LEARNING PACK

Qualification Programme

Module C
Business Assurance
 First edition 2010
Sixth edition 2017

ISBN 9781 5097 1407 0

Previous 9781 4727 3604 8

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the
British Library

Published by

BPP Learning Media Ltd

BPP House, Aldine Place
142-144 Uxbridge Road
London W12 8AA

www.bpp.com/learningmedia

The copyright in this publication is jointly owned by

BPP Learning Media Ltd and HKICPA.

Printed in China

Your learning materials, published by BPP Learning

Media Ltd, are printed on paper obtained from
traceable sustainable sources.

All rights reserved. No part of this publication may be

reproduced, stored in a retrieval system or transmitted in
any form or by any means, electronic, mechanical,
photocopying, recording or otherwise, without the prior
written permission of the copyright holders.

The contents of this publication are intended as a guide

and not professional advice. Although every effort has been
made to ensure that the contents of this publication are
correct at the time of going to press, BPP Learning Media
makes no warranty that the information in this publication
is accurate or complete and accepts no liability for any loss
or damage suffered by any person acting or refraining from
acting as a result of the material in this publication.

Every effort has been made to contact the copyright

holders of any material reproduced within this publication.
If any have been inadvertently overlooked, BPP Learning
Media will be pleased to make the appropriate credits in
any subsequent reprints or editions.

We are grateful to the HKICPA for permission to reproduce

the Learning Outcomes and past examination questions,
the copyright of which is owned by the HKICPA.

©
HKICPA and BPP Learning Media Ltd
2017

ii
Contents

Page
Director's message v
Introduction vi
Module overview vii
Chapter features viii
Learning outcomes ix

Module C Business Assurance

Part A Corporate governance

1 Scope of corporate governance 3
2 Corporate governance reports and practice 33

Part B Internal assurance

3 Internal assurance 71

Part C Professional standards and guidance

4 Code of Ethics 99
5 Framework for assurance engagements 155

Part D Assurance engagements

6 Quality control 175
7 Changes in auditor appointment 195
8 Planning, materiality and risk assessment 223
9 Audit evidence, procedures, audit methodologies and audit sampling 257
10 Fraud and irregularities 287
11 Internal control and tests of controls 315
12 Substantive procedures, including analytical procedures 345
13 Specific audit procedures 365
14 Using the work of others 429
15 Accounting estimates, opening balances and comparatives 445
16 Overall audit review and finalisation 473
17 Audit reporting 523

Introduction iii
 Page

Part E Other audit matters

18 Group audits 573
19 Audit-related services and other assurance engagements 593

Part F Computerised business systems

20 Information technology 643

Answers to exam practice questions 677

Question bank – questions 709

Question bank – answers 763

Glossary of terms 843

Index 857

iv Business Assurance
Director's message

Welcome to the Qualification Programme (QP) of the Hong Kong Institute of Certified Public
Accountants (HKICPA).
You have made the decision to complete the HKICPA's QP which entails completing the training
programme, passing professional examinations and acquiring practical experience under an
authorised employer or supervisor. This marks a further step on your pathway to a successful
business career as a CPA and becoming a valued member of the HKICPA.
The QP comprising four core modules and a final examination will provide you with a foundation for
life-long learning and assist you in developing your technical, intellectual, interpersonal and
communication skills. You will find this programme challenging with great satisfaction that will open
a wide variety of career opportunities bringing in attractive financial rewards.
A module of the QP involves approximately 120 hours of self-study over fourteen weeks,
participation in two full-day workshops and a three-hour open-book module examination at the
module end. We encourage you to read this Learning Pack which is a valuable resource to guide
you through the QP.
The four core modules of the QP are as follows:
Module A: Financial Reporting
Module B: Corporate Financing
Module C: Business Assurance
Module D: Taxation

Should you require any assistance at any time, please feel free to contact us on (852) 2287 7228.
May I wish you every success in your QP!

Shanice Tsui
Director of Education and Training
Hong Kong Institute of Certified Public Accountants

Introduction v
 Introduction

This is the sixth edition of the Learning Pack for Module C Business Assurance of the HKICPA
Qualification Programme.
The Institute is committed to updating the content of the Learning Pack on an annual basis to keep
abreast of the latest developments. This edition has been developed after having consulted and
taken on board the feedback received from different users of the previous edition. Some of the
examples and self-test questions have been rewritten to better reflect current working practices in
industry and facilitate the learning process for users of the Learning Pack.
The Learning Pack has been written specifically to provide a complete and comprehensive
coverage of the learning outcomes devised by HKICPA, and has been reviewed and approved by
the HKICPA Qualification and Examinations Board for use by those studying for the qualification.
The HKICPA Qualification Programme comprises two elements: the examinations and the
workshops. The Learning Pack has been structured so that the order of the topics in which you
study is the order in which you will encounter them in the workshops. There is a very close inter-
relationship between the module structure, the Learning Pack and the workshops. It is important
that you have studied the chapters of the Learning Pack relevant to the workshops before you
attend the workshops, so that you can derive the maximum benefit from them.
On page (ix) you will see the HKICPA learning outcomes. Each learning outcome is mapped to the
chapter in the Learning Pack in which the topic is covered. You will find that your diligent study of
the Learning Pack chapters and your active participation in the workshops will prepare you to
tackle the examination with confidence.
One of the key elements in examination success is practice. It is important that not only you fully
understand the topics by reading carefully the information contained in the chapters of the Learning
Pack, but it is also vital that you take the necessary steps to practise the techniques and apply the
principles that you have learned.
In order to do this, you should:
 Work through all the examples provided within the chapters and review the solutions,
ensuring that you understand them;
 Complete the self-test questions within each chapter, and then compare your answer with
the solution provided at the end of the chapter; and
 Attempt the exam practice questions that you will find at the end of the chapter. Many of
these are HKICPA past examination questions, which will give an ideal indication of the
standard and type of question that you are likely to encounter in the examination itself. You
will find the solutions to exam practice questions at the end of the book.
In addition, you will find at the end of the Learning Pack a bank of past HKICPA case-study style
questions. These are past 'Section A' examination questions, which present a case study testing a
number of different topics within the syllabus. These questions will provide you with excellent
examination practice when you are in the revision phase of your studies, bringing together, as they
do, the application of a variety of different topics to a scenario.
Please note that the Learning Pack is not intended to be a 'know-it-all' resource. You are required
to undertake background reading including standards, legislation and recommended texts for the
preparation for workshop and examination.

vi Business Assurance
Module overview
This module enables you to perform effective assurance and related assignments. You will also
learn the importance of corporate governance in an organisation. Please refer to the QP Learning
Centre for the cut-off rule on examinable standards.
Overall Structure of Module C (Business Assurance)
External Function Internal Function
Part C Professional Standards and Guidance
Part D Assurance Engagements Part A
Corporate
I. Engagement Acceptance Governance
II. Audit Planning
Part B
III. Audit Execution
Internal
IV. Audit Completion Assurance

Part E Other Audit Matters

Part F Computerised Business Systems

Introduction vii
 Chapter features

Each chapter contains a number of helpful features to guide you through each topic.

Topic list Tells you what you will be studying in the chapter. The topic items form the
numbered headings within the chapter.

Learning focus Puts the chapter topic into perspective and explains why it is important, both
within your studies and within your practical working life.

Learning The list of Learning Outcomes issued for the Module by HKICPA,
Outcomes referenced to the chapter in the Learning Pack within which coverage will be
found.

Topic recap Reviews and recaps on the key areas covered in the chapter.

Bold text Throughout the Learning Pack you will see that some of the text is in bold
type. This is to add emphasis and to help you to grasp the key elements
within a sentence or paragraph.

Topic highlights Summarise the key content of the particular section that you are about to
start. They are also found within sections, when an important issue is
introduced other than at the start of the section.

Key terms Definitions of important concepts. You really need to know and understand
these before the examination, and understanding will be useful at the
workshops too.

Examples Illustrations of particular techniques or concepts with a worked solution or

explanation provided immediately afterwards.

Case study/ An example or illustration not requiring a solution, designed to enrich your
Illustration understanding of a topic and add practical emphasis. Often based on real
world scenarios and contemporary issues.

Self-test questions These are questions that enable you to practise a technique or test your
understanding. You will find the answer at the end of the chapter.

Formula to learn You may be required to apply financial management formulae in Module B,
Corporate Financing.

Exam practice A question at the end of the chapter to enable you to practise the
techniques that you have learned. In most cases this will be a past HKICPA
examination question, updated as appropriate. You will find the answers in a
bank at the end of the Learning Pack entitled Answers to Exam Practice
Questions.
Further reading In Modules B and D you will find references to further reading that will help
you to understand the topics and put them into the practical context. The
reading suggested may be books, websites or technical articles.

viii Business Assurance

Learning outcomes

HKICPA's learning outcomes for the Module are set out below. They are cross-referenced to the
chapter in the Learning Pack where they are covered.
Fields of competency
The items listed in this section are shown with an indicator of the minimum acceptable level of
competency, based on a three-point scale as follows
1 Awareness
To have a general professional awareness of the field with a basic understanding of relevant
knowledge and related concepts.
2 Knowledge
The ability to use knowledge to perform professional tasks competently without assistance in
straightforward situations or applications.
3 Application
The ability to apply comprehensive knowledge and a broad range of professional skills in a
practical setting to solve most problems generally encountered in practice.
Topics
Chapter
where
Competency covered

LO1. Professional standards and guidance

Identify and where appropriate apply ethical standards,
legislation and professional guidance:
LO1.01 The Institute's Code of Ethics for Professional 3
Accountants:
1.01.01 Explain the fundamental principles and the 4
conceptual framework approach
1.01.02 Identify, evaluate and respond to threats to 4
compliance with the fundamental principles
1.01.03 Discuss and evaluate the effectiveness of 4
available safeguards
1.01.04 Recognise and advise on conflicts in the 4
application of fundamental principles for
Professional Accountants in practice and in
business
LO1.02 Professional standards and guidance: 3
1.02.01 Explain the importance of adherence to 5
professional standards and guidance
LO1.03 Legal and regulatory framework governing the profession: 3
1.03.01 Explain the regulatory framework for assurance 5
and non-assurance engagements in Hong Kong
1.03.02 Explain the nature and purpose of assurance and 5
non-assurance engagements

Introduction ix
 Chapter
where
Competency covered

LO2. Assurance engagements

Apply relevant Hong Kong Standards on Quality Control,
Auditing, Assurance and Related Services, guidance and
legislation to plan, perform and complete assurance
engagements including the audits of financial statements with
emphases on:
LO2.01 Audit requirements for a complete set of general purpose 3
financial statements
LO2.02 Other assurance engagement requirements: 2
2.02.01 Identify the level of assurance and the issues 19
relating to other assurance and non-
assurable engagements, including:
2.02.01.01 Reviews 19
2.02.01.02 Agreed-upon procedures 19
2.02.01.03 Pro-forma financial information 19
2.02.01.04 Investment circular reporting 19
engagements
2.02.01.05 Preliminary announcements of 19
annual results
2.02.01.06 Comfort letters 19
2.02.01.07 Due diligence work 19
LO2.03 Client and engagement acceptance procedures: 3
2.03.01 Explain the reasons why entities change 7
their auditors/professional accountants
2.03.02 Explain the requirements relating to the 7
appointment of auditors under the Hong
Kong Companies Ordinance
2.03.03 Explain the procedure for a change of 7
auditors
2.03.04 Explain the rights of the auditors in the 7
process of a change of auditors
2.03.05 Explain the professional clearance 7
procedures
2.03.06 Explain the matters to be considered and the 7
procedures that an audit firm/professional
accountant should carry out before accepting
a specified new client/engagement including:
2.03.06.01 Client acceptance 7
2.03.06.02 Engagement acceptance 7
2.03.06.03 Agreement of the terms of 7
engagement
2.03.07 Identify the issues relating to the agreement 7
of the scope and terms of an engagement
with a client

x Business Assurance
 Chapter
where
Competency covered

2.03.08 Explain the procedures for the transfer of books, 7

papers and information following a new
appointment
LO2.04 Audit methodologies: 3
2.04.01 Describe the key features of the following audit 3
methodologies:
2.04.01.01 Risk-based auditing 9
2.04.01.02 Top-down auditing 9
2.04.01.03 System-based auditing 9
2.04.01.04 Systems audit 9
2.04.01.05 Balance sheet approach 9
2.04.01.06 Transaction cycle approach 9
2.04.01.07 Directional testing 9
2.04.02 Understand the cost and performance efficiency 2
of different audit methodologies
LO2.05 Planning and risk assessment: 3
2.05.01 Identify and explain:
2.05.01.01 The need for planning an audit 8
2.05.01.02 The contents of the overall audit 8
strategy and the audit plan
2.05.01.03 The relationship between the 8
overall audit strategy and the
audit plan
2.05.02 Develop and document an audit plan 8
2.05.03 Explain how auditors obtain an initial 8
understanding of the entity and its environment
including the use of preliminary analytical review
procedures
2.05.04 Explain the components of audit risk 8
2.05.05 Assess the risk of material misstatement at the 8
financial statement level and assertion level
2.05.06 Recognise and suggest overall responses to 8
assessed risk
2.05.07 Recognise and suggest specific procedures to 8
respond to assessed risks
2.05.08 Explain the effect of fraud and misstatements on 10
audit planning and work
2.05.09 Explain the effect of law and regulations, and 10
non-compliance therewith, on audit planning and
procedures

