method of depreciation is applicable
and if so, whether the allocation of costs of the components is appropriate (independent enquiry of
the supplier may be required).
• Enquire of the directors as to whether the depreciation method, for example, straight line, units produced,
is appropriate, and confirm by reference to the minutes that the method has been reviewed by
the directors (must be done annually).
• Re-perform the depreciation calculation.
• Enquire of the production director as to whether any impairment of the right-of-use asset is required.
(c) Lease payments
• Re-perform the implicit interest rate calculation.
• Re-perform the apportionment calculation of the lease payments and trace the posting of the amounts
apportioned to the liability account (and finance cost account).
• Re-perform the “current portion of the lease liability calculation” and trace the reclassification to the
general ledger/trial balance/financial statements.
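The three re-performance procedures under (c), as an added worked example that is not part of the original text: the interest rate implicit in the lease is solved by bisection, each payment is apportioned between finance cost and capital, and the current portion of the liability is derived from the schedule. The lease terms, the client's ledger figures and all function names are constructed for illustration, and payments are assumed to be equal, annual and in arrears.

```python
"""Re-performance of lease liability calculations (all figures constructed)."""

# Constructed lease terms: not taken from the text.
LIABILITY = 100_000.00  # initial lease liability (present value of payments), in rand
PAYMENT = 25_000.00     # annual lease payment, paid in arrears
PERIODS = 5             # number of annual payments

# Constructed client ledger: finance cost posted per year. Year 3 is deliberately wrong.
CLIENT_FINANCE_COST = [7_930.83, 6_577.10, 5_000.00, 3_539.05, 1_837.02]


def present_value(rate, payment, periods):
    """Present value of equal payments in arrears, discounted at `rate` per period."""
    if rate == 0:
        return payment * periods
    return payment * (1 - (1 + rate) ** -periods) / rate


def implicit_rate(liability, payment, periods, tol=1e-10):
    """Solve for the rate at which the payments discount back to the liability."""
    if payment * periods < liability:
        raise ValueError("total payments are below the liability: no non-negative rate")
    low, high = 0.0, 1.0
    # Widen the bracket until the upper rate discounts below the liability.
    while present_value(high, payment, periods) > liability:
        high *= 2
    while high - low > tol:
        mid = (low + high) / 2
        if present_value(mid, payment, periods) > liability:
            low = mid   # rate too low: present value still exceeds the liability
        else:
            high = mid
    return (low + high) / 2


def amortisation_schedule(liability, payment, periods, rate):
    """Apportion each payment between finance cost and capital repayment."""
    rows, balance = [], liability
    for period in range(1, periods + 1):
        interest = balance * rate
        capital = payment - interest
        closing = balance - capital
        rows.append({"period": period, "opening": balance, "interest": interest,
                     "capital": capital, "closing": closing})
        balance = closing
    return rows


def current_portion(schedule, periods_elapsed, periods_per_year=1):
    """Capital repayable within 12 months after the reporting date."""
    upcoming = schedule[periods_elapsed:periods_elapsed + periods_per_year]
    return sum(row["capital"] for row in upcoming)


def compare_to_client(schedule, client_finance_cost, tolerance=1.00):
    """List periods where the client's posted finance cost differs from re-performance."""
    exceptions = []
    for row, posted in zip(schedule, client_finance_cost):
        difference = posted - row["interest"]
        if abs(difference) > tolerance:
            exceptions.append({"period": row["period"], "posted": posted,
                               "reperformed": round(row["interest"], 2),
                               "difference": round(difference, 2)})
    return exceptions


if __name__ == "__main__":
    rate = implicit_rate(LIABILITY, PAYMENT, PERIODS)
    schedule = amortisation_schedule(LIABILITY, PAYMENT, PERIODS, rate)
    print(f"Implicit rate: {rate:.4%}")
    for row in schedule:
        print(f"Year {row['period']}: finance cost {row['interest']:>10.2f}  "
              f"capital {row['capital']:>10.2f}  closing {row['closing']:>10.2f}")
    print(f"Current portion at end of year 1: {current_portion(schedule, 1):.2f}")
    for item in compare_to_client(schedule, CLIENT_FINANCE_COST):
        print("Follow up:", item)
```

A closing balance that does not run to nil at the end of the lease term indicates that the rate or the apportionment is wrong.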
(d) General
• Cast the lease liability account.
• By scrutiny of dates on documentation confirm that the leases, repayments, etc., relate to the accounting
period under audit.
(d) Commitments
Companies are also required to make disclosures pertaining to “commitments”. To identify any commitments
that should be disclosed, the auditor will perform very similar procedures to those conducted for
provisions and contingent liabilities, for example, enquiry of the directors and scrutiny of the minutes of
directors’ meetings may reveal commitments for capital expenditure, contracted and approved, that must
be disclosed. The assertions applicable to presentation and disclosure will apply to commitments.
Contingent liabilities are not recognised in the statement of financial position but are disclosed in the
notes. The applicable assertions relating to this disclosure are:
completeness – all contingent liabilities have been included in the notes
obligation – the contingent liabilities disclosed pertain to the entity
occurrence – the event giving rise to the contingent liability has actually occurred (it is not fictitious)
presentation – the disclosures pertaining to the contingent liabilities are appropriately described,
understandable and clearly expressed in the context of the applicable financial reporting framework, for
example, IFRS, and
accuracy valuation – information provided in the disclosure is fair and accurate and values included are
appropriate.
14.5.6.4 Existence/classification
Under normal circumstances a company will not wish to include provisions and contingent liabilities that
are fictitious. However, there is the possibility that provisions that do not meet the definition criteria are
included in the account heading, or that the directors wish to manipulate the financial statements by the
inclusion of fictitious provisions or contingent liabilities. Procedures to test the existence of provisions and
contingent liabilities are as follows:
• Evaluate the company’s procedures for identifying provisions and contingent liabilities.
• Inspect the supporting documentation that management provides for each provision recognised, and
– evaluate whether there is a legal or constructive present obligation arising out of a past event that
actually occurred
– evaluate the probability that an outflow of resources will be required to settle the obligation, and
– evaluate the basis on which the amount of the obligation was determined to decide whether a reliable
estimate could be made
• Inspect the documentation that management supplies in support of contingent liabilities disclosed and
evaluate whether there is a possible obligation whose existence will only be confirmed by the occurrence
or non-occurrence of an uncertain future event.
• Consider the process used to authorise the recognition/disclosure of provisions and contingent liabilities
(authority minuted by the Board may reduce the risk of invalid provisions).
• Discuss any uncertainties or concerns arising out of the above evaluations with the directors.
• If necessary, seek legal counsel or the advice of an expert (e.g. in industry-specific matters, such as
provisions for environmental damage).
14.5.6.5 Valuation
The value at which the provision is recognised is the “reliable estimate of the amount of the obligation”.
The auditor is thus auditing an estimate. ISA 540 – Auditing accounting estimates, including fair value
accounting estimates and related disclosures, provides guidance. The auditor should assess the risk of
material misstatement of the entity’s accounting estimates (in the normal manner) and design and perform
further audit procedures to obtain sufficient appropriate evidence as to whether the accounting estimates
are reasonable in the circumstances and, where necessary, appropriately disclosed.
The statement requires the following:
• The auditor must identify and assess the risk of material misstatement of accounting estimates.
• When performing risk assessment procedures (at the understanding the entity phase), the auditor should
obtain an understanding of:
– the requirements of the applicable accounting framework relevant to accounting estimates (e.g.
IFRS/IAS 37)
– how management identifies transactions, events and conditions that may give rise to the need for
accounting estimates, and
– how management makes the estimate, for example, use of a model, use of an expert, the assumptions
underlying the estimate and the effect of estimation uncertainty (this is defined as “the susceptibility
of an accounting estimate and related disclosures to an inherent lack of precision in its measurement”).
• The auditor must review the outcome of prior year accounting estimates (in effect this provides information
as to the effectiveness of the company’s estimate setting procedures).
The auditor should
• review and test the process used by management to develop the estimate including the approval/authorisation
procedure (internal controls over the procedure)
• evaluate the data on which the estimate is based for accuracy, completeness and relevance
• evaluate the reasonableness and consistency of any assumptions that have been used in developing the
estimate:
– reasonable in the light of actual prior performance, and
– consistent with the assumptions used for other similar estimates
• re-perform any calculations pertaining to the estimate
• compare the amount of the estimate to similar estimates, and
• compare the amount of the estimate made in prior periods with actual results for that period, i.e.,
estimates of warranty claims compared to actual warranty claims.
The auditor may also make his own estimate or obtain an independent estimate from an expert. In this case
any differences with the client’s estimate should be discussed with management and resolved if possible.
The value at which the contingent liability is disclosed would have to be evaluated by reference to the
supporting documentation and enquiry of management supplemented by evidence gained when conducting
the procedures above.
14.5.6.6 Obligation
As with the existence assertion, under normal circumstances it is unlikely that the company will include
provisions or contingent liabilities that are not obligations of the company itself. If the auditor considers
that there is a risk of this occurring, he would need to satisfy himself, by enquiry of the directors, experts or
legal counsel, and inspection of the supporting documentation, that the provisions recognised are obligations
of the company, and not of the directors, related parties or anyone else.
14.5.6.7 Completeness
As indicated earlier, this assertion probably represents the most significant risk for the auditor – the risk
that the company will understate/omit provisions either intentionally or unintentionally. Material intentional
understatement by the directors would amount to fraudulent financial reporting (as would material
overstatement, but this is generally a lesser risk) and may be very difficult to uncover. The following
procedures should be carried out:
• Evaluate the company’s processes and procedures for identifying the need for provisions.
• Compare the schedule of provisions for the current year to that of the prior year and follow up on any
that are not included on the current year’s list or that have reduced significantly.
• Compare the contingent liabilities currently disclosed to those disclosed at the prior year-end and follow
up on the status of contingent liabilities disclosed at the prior year-end.
• Enquire of the company’s legal advisers as to whether the company is involved in any disputes/defending
any legal action and request them to provide details of the probable or possible losses arising from
such actions and also of the legal costs involved.
• Inspect the minutes of directors and shareholders’ meetings for evidence of the need for provisions, for
example
– warranty claims
– guarantees
– environmental damage
– refund policies, and
– closure of a division of the company.
14.5.6.8 Presentation
• The auditor must inspect the financial statements to confirm that:
– provisions have been presented as a separate line item in the statement of financial position under
current liabilities or non-current liabilities as appropriate
– contingent liabilities have been disclosed (only) in the notes, and
– contingent assets have been disclosed (only) in the notes.
• By inspection of the AFS, and reference to the applicable financial reporting standard, IAS 37 and the
audit documentation, confirm that:
– the disclosures are consistent with the evidence gathered (amounts, facts, details)
– for each class of provision the following has been disclosed:
o amount and nature of the obligation
o expected timing of outflows and any uncertainties relating to amount or timing
o major assumptions concerning future events, for example, interest rates, and
o a reconciliation between the opening carrying amount and the closing carrying amount for each
provision.
– the disaggregation of the amount reflected for provisions in the statement of financial position for
disclosure in the notes is relevant and accurate
– for each contingent liability the following has been disclosed:
o description of its nature
o estimate of the financial effect
o uncertainties relating to the amount or timing of outflows
o possibility of any reimbursements
– for each contingent asset the following has been disclosed:
o description of its nature, and
o an estimate of its financial effect
• the wording (of all disclosures, provisions, contingent liabilities and gains) is understandable, and
• all disclosures have been made.
and accuracy valuation and allocation, and classification. In addition, the auditor must consider the presentation
of property, plant and equipment.
Remember that when the movement (additions and disposals) on the account is audited, you will be auditing
the assertions relating to transactions, primarily occurrence and accuracy, classification and cut-off.
Procedures for auditing the carrying value of the asset will include procedures relating to the depreciation
allowance and any impairment.
For example:
Most clients will present the auditor with schedules for the asset accounts and related accumulated
depreciation accounts, that reflect:
Cost:
Opening balance    Additions or provision/impairment    Disposals    Closing balance
R542 813           274 601                              113 816      703 598
The example contains only totals. Each column will be broken down into the individual assets making up
the total. For example: the “additions” column may be made up of the cost price of six new assets, and the
“disposal” column may be made up of the cost of three assets disposed of.
The schedules may also contain columns that deal with adjustments, for example, revaluations.
The auditor’s task is essentially to audit these schedules. Companies are also obliged to keep fixed asset
registers that are very useful to the auditor when gathering evidence about fixed assets.
14.6.1.4 Depreciation
IAS 16 requires that “each part of an item of property, plant and equipment with a cost that is significant in
relation to the total cost of the item shall be depreciated separately”. Expressed differently this means that the
directors should allocate the cost of the item to its significant parts and depreciate each part separately. This
should happen where:
• the cost of the part is significant in relation to the total cost of the item
• the part and the remainder of the unit have different useful lives, or
• different residual values.
For example:
Ultrasize Ltd, a large manufacturing company, uses a steel press it originally purchased as one piece of
machinery, but which consists of two components, namely a hydraulic power press and a steel pressing
platform. Both parts of the machine are in themselves very expensive, but the hydraulic power press has a
useful life of 10 years, while the pressing platform will last for 30 years. Total cost of the machine is
R10 million with the press as a separate unit costing R4 million and the platform R6 million. Instead of
depreciating the steel press as a single item, the two components are depreciated separately.
Note that if the points above apply, the “significant parts” policy must be applied. There are however
difficulties. For example, how is the residual value of each significant part established, particularly if there
is no market in which to sell the significant part? Should the company use a residual value of nil? Can the
useful life of the “significant part” and the remainder be separately determined?
From a practical point of view, this kind of problem is only likely to occur in large companies with huge
investments in PPE. However, this does have implications for the audit, as the auditors are required to
assess whether IAS 16 has been applied and that it has been applied correctly.
Where the item has been broken down into significant parts, each part will be recorded in the fixed asset
register separately.
IAS 16 states that the depreciable amount of an asset shall be allocated on a systematic basis, over its
useful life. IAS 16 provides the following definitions:
• depreciable amount is the cost/revalued amount, less the residual value
• residual value of an asset is the estimated amount that an entity would currently obtain from the disposal
of the asset, after deducting the estimated costs of disposal, if the asset were already of the age and in
the condition expected at the end of its useful life, and
• useful life:
– the period over which an asset is expected to be available for use by an entity, or
– the number of units expected to be obtained from the use of the asset, by the entity.
IAS 16 requires that the depreciation method used must reflect the pattern in which the asset’s future economic
benefits are expected to be consumed, for example, straight-line method, diminishing balance, unit
of production method.
IAS 16 states that the residual value and useful life shall be reviewed at least at each financial
year-end, and, if expectations differ, changes should be accounted for, as per IAS 8 – Accounting Policies,
Changes in estimates and Errors.
(b) Completeness
• Inspect repairs and maintenance and similar accounts for material items that may represent acquisitions
of plant and equipment, but that may have been erroneously charged as an expense.
• When physically verifying the assets for existence, select a sample of fixed assets and trace to the fixed
asset register agreeing description, asset number, etc.
• Review payments for fixed asset purchases and confirm that they are recorded as fixed assets in the
register.
• Review all lease agreements and enquire of senior personnel for evidence of any assets that have been
leased, but that have not been capitalised.
(c) Rights
• For assets owned at the beginning of the financial year (opening balance), determine whether there has
been any change in the rights to the asset, for example, sale and leaseback, by
– enquiry of management, and
– inspection of directors’ minutes.
• For additions, inspect purchase documentation and documents of title to confirm that they are in the
name of the client:
– for motor vehicles, inspect the registration document and licence renewal receipt to confirm that they are
in the name of the client
– for land, inspect the title deeds/deeds of transfer, mortgage bonds and sale agreements, and
– for other assets, inspect sales agreements and invoices.
• Where assets are still being paid for, confirm that the client is not behind with payments, (thus jeopardising
rights), by inspection of payment records and supplier statements and enquiry of the financial
manager (if appropriate the supplier can be contacted).
• Where leased assets have been capitalised, inspect the lease agreements.
• Inspect the lease agreements by enquiry of management and inspection of
– prior year working papers
– minutes
– loan agreements, and
– bank and other third-party confirmations.
• Obtain evidence of any encumbrances on fixed assets, for example, offered as security.
carrying value). The auditor will probably be largely dependent on the directors to identify and quantify the
impairment and there may well be a fair amount of subjectivity involved. The auditor should do at least the
following:
• Evaluate the process by which the company itself identifies and quantifies impairments.
• Inspect and evaluate any documentation that might support the directors on impairments with regard to:
– assumptions made
– methods or bases of quantification
– rates or percentages used.
• Discuss with management:
– any assets whose market value has declined significantly more than would be expected as a result of
the passage of time or normal use
– any significant changes that might have taken or might be about to take place that would adversely
affect the entity in the technological market, economic or legal environments in which the company
operates
– any evidence obtained on the obsolescence or physical damage to assets identified during the audit
– assets lying idle, plans to discontinue certain operations, etc.
– evidence from internal reports, for example, monthly management reports that suggest that economic
performance of an asset is worse than expected.
(i) Revaluations
A company can choose the cost model (i.e. the asset is carried at its cost, less any accumulated depreciation
and any accumulated impairment losses) or the revaluation model (i.e. any item of property, plant and
equipment whose fair value can be measured reliably shall be carried at a revalued amount, being its fair
value (the amount for which an asset could be exchanged between knowledgeable willing parties in an
arm's-length transaction) at the date of the revaluation, less any subsequent accumulated depreciation and
impairment losses). Although the audit procedures relating to the substantive testing of property, plant and
equipment will basically be the same, the choice of the revaluation model will have some implications for
the auditor.
Frequently, particularly with land and buildings, the revaluation is determined from market-based evidence
evaluated by an expert, for example, a property valuator. Where this is the case, the auditor will
follow the guidance given in ISA 620 – Using the work of an Auditor’s Expert, which is covered in chapter 16,
to assist in the audit of the revaluation.
For other classes of PPE there may be reliable external sources to which the auditor can refer to gather
evidence about fair value of the asset. For example, there are numerous sources that provide the fair value
of used motor vehicles and heavy equipment, such as front-end loaders, etc.
Where the revaluation has been carried out internally (e.g. by the directors), the auditor would have to
audit the supporting documentation to evaluate the reasonableness of the methods used, the assumptions
made and the interpretations by the directors of any available data. Of course the auditor would need to
verify data used whenever possible.
In addition to the above, the auditor would pay careful attention to the treatment of accumulated depreciation
at the date of revaluation and subsequent thereto. All calculations would be checked as would the
treatment in the financial statements of any increases or decreases in the carrying value. If the asset’s
carrying value increases, the increase would first be recognised in profit or loss (as a credit to income) to the
extent that it reverses a previous decrease that was recognised in profit or loss. Any increase that does not
reverse a previous decrease recognised in profit or loss is recognised in other comprehensive income (as a
credit to revaluation surplus). If the asset’s carrying value is decreased, this decrease must first be debited to
the revaluation surplus account (if any) before being expensed as a revaluation expense in profit or loss.
The auditor would also confirm that all items in the class of assets (not only particular ones) had been
revalued, and that details of the revaluations had been properly disclosed.
– depreciation, impairments and losses on disposals are reflected in the statement of comprehensive
income.
• By inspection of the AFS, and reference to the applicable reporting standard IAS 16 and audit documentation,
confirm that:
– the disclosures are consistent with the evidence gathered (amounts, facts, details).
• The disaggregation of the balance reflected in the statement of financial position into the different
classes of PPE, for example, land and buildings, plant and machinery, tools and equipment, is
relevant and accurate.
• The note reflects for each class of PPE:
– a reconciliation between the net carrying amount at the beginning and end of the period, including
additions, disposals, depreciation, impairment losses, etc.
• The note reflects restrictions on title, capital commitments and accounting policies adopted.
• The wording is understandable.
• All required disclosures have been made.
• Inspect whether the access to the fixed asset register configuration settings in the system is limited and
only authorised personnel have access.
• Perform a walkthrough of one of each asset class/category to determine whether the calculation is accurate.
(b) Componentisation
• Assess whether the system has been configured for componentisation rules for assets.
• Access to the componentisation rules configuration settings in the system is limited and only authorised
personnel have access.
• Have changes been made to the componentisation rules embedded in the system during the period under
review?
• Have changes been authorised in the application?
• Perform a walkthrough of one to determine whether the calculation is accurate.
Current-year movements
Occurrence
• Inspect minutes of directors and investment committee meetings for authority to purchase or sell investments.
• Inspect brokers’ notes for evidence of purchase and sale of listed investments, noting descriptions of
shares and that brokers’ notes are addressed to the client.
• Inspect contracts and correspondence in respect of purchase or sale of investments in non-listed companies
noting description of shares and that contracts are between client and investee and are duly
authorised.
14.6.2.3 Accuracy valuation – Closing balance (note in terms of IAS 32, shares in other companies
must be valued at “fair value”)
• For listed shares, confirm the market value at the financial year-end of the client by inspection of relevant
stock exchange publications.
• Re-perform the client’s calculation of number of shares × market price.
• Determine by inquiry of the financial director, scrutiny of minutes and/or inspection of the prior year
working papers whether the shares have been categorised as financial assets at fair value through profit
and loss, or financial assets at fair value through other comprehensive income.
• If the company has elected recognition through other comprehensive income, confirm that the directors
have taken and minuted the decision that the share investment is not held for trading.
• Where there have been gains or losses, confirm by inspection that they have been taken to profit or loss
(fair value through profit or loss) or to other comprehensive income (fair value through other comprehensive
income) according to the categorisation adopted by the company and that the treatment is consistent
with prior years. (Note: If the company chooses to adopt the other comprehensive income route,
it is an irrevocable decision.)
• For unlisted investments, discuss with the directors the possibility of obtaining an independent “fair
value”. Failing this, request that directors provide a “fair value” and assess the reasonableness of their
valuation by:
– inspection of and enquiry about their valuation method and assumptions
– re-performance of their calculations, and
– inspection of latest financial statements of the investee company
Note: If an independent fair value is provided, the evidence will be audited in terms of ISA 620 – Using
the work of an auditor’s expert (see chapter 16).
• Re-perform the casts on the investment schedule as well as the general ledger accounts and register of
investments.
14.6.2.4 Completeness
• Compare the current year-end schedule to the prior year-end schedule and for any decreases in holdings,
confirm that there is a disposal recorded under “movement for the year”.
• Obtain a representation from management in respect of the completeness of investments.
• Match any dividends received during the year to the list of investments.
• Obtain a summary of dealings in listed shares for the year from the company’s brokers.
14.6.2.5 Presentation
See Notes 1 and 2 on page 14/12 and 14.5.2.6 on 14/13
14.6.3.3 Repayments
Occurrence, accuracy, cut-off and classification
• Inspect cash receipt records/bank statements/deposit slips for evidence of repayments received.
• By inspection of the dates on the receipts, confirm that the repayment has been recorded in the correct
accounting period.
• Re-perform calculations of allocation of repayments into capital and interest portions.
• Re-perform posting to confirm correct allocation.
14.6.3.5 Completeness
• Review payment records, minutes and correspondence for any evidence of loans advanced that may
have been misclassified, particularly in respect of loans to directors.
• Send a written request to all directors asking them to confirm details of any loans they or any person/
company "related" to them may have received (even if repaid) during the year.
• Obtain a written management representation on the completeness of loans advanced.
14.6.3.6 Presentation
See Notes 1 and 2 on page 14/12 and 14.5.2.6 on 14/13.
• The company has the ability to reliably measure expenditure attributable to the intangible asset during its
development.
IAS 38 also provides guidance on the amortisation of the intangible asset. An intangible asset should be
amortised in a manner that reflects the asset’s economic benefits to the entity. If this is not readily determinable,
the straight-line method may be used. Both the amortisation period and the amortisation method
must be assessed at each reporting date and any changes must be accounted for as a change in accounting
estimate. Only intangible assets with finite lives are amortised. Intangible assets with indefinite useful lives
are not amortised; however, these assets must be reviewed annually for impairment and whether the assessment
that they have indefinite useful lives is appropriate.
Note: While IAS 38 does permit intangible assets to be carried under the revaluation model, they seldom
are. This is due mainly to the fact that one of the criteria for use of the model is “an active market” that will
often not exist. Further guidance on this can be found in IAS 38.
The following procedures provide guidelines for the audit of intangible assets. As there are many different
types of intangible assets, the procedures deal with principles.
14.6.4.3 Completeness
The risk of understatement is reasonably low so completeness tests may be limited to:
• enquiry of management about research and development projects underway
• review of minutes, correspondence and disbursement records to identify expenditure on intangibles, and
• obtaining written representation from the directors.
14.6.4.6 Presentation
See Notes 1 and 2 on page 14/12 as well as 14.5.2.6 on 14/13.
CHAPTER 15
Going concern and factual insolvency
15.1.1 Introduction
If a company is trading as a “going concern”, it means that the company can continue its operations for the
foreseeable future.
(a) Under normal circumstances, the company's directors will present the financial statements on the
“going concern basis”. This means that assets and liabilities are recorded on the assumption that the company
will continue its operations for the foreseeable future. Accordingly, assets and liabilities are recorded on the
basis that the entity will realise its assets and discharge its liabilities in the normal course of business.
(b) The responsibility for the preparation of the financial statements lies with the directors through
management. It follows that management should assess the entity’s ability to continue as a going
concern when preparing the annual financial statements and in terms of International Accounting
Standard IAS 1, management is actually required to make this assessment.
(c) Management’s assessment of the entity’s ability to continue as a going concern requires that judgement
must be made about the future of the company and the multitude of factors that can affect its
operations. In other words, judgement must be made about inherently uncertain future outcomes.
(d) The extent of management's assessment of “going concern” will vary considerably from entity to
entity. Many entities are historically sound and suffer no short-term threat to their continued
existence. Many others face uncertain futures and extensive assessment of their ability to continue as a
going concern may be necessary. This is not to assume that large companies are immune to
uncertainties concerning their futures. The financial crises (of 2007–2008), which devastated many
successful international companies, and the global COVID-19 pandemic in 2020, which has
contributed to the woes of many industries, are testimony to this. So, the message is clear: while it is
acceptable that judgements about the future are based on information available when the judgement is
made, directors cannot assume that because the company is “strong today” it will be “strong
tomorrow”. In reality, most large companies (and many other companies) will be very aware of
sustainability issues and there will be risk committees that will monitor “going concern” on an ongoing
basis.
15.1.2 The auditor’s interest in the going concern ability of the client
15.1.2.1 The going concern assumption
As stated above, the going concern assumption is fundamental to the preparation of the financial statements.
While the going concern itself is not stipulated as an assertion in ISA 315 (revised 2019), the
assumption of going concern in preparing the financial statements directly affects many assertions.
For example:
Jonas Ltd is being liquidated. The company's inventory is being sold at below cost to create a cash flow
(forced sale). The value of inventory presented on the going concern basis will thus differ from the value of
the same inventory presented on the liquidation basis.
The product that West Ltd manufactures and sells has become obsolete in the market place and as such,
West Ltd is no longer a going concern. Since it is no longer useful, the plant and equipment which manufactures
the product can no longer be valued on the going concern basis.
In both of the above examples, the valuation assertion is directly affected.
However, it must also be understood that the auditor does not have special powers which enable him to
predict the future. The same uncertainties which affect management’s ability to predict the future, affect the
auditor. The auditor carries out the procedures he considers necessary, adopting the appropriate level of
professional scepticism, to be in a position to form an opinion on the entity’s ability to continue as a going
concern. It should be noted that an unmodified audit report is not a guarantee provided by the auditor that
the company will continue as a going concern.
15.1.2.4 When does the auditor consider the appropriateness of “going concern”?
Throughout the audit, the auditor should remain alert to evidence, events or conditions which may cast
significant doubt on the entity’s ability to continue as a going concern. The audit is an ongoing evidence
gathering exercise and pieces of evidence relating to going concern will be obtained at all stages of the
audit:
• During planning (risk assessment procedures): In terms of ISA 570 (revised) – Going Concern, the auditor
must carry out risk assessment procedures specifically relating to the going concern ability of the entity.
This will be part of identifying and assessing the risk of material misstatement (ISA 315 (revised 2019)).
In particular, the auditor should consider any material uncertainties regarding events or conditions and
related business risks that may cast significant doubt upon the entity's ability to continue as a going
concern.
An important risk assessment procedure will be to determine whether management has performed a
preliminary assessment of the company’s “going concern” ability and:
– if so, to discuss the assessment with management including any plans to address any significant
doubts about the company’s going concern ability, and
– if not, to discuss with management whether conditions or events which cast doubt about the
company’s ability to continue as a going concern do exist.
• During the performance of further audit procedures: if the risk assessment procedures have raised concerns
about “going concern”, the auditor will carry out specific further audit procedures to respond to the
risk. In addition, when carrying out further audit procedures not specific to going concern, the auditor
should be alert to events or conditions that provide evidence (negative or positive) relating to going
concern. For example, when auditing accounts payable, the auditor might notice increasing complaints
from creditors about slow or erratic payment from the client. This suggests cash flow/liquidity
problems. It does not mean there is a going concern problem, it simply provides an additional piece of
evidence that may cause the auditor to reassess the risk relating to going concern.
• As part of the review of subsequent events: The auditor will identify and evaluate the effect, if any, which
subsequent events may have had on going concern. For example, if the client’s primary market
collapses during the post reporting period, it will certainly influence the auditor’s opinion on whether
the going concern basis is appropriate. The post-reporting period may also provide further evidence of
events or conditions affecting going concern, identified prior to year-end.
• At the evaluating and concluding stage: The auditor considers all the individual pieces of evidence
gathered relating to going concern, collectively.
with future events increases, the further management looks into the future. Management’s assessment will
play a central role in the audit plan for going concern.
Essentially the audit of going concern follows the established process (i.e. risk assessment procedures
followed by further audit procedures to respond to the assessed risk and other procedures which may be
required to comply with the ISAs).
• Other
– pending legal proceedings against the entity, which may, if successful, result in judgements that
cannot be met, for example, extensive damages awarded against the client
– changes in legislation or government policies, for example, withdrawal of tax concessions, banning
of client’s product
– negative perceptions about the company’s product in the marketplace (reputational damage)
– negative publicity due to social media which may cause lasting damage to an organisation’s reputation
(also refer to chapter 8), and
– failure to satisfy Black Economic Empowerment requirements leading to the loss of contracts.
• Mitigating factors
– plans made by management to counterbalance the effects of negative events or conditions, for
example, detailed, achievable cash flows reflecting a return to profitable trading, the planned sale of
redundant assets to create a cash flow, other methods of maintaining cash flows by alternative means
– potential support from a holding company or fellow subsidiary
– a record of managing going concern crises successfully, and
– the availability of alternative sources of supply.
• Extent: The extent of testing will vary directly with the “certainty” of the company’s ability to continue
as a going concern. Little detailed going concern audit work will be required for a sound, liquid and
solvent company, whereas a great deal of going concern audit work may be required where the company
is facing an uncertain future, and where there are material uncertainties. The extent of going
concern procedures will be directly influenced by the outcome of the risk assessment procedures. As a
general rule “the greater the risk, the greater the extent of testing” holds true.
It is also important to remember that even if the assessment of the risk of material misstatement is low,
some further audit procedures will need to be conducted. These may be very simple and quick but in
terms of the auditing standards, sufficient appropriate evidence must be gathered to support the “low
risk” assessment.
• Timing: The timing of testing will of necessity centre on the financial year end and the post reporting
date period. This is due to the fact that the auditor is interested in the most current, up-to-date
information about the company’s going concern ability.
Note: In terms of ISA 300 – Planning an audit of financial statements, the auditor must plan, in addition
to risk assessment procedures and further audit procedures, other procedures that are required to be
carried out so as to comply with the ISAs. Other procedures are not a response to the risk assessment;
they are a response to the requirement of compliance with the ISAs. In the case of “going
concern” an other procedure may be “communicating with those charged with governance” to
comply with ISA 260 (revised), or “obtaining written representations” pertaining to going concern
to comply with ISA 580.
Read the example below and see if you can identify events or conditions (financial, operational or other) that
may indicate a going concern risk. Read the scenario again and try to identify mitigating factors (which
reduce the risk):
Alpha (Pty) Ltd is experiencing cash flow difficulties. In order to alleviate the pressure, the managers of
Alpha (Pty) Ltd have changed its debtor repayment policy from 30 days to 15 days. Unfortunately, the
company’s customers did not take well to this change, and this, combined with a steep increase in
competitors that have entered the market, has caused sales to drop by nearly 15%. To make matters
worse, two of the company’s largest suppliers have indicated that they are no longer willing to provide
credit to Alpha (Pty) Ltd, as the company has fallen into arrears with its payments. As Alpha (Pty) Ltd
is struggling to obtain further finance from its bank, it is considering factoring its debtors’ book. The
cash generated from the factoring would mainly be applied to pay increases to employees to avoid
further strike action. Management is also hoping that this would stop the exodus of some of Alpha
(Pty) Ltd’s most skilled employees (who have left to join competitor companies, due to their
unhappiness with the company’s inability to pay market-related salaries). Besides generating cash from
debtor factoring, management has also put aggressive cost cutting plans into place, which should
significantly decrease overheads. The company is also closing down its loss-making KZN branch, and
the disposal of the related assets would also bring some financial relief.
15.1.6 The auditor’s report (assuming there are no other reporting issues)
Note: To be able to understand “reporting on going concern”, you will need to understand the statements
which deal with forming an opinion and reporting on financial statements. These are covered in chapter 18.
Essentially in assessing the implications of the company’s “going concern status” on the audit report, the
auditor must consider three situations.
Situation 1 The use of the going concern basis of accounting is appropriate.
Situation 2 The use of the going concern basis of accounting is not appropriate.
Situation 3 The use of the going concern basis of accounting is appropriate but a material uncertainty
exists.
Situation 1
This situation presents no complications and an unmodified audit report will be given.
Situation 2
This situation will give rise to an adverse opinion. It arises when the client has prepared the financial
statements on the going concern basis, but this basis is inappropriate in the auditor’s judgment. An adverse
opinion is a clear statement by the auditor that the financial statements do not “fairly present”. The auditor
is reporting that by using the going concern basis of accounting the financial statements are materially
misstated and the effect thereof is material and pervasive. If, based on the procedures carried out and all the
information obtained, including the effect of management's plans, the auditor's judgment is that the entity
will not be able to continue as a going concern, the auditor must express an adverse opinion, regardless of
whether or not the disclosure of the going concern problem has been made.
Situation 3
This situation is a little more complicated and requires the auditor to decide on whether the material uncertainty
has been adequately disclosed before he can decide on the appropriate report.
• If the disclosure is adequate the auditor will express an unmodified opinion (remember that the auditor
has decided that the going concern basis is appropriate) but will add a separate paragraph to the audit
report headed “Material Uncertainty Related to Going Concern”. This additional paragraph will:
– draw attention to the note in the financial statements which deals with the material uncertainty
– state that the events or conditions described in the note indicate that a material uncertainty exists that
may cast significant doubt on the company’s ability to continue as a going concern, and that
– the auditor’s opinion is not modified in respect of the matter.
The intention of including this additional paragraph is to bring an important matter (the material
uncertainty) to the attention of users of the financial statements.
• If the disclosure is not adequate the auditor is required to express either a qualified opinion (except for) or
an adverse opinion and in the basis for qualified (adverse) opinion paragraph of the auditor’s report,
state that a material uncertainty exists that may cast significant doubt on the company’s ability to
continue as a going concern and that the financial statements do not adequately disclose this matter.
This situation amounts to a disagreement with the directors resulting in material misstatement of the
financial statements, and only an “except for” or “adverse” opinion can be given (a disclaimer of
opinion will not be suitable).
A difficulty which the auditor may encounter when the inadequacy of the disclosure of the material
uncertainty is the problem is the decision as to whether the effect of the inadequate disclosure is (only)
material (an except for qualification) or is material and pervasive (adverse). Neither ISA 570 (revised) nor
ISA 705 (revised) is particularly forthcoming on how the auditor distinguishes between material and
material and pervasive in this situation, but the following “points” are relevant:
– the decision is a matter of professional judgement and will be the responsibility of a senior member of
the audit team
– the except for qualified opinion will be given where, in the auditor’s judgement, the effect of the
inadequate disclosure on the financial statements is not so material and pervasive as to require an
adverse opinion
– the adverse opinion will be given when the effect of the failure to disclose or adequately disclose the
going concern problem is so material and pervasive that the auditor concludes that an “except for”
qualification is not adequate to reflect the misleading and incomplete nature of the financial statements
– by definition, a material uncertainty gives rise to significant doubt about the company’s going concern
ability, and it would seem reasonable that the complete omission of disclosure of the material
uncertainty would warrant an adverse opinion. A significant piece of information has been omitted,
which means that fair presentation has not been achieved, and
– the extent of the disclosure may be relevant. If, say, 60% of the relevant facts about the going concern
problem have been disclosed, an “except for” qualification could be given, whereas if, say, only 20%
of the facts have been disclosed, an adverse opinion is given. The reasoning here is that 60% disclosure, while
inadequate, alerts the user to the problem, but 20% disclosure results in financial statements which
are incomplete and misleading, and therefore should not be relied upon because the seriousness of
the going concern problem has not been adequately conveyed to the user.
15.1.8.2 Unmodified opinion – Material Uncertainty Related to Going Concern section added
This report is given when:
• the going concern basis of presentation is appropriate, but
• a material uncertainty that may cast significant doubt about the company’s ability to continue as a going
concern exists, and
• the material uncertainty is properly (adequately) disclosed (see 15.1.6 Situation 3 above).
Note: The following examples deal only with the wording directly related to the going concern modification/
qualification. The standard wording required in the various reports refers to ISA 570
(revised) and ISA 705 (revised).
Appendix 2: Examples of the going concern related sections in the applicable audit reports
1. Example 1 – Unmodified opinion but a material uncertainty, which has been properly disclosed
1.1 Included in a section headed: Material Uncertainty related to Going concern.
We draw attention to note 10 in the financial statements, which indicates that the company incurred
a net loss of R7,3 million for the financial year ended 31 March 202x due primarily to the
collapse of the company’s major supplier and the difficulties the company continues to experience
in finding a suitable replacement supplier. As stated in note 10, this situation indicates that a
material uncertainty exists that may cast significant doubt on the company’s ability to continue as a
going concern.
2. Example 2 – Qualified opinion: material uncertainty inadequately disclosed, the effect of which is
considered to be material only
2.1 Included in the qualified opinion section
In our opinion, except for the incomplete disclosure of the information referred to in the basis for
qualified opinion section of our report, the accompanying financial statements present fairly in all
material respects, the financial position of the company as at 31 March 202x and its financial
performance and its cash flows for the year then ended in accordance with International Financial
Reporting Standards.
2.2 Included in the basis for qualified opinion section
As discussed in note 10, most of the company’s long-term financial obligations must be settled on
31 May 202x. The directors have been unable to renegotiate (extend) these loans or obtain replacement
financing. This situation indicates that a material uncertainty exists that may cast significant
doubt on the company’s ability to continue as a going concern. The financial statements do not
adequately disclose this matter.
3. Example 3 – Adverse opinion: No disclosure of material uncertainty, the effect of which is considered to
be material and pervasive
3.1 Included in the adverse opinion section
In our opinion, because of the omission of the information mentioned in the basis for adverse
opinion section of the report, the accompanying financial statements do not present fairly, the financial
position of the company at 31 March 202x and its financial performance and its cash flows for
the year then ended in accordance with International Financial Reporting Standards.
3.2 Basis for adverse opinion section
During the period between the financial year-end (31 March 202x) and the date of our report, the
company continued to make significant losses because the directors have been unable to replace the
company’s liquidated major supplier of components used in the manufacture of its products. The
directors are considering placing the company in liquidation. This situation indicates that a
material uncertainty exists that may cast significant doubt on the company’s ability to continue as a
going concern. This situation has not been disclosed in the financial statements.
4. Example 4 – Disclaimer of opinion: Disclosure of material uncertainties, including the directors’ plans to
address the going concern issues, but the auditor denied access to necessary information relating to the
material uncertainties and the directors’ plans.
4.1 Included in the disclaimer of opinion section
We do not express an opinion on the financial statements of the company at 31 March 202x.
Because of the significance of the matter described in the basis for the disclaimer of opinion section
of our report, we have not obtained sufficient, appropriate audit evidence to provide a basis for an
audit opinion on these financial statements.
4.2 Basis for disclaimer of opinion
As stated in note 15 of the financial statements, the company is facing material uncertainties that
may cast significant doubt on the company’s ability to continue as a going concern. The note also
indicates that the directors have plans to address these uncertainties. However, we were not
allowed access to any documentation relating to the material uncertainties themselves or to any
documentation or information supporting the directors’ plans to address these uncertainties. As a
result, we cannot form an opinion on whether the presentation of the financial statements on the
going concern basis is appropriate.
15.2.2 The irregularities which may arise when a factually insolvent company
continues to trade
15.2.2.1 Common law fraud
The crime of fraud includes unlawfully making, with intent to defraud, a misrepresentation that causes actual
prejudice to another. In the context of this topic, the directors of a factually insolvent company may be guilty
of fraud, if, for example, they enter into a contract with a supplier of goods knowing that the goods
supplied will not be paid for.
15.2.2.3 Summary
Where a company is factually insolvent, there is a greater risk that common law fraud, recklessness or
gross negligence could occur. If any of the above have occurred (or are occurring), an unlawful act will have
taken place. If the other requirements for a reportable irregularity are present (s 1 – definitions, Auditing
Profession Act 2005), a duty in terms of section 45 will have arisen. The auditor must report accordingly to
the IRBA.
15.2.5.2 Size
The auditor must be satisfied that the claim that is backranked (subordinated) is sufficient to create a
situation where an exception cannot be taken to a continuation of trading. Remember: Backranking intends
to give the company a realistic chance to recover – not simply to get the “accounting” right. The back-ranking
creditor (the amount back ranked) must be large enough for this concession to have some effect.
Note: We are dealing here with the insolvency of the party, which is subordinating (back ranking) its claim.
In effect by subordinating its claim, this party is “disposing” of its right to one of its assets and if no
value is received in return, the disposition may be set aside under the circumstances outlined above.
(This is a principle in insolvency law.)
15.2.5.7 Documentation
The original of the subordination agreement should be retained by the provider of the agreement and a true
copy by the client company. The auditor should also retain a copy in the audit documentation.
15.2.5.8 Disclosure
The entire matter should be fully disclosed by way of note and suitably described in the statement of
financial position. Usually this will mean that the back-ranked creditor will be shown as a separate long-term
liability (non-current liability) in the company whose creditor is back ranked, and as a separate “long-term”
debtor in the company which is back ranking its claim. As the subordination agreement relates to
going concern, failure to make proper disclosure of the situation will result in a qualified or adverse
opinion.
16
Reliance on other parties
CONTENTS
16.1 Introduction
16.3 ISA 610 (revised) – Using the work of internal auditors with reference to the King IV Report
16.3.1 Introduction
16.3.2 Definition of the Internal Audit Function – ISA 610
16.3.3 External auditor’s objectives
16.3.4 External auditor’s responsibility
16.3.5 Evaluating the internal audit function
16.3.6 Determining the nature and extent of work of the internal audit function that can be used
16.3.7 Using the work of the internal audit function
16.3.8 Determining whether, in which areas and to what extent, internal auditors can be used to provide direct assistance
16.3.9 Using internal auditors to provide direct assistance
16.3.10 Documentation
16.4 ISA 620 – Using the work of an auditor’s expert
16.4.1 Introduction
16.4.2 Definition of an auditor’s expert
16.4.3 Determining the need for an auditor’s expert
16.4.4 Determining the need to use an auditor’s expert when management has used a management’s expert in the preparation of the financial statements
16.4.5 Nature, timing and extent of audit procedures
16.4.6 Reference to the auditor’s expert in the auditor’s report
16.1 Introduction
There are many instances where an auditor appointed by a client to provide audit assurance will find it
effective and efficient to engage other parties to gather evidence on which he can rely when forming the
audit opinion. However, it is important to remember that the auditor has sole responsibility for the audit
opinion, and that responsibility is not reduced because another party was involved in obtaining evidence.
Therefore, the auditor needs to take certain precautions and perform specific procedures when relying on
the work of such a party. Common examples of parties on which an auditor may rely are:
• Internal auditors
Many companies, particularly large companies, have highly competent internal audit departments that
operate independently of management and carry out functions that can be of real assistance to the external
auditor. For example, modern internal audit is risk-based which requires that internal audit has a detailed
knowledge of the risks faced by the company. External audit is also risk-based, so although internal and
external audit do not have exactly the same objectives, there is plenty of common ground between the
two. It makes sense that if the external audit strategy can justifiably include some reliance on internal audit,
a more effective and efficient audit may result.
• An auditor’s expert
In some situations, an auditor may need the expertise of another individual to assist him in gathering
sufficient appropriate evidence pertaining to a particular assertion relating to the financial statements. For
example, the valuation of inventory in a chemical company, or the legal interpretation of a contract, may
be beyond the auditor's expertise and may require that the auditor rely on the expertise of a chemical engineer
or a lawyer.
Remember, the auditor does not escape responsibility for assessing the suitability of the evidence provided
by another party (other auditor, internal auditor or auditor’s expert); he/she must therefore assess both the
party and the evidence provided. In effect, the other party can be regarded as an extension of the audit team
and must possess the same professional attributes as the auditor. The evidence gathered by the other party
must be sufficient and appropriate.
This means that the work carried out by the other party, for example, an auditor’s expert, must be
performed or supervised by a person having adequate skills and competence and who meets the professional
requirements of independence, objectivity, confidentiality and professional behaviour. This also means that the
evidence gathered must be sufficient, relevant and reliable.
The three International Standards on Auditing relevant to reliance on other parties are dealt with below.
for the exemption in terms of paragraph 10), Molefe Inc is required to pass an audit opinion on the fair
presentation of the consolidated financial statements. Thus, Molefe Inc (the group engagement partner) has
to rely on the work of Lakota and Partners (the component auditor), which is the subsidiary company
auditor in this case.
Note that a component will not necessarily be a subsidiary company, as in the example above. It could
be any entity or business activity for which financial information is incorporated into the group financial
statements, for example, a joint venture, or separate division.
Despite concentrating on component auditors in a group situation, ISA 600 makes the point that the
statement “may be useful” when the auditor involves “other auditors” in the audit of financial statements
that are not group financial statements, for example, where an auditor involves another auditor to observe
an inventory count at a location which is convenient to the “other auditor” but not to the auditor himself.
The following summary will consider the principles of reliance on other auditors in the context of a
group engagement partner and a component auditor. However, you should recognise that these principles
apply equally to other situations where an auditor who has been assigned a responsibility, relies on the
work of another auditor to assist in meeting that responsibility.
The principle here is simple. If an auditor relies upon other auditors, he is entitled to assess the other
auditors and their performance to the extent he considers necessary, much in the same manner that the
auditor would assess his audit team. The other auditors are simply an extension of the audit team. The
auditor is not entitled to assume that the other auditor has the necessary technical ability and competence, or
fulfils the necessary professional requirements.
16.2.2 Responsibilities of the group engagement partner with regard to the component
auditor
16.2.2.1 Overall responsibility
The group engagement partner is responsible for the direction, supervision and performance of the group
audit engagement in compliance with the auditing standards and any legal/regulatory requirements. It is
the responsibility of the group engagement partner to obtain sufficient appropriate evidence on which to
base his opinion.
• any significant matters arising from the evaluation of the component auditor’s communication will be
discussed with the component auditor, and
• if the group engagement team concludes that the component auditor's work is insufficient, the team
must determine what further work must be done and who will do it.
16.3 ISA 610 (revised) – Using the work of internal auditors with reference
to the King IV Report
16.3.1 Introduction
The practice of internal auditing has been around for many years, but its scope, nature, form and importance
have evolved considerably. Before this evolution, internal audit departments were frequently understaffed,
ill-equipped and more of a “general assistance” department to be called upon for help when the
accounting department was short-staffed or very busy. However, modern-day internal audit is a different
story. In most large companies, internal audit is respected and effective. Internal auditors are well qualified
(many are chartered accountants with extensive external audit experience), well-supported resource-wise,
and regulated by their own professional body, the Institute of Internal Auditors.
It is perhaps true to say that the focus on improving corporate governance drove the evolution of the
internal audit. As part of a large company’s overall assurance model, internal audit, along with external
audit (and other external regulatory inputs), is ideally placed to make a significant contribution to sound
corporate governance. This idea has been recognised in the King IV Report on corporate governance, which
calls for company boards to ensure an effective internal audit function.
ISA 610 (revised 2013) – Using the work of internal auditors, deals with the external auditor’s
responsibilities when using the work of internal auditors, including using the work of internal auditors in
obtaining audit evidence, and using internal auditors to provide direct assistance under the direction, supervision
and review of the external auditor.
For example:
• Limbo Ltd has an effective internal audit department. The company has recently purchased a new
inventory system and the internal auditors have compiled a report on their findings regarding the
controls over the implementation of the new system. Arendse Inc (Limbo Ltd’s external auditors) is
considering placing reliance on the report compiled by the internal auditors of Limbo Ltd.
• Arendse Inc also contemplates using Limbo Ltd’s internal audit department to assist with assessing the
controls over inventory counts.
The first example above relates to the external auditor using the work of the internal auditors, while the
second is an example of the internal auditors providing the external auditor with direct assistance.
Note that the ISA does not require the external auditor to use internal audit in any way. The external
auditor will make this decision when establishing the overall audit strategy and audit plan, and it will be
based on whether it would be efficient and effective. Of course, the independence and competence of the
internal audit department would also be very important in making the decision, and ISA 610 requires that
the internal audit function be carefully evaluated.
• whether those charged with governance (not management) oversee employment decisions relating to
the internal auditors, for example, appointment, dismissal, remuneration, and
• whether the internal auditors are members of a professional body which requires its members to adhere
to the principle of objectivity.
16.3.6 Determining the nature and extent of work of the internal audit function
that can be used
There is no magic formula that tells the external auditor exactly which work of the internal audit function
can be relied upon and to what extent the work can be used. It is a matter of professional judgement which
will be influenced by the following “principles”:
• The external auditor must make all significant judgements in the audit engagement and therefore should
perform more work directly (i.e. performed by the audit team) rather than using the internal auditor's
work. Significant judgements include:
– assessing the risks of material misstatements
– evaluating the sufficiency of tests performed
– evaluating significant accounting estimates, and
– planning and performing relevant audit procedures.
Certainly the external auditor will consider information from, or work carried out by, the internal auditors
pertaining to risk assessment, but will not rely greatly on this as a primary source of evidence. The external
auditor must plan and perform an appropriate range of his/her own risk assessment procedures (one of
which may be to review any internal audit risk assessment reports):
• the higher the assessed risk of material misstatement at assertion level, the greater the extent of work
done directly by the external auditor
• the lower the objectivity and competence of the internal audit function, the greater the extent of work
done directly by the external auditor. Exactly the same principle will apply where a risk of material
misstatement is identified as a significant risk, and
• the external auditor must be satisfied that he has been sufficiently involved in the audit, particularly the
gathering of sufficient appropriate evidence, to fulfil his sole responsibility for expressing the audit
opinion.
Note: Examples of work of the internal audit function that the external auditor can use include:
• testing of the operating effectiveness of controls
• substantive procedures involving limited judgement
• observations of inventory counts
• physical verification of the existence of plant and equipment, and
• testing compliance with regulatory requirements.
– sufficient, appropriate audit evidence has been obtained to be able to draw reasonable conclusions
– conclusions reached are appropriate in the circumstances and any reports prepared are consistent
with the results of the work performed, and
– any exceptions or unusual matters disclosed by internal audit, are properly resolved.
• The nature, timing and extent of the audit procedures to be performed on the work of internal audit,
will depend on the external auditor's judgement as to the risk of material misstatement and materiality
of the area concerned, as well as the evaluation of internal audit. Such procedures may include
examining items already examined by the internal audit, examining other similar items, and observing
internal audit procedures.
• Evaluation of internal audit work would take place in a similar manner to the evaluation of the external
audit team's performance, for example, discussion with/enquiries of the personnel involved, review of
working papers or completion of questionnaires.
• The external auditor should record conclusions regarding the internal audit work that has been
evaluated and tested in a work paper to be kept in the audit file.
16.3.8 Determining whether, in which areas and to what extent, internal auditors
can be used to provide direct assistance
Perhaps the primary distinction between the work of the internal audit function and the internal audit
function providing direct assistance is the level of objectivity (independence) that the internal audit function
has. Of course, the competence of the internal auditors is important, but in the evaluation of the internal
audit function (see point 16.3.5 above), a little extra attention will be paid to the objectivity of the internal
auditor. The external auditor will consider carefully:
• the extent to which the internal audit function’s organisational status and relevant policies and procedures
support the objectivity of the internal auditors (see point 16.3.5)
• whether the internal auditor has any family or personal relationships with an individual working in, or
responsible for, any aspect of the entity to which the (audit) work relates, for example, the external
auditor would not obtain direct assistance from an internal auditor on work relating to accounts receivable
if the internal auditor’s spouse was the credit controller
• whether the internal auditor has any other association with the division or department to which the
(audit) work relates, and
• whether the internal auditor has any financial interest in the entity other than remuneration on terms
consistent with other employees at a similar level of seniority.
Note: The external auditor must be satisfied that the internal auditor can perform the proposed work without
allowing bias, conflict of interest or undue influence of others to override professional judgements.
It should be fairly obvious that the external auditor may not use internal audit to provide
direct assistance if there are significant threats to the internal auditor’s objectivity or if the internal
auditor lacks the required level of competence.
As indicated in point 16.3.6 above, there is no magic formula for the external auditor to decide on the
nature and extent of the work that can be assigned to internal auditors providing direct assistance. The
following “principles” will be applied by the external auditor in making the decision:
• the internal auditor must have the necessary competence to carry out the procedures properly and with
an appropriate level of objectivity
• the external auditor must not use internal auditors to provide direct assistance to perform procedures
that:
– involve making a significant judgement
– relate to situations where there is a high risk of material misstatement
– relate to work with which the internal auditors have been involved (i.e. internal auditors cannot audit
their own work), and
– relate to fraud risk (external auditors may make inquiries of internal auditors as a risk assessment
procedure, but would not use internal audit to provide direct assistance when following up on a fraud
risk)
• the extent of involvement (direct assistance) by internal auditors in the external audit, must not create
the perception that the external audit lacks independence, and
• where there is an audit committee, the external auditor should communicate to the committee the
nature and extent of the planned use of internal auditors to provide direct assistance. This is so that a
“mutual understanding” that the use is not excessive can be reached.
16.3.10 Documentation
If the external auditor uses the work of the internal audit function, the following must be included in the
audit documentation:
• the evaluation of whether the function’s organisational status and relevant policies and procedures
adequately support the objectivity of the internal auditors
• the evaluation of the level of competence of the function
• the evaluation of whether the function applies a systematic and disciplined approach including quality
control
• the nature and extent of the work used and the basis for that decision, and
• the audit procedures performed by the external auditor to evaluate the adequacy of the work used.
If the external auditor uses internal auditors to provide direct assistance, the following must be included in
the audit documentation:
• the evaluation of threats to the objectivity of the internal auditors and the level of competence of the
internal auditors used in the direct assistance
• the basis for the decision regarding the nature and extent of the work performed by the internal auditors
• who reviewed the work and the date and extent of that review
• the written agreements obtained from the client (CAE or audit committee) and the internal auditors
(confidentiality and threats to objectivity), and
• the working papers prepared by the internal auditors who provided direct assistance.
16.4.4 Determining the need to use an auditor’s expert when management has used
a management’s expert in the preparation of the financial statements
Where management has used a management’s expert, the auditor will need to determine whether he will
need to engage an auditor’s expert (to assist in obtaining sufficient appropriate evidence) or whether he can
rely on the work of the management’s expert. For example, BeeBop Ltd has a large portfolio of properties
and management have engaged a property valuer to value the properties for financial year end reporting
purposes. Bearing in mind that the valuer is not independent of the client, the external auditor will need to
decide whether he can use the work of management’s expert or engage his own expert to provide evidence
of the valuation of the client’s property portfolio. This decision will be based on such factors as:
• the nature, scope and objectives of the management’s expert’s work, and how these align with the
requirements of the external auditor
• the extent to which management was able to control or influence the work of the management’s expert
(independence)
• the management’s expert’s competence and capabilities
• whether the management’s expert is subject to technical performance standards or other professional or
industry requirements, and
• any controls within the entity over the management’s expert’s work.
Note: A management’s expert could be an employee of the client or be engaged by the client. Where the
management’s expert is an employee, the expert's objectivity will be an even more important issue
for the external auditor and a strong encouragement to engage his own expert.
• The respective roles and responsibilities of the auditor and the auditor’s expert
– relevant auditing and accounting standards and relevant regulatory or legal requirements which must
be complied with
– the auditor’s expert’s consent to the auditor’s intended use of the expert’s report, including any
reference to it or disclosure of the report
– the nature and extent of the auditor’s review/evaluation procedures
– whether the auditor will test source data
– the expert’s access to the client’s records and personnel
– procedures for communication between auditor and expert
– access to each party’s working papers
– ownership and control of work papers about the expert’s work
– the responsibility of the expert to perform the work with due skill and care
– agreement on the expert’s competence and capability to perform the work
– any agreement for the auditor to inform the expert of the auditor’s conclusions on the expert’s work,
and
– the need for the expert to observe all confidentiality requirements.
• Communication and reporting
– methods (written, oral) and frequency of communication (e.g. progress reports) and identification of
the individual on the engagement team to whom the expert will report
– deadline dates
– the expert’s responsibility to communicate promptly on:
◦ potential delays
◦ potential reservations/limitations on the expert’s findings
◦ any restrictions imposed by the client on the expert, and
◦ any circumstances that may create threats to the expert’s objectivity.
17
Sundry topics
CONTENTS
17.1 Initial audit engagements – Opening balances – ISA 510
17.1.1 Introduction
17.1.2 Auditor’s objective
17.1.3 Procedures to be adopted
17.1.4 Reporting considerations
17.6 Audit considerations relating to an entity using a service organisation – ISA 402
17.6.1 Introduction
17.6.2 Understanding of the audit client and its environment
17.6.3 Reports from the auditor (service auditor) of a service organisation on its internal controls (Type 1 or Type 2)
17.6.4 User auditor’s responsibility
17.2.3 Definitions
• Date of the financial statements – the date of the end of the latest period covered by the financial statements,
normally the financial year-end date, for example, 30 June 0001.
• Date of approval of the financial statements – the date those with the recognised authority (normally the
directors) assert that they have taken responsibility for the financial statements. (This is usually the date
on which the directors sign the financial statements.)
• Date of the auditor’s report – the date the auditor selects to date the audit report on the financial statements.
This date can only be when the auditor has obtained sufficient, appropriate evidence, including
evidence that a complete set of financial statements has been prepared. This date cannot be before the
directors have asserted that they have taken responsibility for the financial statements.
• Date that the financial statements are issued – the date the auditor’s report and audited financial statements
are made available to third parties.
• Subsequent events
– events occurring between the date of the financial statements and the date of the auditor’s report, and
– facts that become known to the auditor after the date of the auditor’s report.
Note (a): IAS 10 – Events after the Reporting Period, defines events after the reporting period as those
events, both favourable and unfavourable, that occur between the end of the reporting period
and the date when the financial statements are authorised for issue.
Note (b): ISA 560 – Subsequent Events, deals with the period between the date of the financial statements
and the date of the auditor’s report and splits the period after the date of the auditor’s report into
two. The two time periods are:
(i) after the date of the auditor’s report but before the date the financial statements are issued,
and
(ii) after the financial statements have been issued to users.
The reason for this is that the auditor may react differently to facts that become known to him after the date
of the auditor’s report, depending on whether the financial statements have been issued or not.
Tip: When considering subsequent events (as part of your studies or in practice), it may be useful to
draw a timeline, setting out all the applicable dates discussed above.
17.2.4.3 Dividends
If a company declares a dividend after the reporting period, the entity shall not recognise those dividends as
a liability at the date of the financial statements (end of the reporting period).
Dividends are usually approved at the AGM by the shareholders and therefore at the reporting date, the
dividend payment is not a “present obligation”.
For example:
Blizzards Ltd presented its financial statements on the going concern basis at 28 February 0001, because
management had a reasonable expectation that the company would be awarded a large contract for which
they had tendered. Appropriate disclosures were made. However, in the post-reporting-date period, the
company was officially informed that it had not been awarded the contract. As such, the company is no
longer a going concern at reporting date, although this fact was only confirmed after reporting date.
Even though the event in the scenario above relates to a matter that occurred after year-end, the users of
the financial statements may make decisions based on the financial statements (if left as is), as they would
be unaware that the company is no longer a going concern.
17.2.5 Events occurring between the date of the financial statements and the date
of the auditor’s report
17.2.5.1 Duty of the auditor
Essentially the auditor has to do two things. Firstly, subsequent events must be identified, and secondly, the
treatment thereof in the financial statements must be audited to determine whether the treatment complies
with IAS 10.
In terms of ISA 560, the auditor shall request management and, where appropriate, those charged with
governance, to provide a written representation that all events occurring after the date of the financial
statements which require adjustment or disclosure have been adjusted for or disclosed.
17.2.6 Facts that become known to the auditor after the date of the auditor’s report
but before the date the financial statements are issued
17.2.6.1 Duty of the auditor
There is no duty on the auditor to perform procedures to identify subsequent events after the date of the auditor’s
report, but if, during this period, the auditor becomes aware of a fact which, had it been known to the auditor
at the date of the auditor’s report, may have caused the auditor to amend the report, he should consider whether the fact will affect the financial statements
which have already been reported on, and if so whether the effect will (at least) be material. Essentially the
auditor must decide on whether the audit report needs amendment (i.e. modification in some form).
Note (a): ISA 720 (revised), which deals with the auditor’s responsibilities relating to other information,
contains guidance and requirements concerning other information obtained after the date of the
auditor’s report. This might include other information obtained after the date of the auditor’s
report, but before the date the financial statements are issued. The point being made is that such
other information, although it is defined as information other than the financial statements, may
have consequences for the auditor and the audit report.
If management does not amend the financial statements, the auditor should:
• redraft the report expressing a qualified or adverse opinion.
Note: This is only possible if the auditor has not yet released the (original) report to the client, i.e. the
auditor still has control over its distribution.
If the client has the original report and intends to release it with the incorrect financial statements, the
auditor must inform the client that:
• the financial statements, including the audit report, should not be released, and
• that if they are, the auditor will take steps to prevent reliance on the audit report.
17.2.7 Facts that become known to the auditor after the financial statements
have been issued
17.2.7.1 Duty of the auditor
• After the financial statements have been issued, the auditor has no obligation to carry out any audit
procedures regarding these financial statements.
• However, if the auditor becomes aware of a fact which, had it been known at the date of the auditor’s
report, may have caused the auditor to amend the auditor’s report, the auditor should discuss with
management whether the financial statements need amendment (adjustment/disclosure) and if they do,
inquire how management intends to address the matter.
Note (b): Note (a) above is relevant to this situation as well.
• the time elapsed since the audit report and subsequent management pronouncements. Audited financial
statements are “old news” very quickly and are unlikely to be used in decision making for very long
after issue
• the imminence of issue of the next year’s audited financial statements. The matter could be dealt with
satisfactorily in these financial statements
• the practicality of communication with users; if, for example, the financial statements have not been
issued to users, a revised audit report could be attached to them. If, however, the financial statements
have been widely distributed, it will be far more difficult and possibly would not be cost-effective to
reissue the financial statements, and
• any legal advice that the auditor may have sought.
Note: The above considerations will be assessed cumulatively.
[Diagram: Appendix – Responding to (original) financial statements which need amendment. Surviving outcome
labels: issue new report (date); include emphasis of matter (other matter).]
Chapter 17: Sundry topics 17/11
17.3.2.3 Fraud
By understanding the entity’s related party relationships and transactions, the auditor is in a better position
to evaluate the possibility of fraud occurring at a client arising from the presence of related parties. For
apparent reasons, fraud may be more easily committed through related parties.
17.3.3 Definitions
• Arm’s-length transaction – a transaction conducted on such terms and conditions as between a willing
buyer and a willing seller who are unrelated and are acting independently of each other and pursuing
their own best interests.
• Related party:
– a person or entity that has control or significant influence, directly or indirectly through one or more
intermediaries, over the reporting entity (i.e. the company whose financial statements are being
audited)
– another entity over which the reporting entity has control or significant influence, directly or
indirectly through one or more intermediaries, and
– another entity under common control with the reporting entity through common controlling
ownership, owners who are close family members or common key management.
In terms of ISA 550, control is the power to govern an entity's financial and operating policies, and
significant influence is the power to participate in the financial and operating policy decisions of an entity, but
without control over those policies. Examples of situations where control or significant influence may be
present:
• direct or indirect equity holdings or other financial interests in the entity which is being audited, for
example, company A holds 55% of the shares in company B (company being audited)
• the entity which is being audited holds equity or other financial interests in other entities, for example,
company P holds 40% of the shares in company Q and 60% of the shares in company R
• being part of those charged with governance or key management, for example, the CEO controls the
board (exerts significant influence)
• being a close family member of any person referred to in the point above, for example, the CEO’s wife
• having a significant business relationship with the person who is part of governance or key
management, for example, being a joint shareholder with the CEO in a private business venture.
It is submitted that the definition should not be taken too "technically"; from the audit perspective, the
questions that must be asked are whether the transactions with related parties are motivated by ordinary
business considerations, and correctly disclosed. Control and significant influence must be assessed
realistically, regardless of preset levels or percentages. Has party A significantly influenced or controlled party B
in respect of the transaction? It must be borne in mind that related party transactions are considered an
ordinary feature of business and the vast majority are properly motivated and disclosed. However, the
potential for misstatement is present and the auditor must address this risk.
• Related party transactions – A transfer of resources, services or obligations between related parties
regardless of whether a price is charged.
17.3.4 Requirements
• When performing risk assessment procedures and related activities in compliance with ISA 315 (revised)
and ISA 240 (Responsibilities to fraud), the auditor must obtain an understanding of the entity’s related
party relationships and transactions:
– inquire of management regarding the identity of the entity’s related parties
– establish and understand the relationship between the entity and the related party, for example, close
family relationship, equity, common business venture
– determine from management whether any transactions were entered into during the period under
audit with related parties and if so, the nature and purpose thereof
– understand and evaluate the controls, if any, that are in place at the entity to:
o identify, account for and disclose related party relationships and transactions
o authorise and approve such transactions, and
o authorise and approve significant transactions outside the normal course of business (these may be
related party transactions), and
– enquire of others within the company as to the existence of related parties and related party
transactions, for example, internal audit, in-house legal counsel, risks and ethics committee members, audit
committee.
• In the discussions which are held with the engagement team, the susceptibility of the entity’s financial
statements to material misstatement due to fraud or error arising from the related party relationships
and transactions should be specifically discussed, and the team should be provided with and share
relevant information relating to related parties/transactions on an ongoing basis.
During the engagement team discussions on related parties, the following matters should be considered:
– the nature and extent of the entity’s relationships and transactions with related parties
– the importance of maintaining professional scepticism throughout the audit regarding the potential
for material misstatement associated with related parties
– the circumstances or conditions of the entity that may indicate the existence of related party
relationships or transactions that management has not specifically identified or disclosed to the auditor (e.g.
a complex organisational structure) and how they may be fraudulently exploited
– the records or documents that may indicate the existence of related party transactions, for example,
register of directors’ interest in contracts, minutes of directors’ meetings, lease agreements
– how related party transactions could be “hidden” by management, for example, management
override of controls, and
– how transactions between the entity and related parties could be arranged to accommodate
manipulation of the financial statements or misappropriation of assets.
• During the audit, the audit team must remain alert for evidence of the existence of related party
relationships or transactions that have not been previously identified or disclosed to the auditor. In
particular, the audit team should:
– inspect bank and legal confirmations obtained for audit purposes
– inspect minutes of meetings of shareholders and those charged with governance
– inspect other relevant documents (see note 1 below), and
– be alert to significant transactions outside the normal course of the entity’s business and, in doing so,
establish the nature of the transaction and whether related parties could be involved (see note 2
below):
o consider the transaction's business rationale (logic) (arm’s-length, designed to conceal
misappropriation, etc.)
o consider whether the terms of the transaction are consistent with the explanation for the
(abnormal) transaction, and
o consider whether the transaction has been appropriately accounted for and disclosed.
Note 1: Other documents or records which the auditor may inspect:
• other third-party confirmations
• income tax returns
• information supplied by the entity to regulatory authorities, for example, the JSE
• declarations of conflict of interest from management or directors
• shareholders’ register
• life insurance policies (may be taken out on “key” personnel and may bring a related
party relationship to light)
• internal auditor’s reports, and
• records of the company’s investments.
Note 2: Transactions outside the normal course of business may include:
• complex equity transactions such as mergers, restructuring, etc.
• transactions with offshore entities operating in countries with weak corporate laws
• leasing of premises or rendering of management services where no charge is levied
• sales made with unusually generous terms, for example, large discounts, extended payment
periods, and
• sales with a commitment to repurchase (circular arrangements).
• The auditor must evaluate the accounting for and disclosure of identified related party relationships and
transactions (IAS 24).
• The auditor must obtain written representation from management, and those charged with governance
that:
– they have disclosed to the auditor the identity of the entity’s related parties and all the related party
relationships and transactions of which they are aware, and
– have appropriately accounted for and disclosed such relationships and transactions.
• The auditor must communicate with those charged with governance on any significant matters arising
during the audit in connection with the entity’s related parties.
• The auditor must include the names of the identified related parties and the nature of the related party
relationships in the audit documentation.
17.5.1.1 Introduction
In terms of ISA 500 – Audit evidence:
• Audit evidence is more reliable when it is obtained from independent sources outside the entity.
• Audit evidence obtained directly by the auditor is more reliable than audit evidence obtained indirectly
or by inference.
• Audit evidence is more reliable when it exists in documentary form, whether paper or electronic.
Thus external confirmations provide potentially “good” (reliable) evidence, provided that the requirements
set out below are satisfied.
17.5.1.2 Requirements
In terms of ISA 505, when carrying out external confirmation procedures, the auditor should
• maintain control over the process (not make use of the client to control the procedure)
• determine the information to be confirmed, for example, debtors balance at a particular date
• select the appropriate confirming party (e.g. must be an individual, competent and authorised to provide
the confirmation)
• design the confirmation request to effectively obtain the evidence which is the objective of the
confirmation request
• include specific instructions that the response details be sent directly to the auditor, and
• send (retain control over sending) the requests to the confirming party.
17.5.2.5 Contents of the client’s request to the attorneys to provide a representation letter
The matters included in the letter are as follows:
• identification of the name, and the end of the reporting period, of the company(ies) to which the
enquiry relates, for example, the holding company and its subsidiaries and the year-end date
• a list prepared by management which names each company that is a party to material litigation or claims
and describes the nature of such litigation and claims, the amount claimed and its status
• management’s estimate of the financial exposure (inclusive of costs) for each litigation and claim in
respect of which the company has engaged the attorney
• a request that the attorney advise whether the items are properly described and whether management’s
evaluations are reasonable
• a request for comment on those litigation matters and claims on which the attorney disagrees with
management
• a request for a list of any other litigation and claims dealt with by the attorney concerning the company
(completeness)
• an indication of the amount below which litigation and claims are not considered to be material for the
enquiry regarding litigation and claims. (These claims need not be considered when attorneys take the
opportunity of bringing further litigation and claims, of which they are aware, to the attention of the
auditor.)
• a request that the response address events as at, and after, the financial year-end of the company(ies) as
close as possible to the expected date of the audit report, and
• a request that the nature of, and reasons for, any limitation on the response, be communicated.
17.5.2.6 Example of a schedule sent to the attorney with the letter (see above) requesting
an “attorney’s representation letter”
Name of entity: Crackerjac (Pty) Ltd
Financial year-end: 28 February 0001
We confirm that we are acting for Crackerjac (Pty) Ltd concerning the claim mentioned above and that
management’s description and estimates of the amounts of the financial exposure (including costs and
disbursements) which might arise about those matters, are in our opinion, over-optimistic as detailed
above.
In addition to the above matters, we wish to bring to your attention the following litigation and claims
exceeding R100 000 of which we are aware, in relation to the company:
Case reference C/914
A customer of Crackerjac (Pty) Ltd is suing the company for R150 000. The claim arises from the
customer having suffered a severe laceration to his leg while using a garden tool manufactured by
Crackerjac (Pty) Ltd. We have advised the company to settle out of court for R50 000. We believe that
the plaintiff would accept this settlement. Legal costs amount to R10 000.
Attorneys: Doogood and Deefend Dated: 15 April 2022
17.5.3.2 Requirements
Theoretically, an external confirmation from a financial institution should be regarded as reliable evidence
because it is independent evidence from a reliable source. However, this will only be the case if the
following basic requirements are followed:
• The request for the confirmation certificate should be made by the auditor to the financial institution:
– the necessary authority must be given to the financial institution by the audit client to furnish the
information requested by the auditor
– the certificate must be sent directly to the auditor at the auditor’s address
– the request must be sent to the financial institution timeously, and
– it must be sent to the appropriate individual at the institution (most entities will have an individual at
the bank with whom they deal, or alternatively, the bank will have a designated person who deals
with issuing certificates of this nature).
• Obtaining the external confirmation certificate must be properly planned:
– the date by which the certificate is needed must be set
– the auditor must decide exactly what information he requires from the financial institution. This
may range from a simple confirmation of an account balance at year-end, to a request for extensive
confirmation of information relating to complex transactions such as those identified in the
introduction paragraph
– the information to be provided to the financial institution to respond appropriately must be gathered.
For example, suppose a confirmation of balance is required. In that case, the account number must be
included, or if the auditor is seeking confirmation about debt covenants pertaining to loans made by
the financial institution to the client, the request must include details which the auditor wants
confirmed. It is not a matter of the auditor requesting the financial institution to supply all the
information; the auditor supplies the information and the institution confirms if it is correct
– the validity of the authority given by the client to the financial institution must be confirmed, and
– the appropriate individual to whom the confirmation request must be sent must be identified.
• inspection of directors’ minutes for the year to determine whether, for example:
– new financial institution accounts were opened
– any financial institution accounts were closed
– the entity entered into agreements or covenants with the financial institutions
– any arrangements relating to securities, guarantees, derivations, etc., were undertaken, and
– changes were made to authorised account signatories.
• inspection of significant contracts for confirmation that any related financial matters were conducted
through financial institution accounts already listed, and
• obtaining management representation as to the completeness of financial institution accounts
information that management has supplied.
17.5.4.2 Objectives
The auditor’s objectives in obtaining written representations are, in terms of ISA 580:
• to obtain a written representation from management that it (management) has fulfilled its responsibility
for the preparation of the financial statements and the completeness of the information provided to the
auditor
• to support (corroborate) other audit evidence relevant to the financial statements or specific assertions in
the financial statements.
17.5.4.3 Requirements
The auditor should request written representations from individuals in management who have relevant
responsibilities and knowledge of the matters concerned:
• those responsible for the preparation of the financial statements, and
• the chief executive officer and chief financial officer.
In some instances, management may consult other parties to assist in making the written representation.
These will be individuals who have assisted in preparing the financial statements by providing specialist
knowledge, for example, in-house actuaries, legal counsel or staff engineers.
The auditor must request management to specifically provide written representation that:
• it (management) has fulfilled its responsibility for the preparation of the financial statements
• it has provided the auditor with all relevant information and access, and
• all transactions have been recorded and are reflected in the financial statements.
In addition to the representations above, the auditor may consider it necessary to obtain other written
representations about the financial statements. These may include representations about:
• whether the selection and application of accounting policies is appropriate
• whether there has been appropriate recognition, measurement, presentation and disclosure of the
following in terms of IFRS or IFRS for SMEs:
– plans or intentions that may affect the carrying value of assets and liabilities, for example, intentions
to discontinue certain operations
– liabilities, both actual and contingent, for example, pending lawsuits
– title to assets, liens, encumbrances and assets pledged as security, for example, agreements to buy
back assets previously sold, and
– aspects of laws, regulations and contractual agreements that may affect the financial statements, for
example, unintentional foreign exchange contraventions, loans made to a director or related person
in contravention of the Companies Act
– related party transactions
– subsequent events, and
– intended changes to capital, for example, capitalisation issues, rights issues.
ISA 580 does not restrict the auditor in obtaining written representations. Although these representations
do not feature particularly high on the hierarchy of evidence, they force management to commit themselves
in writing and hopefully focus their minds on what they represent. In addition to the above, various ISAs
require that the auditor obtain management representations about the topic of that ISA, for example,
ISA 240 (fraud).
If the auditor doubts the reliability of the written representations of management or the requested written
representations are not provided, the auditor should:
• discuss the matter with management
• re-evaluate the integrity and diligence of management (is this a deliberate attempt to mislead or hide
information?)
• consider whether this unreliability or refusal affects other audit evidence gained on the audit (both its
reliability and sufficiency)
• extend testing (evidence gathering) if necessary, and
• consider the effect on the audit opinion.
Management should be quite prepared to make the necessary representations, and the auditor should be
sceptical (or suspicious) if management makes unreliable, incomplete representations or refuses to do so at
all. However, management representations are corroborative in nature and do not stand on their own;
unreliable representations or an absence of representations will not automatically result in a qualification or
disclaimer of the audit opinion.
17.5.4.4 Conclusion
To be of value, management representations should be:
• written, not oral
• corroborated by other evidence
• reasonable and consistent concerning other evidence obtained
• given by members of the management team who are sufficiently well informed on the particular matter
about which representations are being made
• addressed to the auditor
• contain specific information
• appropriately dated (preferably the same as the auditor’s report), and
• appropriately signed, for example, senior executive officer.
(b) The reliability of the data on which the analytical procedures will be conducted
There is no point in performing analytical procedures on unreliable data – this gives unreliable results! The
auditor will consider:
• the source of the data, for example, external evidence is better than internal evidence
• comparability, for example, the auditor must compare “apples with apples” not “apples with oranges”;
ratios in a wholesale business will not be comparable with the same ratios in a retail business
• nature and relevance, for example, if a budget is being used for comparison, is the budget a well
prepared, thought out document or a “just going through the motions of putting a budget together” type
budget?, and
• controls over the preparation of the data, for example, poor control over validity, accuracy and
completeness, results in unreliable data.
18
The audit report
CONTENTS
18.1 Introduction
18.1.1 Background
18.1.2 The mechanics of reporting
18.1.3 Changes to the layout of the audit report
18.1.4 The audit objective and reporting
18.1.5 The auditing statements relating to reporting
18.1.6 Objectives
18.1.7 Form of opinion
18.2 Structure and content of the unmodified audit report – ISA 700 (revised) and SAAPS 3 (revised May 2019)
18.2.1 Structure
18.2.2 Content
18.4 Compiling a report where the opinion is modified – Structure and wording (form and content)
18.4.1 Introduction
18.4.2 Companies
18.4.3 Additional points relating to structure and wording (form and content)
18.5 Communicating key audit matters in the independent auditor’s report – ISA 701
18.5.1 Introduction
18.5.2 Key audit matters: Definition and description
18.5.3 Determining key audit matters
18.5.4 Diagram: Determination of key audit matters
18.5.5 Communicating key audit matters
18.5.6 Modified opinions, going concern issues and key audit matters
18.6 Emphasis of matter paragraphs and other matter paragraphs in the independent auditor’s report – ISA 706 (revised)
18.6.1 Introduction
18.6.2 Emphasis of matter paragraphs
18.6.3 Examples of where the use of an emphasis of matter may be necessary
18.6.4 Emphasis of matter paragraphs and key audit matters
18.6.5 Other matter paragraphs
18.7 The auditor’s responsibilities relating to other information – ISA 720 (revised) (effective for audits of financial statements for periods ending on or after 15 December 2016)
18.7.1 Introduction
18.7.2 The auditor’s responsibilities
18.7.3 Reading and considering the other information
18.7.4 The auditor’s response when a material inconsistency appears to exist or other information appears to be materially misstated
18.7.5 Other information and the audit report
18.1 Introduction
18.1.1 Background
In January 2015 the IAASB issued a set of revised reporting standards and a new standard (ISA 701 –
Communicating Key Audit Matters in the Independent Auditor’s Report), effective for audits of financial
statements for periods ending on or after 15 December 2016. The purpose of issuing this set of statements is
to increase the “value of auditor reporting” by making the auditor’s report more relevant to users. The primary
means of achieving this is the introduction of ISA 701, which requires that details of key audit matters (KAM) be
included in the audit reports of listed companies (see note below). Key audit matters, which are dealt with later
in this chapter, are defined as “those matters that, in the auditor’s professional judgement, were of most
significance in the audit of financial statements”. By including any key audit matters in the audit report, it
is anticipated that users will gain a better understanding of the “inner workings” of the audit, for example,
in relation to how areas of significant risk or significant judgement on the part of management and the
auditor were handled.
Note: In terms of ISA 700 (revised) the inclusion of key audit matters applies only to listed companies, but
there is nothing to prevent the auditor from including the paragraph for other entities.
• ISA 710 – Comparative information – corresponding figures and comparative financial statements
• ISA 720 (revised) – The auditor’s responsibilities relating to other information in documents containing
audited financial statements.
In addition to the above, SAAPS 3 (revised May 2019) provides illustrative auditor’s reports for listed and
private companies for different situations which may arise on audit, for example, adverse opinion reports,
disclaimers, etc. The ISAs provide the basic “rules” and framework for reporting internationally. The
recommended wording applicable to audit reports for South African companies is as illustrated in
SAAPS 3 (revised May 2019). SAAPS 3 (revised May 2019) has been updated as a result of the
amendments to the International Ethics Standards Board for Accountants (IESBA) Code of Ethics for
Professional Accountants (now the IESBA International Code of Ethics for Professional Accountants
(including International Independence Standards) (IESBA Code)) and the amendments to the IRBA Code
of Professional Conduct for Registered Auditors (now the IRBA Code of Professional Conduct for
Registered Auditors (revised November 2018) (IRBA Code)).
18.1.6 Objectives
In terms of ISA 700 (revised) the auditor’s objectives are to:
• form an opinion on the financial statements based on an evaluation of the conclusions drawn from the
audit evidence obtained and
• express clearly that opinion through a written report.
To be in a position to form the opinion, the auditor must conclude on whether he has obtained reasonable
assurance as to whether the financial statements as a whole are free from material misstatement (arising
from fraud or error). In drawing this conclusion the auditor must consider:
• whether sufficient appropriate audit evidence has been obtained
• whether uncorrected misstatements are material (individually or in aggregate)
• whether the financial statements are prepared, in all material respects, in terms of an applicable
reporting framework, for example, IFRS or IFRS for SMEs
• whether significant accounting policies selected and applied have been appropriately disclosed
• whether these accounting policies are consistent with the applicable financial reporting standards and
are appropriate
• whether the accounting estimates made by management are reasonable
• whether the information presented in the financial statements is relevant, reliable, comparable and
understandable including whether:
– the information that should have been included has been included and is appropriately classified,
aggregated or disaggregated, and characterised
– the overall presentation has not been undermined by included information that is not relevant or
which obscures a proper understanding of the matters disclosed
• whether there is adequate disclosure to enable the intended users to understand the effect of material
transactions and events on the information conveyed in the financial statements
• whether the terminology used in the financial statements is appropriate.
18.2 Structure and content of the unmodified audit report – ISA 700 (revised)
and SAAPS 3 (revised May 2019)
One of the consequences of the revised reporting standards, particularly ISA 701, is that some differences
in the basic structure and content of the audit report for a public company and a private company have
been introduced. Again, these differences do not affect the mechanics of reporting as described in
paragraph 2 of this chapter. The section headings and the wording of the audit report as described in this
chapter are taken from SAAPS 3 (revised May 2019) and will, in some minor instances, differ from the
wording in the ISAs. Remember that although the ISAs are international, they allow some variation within
different countries, so for reporting in South Africa, SAAPS 3 will be the authoritative guide.
In the description of the structure and content of the unmodified audit report given below, take note of the
comments on the differences between listed (public) and private company reports. The report is divided
into sections that deal with different aspects of the report.
18.2.1 Structure
• Title
• Addressee
Subtitle: Report on the audit of financial statements (see note (c) below)
• Opinion section
• Basis for Opinion section
• Key audit matters section (Note: Listed companies only)
• Other information section
• Responsibilities of the directors for the financial statements section
• Auditor’s responsibilities for the audit of the financial statements section
Subtitle: Report on other legal and regulatory requirements (see note (c) below).
• Signing off.
18.2.2 Content
Title: The report is headed Independent Auditor’s Report
Note (a): The report must be in “writing”, (i.e. hard copy or electronic). The auditor cannot just give a
verbal audit report at the AGM!
Note (b): The structure given above relates to unmodified audit reports. The report is modified in various
situations, for example where the audit opinion is qualified or an emphasis of matter is required,
and in such situations additional sections may be added as explained later in this chapter.
Note (c): Subtitles. The use of the two subtitles (see structure above) is only necessary when the auditor
has a duty to report on other legal and regulatory requirements in addition to reporting on the
financial statements. For example, when the auditor has reported a reportable irregularity to the
IRBA in terms of the Auditing Profession Act (s 44 of the APA), or when the auditor of a listed
company is fulfilling his duty to report on “auditor’s tenure” (the number of years the auditor’s
firm has been the auditor of the company) as required by the IRBA rules, the sub-titles must be
included.
Note (d): Including the word “independent” in the title adds to the credibility of the audit report by
emphasising that the auditor is reporting as an individual who is independent of the company
being reported on.
Addressee: To the shareholders of Jumpingjax Proprietary Limited
Note (e): • The audit report for a public company is addressed to the shareholders.
• An audit of a private company that is required to be audited because of its public interest
score or because its Memorandum of Incorporation requires it, will also be addressed to the
shareholders.
• When a Memorandum of Incorporation (MOI) for a company that is exempt from a
statutory audit requires the company to appoint an auditor, the auditor’s report is also
addressed to the shareholders or members, as appropriate. When an MOI for a company that
is exempt from a statutory audit does not require the company to appoint an auditor, and the
company chooses to be audited (by means of a shareholders’, members’ or directors’
resolution), the addressee will depend on whether the requirement for an audit was by way of
a shareholders’ or members’ resolution (in which case the auditor’s report would then be
addressed to the shareholders or members, as appropriate) or a directors’ resolution (in that
instance, the auditor’s report would be addressed to the directors).
• The audit report for a close corporation is addressed to the members. (In terms of the
Companies Act 71 of 2008, some CCs must be audited.)
Public sector perspective
In the public sector there is a wide range of potential users of the auditor’s report, including the
general public. However, it is not deemed appropriate to address the auditor’s report to the
general public at large. The auditor’s report is thus addressed to parliament or the provincial
legislature as the bodies that represent the general public.
The auditor’s report may also be addressed to shareholders, trustees or other identified users
in addition to parliament or the provincial legislature where there are persons or classes of
persons for whom it has been prepared (not the board of directors or the accounting authority
that is responsible for preparing the financial statements). If the Public Finance Management
Act 1 of 1999 (PFMA) as amended by the PFMA 29 of 1999, is not applicable to an entity and
the financial statements are not required to be tabled in parliament or the provincial legislature,
the auditor’s report should then be addressed to the appropriate level of oversight, usually the
responsible executive authority.
Opinion section
We have audited the financial statements of Jumpingjax Proprietary Limited set out on pages 10–45, which
comprise the statement of financial position as at 31 March 0001, and the statement of profit or loss and
other comprehensive income, statement of changes in equity and statement of cash flows for the year then
ended, and notes to the financial statements, including a summary of significant accounting policies.
In our opinion, the financial statements present fairly, in all material respects, the financial position of
Jumpingjax Proprietary Limited as at 31 March 0001 and its financial performance and cash flows for the
year then ended in accordance with International Financial Reporting Standards and the requirements of
the Companies Act of South Africa.
Note (f): The opinion paragraph must:
(i) have a heading “opinion”
(ii) state that the financial statements have been audited
(iii) identify the company whose financial statements have been audited
(iv) identify the title of each statement comprising the financial statements
(v) refer to the notes, including the summary of significant accounting policies, and
(vi) specify the date of, or period covered by, each financial statement making up the financial
statement as a whole, for example the statement of financial position at 31 March 0001,
statement of cash flows for the year then ended.
Note (g): In South Africa, the phrase present fairly, in all material respects has been adopted. ISA 700
(revised) allows the phrase “give a true and fair view”, but it is not used in South Africa.
Note (h): The opinion paragraph must also identify the reporting framework and any other regulatory
requirements in accordance with which the financial statements have been presented. In South
Africa this (usually) means IFRS or IFRS for SMEs and the Companies Act 2008, which also
contains certain reporting requirements. The annual financial statements of South African
companies comprise a complete set of financial statements identified in accordance with the
applicable financial reporting framework and the disclosure requirements of the Companies Act.
A directors’ report, however, is not identified as forming part of a complete set of financial
statements under the disclosure requirements of the applicable financial reporting framework.
Note (i): When the auditor gives a qualified or adverse opinion or disclaims an opinion, it will require
changes to the wording of the opinion paragraph. This is explained later in the chapter.
Furthermore, in South Africa an entity’s integrated report will be its annual report for purposes
of ISA 720 (revised), irrespective of the following:
• its title (e.g. “Integrated report”; “Integrated annual report” or “Annual report”), and
• whether the annual financial statements and the auditor’s report thereon are contained
therein.
ISA 720 (revised) does not expand on the meaning of “accompanies” in the definition of an
annual report. The Standard does not, for example, indicate that a document would “accompany”
the financial statements only if it is issued at the same time or in close proximity to the
issuance of the financial statements. The IRBA’s reading of the Standard is that a document
could meet the definition of an annual report even if there was a significant time delay between
the issue date of the financial statements and that of the entity’s annual report.
The application material to ISA 720 (revised) explains that an annual report is different in
nature, purpose and content from other reports, such as a report prepared to meet the information
needs of a specific stakeholder group or a report prepared to comply with a specific
regulatory reporting objective (even when such a report is required to be publicly available). It
lists, among others, separate regulatory reports and sustainability reports1 as examples of reports
that, when issued as standalone documents, are not typically part of the combination of documents
that comprise an annual report (subject to law, regulation or custom) and that, therefore,
are not other information within the scope of the Standard. The IRBA is thus of the view that
regulatory reports and sustainability reports that are issued as standalone documents, without,
for example, being described as forming part of the entity’s annual report, are not part of the
combination of documents that comprise an entity’s annual report.
Public sector perspective
The Directors’ Report,2 the Audit Committee’s Report,3 (when applicable) and the Company Secretary’s
Certificate4 (when applicable) form part of the annual financial statements prescribed by the Companies
Act. Where the entity is not a company, reference to these documents should be omitted.
In addition to King IV, the Listings Requirements and the Companies Act requirements that may be
applicable to certain public sector entities, the PFMA also includes requirements relating to these entities’
annual reports.
In the public sector, other information comprises financial and non-financial information, other than (i)
the financial statements; (ii) the auditor’s report thereon; and (iii) those objectives in the entity’s annual
report where its performance against predetermined objectives has been specifically audited and reported
on in the auditor’s report.
In terms of section 28(1)(c) of the Public Audit Act 25 of 2004 (PAA), the report of an auditor appointed
in terms of section 25(1)(b) of the PAA (i.e. section 4(3) registered auditors), must reflect such opinions and
statements as may be required by any legislation applicable to the auditee which is the subject of the audit,
but must reflect at least an opinion or conclusion on –
(c) the reported information relating to the performance of the auditee against predetermined objectives.
______________
1 The Global Reporting Initiative (GRI) defines a sustainability report as “a report published by a company or organisation
about the economic, environmental, and social impacts caused by its everyday activities”.
2 S 30(3)(b) of the Companies Act, 2008.
3 S 94(7)(f).
4 S 88(2)(e).
Note (o): Although ISA 700 (revised) stipulates that the heading of this paragraph should read
“Responsibilities of Management . . . ”, SAAPS 3 (revised May 2019) requires the heading to
read “Responsibilities of the Directors . . . ” This is perfectly permissible in terms of ISA 700
(revised) and is the preferred wording for South Africa.
Note (p): The inclusion of this paragraph is to emphasise (for users) that the directors are responsible for:
(i) preparing the financial statements (not the auditor)
(ii) implementing internal controls which underlie the financial statements
(iii) assessing the company’s going concern ability, and
(iv) using the going concern basis of accounting to prepare the financial statements (unless they
intend to liquidate, cease trading or have no option other than to do so).
Note (q): The Companies Act requires the annual financial statements to be approved by the board and
signed by an authorised director. As such, in the case of a South African company, the report
should state that the company’s directors are responsible for the preparation (and fair
presentation) of the financial statements.
In terms of the Close Corporations Act 68 of 1984, these requirements apply to the authorised
member(s) of a Close Corporation. As such, the reference to the directors’ responsibility
becomes a reference to the members’ responsibility.
ISA 700 (revised) also requires that this section of the auditor’s report should identify those
responsible for the oversight of the financial reporting process when they are different from those
who fulfil the responsibilities for the preparation of the financial statements. In such a case, this
section’s heading would also refer to “Those Charged with Governance” (TCWG). TCWG is
defined in ISA 260 (revised), Communication With Those Charged With Governance.
Since the company’s directors or the public entity’s accounting authority are responsible for
the oversight of the financial reporting process, as stated above, no reference to oversight
responsibilities is required in the auditor’s report of a South African company.
Public sector perspective
The auditor’s report in the public sector refers to the accounting authority’s responsibility, based
on the PFMA requirements, as follows:
• public entities – accounting authority, and
• public entities registered as a company – the board of directors, which constitutes the
accounting authority.
If the PFMA is not applicable to an entity, the name of the party responsible for the preparation
of the financial statements – in terms of the legislation that governs that entity – should be
inserted.
• Evaluate the appropriateness of accounting policies used and the reasonableness of accounting
estimates and related disclosures made by the directors.
• Conclude on the appropriateness of the directors’ use of the going concern basis of accounting and
based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions
that may cast significant doubt on the company’s ability to continue as a going concern. If we
conclude that a material uncertainty exists, we are required to draw attention in our auditor’s report to
the related disclosures in the financial statements, or, if such disclosures are inadequate, to modify our
opinion. Our conclusions are based on the audit evidence obtained up to the date of our auditor’s
report. However, future events or conditions may cause the company to cease to continue as a going
concern.
• Evaluate the overall presentation, structure and content of the financial statements, including the
disclosures, and whether the financial statements represent the underlying transactions and events in a
manner that achieves fair presentation.
We communicate with the directors regarding, among other matters, the planned scope and timing of the
audit and significant audit findings, including any significant deficiencies in internal control that we
identify during our audit.
Note (r): ISA 700 (revised) has expanded the auditor’s responsibility paragraph significantly. SAAPS 3
(revised May 2019) has responded to this with new and appropriate wording. The intention is
again to provide the user with a better understanding of what the audit is all about and what the
auditor’s responsibilities are as opposed to those of the directors. A number of general matters
are covered in this paragraph:
(i) the objectives of the auditor, i.e. obtain reasonable assurance and report
(ii) the meaning of reasonable assurance, i.e. a high level of assurance but not a guarantee
(iii) the meaning of material in the context of misstatements
(iv) professional judgement and professional scepticism, and
(v) the risk relating to fraud, as opposed to error.
These are followed by a broad description of what the auditor does:
(vi) identify, assess and respond to the risks of material misstatements
(vii) obtain sufficient appropriate evidence to provide a basis for our opinion
(viii) obtain an understanding of internal control but not for the purpose of expressing an opinion
on its effectiveness
(ix) evaluate the appropriateness of accounting policies and estimates
(x) conclude on the appropriateness of the use of the going concern basis of accounting
(xi) evaluate overall presentation, structure and content of the financial statements and whether
they fairly present the underlying transactions, and
(xii) communicate with the directors (see note (s)).
Note (s): For a private company audit report, the auditor’s responsibility section concludes with a sentence
which deals with communicating with the directors on the planned scope, timing and significant
audit findings including, if any, deficiencies in internal control. For a public company audit
report, the auditor’s responsibility section, in addition, explains that the auditor supplies the
directors with a statement that he has complied with “independence” requirements, and that he
will communicate with them on any relationships/matters that may affect his independence and
if applicable, any safeguards put in place to address any independence issues.
Note (t): Again for a listed (public) company only, the auditor states in the auditor’s responsibility section
(at the end) that from the matters communicated with the directors, those that were of most
significance to the audit were designated key audit matters and thus were described in the audit
report.
Note (u): In terms of ISA 700 (revised), the description section of the auditor’s responsibilities section
(essentially everything after and including Note (r)(iv) above) may be omitted from the audit
report and included in an appendix to the audit report. ISA 700 (revised) also permits that the
audit report may contain reference to a specific website on which the description of the auditor’s
responsibilities can be found. However, there is no regulation in South Africa which permits
this.
Signing off
In terms of the IRBA Code, section 150.6, if the audit report is presented on a firm’s letterhead, the
following signing off will be appropriate:
Tommy Tickitt
Thomas Tickitt: Partner or Director
Registered Auditor
1 May 0001
Note (v): If the report is not presented on a firm’s letterhead, the name and address of the registered
auditor’s firm must be added.
Note (w): The designation “director” is used when the auditor’s firm is incorporated. If the auditor is a
sole practitioner, neither “partner” nor “director” is required.
Note (x): The auditor’s report must be dated no earlier than the date on which the auditor has obtained
sufficient appropriate audit evidence on which to base the auditor’s opinion. By implication, this
means that the auditor has considered the effect of events and transactions on the financial
statements up to the date of signing. Before signing, the auditor must ensure that:
(i) a complete set of financial statements has been prepared, and
(ii) the directors have signed the financial statements (indicating that the board has taken
responsibility for them).
The first situation under (b) arises when the auditor is satisfied that there is material misstatement; and
the second arises when the auditor does not know whether or not there is material misstatement.
(c) When modifying the opinion, the auditor’s options are to (see 18.3.2 (d) below):
• express a qualified opinion (except for)
• express an adverse opinion (do not), or
• disclaim an opinion (unable to form an opinion).
18.3.2 Determining the nature of the matter giving rise to the modification
(a) The auditor concludes that, based on the audit evidence obtained, the financial statements as a
whole are not free from material misstatement
This situation arises when at the conclusion of the audit there is material uncorrected misstatement in the
financial statements. Note that ISA 450 – Evaluation of Misstatements Identified during the Audit, defines
a misstatement as a difference between the amount, classification, presentation or disclosure of a reported
financial statement item, and the amount, classification, presentation or disclosure that is required for the
item to be in accordance with the applicable financial reporting framework, for example IFRS.
Looked at another way, this situation arises when the auditor, based on the evidence gathered on the
audit, disagrees with one or more representations (assertions) made by the directors in the financial statement
being audited. Remember that the financial statements are the responsibility of the directors and that
the auditor’s responsibility is to determine whether the financial statements are fairly presented.
Material misstatement of the financial statements may arise in relation to:
(b) The auditor is unable to obtain sufficient appropriate evidence to conclude that the financial statements
as a whole are free from material misstatement. The auditor’s inability to obtain sufficient
appropriate audit evidence (often referred to as a limitation of scope) can arise from:
Circumstances beyond the control of the audit client
• For example, the client’s accounting records were destroyed by fire and were not adequately backed up.
• For example, ongoing physical danger; political unrest has prevented the auditor from visiting certain of
the audit client’s warehousing or manufacturing facilities to conduct audit procedures such as inventory
counts.
Circumstances relating to the nature or timing of the auditor’s work
• For example, the audit client is required to account for an associated company using the equity method,
but the auditor is not able to obtain sufficient appropriate evidence about the associated company’s
financial information to evaluate whether the equity method has been appropriately applied. (Remember
that the auditor does not have the right to demand evidence from the associated company.)
• For example, the timing of the auditor’s appointment is such that the auditor is unable to observe the
counting of physical inventories.
Limitations imposed on the auditor by the client’s management
• For example, management refuses to give the auditor access to the accounting records relating to
directors’ emoluments.
• For example, the board will not allow the auditor to review the minutes of directors’ meetings.
Bear in mind that the inability to carry out a specific procedure does not constitute a limitation of scope if
alternative audit procedures provide the necessary, sufficient, appropriate evidence. Also, remember that a
lack of ability, competence or resources on the part of the auditor cannot be regarded as a limitation of the
scope of the auditor.
18.3.3 Making a judgement about the pervasiveness of the effects or possible effects
of the matter on the financial statements
18.3.3.1 Material and, material and pervasive
The second matter which the auditor considers is the extent to which the financial statements are affected,
or may possibly be affected by the matter which may give rise to a modification of the auditor’s opinion,
i.e. will the effect be material or will it be material and pervasive? Bear in mind that if the modification arises
out of a difference (misstatement), the auditor can clearly state the difference and quantify its effect on the
financial statements. If the modification arises because the auditor could not obtain sufficient appropriate
evidence, he can only judge the possible effect of the matter on the financial statements. He will not have the
necessary evidence to quantify the effect.
As discussed in chapter 7, the auditor will have given considerable thought to materiality, both in planning
and performing the audit and in considering final materiality, so he has a good indication of what is
material both quantitatively and qualitatively. The auditor has to measure the full effect or possible effect of
the matter giving rise to the modification of the audit opinion on the financial statements. He needs to
measure the misstatement against what he considers would be material in the eyes of users. Remember that
ISA 320 suggests that a matter will be material if it could reasonably be expected to influence the economic
decisions of a user taken based on the financial statements.
Think of it like this. The auditor’s final materiality level is R100 000. This means that in the auditor’s
judgement, misstatement in the financial statements of say, R105 000 would have at least a material effect
on the decisions users make based on the financial statements. But what about misstatement of R250 000
or more? The effect of misstatement of this size relative to his materiality limit is likely to be material and
pervasive. Measuring the effect of a disagreement is far easier than measuring the effect of a limitation of
scope. In the case of a modification arising from a limitation of scope, the auditor will still need to judge
how extensively the limitation affects the financial statements, but he does not have actual amounts to
work with. For example, if the limitation relates only to evidence relating to long-term loans the auditor
might consider the possible effect to be material only, but if the scope limitation spreads to evidence
relating to long-term loans, creditors and capitalised leases and profit figures, the auditor is likely to
consider that the scope limitation “pervades” (spreads throughout) the financial statements as a whole. The
auditor still does not have exact amounts to work with and will have to rely on his professional judgement
to judge the pervasive effects.
ISA 705 (revised) defines “pervasive effects” as those that in the auditor’s judgement:
• are not confined to specific elements, accounts or items in the financial statements, or
• if they are so confined, represent a substantial proportion of the financial statements, or
• in relation to disclosures, are fundamental to a user’s understanding of the financial statements.
Some guidance was given in an earlier version of the reporting statement and although it is no longer
“current” it is still helpful. In terms of the former statement:
• a modification of the audit opinion arising from misstatement becomes material and pervasive when its
impact on the financial statements is so great that fair presentation as a whole has been undermined and an
“except for” qualification will not adequately convey the misleading or incomplete nature of the financial
statements
• a modification of the audit opinion arising from insufficient appropriate evidence (a scope limitation)
should be regarded as material and pervasive if the effect of the limitation has resulted in the auditor
being unable to obtain sufficient appropriate evidence to the extent that it is simply impossible to
express any opinion.
18.4 Compiling a report where the opinion is modified – Structure and wording
(form and content)
18.4.1 Introduction
The intention of Appendix 1 and Appendix 2 is to illustrate how the wording changes when different types
of audit reports are given. We have compared the wording used in qualified reports to an unmodified
report (Appendix 1) and the wording in adverse opinion reports and disclaimer of opinion reports to the
same unmodified report. In Appendix 2 we have included an audit report for a listed company to illustrate
the inclusion of additional information required in a listed company report compared to a private company
report.
• You will notice immediately that a large portion of the wording does not change from report to report,
but you should also notice that there are some subtle (not so obvious) changes.
• SAAPS 3 (revised May 2019) requires that the full description of the company be used in audit reports.
For the purposes of illustration we have used the abbreviations Ltd and (Pty) Ltd.
• We have chosen five companies, four private and one listed for the illustration. Use the information
below in conjunction with the appendices to gain an understanding of what is required.
18.4.2 Companies
• Riggs (Pty) Ltd’s audit report is used to illustrate an unmodified report. No problems were encountered
on the audit and there was no duty to report on other legal and regulatory requirements, for example
sections 44 and 45 of the Auditing Profession Act or audit tenure (IRBA Rules). Therefore it is not
necessary to include the subtitles (see page 18/5) in the report.
• Basix (Pty) Ltd’s audit report is used to illustrate a qualified opinion arising out of a material
misstatement (disagreement) which is considered by the auditor to be material but not material and
pervasive. The company has failed to capitalise a finance lease. Again there is no duty to report on
other legal and regulatory requirements, for example sections 44 and 45 of the Auditing Profession Act
or audit tenure (IRBA Rules).
• Millco (Pty) Ltd’s audit report is used to illustrate a qualified opinion arising out of an inability on the
part of the auditor to obtain sufficient appropriate evidence (scope limitation), the effect of which is
considered by the auditor to be material but not material and pervasive. In addition to selling its
products on credit, the company has opened a factory shop from which it sells its products for cash only.
As this is a new venture, the controls over cash sales are poor. The factory shop has been very successful
and turnover has increased. Cash sales are reflected at about 12% of total turnover. Again no other
reporting duties. In the illustrative report, take note of the inclusion of the word possible in the opinion
when comparing Millco (Pty) Ltd to Basix (Pty) Ltd.
• Markx Ltd’s audit report is used to illustrate an adverse opinion arising from a material misstatement
(disagreement), the effect of which is considered by the auditor to be material and pervasive. The
company is listed on the JSE. Due to competition in the market place for some of the company’s products
and damage to inventory caused by flooding, the net realisable value of some products has fallen below
cost. The directors have declined to recognise any impairment losses. Because the company is listed, the
report must include a Key Audit Matters section. In addition, because it is a public interest company
(by virtue of being a listed company), the auditor has an additional duty to report on audit tenure in
terms of the IRBA regulations.
Note (a): Although a qualified or an adverse opinion is by its nature, a Key Audit Matter, it is not treated
as such in the audit report. There is no point in duplicating a matter which has already been
communicated in the Basis for Qualified (Adverse) Opinion section. However, ISA 701 requires
that reference to the Basis for Qualified (Adverse) Opinion section be made in the Key Audit
Matter section as illustrated in Appendix 2.
Note (b): In terms of the Companies Act 2008, public companies are required to include, in addition to
the directors’ report, the audit committee’s report and the company secretary’s certificate in the
financial statements. These are deemed to be “other information” and reference to them must be
made in the other information section of the audit report. In addition the JSE Ltd listing
requirements require listed companies to provide supplementary reports, schedules etc. which
may be presented with the financial statements in the annual report but which do not form part
of the financial statements. These supplementary reports, schedules etc. must also be identified
in the Other Information section.
• Cheap (Pty) Ltd’s audit report is used to illustrate a disclaimer of opinion arising from the auditor’s
inability to obtain sufficient appropriate evidence (scope limitation), the effect of which is considered by
the auditor to be material and pervasive. Cheap (Pty) Ltd sells for cash only. During the year the
company experienced numerous breakdowns in the system of control over the recording of sales.
Again, there is no duty to report on other legal or regulatory requirements.
Note (c): When a disclaimer of opinion is given, some changes are made to the positioning of wording
and some wording is omitted:
(i) In the qualified and adverse reports the paragraph which refers to the ISAs, the auditor’s
responsibilities section, independence and sufficient appropriate evidence is located in the
Basis for Opinion section, but when a disclaimer is given, this paragraph is omitted from
the Basis for Opinion section but included in the auditor’s responsibilities section. In effect,
the auditor explains that he was unable to meet his responsibilities to conduct an audit in
terms of the ISA, but that he did meet his independence and ethical requirements.
(ii) In addition to (i) above, the detailed description of the auditor’s responsibilities, as
contained in the Qualified Opinion and Adverse Opinion reports, is omitted in the
Disclaimer of Opinion report. Only what is described in (i) above is included.
18.4.3 Additional points relating to structure and wording (form and content)
• Where the opinion is qualified “except for”, for more than one matter, an explanation will be included
for each matter in the Basis for Qualified Opinion section. If the nature of the matters giving rise to the
qualifications is different (i.e. one matter is based on misstatement and the other is based on a scope
limitation) the two explanations will need to be separately identified. This is because reference to each
explanation will have to be made in the Opinion section.
Example: Assume that the misstatement matter is explained in paragraph (a) and the scope limitation
matter is explained in paragraph (b). The opinion section will read
“In our opinion, because of the effects of the matter described in paragraph (a) of the Basis for Qualified Opinion
section and because of the possible effects of the matter described in paragraph (b) of the Basis for Qualified
Opinion section the financial statements present fairly in all material respects . . .”
• Theoretically, a situation could arise where the effect of misstatements is, in itself, material and
pervasive and the effect of a scope limitation is also material and pervasive. Obviously, it is not possible
to combine an adverse opinion and a disclaimer of opinion as mentioned earlier. What does the auditor
do? There is no clear answer, but the adverse opinion is the stronger modification, because it is an
actual opinion. The scope limitation could be raised in an “Other matter” section after the opinion
section, but with very clear and precise wording which makes it clear that an adverse opinion has been
given.
• Where an “Emphasis of matter” or “Other matter” paragraph is added, it must be placed below the
opinion section.
• The most desirable audit opinion is an unmodified opinion, as this sends a positive message to users. It
signifies that the financial information which they may use for decision making is fairly presented.
– Although misstatements, etc., will already have been discussed with management at the time they
were discovered, any proposed modifications should be discussed with the individuals responsible for
the financial statements in order to give them the opportunity to provide further information or to
amend the financial statements in a way which will enable the auditor to express an unmodified
opinion. In a listed company this process will be part of communicating with the audit committee.
– Where, after following these steps, the auditor still believes that a modification is necessary, careful
consideration should be given to whether the lesser modification, i.e. “except for” can be given
instead of an adverse opinion or a disclaimer. In other words, the material/material and pervasive
decision should be revisited.
– The above steps are taken with the intention of concluding a positive and constructive audit.
However, it must be emphasised that the auditor must not compromise his compliance with the reporting or
other standards in an attempt to arrive at an unmodified opinion.
Appendix 1 – Comparison of the wording used in an unmodified opinion report and in qualified
opinion reports

Section: Title
• Unmodified: Independent Auditor’s Report
• Qualified – material misstatement: Independent Auditor’s Report
• Qualified – scope limitation: Independent Auditor’s Report

Section: Addressee
• Unmodified: To the Shareholders of Riggs (Pty) Ltd
• Qualified – material misstatement: To the Shareholders of Basix (Pty) Ltd
• Qualified – scope limitation: To the Shareholders of Millco (Pty) Ltd

Section: Subtitle: Report on the audit of the financial statements
• Unmodified: Not applicable: No other reporting duties
• Qualified – material misstatement: Not applicable: No other reporting duties
• Qualified – scope limitation: Not applicable: No other reporting duties

Section: Opinion
• Unmodified:
1. Heading: Opinion
2. We have audited the financial statements of Riggs (Pty) Ltd . . .
3. In our opinion the financial statements present fairly, in all material respects, the financial
position of Riggs (Pty) Ltd . . .
• Qualified – material misstatement:
1. Heading: Qualified Opinion.
2. We have audited the financial statements of Basix (Pty) Ltd ...
3. In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion
section of our report, the financial statements present fairly, in all material respects, the financial
position of Basix (Pty) Ltd . . .
• Qualified – scope limitation:
1. Heading: Qualified Opinion.
2. We have audited the financial statements of Millco (Pty) Ltd ...
3. In our opinion, except for the possible effects of the matter described in the Basis for Qualified
Opinion section of our report, the financial statements present fairly in all material respects, the
financial position of Millco (Pty) Ltd ...

Section: Basis for opinion
• Unmodified:
1. Heading: Basis for Opinion
2. Explanation: none required.
3. Standard content
3.1 Audit conducted in accordance with International Standards on Auditing
3.2 Reference to the auditor’s responsibility section
3.4 Independence and ethical requirements.
3.5 Sufficient appropriate evidence to provide a basis for the opinion.
(see detailed wording on page 18/7)
• Qualified – material misstatement:
1. Heading: Basis for Qualified Opinion.
2. Explanation.
The company has excluded from property, plant and equipment and liabilities in the accompanying
statements of financial position, a lease obligation that should be capitalised in order to conform
with International Accounting Standard IFRS16 – Leases. If this obligation had been capitalised, the
right of use asset would be increased by Rxxxx, right of use liability by Rxxxx, the current portion of
long-term liabilities by Rxxx and retained earnings by Rxxx at 31 March 0001. Additionally net profit
would be increased by Rxxx for the year then ended.
3. Standard content
3.1 Audit conducted in accordance with International Standards on Auditing.
3.2 Reference to the auditor’s responsibility section.
3.3 Independence and ethical requirements.
3.4 Sufficient appropriate evidence to provide a basis for our qualified opinion.
• Qualified – scope limitation:
1. Heading: Basis for Qualified Opinion.
2. Explanation.
Included in turnover is an amount of Rxxx in respect of cash sales. The company did not have adequate
internal controls to record these sales. We were unable to obtain sufficient appropriate evidence to
satisfy ourselves as to the completeness of the cash sales recorded. As a consequence, we were unable
to determine whether or not any adjustments were required to the financial statements arising from
the omission of cash sales.
3. Standard content
3.1 Audit conducted in accordance with International Standards on Auditing.
3.2 Reference to the auditor’s responsibility section.
3.3 Independence and ethical requirements.
3.4 Sufficient appropriate evidence to provide a basis for our qualified opinion.

Section: Key audit matters
• Unmodified: This section is not included as it is not required for private company audit reports
• Qualified – material misstatement: This section is not included as it is not required for private
company audit reports
• Qualified – scope limitation: This section is not included as it is not required for private company
audit reports

Section: Other information
• Unmodified: Matters covered in this section:
1. Directors’ responsibility for other information.
2. Identification of other information (including Directors’ report).
3. Audit opinion does not cover other information.
4. Auditor’s responsibility to other information and whether there is anything to report arising from
this responsibility.
See detailed wording on page 18/8–18/9
• Qualified – material misstatement: No changes to the wording as used in the unmodified report.
• Qualified – scope limitation: No changes to the wording as used in the unmodified report.

Section: Responsibilities of the directors for the financial statements
• Unmodified: Matters covered in this section:
1. Preparing financial statements in accordance with IFRS (IFRS for SMEs).
2. Implementing internal controls necessary to prepare financial statements that are free of material
misstatement.
3. Assessing going concern.
4. Using the going concern basis to prepare FS.
See detailed wording on page 18/9
• Qualified – material misstatement: No changes to the wording as used in the unmodified report.
• Qualified – scope limitation: No changes to the wording as used in the unmodified report.

Section: Auditor’s responsibilities for the audit of the financial statements
• Unmodified: Matters covered in this section:
1. Auditor’s objectives.
2. Explanation of reasonable assurance.
3. Professional judgement and scepticism.
4. Identify, assess and respond to the risks of material misstatement.
5. Obtain an understanding of internal control but no opinion given on internal control.
6. Evaluate accounting policies and estimates.
7. Conclude on the appropriateness of going concern.
8. Evaluate overall presentation, structure and content of FS.
9. Communication with the directors.
See detailed wording on page 18/10
• Qualified – material misstatement: No changes to the wording as used in the unmodified report.
• Qualified – scope limitation: No changes to the wording as used in the unmodified report.

Section: Subtitle: Report on other legal and regulatory requirements
• Unmodified: This subtitle is not required as there are no other reporting duties.
• Qualified – material misstatement: This subtitle is not required as there are no other reporting
duties.
• Qualified – scope limitation: This subtitle is not required as there are no other reporting duties.

Section: Signing off
• Unmodified:
1. Terry Tickett.
2. Terence Tickett
Partner
Registered Auditor
1 May 0001
3. If the audit report is not presented on a firm’s letterhead, the name and address of the auditor’s
firm is included in signing off.
• Qualified – material misstatement: No changes.
• Qualified – scope limitation: No changes.
Appendix 2 – Comparison of the wording used in an unmodified audit report and in an adverse opinion
report and a disclaimer of opinion report
is inferred from ISA 701 that the key audit matters included in the audit report cannot simply be a
duplication of all the matters communicated with those charged with governance; the auditor must
select the most significant matters in the audit of the financial statements.
• only matters of most significance in the audit of the financial statements must be extracted from those
matters that required significant audit attention to be included as key audit matters in the audit report.
This decision is based on professional judgement.
Note 1: The “population” from which key audit matters will be selected will be all formal communications
with the audit committee which have taken place during the full course of the audit process.
Note 2: Matters which required significant auditor attention in performing the audit are generally regarded
as those matters which:
(i) posed challenges to the auditor in obtaining sufficient appropriate audit evidence, for
example related party transactions
(ii) posed challenges to the auditor in forming an opinion
(iii) relate to areas of complexity and significant management judgement (e.g. accounting for
complex transactions and determining impairment allowances), and
(iv) require extensive input from senior audit personnel or personnel with specialised skills such
as an auditor’s expert.
Note 3: ISA 701 requires that in determining those matters that required significant audit attention, the
auditor should consider the headings in the three boxes shown next to Note 3 in the diagram.
(i) ISA 315 (revised) defines a significant risk as one which requires special audit consideration
and may include risks associated with material misstatement related to, for example, fraud,
complex transactions, subjectivity in the measurement of financial information (e.g.
estimates) and related parties. The mere fact that significant risks require “special audit
consideration” may be an indication that the matter required significant audit attention. For
example, a successful response to an identified significant risk, say, assessing fair presentation
for a complex transaction, may be to allocate a senior member of the audit team to
address the risk. Whilst this response may amount to “special audit consideration”, it is
unlikely to be regarded as “significant audit attention” unless the senior member’s input was
time consuming, expensive and required specialised skills. The same logic would apply to
areas of higher assessed risk. Also remember that although in terms of ISA 260 (revised),
significant risks must be communicated with those charged with governance and therefore
satisfy the first requirement to be a key audit matter, they do not automatically “qualify” as a
key audit matter. The significant risk must have required significant audit attention and must
be a matter of “most audit significance”.
(ii) Again in terms of ISA 260 (revised), the auditor must communicate with those charged with
governance, the auditor’s view on significant qualitative aspects of the company’s accounting
practices. These frequently relate to critical accounting estimates and related disclosures and
are likely to be areas of significant auditor attention, particularly if the estimate has a high
level of estimation uncertainty. For example, if a motor manufacturer has a major recall of
vehicles it has sold due to a design fault in say, its braking system and has to estimate the
costs relating to this, a significant amount of judgement is likely to be applied by management
in arriving at this estimate. It is also likely that significant attention will have to be
applied to the audit of the estimate.
(iii) Events or transactions that occurred during the reporting period may significantly affect the
financial statements and may require significant audit attention to ensure that the event or
transaction has been appropriately presented and disclosed. This can be perfectly illustrated
by the Volkswagen scandal. In 2015, the German car manufacturer was identified as having
manipulated carbon emissions tests on its vehicles to reflect lower emissions. This led to
massive recalls of vehicles, allegations of fraud/misrepresentation from regulatory bodies, the
dealership network and consumers which are likely to result in massive litigation costs as
well as significant reputational damage, all of which would have had (and will have in the
future), a significant effect on the company’s financial statements. A news bulletin put out by
Volkswagen AG in late 2015 relating to the scandal, indicated that, inter alia, the group
realignment was making good progress, approximately 450 external and internal experts
were involved in the investigation of the emissions scandal and that “technical solutions”
had been developed for customers. It is easy to understand that PWC, the auditors of
Volkswagen AG, will need to make significant assumptions and judgements relating to the
financial statements.
Note 4: The final step is for the auditor to decide which matters are of most significance in the audit.
(i) In the auditor’s judgement, there may be no key audit matters, and this is an acceptable
situation. There is no fixed number of key audit matters which must be reported, and it is not
anticipated that there will be “lengthy lists of key audit matters” (ISA 701 para A30), as this
would be contrary to the notion of most audit significance.
(ii) Selecting matters of most significance implies that the auditor will consider the significance
of the matter relative to other matters (which required significant audit attention). Factors
which may influence this decision are:
• the importance of the matter to a user’s understanding of the financial statements and in
particular, its materiality
• the complexity or subjectivity involved in management’s selection of an appropriate
policy relating to the matter
• the nature and materiality quantitatively and qualitatively, of corrected and uncorrected
misstatements due to fraud or error (if any)
• the nature and extent of audit effort to address the matter, for example specialised skills,
consultations with external parties
• the nature and severity of difficulties in applying audit procedures, evaluating the results
of procedures and obtaining appropriate evidence relating to the matter
• the severity of any control deficiencies relevant to the matter, and
• whether the matter involved a number of separate but related auditing considerations, for
example a single matter may have ramifications for a number of account headings or
disclosures.
Bear in mind that key audit matters are likely to be complex and reasonably difficult to describe as
required, by their very nature. A simplified description of a key audit matter might read as follows:
“In terms of IFRS, the company is required to conduct an annual indicator review of its plant and equipment to assess
whether there has been any impairment of its plant and equipment. Due to declines in demand for the products manufactured
by the company, and due to physical damage caused to some plant and equipment as a result of flooding due to torrential
rain, management’s assessment of impairment was difficult and complicated. It was also highly judgemental and required the
application of assumptions relating to future trading conditions, foreign exchange rates and the availability of reconstruction
experts. This inspection review test and the subsequent impairment allowances were significant to our audit because plant
and equipment and the impairment thereof are material to the fair presentation of the financial statements.
We addressed this matter in the following manner. We engaged the services of an economist to assist us with the evaluation of
the assumptions made in respect of future trading conditions and foreign exchange movements. Senior audit personnel
working with client personnel, evaluated the company’s detailed plans (including costings) for the engagement of German
reconstruction experts and wherever possible, sought corroborative evidence from other sources to strengthen our assessment.
The company’s disclosures about this matter are included in note 7.”
Even if there are no key audit matters in the auditor's judgement, the Key Audit Matters section of the
audit report must still be included but will simply contain the following statement: “We have determined that
there are no key audit matters to communicate in our report”.
In terms of SAAPS 3 (revised May 2019), the Key Audit Matters section will be placed below the Basis for
Opinion section. In terms of ISA 701, the order in which the auditor lists each key audit matter in the
section will be a matter of professional judgement, with the likely order being the relative importance of
each matter.
18.5.6 Modified opinions, going concern issues and key audit matters
By their very nature, matters giving rise to a modified audit opinion, or a material uncertainty related to
events or conditions that may cast significant doubt about the company’s ability to continue as a going
concern, are likely to be key audit matters. However, in terms of ISA 705 (revised) and ISA 570 (revised),
both these situations are dealt with in their own separate and specific sections of the audit report. Therefore
they will not be included in the Key Audit Matters section of the audit report, but a reference to either the
Basis for Qualified (Adverse) Opinion section, or the Material Uncertainty Related to Going Concern
section, will be included in the Key Audit Matters paragraph as applicable. This requirement makes perfect
sense as there is no point in duplicating details of the matter in the audit report, i.e. dealing with the
modified opinion/going concern issue twice.
• An emphasis of matter can never be a substitute for disclosures which are required in terms of the
financial reporting framework or that are otherwise necessary to achieve fair presentation.
disclosed), but the audit was not a matter of “most significance” on the audit. It may for example, have
been a very straight-forward, uncomplicated subsequent event that did not require significant audit
attention.
• You will deduce from the above that the same matter cannot be included as a key audit matter and an
emphasis of matter. If the auditor wants to “highlight/emphasise” a key audit matter, he could, for
example, make it the first key audit matter to be listed or he could enhance its wording to convey its
importance.
Note (c): When an emphasis of matter paragraph is included in the report, it will normally be placed
beneath the Basis for Opinion section, and above the Key Audit Matters section.
Note (d): The paragraph heading may describe what the matter is about, for example Emphasis of Matter
– Subsequent event, and the wording will be “We draw attention to Note 13 of the financial
statements, which describes a flood in the company’s raw material storage facility. Our opinion is
not modified in respect of this matter”.
18.7 The auditor’s responsibilities relating to other information – ISA 720 (revised) (effective for audits of financial statements for periods ending on or after 15 December 2016)
18.7.1 Introduction
The revision of ISA 720 has resulted in a very long and wordy statement which has grown from a
manageable five pages to fifty pages of the Students Handbook. Fortunately a detailed knowledge of the
statement is not central to your understanding of audit reports but there are some aspects of the topic of
which you should be aware.
The essence of ISA 720 (revised) is that annual financial statements are usually issued together with a
wide range of other information in what is called the “annual report” or something similar. Besides the
annual financial statements, the annual report will often contain reports prepared to meet the information
needs of various stakeholders as well as supplementary/summarised information for shareholders. These
reports/schedules may cover such diverse matters as corporate social responsibility, labour practices,
selected operating data, summaries of key financial data, strategy overviews and detailed explanations of
amounts or disclosures in the financial statements. The auditor’s duty is to give an opinion on the financial
statements as defined/described in the Companies Act, section 29. This definition/description does not
include other information. Therefore the auditor has no responsibility to give an opinion on other information
and is not in a position to do so.
However, there is a potential problem. If the other information is materially inconsistent with the financial
statements or the auditor’s knowledge obtained in the audit, it indicates that a material misstatement of the
financial statements exists or that the other information is misstated. If left “uncorrected” this could
undermine the credibility of the financial statements and the auditor’s report, and may inappropriately
influence the economic decisions of users. A misstatement of the other information exists when the other
information is incorrectly stated or otherwise misleading (including because it omits or obscures
information necessary for a proper understanding of a matter disclosed in the other information).
• a statement that the auditor has nothing to report or if there is an uncorrected material misstatement of
the other information, a statement that describes the uncorrected material misstatement of the other
information.
Note 1: In South Africa, the Directors’ Report, Audit Committees’ Report and the Company Secretary’s
Certificate are regarded as “other information” and will be identified where applicable in the
Other Information section. (All three will be included in a listed company’s audit report, but in a
private company, only the Directors’ report is mentioned.) Other information, such as summary
schedules, reports and charts, is also included and is identified by page number.
Note 2: The Other Information section is not the same as an Other Matter paragraph.
Note 3: ISA 720 (revised) does distinguish between “other information obtained prior to the date of the
auditor’s report” and other information the auditor expects to obtain after the audit report. This
has not been dealt with as it is not regarded as being central to your understanding of how the
auditor deals with “other information”.
Note 4: Any modification of the audit opinion which may have arisen from the auditor’s “reading and
considering” of other information, will not be mentioned or dealt with in the Other Information
section. It will be dealt with like any other modification of the audit opinion.
18.8.3 Reporting
Ordinarily the audit report will make no mention of the corresponding figures. Because South Africa
adopts the corresponding figure method of presenting comparatives, it is implied that the auditor’s opinion
is on the financial statements as a whole, including the corresponding figures.
• When the auditor’s report on the prior year financial statements included a modified opinion, and the
matter giving rise to the modification has been properly resolved and properly accounted for or disclosed,
the current audit report need not refer to the previous modification.
• When the auditor’s report on the prior period included a qualified or adverse opinion or a disclaimer
of opinion and the matter which gave rise to the modification is unresolved, the auditor will modify the
current audit opinion.
• If the prior period financial statements were not audited the auditor must state in an Other Matter section
of the audit report that the corresponding figures are unaudited. (The Other Matter section is not to be
confused with the Other Information section.)
– However, this does not relieve the auditor of the duty to obtain sufficient appropriate audit evidence
that the opening balances do not contain misstatements that materially affect the current period’s
financial statements on which the audit opinion is to be expressed.
• If the auditor is unable to obtain sufficient appropriate evidence regarding the opening balances, the
auditor must qualify or disclaim an opinion on the current period’s financial statements.
• If the auditor encountered significant difficulty in obtaining sufficient appropriate audit evidence that the
opening balances do not contain misstatements that materially affect the current period’s financial
statements, the auditor may consider this to be a key audit matter (only applicable when key audit
matters are communicated in terms of ISA 701).
• In terms of ISA 710, if the prior period’s financial statements were audited by a predecessor auditor
(another auditor), and the auditor of the current financial statements decides to convey this fact to users
in the audit report, it would be raised in the Other Matter section. The Other Matter section must state:
– that the financial statements of the prior period were audited by the predecessor auditor
– the type of opinion expressed by the predecessor auditor and, if the opinion was modified, the
reasons therefor, and
– the date of that report.
For example: The financial statements of the company for the year ended 31 December 0001 were audited
by another auditor who expressed an unmodified opinion on those statements on 25 March
0002.
Note: All audit reports must be structured in the (new) format required by ISA 700. The illustrative
reports in ISA 710 have been updated and appear in the conforming amendments contained in the
Students Handbook of ISAs.
The IRBA guide interprets the reference to “without such qualifications as may be appropriate” as meaning
that the audit report could result in:
• a modified audit opinion and a notification to the user that the auditor has reported a reportable
irregularity to the IRBA in terms of the Auditing Profession Act, or
• only a notification and no modification of the audit opinion. In other words, a notification (when
appropriately given) satisfies the requirement of section 44(2) with regard to the term “qualifications”.
If the reportable irregularity does not affect the fair presentation of the financial statements, the audit report
only needs to include a notification to the user in the Report on other Legal and Regulatory Requirements
section of the audit report.
In terms of the IRBA guide the auditor is unable to issue an auditor’s report without appropriate
notification or a modified opinion and a notification, in the event that:
(a) the reporting process to IRBA is incomplete
(b) a reportable irregularity did exist, even if it is no longer taking place and in respect of which adequate
steps have been taken for the prevention or recovery of any loss as a result thereof
(c) a reportable irregularity existed which could not be/was not corrected (i.e. the reportable irregularity is
continuing).
Perhaps the easiest way to illustrate what can be a “tricky” reporting duty, is to describe a matter giving rise
to the reportable irregularity and to consider the auditor’s options. Assume that the first report has been
made by the auditor to the IRBA and that management has been notified.
Example: Inbound (Pty) Ltd imports goods into South Africa. The auditor has reason to believe that
during the past financial year the directors have been defrauding SARS by not declaring the true
nature of the goods imported, thereby paying less import duties than are due. The amounts
involved are material.
Situation 1. The directors of Inbound (Pty) Ltd acknowledge the fraud, make full declaration to SARS,
and make the necessary adjustments (e.g. raise SARS as a creditor for amounts owed
including penalties) and make full disclosure in the financial statements. The auditor is
satisfied.
Outcome 1. The auditor is able to notify the IRBA (second report) that the reportable irregularity did exist
but has been resolved.
The audit opinion does not need qualification (as the financial statements are fairly presented) but users
must be notified of the reportable irregularity by the inclusion of the following in the “Report on Other
Legal and Regulatory Requirements” section of the audit report.
“In accordance with our responsibilities in terms of section 44(2) and 44(3) of the Auditing Profession Act, we report that we
identified a Reportable Irregularity in terms of the Auditing Profession Act. We reported such matter to the Independent
Regulatory Board for Auditors. The matters pertaining to the reportable irregularity have been described in note 7 to the
financial statements”.
In terms of the IRBA guide the auditor could add some explanatory text if he deems it necessary, for
example:
The directors have responded to the circumstances and conduct in question to the extent that we believe
no further loss will be suffered by the parties identified in Note 7 and that all amounts owed including
penalties have been accounted for. The unlawful act described in Note 7 is to the best of our knowledge no
longer occurring.
Situation 2. The directors of Inbound (Pty) Ltd provide sufficient appropriate evidence to satisfy the auditor
that no reportable irregularity has taken place.
Outcome 2. The auditor must notify the IRBA (second report) that no reportable irregularity existed.
The matter will have no effect on the audit report, i.e. no modification of the audit opinion or
notification in the Report on Other Legal and Regulatory Requirements section, because no
reportable irregularity actually existed.
Situation 3. The directors of Inbound (Pty) Ltd acknowledge that the fraud has taken place, agree to
discontinue the fraud but refuse to make any adjustments to or disclosures in the financial
statements arising from the fraud, for example adjusting for the amounts owed to SARS
including penalties, or to notify the SARS of the fraud.
Outcome 3. The auditor must notify the IRBA (second report) that the reportable irregularity did exist and,
as the directors will not take any corrective action, is continuing.
The audit opinion does need modification as the financial statements do not fairly present. The
qualification will be based on disagreement (misstatement) and the auditor will need to judge whether the effect
of the matter is material or material and pervasive.
Where the opinion is modified, it appears from the IRBA guide and SAAPS 3 (revised May 2019) and
paragraph 43 of ISA 700 (revised) that the auditor has the option of:
(i) Describing the reportable irregularity in the Basis for Qualified Opinion section and in the same
section, notifying users of his reporting duties in terms of the Auditing Profession Act as follows:
In accordance with our responsibilities in terms of section 44(2) and 44(3) of the Auditing Profession Act,
responsibilities beyond those required by the International Standards on Auditing, we report that we have
identified the matter described in the preceding paragraph as a reportable irregularity in terms of the Auditing
Profession Act. We have reported such matter to the Independent Regulatory Board for Auditors.
(ii) Describing the reportable irregularity in the Basis for Qualified Opinion section but notifying users of
his reporting duties in terms of the APA in the Report on Other Legal and Regulatory Requirements
section by the inclusion of the following:
In accordance with our responsibilities in terms of section 44(2) and 44(3) of the AP Act, we report that we have
identified a reportable irregularity in terms of the Auditing Profession Act. We have reported such matter to the
IRBA. The matter pertaining to the reportable irregularity has been described in the audit report above.
Situation 4. Although having communicated to the directors of Inbound (Pty) Ltd that a first report has
been made to the IRBA, no response has been forthcoming from the directors.
Outcome 4. If the 30-day period for response from the directors has elapsed, the auditor has no option but
to report to IRBA (second report) that the reportable irregularity exists. The auditor has no
reason or additional evidence to change his original decision that a reportable irregularity
exists. The effect on the audit report will be the same as for situation 3, i.e. modification of the
opinion and notification to users of the auditor’s duties to report in terms of the AP Act.
With regard to the nature of the matter giving rise to the qualification, the auditor will need to decide
whether the matter is a material misstatement or an inability to obtain sufficient appropriate evidence. If
the auditor has sufficient appropriate evidence that the financial statements are materially misstated (either
account headings or disclosures), he would be entitled to modify the opinion on the basis of disagreement
(material misstatement) because he is satisfied that, because of the fraud (which he believes has occurred),
the financial statements are misstated. On the other hand, he may take the view that the non-response of
the directors has limited his scope, which in turn has led to an inability to obtain
sufficient appropriate evidence with regard to fair presentation. This is perhaps a somewhat technical point
and regardless of which basis of modification the auditor decides is appropriate, he will have satisfied his
reporting duties.
Note: In the unlikely event that the auditor has to sign the audit report between sending the first report to
the IRBA and the 30-day response date and the reportable irregularity has not been addressed, the
appropriate treatment would probably be for the auditor to include the normal details in the Report
on Other Legal and Regulatory Requirements section but to convey that the 30-day response period
had not expired at the date of the audit report. A far more desirable outcome would be to put
pressure on the directors to respond before the 30-day period is complete or to delay signing the
audit report until the 30-day period for response has expired so that the appropriate report can be
given.
In general it is anticipated that the directors will co-operate with the auditors with regard to reportable
irregularities, but this may not always be the case.
CHAPTER 19
Review engagements and related service engagements
CONTENTS
19.1 Engagements to review historical financial statements
19.1.1 Introduction
19.1.2 Companies that qualify for an independent review
19.1.3 Description of a review engagement
19.1.4 Objectives
19.1.5 Ethical requirements and professional scepticism
19.1.6 Engagement level quality control
19.1.7 Pre-conditions and preliminary engagement activities for accepting a review engagement
19.1.8 The engagement letter
19.1.9 Performing the engagement
19.1.10 Determining materiality
19.1.11 Obtaining an understanding of the entity
19.1.12 Inquiries and analytical procedures
19.1.13 Performing additional procedures
19.1.14 Procedures to address specific circumstances
19.1.15 Reconciling the financial statements to the underlying accounting records
19.1.16 Written representations from management
19.1.17 Forming the practitioner’s conclusion on the financial statements
19.1.18 Expressing a conclusion
19.1.19 The practitioner’s report
19.1.20 Modifications
19.3 Compilation engagements
19.3.1 Introduction
19.3.2 The compilation engagement
19.3.3 Objectives
19.3.4 Ethical requirements
19.3.5 Professional judgement
19.3.6 Engagement level quality control
19.3.7 Engagement acceptance and continuance
19.3.8 Performing the engagement
19.3.9 The practitioner’s report
19.1.4 Objectives
The objectives of the practitioner conducting a review engagement are to:
• Obtain limited assurance about whether the financial statements as a whole, are free of material
misstatement, thereby allowing the practitioner to express a conclusion on whether anything has
come to his attention that causes him to believe the financial statements are not prepared, in all
material respects, in accordance with an applicable financial reporting framework, for example,
IFRS for SMEs. The limited assurance is obtained primarily by inquiry and analytical procedures.
• Report on the financial statements. The report may contain a qualified or adverse conclusion
and may even disclaim a conclusion.
Adopting an appropriate level of professional scepticism will reduce the risk of the practitioner overlooking
unusual circumstances, over-generalising when drawing conclusions from evidence and of using
inappropriate assumptions in determining the review plan and in the evaluation of evidence gathered. In a
sense, professional scepticism guards against the review team treating a review engagement as “not that
important” as referred to in the introduction to this chapter.
finance providers. In these circumstances, it is acceptable for the practitioner to assume that users will
simply be seeking some “comfort” (limited assurance) that the financial statements reflect a reasonably fair
representation of the state of the company.
For example:
A shareholder who is not involved directly in the company might use the financial statements to broadly
assess how the company is doing.
Another example:
A bank may be seeking some assurance that the overdraft it is providing is reasonably secure and that the
value of inventory that has been offered as security for the overdraft, is not materially misstated.
Perhaps the point to be made is that if a user is making important decisions of some magnitude or serious
consequence, an audit opinion and not a review conclusion would be required.
In terms of ISRE 2400 (revised), the practitioner shall obtain an understanding of:
• relevant industry, regulatory, legal and other external factors including the applicable financial reporting
framework
• the nature of the entity, including:
– its operations
– ownership and governance structures
– types of investment the entity is making
– the way the entity is structured and financed
– the entity’s objectives and strategies
• the entity’s accounting systems and accounting records
• the entity’s selection and application of accounting policies.
The statement makes the point that obtaining an understanding of the entity is a “continual dynamic
process” of gathering, updating and analysing information throughout the engagement. Practitioners need to
avoid simply carrying out a routine set of standard procedures without much thought and assuming that
not much has changed since the previous engagement.
The statement also makes the point that the practitioner should gain an understanding of the “tone at the
top” and the control environment, as these factors are likely to reveal much about management’s attitude
to fair financial reporting.
In order to carry out the analysis, the practitioner will make use of information from most, if not all, of the
following sources:
• financial information for comparable prior periods, for example, previous year, three years, etc.
• information about expected operating and financial results, for example, budgets and forecasts
• relationships among elements of financial information within the period, for example, sales
commissions (expense) to sales (revenue)
• information regarding the industry in which the client operates, for example, industry norms for gross
profit, industry averages for payroll expenses, and
• relevant non-financial information for current and prior periods, for example, delivery costs to delivery
vehicles, sales to sales personnel.
accounting professional” has compiled the financial statements, management is still responsible) and
has provided the practitioner with all relevant information and access to information
• all transactions have been recorded and reflected in the financial statements, and
• management has disclosed to the practitioner–
– the identity of the client’s related parties, related party relationships and transactions of which
management is aware
– significant facts relating to frauds or suspected frauds
– known, actual or possible non-compliance with laws and regulations
– all information relevant to the going concern ability of the entity
– where required, that all subsequent events have been adjusted for or disclosed in the financial
statements
– all material commitments, contractual obligations or contingencies, and
– all material non-monetary transactions or transactions undertaken for no consideration.
If management does not provide “one or more” of the requested written representations, the practitioner
should:
• discuss with management and those charged with governance, and
• re-evaluate the integrity of management and evaluate the effect of this on the evidence gathered.
If the practitioner concludes that there is sufficient doubt about the integrity of management or
management does not provide the representations requested, the practitioner must disclaim a conclusion.
19.1.20 Modifications
Where the reviewer’s conclusion requires modification, a paragraph must be included in the report
explaining the modification. This paragraph will be positioned above the conclusion paragraph and will be
headed according to the type of modification. The options are:
There is no standard wording for “Basis for” paragraphs. The paragraph must be sufficiently clear and
detailed to the extent the user needs to understand the modification.
19.2.2 Objective
In an “agreed upon procedures” engagement, the auditor is engaged to carry out procedures (usually of an
audit nature) that have been agreed upon by the parties involved, for example, the auditor, the client and
any interested third party. The auditor reports only on the facts as found. No assurance is given, neither in the
form of an audit opinion nor in the form of a review conclusion. The users of the report are required to
draw their own conclusions from the facts presented.
(b) Addressee: To the directors of Pentel Ltd (will be whoever engaged the practitioner)
19.3.3 Objectives
The practitioner’s objectives are to:
• apply accounting and financial reporting expertise to assist management in the preparation and
presentation of financial statements in accordance with IFRS for SMEs, and
• report in accordance with the requirements of ISRS 4410 (revised).
(f) Reliance*
Since a compilation engagement is not an assurance engagement, we are not required to verify the
accuracy or completeness of the information you provided to us to compile these financial statements.
Accordingly, we do not express an audit opinion or a review conclusion on whether these financial
statements are prepared in accordance with IFRS for SMEs.