Introduction xi
 Chapter
where
Competency covered

LO2.06 Quality control considerations: 3

2.06.01 Explain the principles and purposes of quality 6
control of audit and other assurance
engagements
2.06.02 Identify the features of a system of quality control 6
relevant to a specific firm
2.06.03 Choose and explain quality control procedures 6
that are relevant to a specific audit engagement
2.06.04 Assess and explain whether an engagement has 6
been performed in line with professional
standards and whether reports issued are
appropriate
LO2.07 Documentation: 3
2.07.01 Document an audit plan 8
2.07.02 Explain the need for and the importance of audit 9
documentation
LO2.08 Materiality: 3
2.08.01 Define materiality and demonstrate how it should 8
be applied in the context of financial reporting and
auditing
LO2.09 Audit procedures: 3
2.09.01 Define audit sampling 9
2.09.02 Explain the need for sampling 9
2.09.03 Apply the basic principles of sampling 9
2.09.04 Assess and explain the results of sampling 9
2.09.05 Explain the importance of internal control to 3,11
auditors and the execution of tests of control
2.09.06 Explain how auditors identify weaknesses in 11
internal control systems and how those
weaknesses limit the extent of auditors' reliance
on those systems
2.09.07 Explain the types of substantive procedures and 12
the issues in evaluating the results obtained
2.09.08 Explain what is meant by analytical review and 12
how analytical review procedures are used in an
audit
2.09.09 Explain the appropriate audit tests for:
2.09.09.01 Tangible non-current assets 13
2.09.09.02 Intangible non-current assets 13
2.09.09.03 Inventory 13
2.09.09.04 Receivables 13
2.09.09.05 Bank and cash 13

xii Business Assurance

 Chapter
where
Competency covered

2.09.09.06 Trade payables and accruals 13

2.09.09.07 Non-current liabilities 13
2.09.09.08 Provisions and contingencies 13
2.09.09.09 Capital and other issues 13
2.09.09.10 Long-term investments 13
2.09.09.11 Segment information 13
2.09.09.12 Revenue 13
2.09.09.13 Purchases 13
2.09.09.14 Wages and salaries 13
2.09.09.15 Financial instruments 13
2.09.10 Discuss the audit problems and identify
procedures for the audit of:
2.09.10.01 Accounting estimates 15
2.09.10.02 Fair values 15
2.09.10.03 Opening balances 15
2.09.10.04 Comparatives 15
2.09.10.05 Related party transactions 16
2.09.11 Recognise and explain the issues relating to the 18
audit of a group of companies
LO2.10 Audit evidence: 3
2.10.01 Explain the procedures by which audit evidence 3 9
may be obtained
2.10.02 Assess the appropriateness and sufficiency 3 9
(relevance and reliability) of different sources of
audit evidence
2.10.03 Explain the assertions contained in the financial 3 9
statements and their use in obtaining evidence
2.10.04 Explain the need to modify the audit strategy and 3 11
audit plan following the results of tests of control
2.10.05 Discuss why auditors may rely on the work of 2 14
others, including internal audit, experts and
service organisations
LO2.11 Internal audit: 2
2.11.01 Explain the relationship between internal auditors 3
and external auditors
2.11.02 Discuss why auditors may rely on the work of 3, 14
others, including internal audit, experts and
service organisations

Introduction xiii
 Chapter
where
Competency covered

LO2.12 Completion procedures: 3

2.12.01 Explain the purpose of and procedures to be
used in:
2.12.01.01 A subsequent events review 16
2.12.01.02 A going concern review 16
2.12.01.03 Obtaining written 16
representations from
management
2.12.01.04 Review of report by other 18
auditors to principal auditors of a
group of companies
2.12.01.05 Overall review of the financial 16
statements
2.12.01.06 Review of other published 16
information
2.12.02 Explain the procedures required to identify and 16
audit related party transactions
2.12.03 Explain the need to evaluate misstatements 16
identified during the audit
2.12.04 Explain the follow up on illegal act or fraud found 10, 16
while performing an audit especially in the case of
money laundering or corruption
LO2.13 Reporting: 3
2.13.01 Discuss and provide examples of how the 11
reporting of internal control weaknesses and
recommendations to overcome those
weaknesses are provided to management
2.13.02 Explain the requirement for an auditor to report to 16
management or those charged with governance
2.13.03 Explain and analyse the format and content of 17
unmodified audit reports
2.13.04 Explain and analyse the format and content of 17
modified audit reports
LO3. Corporate governance
Describe current developments and issues in corporate
governance and explain the impact that it will have on
management, assurance engagements and auditors'
responsibilities:
LO3.01 Background to corporate governance developments: 2
3.01.01 Explain the objectives, concepts, relevance and 1
importance of corporate governance

3.01.02 Discuss the provisions of international codes of 1

corporate governance (such as OECD) that are
most relevant to auditors

xiv Business Assurance

 Chapter
where
Competency covered

3.01.03 Explain corporate governance developments in 2

Hong Kong and the structure of the Corporate
Governance Code and Corporate Governance
Report in Hong Kong
LO.3.02 Key issues relating to corporate governance including 2
directors' remuneration, board composition, audit
committee and non-controlling interests:
3.02.01 Explain the concept of stakeholder theory in 1
corporate governance
3.02.02 Describe the corporate governance requirements 2
as set out in the new Companies Ordinance
(Cap. 622) and Hong Kong Stock Exchange
Listing Requirements relating to directors'
responsibilities (for example, risk management
and internal control) and the reporting
responsibilities of auditors
LO3.03 Management's responsibilities to comply with corporate 3
governance requirements and to implement related
practices:
3.03.01 Explain the responsibilities of management within 2
the corporate governance framework
3.03.02 Analyse the structure and roles of board 2
committees and discuss their drawbacks and
limitations
LO3.04 Auditors' responsibilities to consider and address 3
corporate governance requirements:
3.04.01 Explain the auditor's responsibility to consider 2
and address corporate governance requirements
LO3.05 Implications of overseas legislation such as the Sarbanes- 2
Oxley Act 2002 on Hong Kong companies and auditors:
3.05.01 Explain the effect of the Sarbanes-Oxley Act on 3
Hong Kong companies and their auditors
LO4. Computerised business systems
Discuss the features of computerised business systems and
assess and advise on risk and control frameworks:
LO4.01 Key features of a computerised business system: 3
4.01.01 Explain the characteristics of an entity operating a 20
networked computer system
4.01.02 Explain the characteristics of an entity operating 20
with standalone PCs
LO4.02 Categories and types of controls: 3
4.02.01 State examples of controls in a computerised 11, 20
system
4.02.02 Define and give examples of general and 11, 20
application controls

Introduction xv
 Chapter
where
Competency covered

LO4.03 Impact of increasing use and share of ownership by 2 20

accountants in corporate information system
LO4.04 Impact of e-commerce: 3
4.04.01 Recognise and discuss the importance of e- 20
commerce to a business
4.04.02 Identify and explain the effect of e-commerce on 20
the auditor's risk assessment and audit approach
4.04.03 Identify the knowledge and skills required to audit 20
an entity's e-commerce activities
LO4.05 Opportunities and threats to corporate information system 2 20
including capabilities in data treatment and analysis, data
integrity, system security and issues in access restriction,
and business contingency/continuity
LO4.06 Risk and control framework: 3
4.06.01 Explain the audit problems of an entity operating 20
a networked computer system
4.06.02 Explain the audit problems of an entity operating 20
with standalone PCs
LO4.07 Internal audit: 3
4.07.01 Explain the ways in which internal audit is of 20
particular significance in a computerised
accounting system
4.07.02 Identify the procedures that an auditor may have 20
to undertake to assess the role of internal audit
LO4.08 System change processes: 2
4.08.01 Explain the potential impact on the auditor where 20
an entity changes its computerised system
LO4.09 Risk assessment and evaluation of IT processes: 2
4.09.01 Identify what factors the auditor may need to 20
consider in assessing the audit risk of a
computerised environment
4.09.02 Describe the use of computer-assisted audit 20
techniques (CAAT) in an audit

xvi Business Assurance

Part A
Corporate governance

This part explains the importance and implication of corporate governance in an assurance
process.
Practical situations and requirements for good corporate governance are also discussed and
presented.

1
 Business Assurance

2
chapter 1

Scope of corporate
governance
Topic list

1 Codes of corporate governance 4 Major issues in corporate governance

1.1 What is corporate governance? 4.1 Duties of directors
1.2 Contribution of corporate governance 4.2 Composition and balance of the board
codes 4.3 Reliability of financial reporting and
1.3 Elements of corporate governance external auditors
1.4 Organisation for Economic Co-operation 4.4 Directors' remuneration and rewards
and Development (OECD) Principles of 4.5 Responsibility of the board for risk
Corporate Governance management and internal control
1.5 Corporate governance concepts 4.6 Rights and responsibilities of
1.6 HKICPA Guide on corporate shareholders
governance 4.7 Corporate social responsibility and
2 Corporate governance and agency business ethics
2.1 Nature of agency 4.8 Public and non-governmental bodies'
2.2 Accountability and reasonable care, skill corporate governance
and diligence 4.9 The driving forces underlying the
2.3 The agency problem governance code development
2.4 Resolving the agency problem: 4.10 Development of corporate governance
alignment of interests codes
3 Stakeholders in corporate governance 5 Corporate social responsibility
3.1 Stakeholders 5.1 Significance of corporate social
3.2 Stakeholder theory responsibility
3.3 Classifications of stakeholders 5.2 Corporate social responsibility and
3.4 Reconciling viewpoints of different stakeholders
stakeholders 5.3 Impact of corporate social responsibility
3.5 Stakeholder and agency theory on strategy and corporate governance
5.4 Ownership and corporate social
responsibility
5.5 Corporate social responsibility guidance
in Hong Kong

Learning focus

Corporate governance is the system by which a company is directed and controlled. There are
a number of separate codes of corporate governance with which companies must be familiar.

3
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
3.01 Background to corporate governance developments 2

3.01.01 Explain the objectives, concepts, relevance and importance of

corporate governance
3.01.02 Discuss the provisions of international codes of corporate
governance (such as the OECD) that are most relevant to
auditors
3.02 Key issues relating to corporate governance including 2
directors' remuneration, board composition, audit
committee and non-controlling interests
3.02.01 Explain the concept of stakeholder theory in corporate
governance

4
 1: Scope of corporate governance | Part A Corporate governance

1 Codes of corporate governance

Topic highlights
There is no single definition of what corporate governance really means. The most widely accepted
definition is defined by the UK Cadbury Committee Report (1992) as the 'system by which a
company is directed and controlled'. It can also be considered as the 'set of relationships between
the management, the Board of Directors (BOD), the shareholders as well as other stakeholders to
the corporation' (HKICPA, 2006). It is needed because of the agency problem: this arises due to
the separation of ownership and control of the company, ie the owners of a company and the
people who manage it are not always the same.

1.1 What is corporate governance?

Key terms
Corporate governance is the system by which companies are directed and controlled. Linked to
corporate governance is Stewardship, which refers to taking care of something (the company and
its assets) which is owned by someone else (shareholders).

Corporate governance includes managing the relationships among the many parties interested in
an entity and providing transparent, responsible management practices to meet the entity's
objectives. The first corporate governance code was the Cadbury Report, published in the UK in
1992. This identified a number of internal and external parties who hold an interest in the effective
corporate governance of an entity:
 Directors: responsible for corporate governance
 Shareholders: linked to the directors as users of the financial statements and as individuals
who stand to directly benefit financially from the activities of the entity
 Other relevant parties: these may be numerous but include employees, customers,
suppliers, the tax authorities and any special interest groups, regulators, and the wider
public.

1.1.1 The importance of corporate governance

Companies differ in the degree of shareholder involvement; in some companies, shareholders are
well informed about the direction of and management of the business because they hold
positions as directors and directly influence day-to-day management such as 'insider company'. But
in companies where the shareholders are not employed to manage the business (ie 'outsider
company'), they may only have a limited opportunity to find out about the management of the
company, usually at the AGM (annual general meeting).
AGMs are notoriously poorly attended which adds to the agency problem discussed in more
detail later. This arises when shareholders, who are actually the owners of the company (the
principals), delegate decision-making authority for the day-to-day operations to the directors
and other senior management (the agents). Since the interests of management may not always
be in line with those of shareholders, management may act in a way that is detrimental to the
interests of the shareholders. Even though management submit the company's results for
shareholders' approval at the AGM, poor turnout and little involvement in day-to-day matters means
this is usually only a matter of rubber stamping the proposals put forward by management. It is also
very unusual for the directors to be challenged on any key areas such as compensation packages.

5
 Business Assurance

As a result, there is the potential for conflicts of interest between management and
shareholders.
The current framework of corporate governance in Hong Kong and China lays down both statutory
and non-statutory requirements as to how directors should run a business to best enhance and
keep in balance stakeholders' interests. Statutory requirements consist of the new Companies
Ordinance (Cap. 622), Securities (Disclosure of Interests) Ordinance, Securities (Insider Dealing)
Ordinance, and Takeover Codes. Non-statutory requirements are those specified by the Hong
Kong Stock Exchange relating to Listing Rules and Corporate Governance Code. The Hong Kong
Code is based on the UK Combined Code of July 2003, which was renamed as the UK Corporate
Governance Code in 2010, with additional rules on connected transactions and non-controlling
interests, together with changes that tailor the approach to the Hong Kong environment (family
control and Mainland Enterprises).
There are a number of different facets to corporate governance:
 Commitment to ethical values
 Transparency in company activities
 Managing stakeholders' interests
 Safeguarding of the company's assets
 Establishing strong internal controls to deter and detect fraud
 Ensuring the efficient use of resources to create and enhance shareholder value
 Accountability, which ultimately rests with the directors and those charged with governance.
Good corporate governance is essential in today's global business environment, and especially so
in Hong Kong, if the Territory is to maintain its competitive status as one of the world's major
financial centres, in addition to acting as a premier international capital market for mainland China
and the region.
In summary, it is necessary for processes to be in place in every entity to ensure that the interests
of every stakeholder are safeguarded. It is a fiduciary duty of management that they act in the best
interests of the shareholders, employees and the external parties to whom they are accountable.

1.2 Contribution of corporate governance codes

Investors are often prepared to pay a premium to invest in a company with good corporate
governance practices in place. The individual provisions of the Codes have undoubtedly made a
number of contributions to the corporate environment:
(a) The reports have highlighted the contributions good corporate governance can make to
companies.
(b) The codes have emphasised certain risks that have contributed to corporate governance
failure, for example individual directors having too great an influence.
(c) The provisions have provided benchmarks that can be used to judge the effectiveness of
internal controls and risk management systems.
(d) The guidelines have promoted specific good practice in a number of areas, for example
non-executive directors, performance-related pay and disclosure.
(e) The recommendations have highlighted the importance of basic concepts and highlighted
how these can be put into practice, for example accountability through recommendations
about organisation-stakeholder relationships and transparency by specifying disclosure
requirements.
In Hong Kong
In Hong Kong, the Code on Corporate Governance Practices ('HK Code') sets out the principles of
good corporate governance. It refers to the companies subject to the Code as 'issuers'. The HK
Code was launched in January 2005 and requires listed issuers to report regularly their corporate
governance performance in their financial reports. With the collective and concerted efforts made

6
 1: Scope of corporate governance | Part A Corporate governance

by all market participants, the overall standard of corporate governance in Hong Kong has been
improving.
There are two levels of recommendations:
(a) Code provisions
(b) Recommended best practices
Hong Kong listed companies are expected to comply with the provisions of the Code, but may
choose to deviate from them. If they deviate then they need to explain why in the annual report, this
is called the 'comply or explain approach'. The recommended best practices are for guidance
only, although companies are encouraged to comply. Hong Kong companies may also devise their
own code on corporate governance practices on such terms as they may consider appropriate.

1.3 Elements of corporate governance

There are a number of elements in corporate governance:
(a) The management, awareness, evaluation and mitigation of risk is fundamental in all
definitions of good governance. This includes the operation of an adequate and
appropriate system of control.
(b) The notion that overall performance is enhanced by good supervision and management
within set best practice guidelines underpins most definitions.
(c) Good governance provides a framework for an organisation to pursue its strategy in an
ethical and effective way and offers safeguards against misuse of resources, human,
financial, physical or intellectual.
(d) Good governance is not just about externally established codes, it also requires a willingness
to apply the spirit as well as the letter of the law.
(e) Good corporate governance can attract new investment into companies, particularly in
developing nations.
(f) Accountability is generally a major theme in all governance frameworks, including
accountability not just to shareholders but also other stakeholders.
(g) Corporate governance underpins capital market confidence in companies and in the
government/regulators/tax authorities that administer them.

1.4 Organisation for Economic Co-operation and Development

(OECD) Principles of Corporate Governance

Topic highlights
The OECD Principles of Corporate Governance set out the rights of shareholders, the
importance of disclosure and transparency and the responsibilities of the board of directors.

An important question to consider is 'will the same way of managing companies be the best method
for all companies?' The answer is likely to be no. Companies are different from each other, and
globally, they operate in different legal systems with different institutions, frameworks and
traditions. It would not be possible to construct one single approach to operating companies that
could be described as best practice for all.
The key issue in corporate governance is that 'a high degree of priority [is] placed on the interests
of shareholders, who place their trust in corporations to use their investment funds wisely and
effectively'. Shareholders in a company might be a family, they might be the general public or they

7
 Business Assurance

might be institutional investors representing, in particular, people's future pensions. These

shareholders will vary in their degree of interaction with the company and their directors.
Codes such as the OECD Code have been developed from best practice in a number of
jurisdictions. As such, they can be seen as representing an international consensus on common
elements that underlie good corporate governance. They stress global issues that are important to
companies operating in a number of jurisdictions. The OECD Code, for example, emphasises the
importance of eliminating impediments to cross-border shareholdings and treating overseas
shareholders fairly.
In the context of this great variety in the basic element of these companies, the OECD has
established a number of Principles of Corporate Governance, which were issued in 1999 and
reviewed in 2004, and which serve as a reference point for countries (to develop corporate
governance codes if they wish) and companies. They were developed in response to a mandate
given to the OECD to develop a set of standards and guidelines on good corporate governance.
The OECD is currently conducting a review of the Principles to ensure their continuing high quality,
relevance and usefulness, taking into account recent developments in the corporate sector and
capital markets.

OECD Principles of Corporate Governance

(i) The corporate governance framework should promote transparent and efficient markets,
be consistent with the rule of law and clearly articulate the division of responsibilities
among different supervisory, regulatory and enforcement authorities.
(ii) The corporate governance framework should protect and facilitate the exercise of
shareholders' rights.
(iii) The corporate governance framework should ensure the equitable treatment of all
shareholders, including minority and foreign shareholders. All shareholders should have
the opportunity to obtain effective redress for violation of their rights.
(iv) The corporate governance framework should recognise the rights of stakeholders
established by law or through mutual agreements and encourage active co-operation
between corporations and stakeholders in creating wealth, jobs and the sustainability of
financially sound enterprises.
(v) The corporate governance framework should ensure that timely and accurate disclosure
is made on all material matters regarding the corporation, including the financial
situation, performance, ownership, and governance of the company.
(vi) The corporate governance framework should ensure the strategic guidance of the
company, the effective monitoring of management by the board, and the board's
accountability to the company and the shareholders.

The above Principles are non-binding on countries and companies. Rather they seek to identify
objectives and various means for achieving them. Their purpose is to serve as a reference point
that can be used by policy makers to analyse and develop their own legal and regulatory
frameworks for corporate governance, given their individual mixes of economic, social and legal
circumstances.
In order to obtain the best of the advantages and avoid the worst disadvantages, countries may
take a hybrid approach and make some elements of corporate governance mandatory and some
voluntary.

Self-test question 1
Keepalive Life Assurance Company is a mutual organisation, owned by its policyholders. Owing to
changes in capital adequacy requirements imposed by the regulator and pressure from lobby
groups, it has decided to convert to a public limited company and float on the stock exchange.

8
 1: Scope of corporate governance | Part A Corporate governance

The board of directors is anxious to ensure that the very highest standards of governance are
adopted in the transition to the new corporate form. It has decided to review the scope of its
policies in this respect.
The policyholders, who own the voting rights in the company, have expressed concerns about the
company's plans for several reasons. First, some doubt that the existing directors have the
experience necessary to manage the company in the new form. Many of the directors only have
experience in the life assurance industry and have been with the company for a long time. The two
previous chief executives remain on the board. Second, the company had to increase its provisions
for losses last year, causing an embarrassing admission by the board that the financial statements
were 'distorted'. One major investor has accused the board of a 'clear lack of probity'. Third, when
the company is floated it is likely that its shares will be purchased by a few very large institutional
investors who may force the company to adopt a less 'customer friendly' approach to business. At
the moment, the company offers many investment products that are highly valued by smaller, less
wealthy customers but apparently make little profit for the company.
Requirements
(a) With reference to an appropriate framework, such as the one proposed by the OECD,
explain the matters that the board of directors of Keepalive Life Assurance Company should
consider in its review of corporate governance arrangements.
(b) Explain what is meant by 'lack of probity' and why probity is important.
(The answer is at the end of the chapter)

1.5 Corporate governance concepts

1.5.1 Fairness
The directors' deliberations and also the systems and values that underlie the company must be
balanced by taking into account everyone who has a legitimate interest in the company, and
respecting their rights and views. In many jurisdictions, corporate governance guidelines reinforce
legal protection for certain groups, for example minority shareholders.

1.5.2 Openness and transparency

Key term
Transparency means open and clear disclosure of relevant information to shareholders and
other stakeholders, and not concealing information which may affect decision-making. It means
open discussion, with a default position of information provision rather than concealment.

Disclosure in this context obviously includes information in the financial statements, not just the
numbers and notes to the financial statements but also narrative statements such as the directors'
report and the operating and financial review. It also includes all voluntary disclosure, that is
disclosure above the minimum required by law or regulation. Voluntary corporate communications
include management forecasts, analysts' presentations, press releases, information placed on
websites and other reports such as stand-alone environmental or social reports.
The main reason why transparency is so important relates to the agency problem (the potential
conflict between owners and managers). This will be discussed further in section 2 of this chapter.
Without effective disclosure the position could be unfairly weighted towards managers, since they
have far more knowledge of the company's activities and financial situation than owner/investors.
Avoiding the creation of an information asymmetry between managers and owners requires not
only effective disclosure rules, but strong internal controls that ensure the reliability of information
disclosures.

9
 Business Assurance

Linked with the agency issue, publication of relevant and reliable information underpins stock
market confidence in how companies are being governed and thus significantly influences
market prices. International Financial Reporting Standards (IFRSs), Hong Kong Financial
Reporting Standards (HKFRSs), and stock market regulations based on corporate governance
codes require published financial statements to present a true and fair view. Information can only
fulfil this requirement if adequate disclosure is made of uncertainties and adverse events.
Circumstances where restricted disclosure may be justified include discussions about future
strategy (knowledge of which would benefit competitors), confidential issues relating to
individuals and discussions leading to an agreed position that is then made public.

1.5.3 Independence
Independence is an important concept in relation to directors. Corporate governance reports have
increasingly stressed the importance of independent non-executive directors; directors who are
not primarily employed by the company and who have very strictly controlled other links with it. As
a result they should be free from conflicts of interest and in a better position to promote the
interests of shareholders and other stakeholders. Freed from pressures that could influence
their activities, independent non-executive directors should be able to carry out effective
monitoring of the company in conjunction with equally independent external auditors on behalf of
shareholders.
Non-executive directors' lack of links and limits on the time that they serve as non-executive
directors should promote avoidance of managerial capture – accepting executive managers'
views on trust without analysing and questioning them.
In the Hong Kong context, the Hong Kong Stock Exchange Listing Rules specify that there must be
at least three independent non-executive directors on the main board for listed companies,
representing at least one third of the board. The rules are the same for the companies listed on the
Growth Enterprise Market (GEM).

1.5.4 Probity and honesty

Hopefully this should be the most self-evident of the principles, relating not only to telling the truth,
but also not misleading shareholders and other stakeholders by presenting information in a biased
way.
Probity can be defined in terms of receipt of gifts or hospitality by trustees. They should certainly
not accept gifts or hospitality which may seem likely to influence their decisions.
1.5.5 Responsibility
Responsibility means management accepting the credit or blame for governance decisions.
Management theories stress that for management to be held properly responsible, there must be a
system in place that allows for corrective action and penalising mismanagement. Responsible
management should act in the best interests of the company and take the necessary steps to
ensure the company stays on the right path.
The board of directors must act responsively to, and with responsibility towards, all stakeholders of
the company. However, the responsibility of directors to other stakeholders, both in terms of to
whom they are responsible and the extent of their responsibility, remains a key point of contention
in corporate governance debates. We shall discuss the importance of stakeholders later in this
chapter.

10
 1: Scope of corporate governance | Part A Corporate governance

1.5.6 Accountability

Key term
Accountability (corporate) refers to whether an organisation (and its directors) are answerable in
some way for the consequences of their actions.

Accountability of directors to shareholders has always been an important part of company law, well
before the development of the corporate governance codes. For example, companies have been
required to provide financial information to shareholders on an annual basis and hold annual
general meetings. However, particularly because of the corporate governance scandals of the last
30 years, investors have demanded greater assurance that directors are acting in their interests.
This has led to the development of corporate governance codes, which we shall consider in the
next chapter. The UK Cadbury Report stresses that making the accountability work is the
responsibility of both parties. Directors, as we have seen, do so through the quality of information
that they provide whereas shareholders do so through their willingness to exercise their
responsibility as owners, which means using the available mechanisms to query and assess the
actions of the board.
As with responsibility one of the biggest debates in corporate governance is the extent of
management's accountability towards other stakeholders such as the community within which
the organisation operates. This has led on to a debate about the contents of financial statements
themselves; for what should financial statements actually account.

1.5.7 Reputation
An organisation's reputation depends on how likely other risks are to crystallise. In the same way
directors' concern for an organisation's reputation will be demonstrated by the extent to which they
fulfil the other principles of corporate governance. There are purely commercial reasons for
promoting the organisation's reputation, that the price of publicly traded shares is often dependent
on reputation and hence reputation is often a very valuable asset of the organisation.
1.5.8 Judgment
Judgment means the board making decisions that enhance the prosperity of the organisation.
This means that board members must acquire a broad enough knowledge of the business and its
environment to be able to provide meaningful direction to it. This has implications not only for the
attention directors have to give to the organisation's affairs, but also the way the directors are
recruited and trained.
The complexities of senior management mean that the directors have to bring multiple
conceptual skills to management that aim to maximise long-term returns. This means that
corporate governance can involve balancing many competing people and resource claims against
each other; although, as we shall see, risk management is an integral part of corporate
governance, corporate governance is not just about risk management.

1.5.9 Integrity

Key term
Integrity means straightforward dealing and competence. Financial reporting should be honest
and should present a balanced picture of the state of the company's affairs. The integrity of reports
depends on the integrity of those who prepare and present them.

Integrity can be taken as meaning someone of high moral character, who sticks to principles no
matter the pressure to do so otherwise. In working life this means adhering to principles of
professionalism and probity. Straightforward dealing in relationships with the different people

11
 Business Assurance

and constituencies whom you meet is particularly important; trust is vital in relationships and belief
in the integrity of those with whom you are dealing underpins this. The Cadbury Report definition
highlights the need for personal honesty and integrity of preparers of financial statements. This
implies qualities beyond a mechanical adherence to accounting or ethical regulations or guidelines.
At times accountants will have to use judgment or face financial situations which aren't covered by
regulations or guidance, and on these occasions integrity is particularly important.
Integrity is an essential principle of the corporate governance relationship, particularly in
relationship to representing shareholder interests and exercising agency. As with financial reporting
guidance, ethical codes don't cover all situations and therefore depend for their effectiveness on
the qualities of the accountant. In addition, we have seen that a key aim of corporate governance is
to inspire confidence in participants in the market and this significantly depends upon a public
perception of competence and integrity.

Self-test question 2
Excellent Limited is a company listed on the Hong Kong Stock Exchange. Excellent Limited is
engaged in construction projects contracted by certain reputable real estate developers. Recently,
the directors of Excellent Limited were aware that one of its key construction projects may face a
significant delay in completion. In accordance with the terms as set out in the respective
construction contract, the customer has the right to claim against Excellent Limited for any loss
arising from such delay. Based on the project team's estimation, the claim may amount to HK$100
million.
Required
From the corporate governance perspective, suggest actions that the directors of Excellent Limited
should take.
(8 marks)
HKICPA June 2015 (amended)
(The answer is at the end of the chapter)

1.6 HKICPA Guide on Corporate Governance

The HKICPA has published several study reports and practice guidance on corporate governance.
The following are some of the more recent of these.
In March 2001, HKICPA issued the Guide Corporate Governance Disclosure in Annual
Reports for the purpose to promote high standards of corporate governance disclosure in annual
reports of Hong Kong companies, focusing especially on listed companies.
The Guide provided practical guidance and examples of corporate governance disclosures that
would fulfil the regulatory requirements at that time in Hong Kong. It also included additional
recommended disclosures that went beyond the rules and regulations of the time and provided
illustrations and examples to show how such voluntary disclosures might be presented. Some of
the Guide's recommendations have now been overridden following the development of the
Corporate Governance Code published by the Hong Kong Stock Exchange.

12
 1: Scope of corporate governance | Part A Corporate governance

The following is the summary of the major recommendations:

Statement on Listed companies and other companies are encouraged to include a

corporate statement of corporate governance in their annual report for
governance communicating to stakeholders.
The content includes information on directors and committees, investor
relations and other matters such as corporate social responsibility.
(Note that the Corporate Governance Code has extended this
requirement and listed companies are now required to include a
Corporate Governance Report in their annual report.)
Directors' In order to enhance comparability and transparency of directors'
remuneration remuneration, detailed disclosure is required for directors'
remunerations such as performance-related pay and non-performance
related pay. The remuneration should be disclosed by individual name
of director.
Disclosure of Directors' standard remuneration should be analysed and details of
standard directors' share options should be disclosed such as value of the share
remuneration and options.
directors' share
options

Non-audit fees paid Disclosure of any non-audit fees should be disclosed as this would
to the auditors affect auditor's independence.

In May 2004, HKICPA issued the Guide Corporate Governance for Public Bodies – a Basic
Framework for the purpose of providing a basic framework for public sector corporate governance
and providing recommendation on good corporate governance.
It outlines a basic framework of corporate governance principles and recommended best practice
for such organisations to adopt, as appropriate.
The Guide aims to assist governing boards, councils and management of public sector bodies to
establish and maintain a clear focus on performance, transparency and accountability. It identifies
certain fundamental principles expected of an organisation, namely openness, integrity and
accountability, and key personal qualities required of governing board members, namely
selflessness, integrity, objectivity, accountability, openness, honesty and leadership, and applied
these principles and qualities to four dimensions of the governance of public sector organisations.

Standards of Ethical conduct – governing board members should endeavour to

behaviour exemplify the personal qualities in their entirety
Codes of conduct – a formal code of ethical conduct should be in place
to define standards of acceptable conduct for governing board
members and employees
Organisational (i) Accountability to stakeholders – directors are accountable to
structures and stakeholders for complying with statutory and regulatory
processes requirements, safeguarding funds and taking proper stewardship
of assets and resources
(ii) Commitment to openness and transparency – the governing
board in all of the main activities of the organisation
(iii) Roles and responsibilities of the board, committees, chairman,
non-executive directors should be clearly disclosed in the annual
report
(iv) Overall human resources policy – there should be effective
policies and procedures to recruit, retain and train suitable staff

13
 Business Assurance

Risk management (i) An effective system of internal control should be in place and
and control operating effectively
(ii) The governing board should have risk management and should
consider the need of contingency plans as risk responses
(iii) An effective internal audit function should be part of the
framework of control
(iv) An effective audit committee should be established
(v) External auditor should be appointed to conduct an audit of
financial statements for public sector organisations
(vi) The governing board should maintain adequate oversight to
ensure there are efficient budgeting and financial management
Accountability, (i) Committees should have regular and informative reporting to the
reporting and governing board
disclosure (ii) Any major issues should be brought to the attention of the board
on a timely basis
(iii) An annual report incorporating financial statement should be
published on a timely basis after the end of the financial year
(iv) Appropriate accounting policies and standards should be adopted
in preparation of financial statements
(v) Financial and non-financial performance measures should be
established and reported.

The Guide draws reference from important overseas studies to provide a set of recommendations
that are suitable for the public sector environment in Hong Kong. It should be applicable to
most types of organisations in the public sector, and the recommendations contained therein can
be tailored to the circumstances of individual organisations, depending on their size, complexity
and resources.
In June 2005, HKICPA issued a Guide Internal Control and Risk Management – a Basic
Framework for the purpose of providing a basic conceptual framework, general principles and
recommendations for a system of internal control and risk management. It also outlines the
responsibilities of the board and senior management in this regard, and the role that other parties,
such as the audit committee and internal auditors, can play. It should help listed companies to
understand and fulfil the requirements on internal controls contained in the Code on Corporate
Governance Practices and the disclosure requirements of the new Corporate Governance Report
(Main Board and the GEM Listing Rules, respectively).
The Guide also emphasises that establishing effective internal controls should not be seen as an
exercise in compliance but is about putting in place processes that will help a business to achieve
its corporate objectives and to identify, assess and manage the significant risks that could
otherwise prevent it from doing so. It is also a question of being more transparent and
accountable to shareholders and other stakeholders about how the business is being run.
In producing this Guide, the Institute has looked at conditions in Hong Kong and has drawn on
important international benchmarks in this field, such as the report published in the US by the
Committee of Sponsoring Organisations of the Treadway Commission, commonly known as
COSO, and the Turnbull Guidance, which formed part of the Combined Code, now known as the
UK Corporate Governance Code.
While the Guide is not intended to be exhaustive or prescriptive in nature, the Institute believes that
the principles and recommendations contained therein will provide a useful reference for listed and
group companies, as well as other companies that aim to implement or enhance their system of
internal control.

14
 1: Scope of corporate governance | Part A Corporate governance

In December 2008, HKICPA published a Guide Defining and Developing an Effective Code of
Conduct for Organisations.
This was originally produced by the International Federation of Accountants (IFAC). Acknowledging
its value to listed companies, public interest and other organisations, the Institute, together with the
Hong Kong Stock Exchange, the Hong Kong Institute of Directors and the Hong Kong Ethics
Development Centre, Independent Commission Against Corruption republished the guide with the
addition of an explanatory foreword by the four bodies.
The Guide is designed to assist professional accountants, and the organisations in which they
work, to develop a code of conduct of their own or to improve an existing code. While it does not
aim to provide detailed and prescriptive terms that are applicable to all organisations, it sets out key
principles and general guidance that should help all types of organisation to develop a more
detailed code of conduct that takes account of their own individual circumstances.
The following are the key principles in the guide, demonstrating widely accepted good practice:

Values-based The organisation's overarching objective should be to develop a values-

organisation based organisation and a values-driven code, to promote a culture that
and culture encourages employees to internalise the principle of integrity and
practise it, and encourages employees to 'do the right thing' by allowing
them to make appropriate decisions.
Code of conduct A code of conduct reflects organisational context. The nature, title and
reflects content of an effective code will vary between organisations, as will the
organisation approach to its development.
context

Commitment from Ultimately, ethical responsibility lies with the board of directors (or its
board of directors equivalent), the body that has power to influence an organisation's
culture and behaviour.
Boards should specifically oversee the development of the code of
conduct (and a wider initiative to achieve a values-based organisation),
and formally appoint a senior manager to supervise that development.
Personnel A multi-disciplinary and cross-functional group including international
personnel should lead code development where organisational size
permits.
Groups of employees and other key stakeholders can help to identify
risks to corporate culture and business conduct and consider potential
vulnerabilities arising from these risks and can usefully assist in defining
and reviewing code content.
Process for Clearly identifying the established process for defining, developing and
defining, reviewing a code will promote understanding of, and agreement on, the
developing and key stages and activities.
reviewing the code

Application across A code of conduct should apply across all jurisdictions in which an
jurisdictions organisation operates, unless contrary to local laws and regulations.

Continuous Continuous awareness and promotion of the code and the wider approach
awareness to ethics and compliance is an important part of conveying management's
and promotion commitment to their underlying principles. A continuous awareness
programme should sustain interest in and commitment to the code.
Employees and others should be made aware of the consequences of not
adhering to the code.

15
 Business Assurance

In March 2014, HKICPA published A Guide on Better Corporate Governance Disclosure following
the development of the Corporate Governance Code of the Hong Kong Stock Exchange from a
relatively short document into extensive rules, requirements and recommendations over the years.
It was felt that some important areas of the Corporate Governance Code were not self-explanatory
and warranted extra explanation. The Guide therefore serves as a practical tool to use alongside
existing guidelines and does not impose any new corporate governance requirements on listed
companies. It is expected that these topics will be further expanded and refined over time.
The aim of the Guide is to encourage meaningful corporate governance disclosures by Hong
Kong listed companies under the revised Code. It contains four parts and within each part, a
number of 'themes' are addressed. The themes cover key areas that disclosures should address.
These are as follows:
(1) The board: its role, what it did during the year and how
Theme A: The board's key roles are setting the issuer's strategy and monitoring the
management's performance.
Theme B: A good board process facilitates the operation of the board.
Theme C: The board's work during the year and how it is linked to the issuer's strategy and
focus.
(2) Accountability and audit: internal controls – sound and effective controls
Theme A: The issuer has to maintain a sound internal controls.
Theme B: The board is responsible for the issuer's maintaining sound internal controls and
should acknowledge this in the Corporate Governance report.
Theme C: The board has to review the system's effectiveness and report to the shareholders
at least on an annual basis.
Theme D: Report users, including investors, would also appreciate a high level description of
key risks facing the issuer, their impact and the mitigating measures taken.
(3) Accountability and audit: audit committee – rigorous and effective oversight
Theme A: Audit committee members, in particular its chairman, must possess the right skills
and experience to effectively carry out their responsibilities.
Theme B: A good process facilitates the working of the audit committee.
Theme C: The audit committee should carry out its responsibilities in an objective and
conscientious manner, to effectively monitor the integrity of the company's financial reporting
and maintain oversight of its internal control and risk management systems and other
relevant internal processes, as stated in its terms of reference.
Theme D: In fulfilling its responsibilities, the audit committee should engage with and assess
the effectiveness of the work of external and internal auditors.
Theme E: In addition, investors would also be interested to know how the audit committee's
focus, including new areas of focus, during the year link to the issuer's strategy, development
and changing risks.
(4) Communication with shareholders: encouraging participation by shareholders
Theme A: The board should maintain effective on-going dialogue with shareholders.
Theme B: AGMs are a special focus of the shareholders' communication policy and should
be treated as an opportunity to enhance two-way communication with shareholders.

16
 1: Scope of corporate governance | Part A Corporate governance

2 Corporate governance and agency

Topic highlights
Agency is extremely important in corporate governance as often the directors/managers are acting
as agents for the owners (principals). Corporate governance frameworks aim to ensure directors/
managers fulfil their responsibilities as agents by requiring disclosure and suggesting they are
rewarded on the basis of performance.

2.1 Nature of agency

Key term
Agency relationship is a contract under which one or more persons (the principals) engage
another person (the agent) to perform some service on their behalf that involves delegating some
decision-making authority to the agent. In other words, in a company, the shareholders are actually
the owners (the principal) of the company, who delegate decision-making authority to the senior
management (the agents). Since the interests of the managers are not always in line with those of
shareholders, they may act in a way that is detrimental to the company as a whole.

There are a number of specific types of agent. These have either evolved in particular trades or
developed in response to specific commercial needs. Examples include factors, brokers, estate
agents, del credere agents, bankers and auctioneers.

2.2 Accountability and reasonable care, skill and diligence

2.2.1 Accountability

Key term
In the context of agency, accountability (agency) means that the agent is answerable under the
contract to his principal and must account for the resources of his principal and the money he has
gained working on his principal's behalf.

Two problems potentially arise with this:

 How does the principal enforce this accountability (the agency problem see below)?
As we shall see, the corporate governance systems developed to monitor the behaviour of
directors have been designed to address this issue; and
 What if the agent is accountable to parties other than his principal – how does he
reconcile possibly conflicting duties?
2.2.2 Reasonable care, skill and diligence
In Hong Kong, the general duties of directors are mainly found in case law (leaving aside certain
specific obligations imposed by the new Companies Ordinance (Cap. 622) and by the articles of
association of a company).
Under section 465 of the new Hong Kong Companies Ordinance (Cap. 622), a director of a
company must exercise reasonable care, skill and diligence. Reasonable care, skill and diligence
mean the care, skill and diligence that would be exercised by a reasonably diligent person with:
(a) The general knowledge, skill and experience that may reasonably be expected of a person
carrying out the functions carried out by the director in relation to the company; and
(b) The general knowledge, skill and experience that the director has.

17
 Business Assurance

The duty is owed by a director of a company to the company. The duty has effect in place of the
common law rules and equitable principles as regards the duty to exercise reasonable care, skill
and diligence, owed by a director of a company to the company. Any breach of duty to exercise
reasonable care, skill and diligence from the director, civil consequences such as penalties would
be imposed.

2.2.3 Fiduciary relationship with stakeholders

Some management theorists have argued that management bears a fiduciary relationship to
stakeholders and to the corporation as an abstract entity. It must act in the interests of the
stakeholders as their agent, and it must act in the interests of the corporation to ensure the
survival of the firm, safeguarding the long-term stakes of each group. Adoption of these principles
would require significant changes to the way corporations are run. Some theorists, for example
Silvia Ayuso, go on to propose a 'stakeholder board of directors', with one representative for
each of the stakeholder groups and one for the company itself. Each stakeholder representative
would be elected by a stakeholder assembly. Companies law would have to develop to protect the
interests of stakeholders.

2.3 The agency problem

Topic highlights
The agency problem arises from separation of ownership from management of the entity and
can cause a conflict of interests if there is a breach of trust by directors by intentional action,
omission, neglect or incompetence.

The agency problem arises when a principal hires an agent to perform in the interest of principal.
In listed companies the agency problem derives from the principals (shareholders) not being able
to run the business themselves and therefore having to rely on agents (board of directors) to do so
for them. This separation of ownership from management can cause a conflict of interest or
moral hazard if there is a breach of trust by directors by intentional action, omission, neglect or
incompetence. This breach may arise because the directors are pursuing their own interests
rather than the shareholders (conflict of interest). Alternatively, the board of directors may
undertake a risky project without considering carefully the full consequences as they have a
different attitude to risk-taking to the shareholders (moral hazard).
For example, if managers hold none or very little of the equity shares of the company they work for,
what is to stop them from working inefficiently, concentrating too much on achieving short-term
profits and hence maximising their own bonuses? Without the incentive of equity ownership the
agent may not look for profitable new investment and growth opportunities, or may over-consume
perquisites such as high salaries and other benefits.
There are two possible approaches to aligning the interests between agent and principal, in order
to remedy this agency problem. One would be to offer incentive plans such as stock options or
equity in the company; the alternative would be to curb managerial controlling powers within the
firm. Ultimately shareholders do possess the right to remove the directors from office. But
shareholders have to take the initiative to do this, and in many companies they may lack the energy
and organisation to take such a step. As a last resort, they can vote in favour of a takeover or
removal of individual directors or entire boards, but this may be undesirable for other reasons.

2.4 Resolving the agency problem: alignment of interests

Agency theory sees employees of businesses, including managers, as individuals, each with his or
her own objectives. Within a department of a business, there are departmental objectives. If
achieving these various objectives leads also to the achievement of the objectives of the
organisation as a whole, there is said to be alignment of interests.

18
 1: Scope of corporate governance | Part A Corporate governance

Key term
Alignment of interests is accordance between the objectives of agents acting within an
organisation and the objectives of the organisation as a whole. Alignment of interests is sometimes
referred to as goal congruence, although goal congruence is used in other ways.

Alignment of interests may be better achieved and the 'agency problem' better dealt with by giving
managers the appropriate incentives, such as profit-related pay, or by providing more longer-term
incentives that are related to the overall company performance. Examples of such remuneration
incentives are:
 Profit-related/economic value-added pay
 Rewarding managers with shares
 Executive share option plans
Such measures might merely encourage management to adopt more 'creative accounting'
methods which will distort the reported performance of the company in the service of the managers'
own ends.
An alternative approach is to attempt to monitor managers' behaviour, for example by
establishing 'management audit' procedures, to introduce additional reporting requirements, or
to seek assurances from managers that shareholders' interests will be foremost in their priorities.
The most significant problem with monitoring is likely to be the agency costs involved, as they
may imply significant shareholder engagement with the company.

3 Stakeholders in corporate governance

Topic highlights
Directors and managers need to be aware of the interests of stakeholders in governance issues.
Governance reports have emphasised the role of institutional investors (insurance companies,
investment houses, or pension funds such as CalPers) in directing companies towards good
corporate governance.

3.1 Stakeholders

Key term
Stakeholders are any entity (person, group or possibly non-human entity) that can affect or be
affected by the achievements of an organisation's objectives. It is a bi-directional relationship.
Each stakeholder group has different expectations about what it wants and different claims upon
the organisation.

3.2 Stakeholder theory

Traditionally, the management of a company has a fiduciary duty to put the shareholders' interests
first. The company converts the input from the investors, employees, and suppliers into goods to
sell to the customer (output). By this model, companies only address the needs and wishes of
those four parties: investors, employees, suppliers and customers.
Stakeholder theory proposes corporate accountability to a broad range of stakeholders. It is
based on companies being so large, and their impact on society being so significant that they
cannot just be responsible to their shareholders. Stakeholders should be seen not as just existing,

19
 Business Assurance

but as making legitimate demands upon an organisation. The relationship should be seen as a
two-way relationship.
What stakeholders want from an organisation will vary. Some will actively seek to influence what
the organisation does; others may be concerned with limiting the effects of the organisation's
activities upon themselves.
There is considerable dispute about whose interests should be taken into account. The legitimacy
of each stakeholder's claim will depend on your ethical and political perspective on whether
certain groups should be considered as stakeholders. Should, for example, distant (developing
world) communities, other species, the natural environment in general or future generations be
considered as legitimate stakeholders?

3.3 Classifications of stakeholders

Stakeholders can be classified by their proximity to the organisation:

Stakeholder group Members

Internal stakeholders Employees, management
Connected stakeholders Shareholders, customers, suppliers, bankers, lenders, trade
unions, competitors
External stakeholders The government, local government (such as the council for a local
district), the public, pressure groups, opinion leaders

There are other ways of classifying stakeholders.

3.4 Reconciling viewpoints of different stakeholders

Enlightened long-term value maximisation offers the best, fairest, method of reconciling the
competing interests of stakeholders. Enlightened long-term value maximisation means pursuing
profit maximisation, but with regard to business ethics and the social consequences of the
organisation's actions. It is argued that the problem with traditional stakeholder theory is that it
gives no indication of how to trade off competing interests; lacking measurable targets, managers
are left unaccountable for their actions.

3.5 Stakeholder and agency theory

It is argued that agency theory does not allow managers to avoid their normal moral obligations,
particularly avoiding harm to others, respecting the autonomy of others, telling the truth and
honouring agreements. Only after fulfilling these can they maximise shareholder wealth. The
agency-principal relationship can only be meaningful if managers attend to the moral principles.
An alternate view, supported by Classical Economics, is that managers are solely responsible for
maximising the value of the firm for the owners. If managers are argued to have social
responsibilities, then they have to act in some ways that are not in the best interests of the owners,
their principals, and in ways that may reduce the value of the firm. They therefore are not acting
properly as agents; instead they are in effect raising taxes and deciding how these taxes should be
spent, which is the proper function of government, not agents.

20
 1: Scope of corporate governance | Part A Corporate governance

4 Major issues in corporate governance

Topic highlights
Key issues in corporate governance reports have included the role of the board, the quality of
financial reporting and auditing, directors' remuneration, risk management and corporate
social responsibility.

We shall examine the major areas that have been affected by corporate governance.

4.1 Duties of directors

The corporate governance reports have aimed to build on the directors' duties as defined in
statutory and case law. These include the fiduciary duties to act in the best interests of the
company, use their powers for a proper purpose, avoid conflicts of interest and exercise a
duty of care.
The new Companies Ordinance (Cap. 622) has introduced a statutory statement to provide clear
guidance in respect of the directors' duty of skill, care and diligence. The old ordinance did not
contain any provisions on this area, and the common law position in Hong Kong was not entirely
clear. The new Companies Ordinance (Cap. 622) now states that a director must exercise
reasonable care, skill and diligence, and it sets out a mixed objective and subjective test to be
applied in determining the standard required. The objective test refers to the general degree of
knowledge, skill and experience that may reasonably be expected of a person carrying out the
functions of the director in question.

4.2 Composition and balance of the board

A feature of many corporate governance scandals has been boards that are dominated by a single
senior executive with other board members merely acting as a rubber stamp. Sometimes the
single individual may bypass the board to further his own interests. Even if an organisation is not
dominated by a single individual, there may be other weaknesses in board composition.
The organisation may be run by a small group centred round the chief executive and chief financial
officer, where appointments may be made by personal recommendation rather than a formal,
objective process.
Hong Kong is quite unique in some respects in that family-owned enterprises compose the major
part of the region's businesses. This poses challenges for the composition and balance of the
board, as family members tend to dominate. A 2001 study by the OECD indicated that around 80%
of listed companies in Hong Kong are controlled by family members.
4.2.1 Independent Non-Executive Directors (INEDs) required to form one-
third of board
One of the new rules from the Consultation paper (see Chapter 2, section 2) is that at least one-
third of an issuer's board should be independent non-executive directors (INEDs).

4.3 Reliability of financial reporting and external auditors

Issues concerning financial reporting and auditing are seen by many investors as crucial
because of their central importance in ensuring management accountability. They have therefore
been the focus of much debate and litigation. While focusing the corporate governance debate
solely on accounting and reporting issues is inadequate, the greater regulation of practices such as
off-balance sheet financing has led to greater transparency and a reduction in risks faced by
investors.

21
 Business Assurance

External auditors may not carry out the necessary questioning of senior management because of
fears of losing the audit, and internal auditors do not ask awkward questions because the chief
financial officer determines their employment prospects. Often corporate collapses are followed
by criticisms of external auditors, where poorly planned audit work failed to identify illegal use of
client monies.

4.4 Directors' remuneration and rewards

Directors being paid excessive salaries and bonuses has been seen as one of the major corporate
abuses for a large number of years. It was therefore inevitable that the corporate governance
codes have targeted this issue.

4.5 Responsibility of the board for risk management and internal

control
Boards that meet irregularly or fail to consider systematically the organisation's activities and risks
are clearly not fulfilling their responsibilities. Sometimes the failure to carry out proper oversight is
due to a lack of information being provided, which in turn may be due to inadequate systems
being in place for the measurement and reporting of risk.

4.6 Rights and responsibilities of shareholders

It is important to know shareholders' rights and the role of shareholders, particularly institutional
shareholders and it has been the subject of much debate. Shareholders should have the right to
receive all material information that may affect the value of their investment and to vote on
measures affecting the organisation's governance.
The Code Provisions state that an issuer must disclose the following 'shareholder rights'
information in its Corporate Governance Report:
 The way in which shareholders can convene an extraordinary general meeting;
 The procedures for sending enquiries to the board (with sufficient contact details); and
 The procedures for making proposals at shareholders' meetings (with sufficient contact
details).

4.7 Corporate social responsibility and business ethics

The lack of consensus about the issues for which businesses are responsible and the stakeholders
to whom they are responsible has inevitably made corporate social responsibility and business
ethics an important part of the corporate governance debate.
The relationship between a company and its stakeholders should be mutually beneficial and this is
the way to create sustained business success and steady long-term growth in corporate value.

4.8 Public and non-governmental bodies' corporate governance

Many of the principles that apply to company corporate governance also apply to government
bodies or other major entities such as charities. Boards will be required to act with integrity, to
supervise the body's activities properly and to ensure appropriate control and risk
management and reporting systems are being maintained.
However, there are certain ways in which companies might differ from other types of organisation,
such as in their ownership (principals), lack of competition and their legal/regulatory environment
within which they operate.

22
 1: Scope of corporate governance | Part A Corporate governance

4.8.1 Composition of boards

This may be determined by regulation or may be tailored by the body's constitution. There may be
more than one board; possibly an executive board for overseeing operations, and a stakeholder
board containing representatives of all major stakeholder groups, which determines objectives and
ensures stakeholder interests are being represented.

4.8.2 Conduct of directors

Directors may be subject to organisation or sector-specific controls to ensure that they act in the
public interest.

4.8.3 Compulsory regulations versus voluntary best practice

Certain guidelines that are voluntary best practice in the corporate sector may be compulsory for
some other sorts of organisation, for example maintenance of an internal audit function.
4.8.4 Disclosure of internal control
Certain types of organisations are required to make disclosures about specific controls such as risk
registers, training, key performance indicators and reporting systems. Regulations such as the
Sarbanes Oxley Act 2002, section 404: Assessment of Internal Controls, have made this a
mandatory disclosure requirement in certain jurisdictions, such as the USA.

4.9 The driving forces underlying the governance code

development
Corporate governance issues came to prominence in the USA during the 1970s and in the UK and
Europe from late 1980s. The main, but not the only, drivers associated with the increasing demand
for the development of governance were as follows:
(a) Increasing internationalisation and globalisation meant that investors, and institutional
investors in particular, began to invest outside their home countries. The King report in South
Africa (1994 and revised in 2002) highlights the role of the free movement of capital,
commenting that investors are promoting governance in their own self-interest.
(b) The differential treatment of domestic and foreign investors, (both in terms of reporting
and associated rights/dividends) and the excessive influence of majority shareholders in
insider jurisdictions, caused many investors to call for parity of treatment.
(c) Issues concerning financial reporting were raised by many investors and were the focus of
considerable debate and litigation. Shareholder confidence in what was being reported in
many instances was eroded. While corporate governance development isn't just about better
financial reporting requirements, the regulation of practices such as off-balance sheet
financing has led to greater transparency and a reduction in risks faced by investors.
(d) The characteristics of individual countries may have a significant influence in the way
corporate governance has developed. The King report in South Africa (1994 and revised in
2002) emphasises the importance of qualities that are fundamental to the South African
culture such as collectiveness, consensus, helpfulness, fairness, consultation and religious
faith in the development of best practice.
(e) An increasing number of high profile corporate scandals and collapses including Maxwell
Communications Corporation (refer to the case study below) and the Enron scandal
prompted the development of governance codes. However, the scandals since then have
raised questions about further measures that may be necessary.

Case study
Robert Maxwell was a Czech refugee who came to the UK in 1940. He served in the British Army
and was awarded the Military Cross. After the war, he built up a massive publishing empire that

23
 Business Assurance

included at various times the Pergamon Press, Mirror Group Newspapers, the Berlitz language
guides and the New York Daily News. He was a famous celebrity, well-known to millions as a
flamboyant Member of Parliament and was heavily involved in professional football as the owner of
Oxford United Football Club and a director of Derby County Football Club.
Maxwell's success meant that at its peak Maxwell Communications plc was one of the largest
publicly quoted companies in the UK.
Like many publishing companies it was necessary to borrow to lever future growth. Maxwell
appeared to have no difficulty in financing his businesses. Although over time there were many
rumours about his business affairs, he adopted a highly litigious approach to his critics and took
several successful libel actions against popular magazines.
As it happened, Maxwell borrowed significant funds from the pensions funds run on behalf of his
companies' employees. Although this practice is subject to rigorous controls today, it was both
unregulated and quite common practice in the 1980s. In the same period he bought and sold
companies frequently in order to disguise the true financial position of his businesses.
In 1991 it was reported that Maxwell's companies were not meeting the statutory reporting
requirements in respect of the pension schemes. Members of these schemes made complaints in
both the UK and the USA. Maxwell's situation was worsened by the fact that he had used his
shares in his own companies to secure long-term borrowings. When the creditors sold these
shares it caused their prices to fall in the market. Maxwell responded by using borrowed funds,
including some of the operating balances of his companies and pension funds, to purchase shares
in order to support the share price.
Maxwell died by drowning in 1991. The official verdict was accidental death, though inevitably there
have been numerous conspiracy theories surrounding the accident even since. As is often the
case, the true situation concerning his businesses did not emerge immediately. It transpired that he
had used many millions of pounds belonging to occupational pension schemes to support his
businesses. Many employees lost their pensions as a result.
In 1995 several directors of Maxwell companies, including his two sons, were tried for fraud but
were acquitted.
The Maxwell scandal and the resultant consequences led to the enactment of stringent new
legislation imposing strict controls on pension funds and their relationships with employers
contributing to the schemes.

4.10 Development of corporate governance codes

To combat these problems codes of best practice were developed in many jurisdictions. Some of
the main provisions of codes have been clear attempts to deal with difficult situations. The problem
of an overbearing individual dominating a company has been countered by recommendations in
many codes that different individuals occupy the position of chief executive and chairman as the
head of a company.
The development of codes has been also prompted by the need to clarify ambiguities in the law, or
require a higher standard of behaviour than local legislation requires. Codes have also been
developed to ensure local companies comply with international best practice.

5 Corporate social responsibility

Topic highlights
Debates on organisations' social responsibilities focus on what these responsibilities are, how
organisations should deal with stakeholders and what aspects of an organisation's environment,
policies and governance are affected.

24
 1: Scope of corporate governance | Part A Corporate governance

5.1 Significance of corporate social responsibility

Businesses, particularly large and high profile ones, are subject to increasing expectations that
they will exercise corporate social responsibility.

5.1.1 Economic responsibilities

Companies have economic responsibilities to shareholders demanding a good return, to
employees wanting fair employment conditions and customers who are seeking good-quality
products at a fair price. Businesses are set up to be properly functioning economic units and so this
responsibility forms the basis of all others.

5.1.2 Legal responsibilities

Since laws codify society's moral views, obeying those laws must be the foundation of
compliance with social responsibilities. Although in all societies corporations will have a minimum
of legal responsibilities, there is perhaps more emphasis on them in some European economies
where the focus of discussion has been whether many legal responsibilities constitute excessive
red tape.

5.1.3 Ethical responsibilities

These are responsibilities that require corporations to act in a fair and just way even if the law
does not compel them to do so.

5.1.4 Philanthropic responsibilities

These are desired rather than being required of companies. They include charitable donations,
contributions to local communities and providing employees with the chances to improve their own
lives.

5.2 Corporate social responsibility and stakeholders

Inevitably discussion on corporate social responsibilities has been tied in with the stakeholder view
of corporate activity, the view that since businesses benefit from the goodwill and other tangible
aspects of society, they therefore owe society certain duties in return, particularly towards those
affected by its activities.

5.2.1 Problems of dealing with stakeholders

Whatever the organisation's view of its stakeholders, certain problems in dealing with them on
corporate social responsibility may have to be addressed.

(a) Collaborating with stakeholders may be time-consuming and expensive

(b) There may be culture clashes between the company and certain groups of stakeholders, or
between the values of different groups of stakeholders with companies caught in the middle
(c) There may be conflict between company and stakeholders on certain issues when they
are trying to collaborate on other issues
(d) Consensus between different groups of stakeholders may be difficult or impossible to
achieve, and the solution may not be economically or strategically desirable
(e) Influential stakeholders' independence (and hence ability to provide necessary criticism)
may be compromised if they become too closely involved with companies
(f) Dealing with certain stakeholders (eg public sector organisations) may be complicated by
their being accountable in turn to the wider public

25
 Business Assurance

5.3 Impact of corporate social responsibility on strategy and

corporate governance
Social responsibilities can impact on what companies do in a number of ways.

5.3.1 Objectives and mission statements

If the organisation publishes a mission statement to inform stakeholders of strategic objectives,
mention of social objectives is a sign that the board believes that they have a significant impact
on strategy.

5.3.2 Ethical codes of conduct

As part of their guidance to promote good corporate behaviour among their employees, some
organisations publish a business code of ethics.

5.3.3 Corporate social reporting and social financial statements

Some organisations, as part of their reporting on operational and financial matters, report on
ethical or social conduct. Some go further, producing social financial statements showing
quantified impacts on each of the organisation's stakeholder constituencies.

5.3.4 Corporate governance

Impacts on corporate governance could include representatives from key stakeholder groups on
the board, or perhaps even a stakeholder board of directors. It also implies the need for a
binding corporate governance code that regulates the rights of stakeholder groups.

5.4 Ownership and corporate social responsibility

Having raised the issue of the social responsibilities of companies, we also need to consider the
responsibilities of shareholders in companies. One view is that shareholders, by buying shares in a
company in the hope of greater returns, buy a responsibility; they should be insisting that those
managing the company carry out a policy that is consistent with the public welfare.
One of the main problems with this view in relation to large corporations is the wide dispersion of
shareholders. This means that shareholders with small percentage holdings have negligible
influence on managers. In addition, the ease with which shareholders can dispose of shares on
the stock markets arguably loosens their feeling of obligation in relation to their property. This then
raises the question of why the speculative (and possibly short-term) interests of shareholders
should prevail over the longer-term interests of other stakeholders.
In corporate governance discussions, the idea of ownership responsibilities have had a significant
influence because of the importance of institutional shareholders. Not only do they have the level
of shareholdings that can be used as a lever to pressure managers, but they themselves have
fiduciary responsibilities as trustees on behalf of their investors.

5.5 Corporate social responsibility guidance in Hong Kong

In August 2012, the Hong Kong Stock Exchange (HKEx) published an Environmental, Social and
Governance Reporting Guide. The Guide is currently recommended practice for all listed
companies with financial years ending on or after 31 December 2012. Subject to future
consultation, HKEx plans to raise the obligation level of some of the disclosures to 'comply or
explain' by 2015.
The Guide encourages listed companies to disclose Environmental, Social or Governance (ESG)
information either in their annual report or in a separate report which can be printed or published on
the company website. It splits ESG information into four subject areas: workplace quality,
environmental protection, operating practices and community involvement. For each subject area

26
 1: Scope of corporate governance | Part A Corporate governance

the Guide suggests KPIs and general disclosures, but does not prescribe how these KPIs are
calculated. Not all subject areas may be relevant for every company, and companies are
encouraged to prioritise those subject areas that are material in the context of their corporate
strategy.

Self-test question 3
Omnipower is an energy producer selling electricity and gas to private and business consumers.
It is a newly-established company, owned by a consortium of energy companies from different
countries.
The production of energy is a topical and controversial issue in the country in which Omnipower
operates. The country is very beautiful and rich in natural resources, so tourism is vital to the
national economy. The inhabitants of the country are fiercely protective of the environment and
their quality of life.
Anxious to build a positive relationship with the communities in which it will operate, Omnipower
has decided to produce a corporate social responsibility statement that will guarantee certain
principles to which it will adhere.
Greenspace, a local environmental pressure group, has already resisted the entry of new energy
companies to the country and has pledged that it will relentlessly pressurise Omnipower to adopt
environmentally friendly policies.
Requirements
(a) Identify the stakeholders in relation to Omnipower. Compare and contrast their respective
needs.
(b) Set out the matters that should be included in Omnipower's corporate social responsibility
(CSR) statement, including details of commitments that the company should make to its
stakeholders.
(The answer is at the end of the chapter)

27
 Business Assurance

Topic recap

Rights of shareholders
Treatment of stakeholders
Disclosure/transparency Code Recommended
Board responsibility provisions best practices

UK Corporate
Governance Code OECD Principles Hong Kong Code

International impact

Agency problem CORPORATE GOVERNANCE Stakeholder theory

Corporate governance reports Main concepts

Role of board Fairness

Quality of financial reporting Transparency
and auditing Independence
Probity
CSR: Directors’ remuneration Responsibility
Economic Risk management Accountability
Legal Reputation
Corporate social
Ethical Judgment
responsibility (CSR) Integrity
Philanthropic
Innovation
Scepticism

28
 1: Scope of corporate governance | Part A Corporate governance

Answers to self-test questions

Answer 1
(a) The OECD Framework proposes that corporate governance be considered in relation to five
areas:
Rights of shareholders
The corporate governance framework should protect shareholders and facilitate their rights
in the company. Companies are obliged to generate investment returns for the risk capital
put up by the shareholders. Directors should be accountable to shareholders in this respect.
Equitable treatment of shareholders
All shareholders should be treated equitably (fairly), including those who constitute a
minority, individuals and foreign shareholders. Shareholders should have redress when their
rights are contravened or where an individual shareholder or group of shareholders is
oppressed by the majority.
Stakeholders
The corporate governance framework should recognise the legal rights of stakeholders.
The company should facilitate co-operation with stakeholders in order to create wealth,
employment and sustainable enterprises.
Disclosure and transparency
Companies should make relevant and timely disclosures on matters affecting financial
performance, management and ownership of the business.
Board of directors
The board of directors is responsible for setting the direction of the company and monitoring
the management of the company in order to achieve its stated objectives. The corporate
governance framework should underpin the board's accountability to the company and its
members.
(b) The term 'probity' relates to honesty but goes further than simply telling the truth. Being
dishonest implies telling lies. A lack of probity, on the other hand, is not giving the true
picture of a situation, or acting in a manner that is misleading to others.
For example, giving raw data or incomplete financial information that may lead to inaccurate
conclusions demonstrates a lack of probity.
The term has been used by several judges in cases of wrongful trading. Often, a business
person may not intend to defraud creditors but may present an over-optimistic view of the
business based on a belief that its fortunes can be turned around.

Answer 2
In Hong Kong, the Code on Corporate Governance Practices ("HK Code") sets out the principles of
good corporate governance. It refers to the companies subject to the Code as "issuers".
The HK Code promotes transparency and openness. Transparency means open and clear
disclosure of relevant information to shareholders and other stakeholders, and not concealing
information, which may affect decision-making. It means open discussion, with a default position of
information provision rather than concealment.
Directors should also hold responsibilities to their stakeholders. Directors should act in the best
interests of the company and take the necessary steps to ensure that the company stays on the
right path.

29
 Business Assurance

Directors are accountable to stakeholders for complying with statutory and regulatory requirements,
safeguarding funds and taking proper stewardship of assets and resources. Any major issues
should be brought to the attention of the board on a timely basis. Financial and non-financial
performance measures should be established and reported.
In this regard, the directors should understand thoroughly the status of the construction with the
operational personnel, in order to evaluate if a significant delay in the completion is likely to arise.
They should consider seeking expert advice from internal or external sources.
Concurrently, the directors should establish measures to respond to the possible losses. For
example, making every effort to negotiate with their customer aiming to minimise the loss and
damage to the company.
The directors should also assess the significance of the impact arising from the delay of the
construction project and consider if a disclosure of the event is required. The impact can be a
financial loss, which may cause a significant loss arising in profit or loss, and a non-financial loss,
which is a reputation risk.

Answer 3
(a) The stakeholders in this situation are:
 Customers of Omnipower
 Owners of Omnipower
 The community and the local environment
 Residents who are not customers
 The government
 Greenspace (whose members may also be customers, residents or both)
 Employees of Omnipower
Using a table for simple presentation:

Stakeholder category Needs

Customers Low prices and good quality service.

Owners of Omnipower Capital growth and dividends. Payback on
investment.
Community and environment No adverse effects on landscape. No
depletion of natural resources if avoidable.
Development of new sources of renewable
energy. As little pollution as possible.
Residents who are not customers Same as community.
Government Compliance with laws. Operations to be
consistent with environmental policy.
Greenspace Same as community and environment.
Employees Stable salary, job satisfaction and future
employment development.

It can be seen from the table that the needs polarise into two sets of stakeholders. The first
set wants the company to be efficient and deliver energy as cost-effectively as possible.
A secondary concern here might be environmental impact. The second set are more
concerned with the impact on the environment as a primary need.
Energy companies are in an almost impossible position in relation to reconciling the needs of
stakeholders when there is polarisation of views.

30
 1: Scope of corporate governance | Part A Corporate governance

(b) A CSR statement should address all major concerns in relation to social responsibilities.
In the case of Omnipower, it should address both social and environmental concerns.
One example of CSR policy is the stakeholder analysis that forms the basis of CSR in CLP
Holdings Ltd, an energy company listed on the Hong Kong Stock Exchange which provides
energy to Hong Kong, mainland China, India, Southeast Asia, Taiwan and Australia.
The company has developed what it terms a 'sustainability framework' under which 15 'goals'
are grouped under four main 'sustainability pillars'.
People - Meet the evolving expectations of our stakeholders
 Zero injuries
 Support a healthy workforce
 Develop committed and motivated employees
 Meet customer expectations
 Earn and maintain community acceptance
 Operate our business ethically
Environment - Minimise environmental impacts
 Move towards zero emissions
 Move towards a more sustainable rate of resource use
 Move towards no net loss of biodiversity
Energy Supply – Deliver world-class products and services
 Supply energy reliably
 Operate efficiently
 Adopt emerging technology in a timely manner
Business Performance – Continually increase business value
 Create long-term shareholder return
 Proactively adapt to a changing business environment
 Enhance individual and organisational capability
It will be apparent from the above list that most of the concerns of the stakeholders of
Omnipower fall into one or more categories.
(Note: Sustainability Framework taken from CLP Holdings 2014 Sustainability Report
https://www.clpgroup.com/en/Sustainability-
site/Report%20Archive%20%20Year%20Document/SR_Full_2014_en.pdf)

31
 Business Assurance

Exam practice

Corporate governance 16 minutes

Trading & Factory Limited ('T&F') has been producing and selling outdoor furniture and garden
ornaments to North America for about ten years. T&F's founder, Mr. Lee, has occupied the roles of
Chairman and Chief Executive for three years, and has largely dominated its board of directors.
T&F struggled financially during 20X8-X9, but it has managed to survive through the recession and
has recently presented the unaudited management accounts for the year ended 31 December
20Y0 to its auditor. Extracted below are certain key financials for the years 20X9 and 20Y0.
Extracts from Extracts from
unaudited management audited financial statements
accounts for the year ended for the year ended
31 December 20Y0 31 December 20X9
HK$'000 HK$'000
Sales 482,100 254,300
Gross margin 30% 29%
Net profit before 98,100 16,200
tax
Current ratio 0.9 1.2
Following the recent revival in performance, Mr. Lee has expressed T&F's desire to go for a listing
within a year or two.
Due to the lack of financial expertise on the board and without a separate audit committee, T&F's
board has been relying on the management letter from its auditor to monitor the operating
effectiveness of its internal controls.
Required
Make three recommendations to improve T&F's corporate governance. (9 marks)
HKICPA June 2011 (amended)

32
chapter 2

Corporate governance
reports and practice
Topic list

1 Significance of international codes 4 Board committees

1.1 Limitations of international codes 4.1 Audit committees
2 Corporate Governance Code in Hong Kong 4.2 Nomination committee
and the UK Corporate Governance Code 4.3 Remuneration committee
2.1 Corporate Governance Code in Hong 5 Management's responsibilities to comply
Kong and the UK Corporate with corporate governance requirements
Governance Code 5.1 Duties of directors
3 Corporate governance developments in 5.2 Composition and balance of the board
Hong Kong 5.3 Reliability of financial reporting and
3.1 Similarities between the Code in Hong external auditors
Kong and the UK Corporate 5.4 Directors' remuneration and rewards
Governance Code
3.2 Comply or explain approach
(principles-based approach)
3.3 Application of principles-based
approaches by investors
3.4 Current issues
3.5 Structure of the Code in Hong Kong
3.6 Corporate Governance Report (CGR) in
Hong Kong
3.7 The New Hong Kong Companies
Ordinance (Cap. 622)

Learning focus

You may well have to discuss the implications of basing governance guidance on principles.
Knowledge of the main features and advantages and disadvantages of corporate governance
codes in general is important, but line-by-line knowledge is not required. Questions normally
require assessment of the strength of corporate governance arrangements in a particular
organisation.
As regards specific codes, the main themes of Sarbanes-Oxley may be tested. The UK
Corporate Governance Code (formerly known as the Combined Code) sets out good practice
but students should be aware of Hong Kong local codes of practice.
The existence of wider social responsibilities is likely to be a theme in questions.

33
 Business Assurance

Learning outcome

In this chapter you will cover the following learning outcomes:

Competency
level
3.01 Background to corporate governance developments 2
3.01.03 Explain corporate governance developments in Hong Kong
and the structure of the Corporate Governance Code and
Corporate Governance Report in Hong Kong
3.02 Key issues relating to corporate governance including 2
directors' remuneration, board composition, audit
committee and non-controlling interests
3.02.02 Describe the corporate governance requirements as set out in
the new Companies Ordinance (Cap. 622) and Hong Kong
Stock Exchange Listings Requirements relating to directors'
responsibilities (for example, risk management and internal
control) and the reporting responsibilities of auditors
3.03 Management's responsibilities to comply with corporate 3
governance requirements and to implement related
practices
3.03.01 Explain the responsibilities of management within the
corporate governance framework
3.03.02 Analyse the structure and roles of board committees and
discuss their drawbacks and limitations
3.04 Auditor's responsibilities to consider and address 3
corporate governance requirements
3.04.01 Explain the auditor's responsibility to consider and address
corporate governance requirements

34
 2: Corporate governance reports and practice | Part A Corporate governance

1 Significance of international codes

Topic highlights
Codes such as the OECD Code mentioned in the previous chapter have been developed from best
practice in a number of jurisdictions. As such, they can be seen as representing an international
consensus. They stress global issues that are important to companies operating in a number of
jurisdictions. The OECD Code for example, emphasises the importance of eliminating
impediments to cross-border shareholdings and treating overseas shareholders fairly.

Although the OECD Code (mentioned in Chapter 1) is non-binding and voluntary, its principles
have been incorporated into national guidance by a number of countries. The OECD Principles
have also been used by world-wide organisations as a basis for assessing the corporate
governance frameworks and practices in individual countries. These assessments are used to
determine the level of policy dialogue with, and technical assistance given to, these countries.
The fact that the local codes of different countries are based on the same international code means
that compliance costs for companies who are operating in many jurisdictions will be reduced.
It also gives investors some confidence about the application of governance rules.
The development of international codes should also be seen in the context of the development of
robust financial reporting rules, since investors' concerns with unreliable accounting information
has meant that they have questioned corporate governance arrangements. Developments in
international accounting standards aim to promote greater international harmony in accounting
practice, and international convergence on corporate governance is consistent with this.

1.1 Limitations of international codes

A number of problems have been identified with international codes.
(a) International principles represent a lowest common denominator of general, fairly bland,
principles.
(b) Any attempt to strengthen the principles will be extremely difficult because of global
differences in legal structures, financial systems, structures of corporate ownership, culture
and economic factors.
(c) As international guidance has to be based on best practice in a number of regimes,
development will always lag behind changes in the most advanced regimes.
(d) The codes have no legislative power.
(e) The costs of following a very structured international regime (such as one based on
Sarbanes-Oxley) may be very burdensome for companies based in less developed
countries that are not used to such regulation.

35
 Business Assurance

2 Corporate Governance Code in Hong Kong and the

UK Corporate Governance Code
2.1 Corporate Governance Code in Hong Kong and the UK
Corporate Governance Code

Topic highlights
The Hong Kong Stock Exchange published the Code on Corporate Governance Practices (the HK
Code) and the Corporate Governance Report (CGR) in November 2004, which is included in the
Appendices (Appendix 14) of the Main Board Listing Rules, and the (Appendix 15) Growth
Enterprise Market (GEM) Listing Rules. The HK Code and CGR became effective in 2005.
Commencing in 2012, amendments were made to the code provisions ('CP'), recommended best
practices ('RBP') and rules.
The HK Code is broken down into six main areas which will be examined later in this chapter:
1 Directors
2 Remuneration of Directors and Senior Management and Board Evaluation
3 Accountability and Audit
4 Delegation by the Board
5 Communication with Shareholders
6 Company Secretary
The UK Corporate Governance Code (formally known as the Combined Code) similarly contains
detailed guidance on good corporate governance, and strongly influences the corporate
governance requirements in other jurisdictions around the world including Hong Kong.

2.1.1 A history of corporate governance

Before we discuss the provisions of the HK Code, there is a history of corporate governance in
other countries, especially in the UK, that affects Hong Kong companies.
As a result of several accounting scandals in the 1980s and 1990s, the Cadbury Code in the UK
was the first code of corporate governance produced, for UK listed companies. Subsequently, in
1995, the Greenbury report added a set of principles on the remuneration of executive directors
for UK listed companies. The Hampel report in 1998 brought the Cadbury and Greenbury reports
together to form the first Combined Code, adding requirements relating to internal control and risk
management. In 1999, Turnbull produced a report explaining how the risk management and
internal control requirements should be applied.
In 2002, the Higgs report (Review of the role and effectiveness of non-executive directors) and the
Smith report on the role of audit committees were produced, and a new Combined Code was
issued.
In 2010, a new Stewardship Code for investment institutions was issued by the Financial
Reporting Council, providing guidelines on the role of investment institutions (as shareholders of
listed companies) in promoting good corporate governance practices. The Combined Code was
also revised in 2010 and renamed as the UK Corporate Governance Code. The amendments
included a clearer statement of the board's responsibilities relating to risk, a greater emphasis on
the importance of getting the right mix of skills and experience on the board, and recommendation
that all directors of FTSE 350 companies be put up for re-election every year. The Code was
revised again in 2012.
The development of corporate governance in Hong Kong is considered on the following pages.

36
 2: Corporate governance reports and practice | Part A Corporate governance

1998
The Hong Kong Stock Exchange issued its guidance of the Code of Best Practice for the Hong
Kong listed companies in 1998, to form the skeleton of a code of best practice to which listed
companies in Hong Kong should aim to adhere. Companies listed on the Main Board were required
to devise their own codes of practice in the interest of both non-executive directors and the
board of directors as a whole. Whereas, for companies listed on the Exchange's Growth Enterprise
Market (GEM) Board, the company had to establish an audit committee with at least three
independent non-executive directors and should appoint competent personnel for some specified
management positions.
2004 – 2005
In 2004, the Hong Kong Stock Exchange issued its draft Code on Corporate Governance Practices
(the Code) and the associated Corporate Governance Report (CGR) to help to strengthen the overall
standard of corporate governance of Hong Kong issuers. The Code on corporate governance
provided a detailed approach to various areas of corporate governance in Hong Kong. The HK
Code replaced the previous Listing Rules (the Code of Best Practice) related to corporate
governance whilst the Rules on the Corporate Governance Report set out the requirements in
respect of the preparation and issuance of a Corporate Governance Report (CGR). The new rules
required the board of directors to prepare an additional report (CGR), for inclusion in the annual
report.
The HK Code and the CGR considered the principles and guidelines set out in the revised UK
Corporate Governance Code and the proposals set by the Standing Committee on Company Law
Reform in June 2003.
The HK Code and the Rules on the CGR were effective for accounting periods commencing on or
after 1 January 2005. The Hong Kong Stock Exchange issued the HK Code and the CGR as
Appendices to the Listing Rules for Main Board issuers and GEM issuers.
As mentioned in Chapter 1, the HKICPA Corporate Governance Committee (the CG Committee)
has issued several publications on corporate governance such as Corporate Governance for Public
Bodies – A Basic Framework in 2004 and Internal Control and Risk Management – A Basic
Framework in 2005 respectively.
2007 – 2009
In February 2009 the Hong Kong Stock Exchange issued its major findings of the third annual
review (2007) of listed issuers' compliance with the Code (the Third Review).
To develop or enhance an in-house code, the Hong Kong Institute of Certified Public Accountants,
The Hong Kong Institute of Directors, the Hong Kong Stock Exchange and the Hong Kong Ethics
Development Centre, Independent Commission Against Corruption (ICAC) sought permission from
the International Federation of Accountants (IFAC) to reproduce 'The International Good Practice
Guide, entitled Defining and Developing an Effective Code of Conduct for Organisations', in Hong
Kong. (We have already discussed the key principles of this guidance in Chapter 1.)
2010 – 2012
Following the financial crisis outbreak in late 2008, the Hong Kong Stock Exchange published a
consultation paper on proposed changes to the HK Code and certain Listing Rules to corporate
governance to enhance the corporate governance in Hong Kong in December 2010. The
consultation period ended in March 2011 where the Hong Kong Stock Exchange adopted most of
the proposals outlined in the Consultation Paper, subject to certain modifications as set out in the
Consultation Conclusions.
The amendments kept the Corporate Governance Code in line with international best practices. In
its first interim/half year or annual report covering a period after 1 April 2012, the issuer had to state,
in that report, whether it had, for that period, complied with the Code Provisions (CPs) in the
revised Code as well as those of the former Code. Issuers were able to adopt the revised Code at
an earlier date than 1 April 2012.

37
 Business Assurance

HKEx's Consultation on Board Diversity

On 7 September 2012, Hong Kong Exchanges and Clearing Limited (the 'HKEx') published its
'Consultation Paper – Board Diversity' (the Consultation Paper) to set out the proposed
amendments concerning board diversity to Appendix 14 (Corporate Governance Code (the Code)
and Corporate Governance Report) to the Rules Governing the Listing of Securities on the Hong
Kong Stock Exchange.
The major purposes of the proposed amendments were to promote effective decision-making and
better governance, and monitoring through diversity in the boardroom. It was proposed that
diversity was to be given a wide interpretation and no criteria was to be prescribed to define its
meaning. An issuer was to take into account various factors to achieve boardroom diversity
depending on its own business model and circumstances, including gender, age, cultural and
educational background and professional experience.
On 13 December 2012, the HKEx published the consultation conclusions on board diversity.
Having received broad support to promote board diversity within listed issuers, the HKEx then
decided to implement new measures. In brief, the measures include a Code Provision ("CP") which
required the issuer to:
 Have a Board Diversity policy
 Disclose the policy or its summary in the issuer's corporate governance report
 Disclose any measurable objectives for implementing the policy and progress on achieving
those objectives
In addition, a note was added under the CP to clarify how the HKEx intended diversity to be
understood. The measures were effective on 1 September 2013. The conclusions were as follows:
(i) Board composition
The board should have a balance of skills, experience and diversity of perspectives
appropriate to the requirements of the issuer's business. It should ensure that changes to its
composition can be managed without undue disruption. It should include a balanced
composition of executive and non-executive directors (including independent non-executive
directors) so that there is a strong independent element on the board, which can effectively
exercise independent judgment. Non-executive directors should be of sufficient calibre and
number for their views to carry weight.
(ii) Appointments, re-election and removal
There should be a formal, considered and transparent procedure for the appointment of
new directors. There should be plans in place for orderly succession for appointments. All
directors should be subject to re-election at regular intervals. An issuer must explain the
reasons for the resignation or removal of any director.
(iii) Nomination Committee
The nomination committee (or the board) should have a policy concerning diversity of board
members, and should disclose the policy or a summary of the policy in the corporate
governance report which is included in the annual report.
Board diversity will differ according to the circumstances of each issuer.
Diversity of board members can be achieved through consideration of a number of factors,
including but not limited to gender, age, cultural and educational background, or
professional experience. Each issuer should take into account its own business model and
specific needs, and disclose the rationale for the factors it uses for this purpose.
2014 – 2015
In December 2014, HKEx published Consultation Conclusions on Risk Management and Internal
Control: Review of the Corporate Governance Code and Corporate Governance Report following
the publication of a consultation paper seeking comments in June 2014.

38
 2: Corporate governance reports and practice | Part A Corporate governance

Amendments to the HK Code following the consultation were effective for accounting periods
ending on or after 1 January 2016. Amendments were made to both the Main Board Listing Rules
and the GEM Rules.
In summary, the main changes to the Code included:
 Incorporating risk management into the Code where appropriate
 Defining the roles and responsibilities of the board and management
 Clarifying that the board has an ongoing responsibility to oversee the issuer's risk
management and internal control
 Upgrading to Code Provisions (CPs) the recommendations in relation to the annual review of
the effectiveness of the issuer's risk management and internal control and disclosures in the
Corporate Governance Report
 Upgrading to a CP the recommendation that issuers should have an internal audit function,
and those without to review the need for one on an annual basis
In December 2015, HKEx published Consultation Conclusions: Review of the Environmental,
Social and Governance Reporting Guide. This followed the publication of a consultation paper
seeking comments in July 2015. Consequently, amendments were made to the Environmental,
Social and Governance Guide and related GEM Listing Rules. In summary, the main changes
included:
 Adding a requirement that issuers must state in their annual report or a separate
environmental, social and governance (ESG) report whether they have complied with the
'comply or explain' provisions set out in the ESG Guide and if not, the reason why
 Revising the introductory section to provide more guidance on reporting and to be more in
line with international standards
 Re-arranging the Guide into two Subject Areas: Environmental and Social
 Upgrading the General Disclosures under each Aspect of the Guide to 'comply or explain'
 Revising the wording of the General Disclosures (where relevant) to be consistent with the
directors' report requirements under the Companies Ordinance (Cap. 622 of the Laws of
Hong Kong) (CO)
 Revising the wording of the recommended (ie voluntary) disclosures of the Guide to bring it
more in line with international standards of ESG reporting by incorporating disclosure of
gender diversity
 Upgrading the Key Performance Indicators (KPIs) under the 'Environmental' Subject Area to
'comply or explain'
The implementation date for the upgrade of the Environmental KPIs to 'comply or explain' was for
issuers' financial years commencing on or after 1 January 2017. All other amendments were
effective for issuers with financial years commencing on or after 1 January 2016.

2.1.2 Principles of the HK Code and the UK Corporate Governance Code

The HK Code lays down standards of good practice for entities on issues such as the composition
of the board, directors' remuneration, accountability and audit, relations with shareholders
communication with shareholders and the role of company secretary.
The HK Code contains a combination of:
 Broad principles
 More specific provisions (Code provisions (CP)
 Recommended best practices (RBPs).

39
 Business Assurance

Companies are required to conduct their corporate governance in accordance with the principles
and to apply the detailed code provisions. They are also encouraged to follow recommended best
practices.
The HK Code applies a 'comply or explain' approach, and listed companies in Hong Kong have
to disclose that they have applied the Code provisions, or if they have not, to provide an
explanation why.
The HK Code refers to companies as 'issuers'. The main principles of the Code are set out
below.

Section A: Directors
The Board
An issuer should be headed by an effective board, which should assume responsibility for
leadership and control of the issuer, and be collectively responsible for promoting the success of
the issuer by directing and supervising the issuer's affairs. Directors should take decisions
objectively and in the best interests of the issuer.
The board should regularly review the contribution required from a director to perform his
responsibilities to the issuer, and whether he is spending sufficient time performing them.
Chairman and Chief Executive
There are two key aspects of the management of every issuer – the management of the board, and
the day-to-day management of the issuer's business. There should be a clear division of these
responsibilities at the board level so that power is not concentrated in any one individual.
Board composition
The board should have a balance of skills, experience and diversity of perspectives appropriate for
the requirements of the business of the issuer. The board should ensure that changes to its
composition can be managed without undue disruption.
It should include a balanced composition of executive and non-executive directors including
independent non-executive directors (INEDs) so that there is a strong independent element on the
board, which can effectively exercise independent judgment. Non-executive directors should be of
sufficient calibre and number for their views to carry weight.
Appointments, re-election and removal
There should be a formal, considered and transparent procedure for the appointment of new
directors. There should be plans in place for orderly succession for appointments. All directors
should be subject to re-election at regular intervals. An issuer must explain the reasons for the
resignation or removal of any director. Non-executive directors should be appointed for a specific
term, subject to re-election.
Nomination committee
In carrying out its responsibilities, the nomination committee should give adequate consideration to
the Principles under board composition and appointments, re-election and removal.
Responsibilities of directors
Every director must always know his responsibilities as a director of an issuer and in conducting its
business activities and development. Given the essential unitary nature of the board, non-executive
directors have the same duties of care and skill, and fiduciary duties as executive directors.
Supply of and access to information
Directors should be provided in a timely manner with appropriate information in the form and of
quality to enable them to make an informed decision and perform their duties and responsibilities.

40
 2: Corporate governance reports and practice | Part A Corporate governance

Section B: Remuneration of directors and senior management and board

evaluation
The level and make-up of remuneration and disclosure
An issuer should disclose its directors' remuneration policy and other remuneration related matters.
The procedure for setting policy on executive directors' remuneration and all directors'
remuneration packages should be formal and transparent. Remuneration levels should be sufficient
to attract and retain the directors needed to run the company successfully, but companies should
avoid paying more than is necessary for this purpose. No director should be involved in deciding
his own remuneration.

Section C: Accountability and audit

Financial reporting
The board should present a balanced, clear and comprehensible assessment of the company's
performance, position and prospects.
Risk management and internal control
The board is responsible for evaluating and determining the nature and extent of the risks it is
willing to take in achieving the issuer's strategic objectives, and ensuring that the issuer
establishes and maintains appropriate and effective risk management and internal control
systems. The board should oversee management in the design, implementation and monitoring of
the risk management and internal control systems, and management should provide a
confirmation to the board on the effectiveness of these systems.
Audit committee
The board should establish formal and transparent arrangements to consider how it will apply
financial reporting, risk management and internal control principles and maintain an appropriate
relationship with the company's auditors. The audit committee established under the Listing Rules
should have clear terms of reference.

Section D: Delegation by the board

Management functions
An issuer should have a formal schedule of matters specifically reserved for board approval. The
board should give clear directions to management as to the matters that must be approved by it
before decisions are made on the issuer's behalf.
Board committees
Board committees should be formed with specific written terms of reference which deal clearly
with their authority and duties.

Section E: Communication with shareholders

Effective communication
The board should be responsible for maintaining an on-going dialogue with shareholders and in
particular, use annual general meetings or other general meetings to communicate with them and
encourage their participation.
Voting by poll
The issuer should ensure that shareholders are familiar with the detailed procedures for conducting
a poll.

41
 Business Assurance

Section F: Company Secretary

The company secretary plays an important role in supporting the board by ensuring good
information flow within the board and that board policy and procedures are followed. The company
secretary is responsible for advising the board through the Chairman and/or the Chief Executive on
governance matters and should also facilitate induction and professional development of directors.
In comparison, the UK Corporate Governance Code sets out standards of good practice in
relation to board leadership and effectiveness, remuneration, accountability and relations with
shareholders.
All companies with a premium listing of equity shares in the UK ('premium listed companies') are
required under the Listing Rules to report on how they have applied the UK Corporate Governance
Code in their annual report and accounts.
The UK Code contains broad principles and more specific provisions, but does not contain
recommended best practices. Listed companies are required to report on how they have applied
the main principles of the Code, and either to confirm that they have complied with the Code's
provisions or – where they have not – to provide an explanation ('comply or explain').
Compared with the HK Code, the UK Corporate Governance Code is substantially more detailed.

2.1.3 Auditors and the Code

The Hong Kong Stock Exchange in October 2011 amended the Main Board/GEM Listing Rules
relating to the Corporate Governance Code ('the revised Code') and associated Listing Rules. One
of the amendments was that the management of a company should ensure the company's auditor
attends the annual general meeting ('AGM') to answer questions relevant to:
(i) The conduct of the audit – responses to questions about the conduct of the audit
(ii) The preparation and content of the auditor's report
(iii) The accounting policies adopted by the company in relation to the preparation of the
financial statements
(iv) The independence of the auditor in relation to the conduct of the audit
(v) Modification to the independent auditor's report, if any.
In response to this new requirement, HKICPA published a Technical Bulletin AATB 2 Guidance to
the Auditor when Responding to Questions at an Annual General Meeting in March 2012. Amongst
other matters, guidance is provided on the auditor's responsibilities in responding to questions,
responses to questions where there is a modification to the auditor's report and how to respond
where the auditor cannot provide an immediate response.
The Rules also require shareholders' approval at a general meeting of any proposal to appoint or
remove an auditor before the end of the term of his office. The Rules require the issuer to send a
circular containing any written representation from the auditor to shareholders and the auditor must
be allowed to make a written and/or verbal representation at the general meeting to remove him.

2.1.4 Executive directors

Executive directors are usually responsible for setting an entity's strategy, formulating policies and
identifying systems and controls and monitoring performance. Let's break this down further:
Setting strategy and guiding policy
Executive directors are ultimately responsible for the safe stewardship of the company, and this
includes all aspects of its management: formulating strategic plans, and translating this into
budgets, HR plans, developing and maintaining assets, investing in technology and ensuring
corporate governance rules or any industry regulation or tax rules are complied with. One important
area in formulating strategy is identifying and controlling risks. Internal audit may have a very
important role to play in this area, although it is a decision made by the executive directors as to

42
 2: Corporate governance reports and practice | Part A Corporate governance

whether to set up an internal audit function, and if so, to direct relevant work activity to that
department.
In an effective board, there should be a balance of power as well as a balance of skills and
experience, and a single individual should not be able to dominate the board. One way of achieving
this is to comply with the provision in the HK Code that the roles of Chairman of the board and
Chief Executive should be separate and should not be performed by the same individual. This
means that no one individual should have unfettered powers of decision.
The board should also take responsibility for monitoring its own fitness to manage the company.
This means an assessment of the knowledge, experience, and skills of the executive directors in
areas core to the entity's business as well as the directors' personal characteristics, such as
integrity, judgment and available energy and time to invest in the business. It also involves
decisions as to new members, good induction procedures and personal development.
The board relies on reliable, timely information from the entity's systems in order to make decisions
and should review the availability and quality of the information available and set up procedures to
improve any deficiencies.
Setting up systems, controls and monitoring
Executive directors are also responsible for the systems used to fulfil the company objectives and
the controls put in place to safeguard against risks, a point we will return to later in this chapter. It
was previously Recommended Best Practice in the HK Code for the boards of listed Hong Kong
companies to consider annually whether an internal audit function is required (HK Code Section
C.2.6). However this requirement was upgraded to a CP for accounting periods beginning on or
after 1 January 2016 following the publication of Consultation Conclusions on Risk Management
and Internal Control: Review of the Corporate Governance Code and Corporate Governance
Report in December 2014.
Executive directors are also responsible for monitoring the effectiveness of the system of
internal control and risk management. An internal audit function can support the board in
ensuring adequate oversight of internal systems and controls and therefore has a primary role to
play in an entity's corporate governance framework.

In the UK, the Turnbull report on the review by the board of the effectiveness of internal control
and risk management made the following recommendations:

Turnbull Guidelines
Have a defined process for the effectiveness of internal control
Review regular reports on internal control
Consider key risks and how they have been managed
Check the adequacy of action taken to remedy weaknesses and incidents
Consider the adequacy of monitoring
Conduct an annual assessment of risks and the effectiveness of internal control; and
Make a statement on this process in the annual report

2.1.5 Non-executive directors

Key term
Non-executive directors are directors who do not have day-to-day operational responsibility for
the company. They are not employees of the company or affiliated with it in any other way.

Non-executive directors may be independent or they may not be independent. When a non-
executive director is considered 'not independent', this means that the individual may be subject to

43
 Business Assurance

the views and influence of others. For example a non-executive director may represent the
interests of a major shareholder, or the director may be subject to the influence of the executive
management team, especially after serving as a non-executive director many years.
The Listing Rules provide guidelines on how the 'independence' of a non-executive director may be
assessed. The HK Code also specifies that if an independent non-executive director has been on
the board for more than nine years, this would be a factor to consider when judging whether he is
still independent.
Board composition has a significant impact on corporate performance. The importance of
independent non-executive directors is their detachment from the day to day operational
responsibility of the company, in other words they are 'objective'. As already stated in Section 2.1.2,
at least one-third of an issuer's board should be independent non-executive directors (INEDs).
A company should also maintain on its website an up-to-date list of all its directors, indicating their
function or role and whether they are INEDs.
Non-executive directors may be appointed to oversee a particular sensitive area such as company
reporting, nomination of directors and remuneration of executive directors. Often entities establish
sub-committees of board members to deal with these issues. We will consider one such sub-
committee, the audit committee, in more detail in Section 4.1.

Self-test question 1
The HK Corporate Governance Code is a Hong Kong Stock Exchange requirement for listed
companies. It is recommended for other companies. Some argue that the HK Code should be
mandatory for all companies.
Requirements
(a) Discuss the benefits of the HK Code to shareholders and other users of financial statements.
(b) Discuss the merits and drawbacks of having such provisions in the form of a voluntary code.
(The answer is at the end of the chapter)

3 Corporate governance developments in Hong Kong

Topic highlights
Listed companies are required to confirm their compliance with the HK Code or, where they do not
comply, to provide explanations for any variation in practice.

3.1 Similarities between the Code in Hong Kong and the

UK Corporate Governance Code
When introducing the revised HK Code and the Rules on the CGR in Hong Kong, the Hong Kong
Stock Exchange noted that the HK Code represents a significant move towards the adoption of
international benchmarks of corporate governance, best practice and disclosure for Hong Kong
listed entities. The HK Code has taken into account the UK Corporate Governance Code.
In contrast to other corporate governance reporting regimes, the Hong Kong Code is broader in
coverage but less onerous in terms of required management action and attestation. This should
translate into a corporate governance framework that empowers business to succeed, while not
having a significant financial impact.
The Hong Kong Stock Exchange has adopted a 'comply or explain' approach, (which we discuss
in the next Section 3.2) to both Main Board and GEM corporate governance provisions. However,
where an issuer chooses not to comply with the relevant Code, the issuer must give considered

44
 2: Corporate governance reports and practice | Part A Corporate governance

reasons for any deviation, although such deviation may not necessarily constitute a breach of
Hong Kong Stock Exchange Listing Rules. In addition, the Hong Kong Stock Exchange requires
Main Board and GEM listed companies to include a Corporate Governance Report (CGR) in the
annual report. The Hong Kong Stock Exchange sets out mandatory and recommended
disclosures (discussed in Section 3.6) for inclusion in the CGR. Failure to include any of the
mandatory disclosures in the CGR will be regarded by the Hong Kong Stock Exchange as a breach
of the Listing Rules.

3.2 Comply or explain approach (principles-based approach)

Topic highlights
Many governance codes have adopted a principles-based approach allowing companies
flexibility in interpreting the codes' requirements and to explain if they have departed from the
provisions of the code.
A continuing debate on corporate governance is whether the guidance should predominantly be in
the form of principles, or whether there is a need for detailed laws or regulations.

Hong Kong has adopted a non-statutory approach for its corporate governance framework, based
on the UK's Corporate Governance Code. This means that the Code is voluntary in nature, with
Hong Kong companies being asked to 'comply or explain' any deviation from the code. The Hong
Kong Stock Exchange requires that disclosures be made as to whether it has been complied with,
but there are no statutory requirements to comply.
Principles-based approaches have often been adopted in jurisdictions where the governing bodies
of stock markets have had the prime role in setting standards for companies to follow. By
comparison the USA has adopted a more rules-based approach in their corporate governance
framework.

3.2.1 Benefits of comply or explain approach (principles-based approach)

Possible benefits of basing corporate governance codes on a series of principles are as follows:
(a) The approach focuses on objectives (for example, the objective that shareholders holding a
minority of shares in a company should be treated fairly) rather than the mechanisms by
which these objectives will be achieved. Possibly therefore, principles are easier to
integrate into strategic planning.
(b) Principles-based approaches can be applied across different legal jurisdictions rather than
being founded in the legal regulations of one country. The OECD Principles are a good
example of guidance that is applied internationally. This will increase global harmonisation.
(c) Where principles-based approaches have been established in the form of corporate
governance codes, the specific recommendations that the codes make are generally
enforced on a comply or explain basis. Listing Rules include a requirement to comply with
codes, but because the guidance is in a form of a code, companies have more flexibility
than they would if the code was underpinned by legal requirements.
(d) The disclosure requirements ensure that shareholders are aware of the position and they
can make any points they want to about compliance with the code at the AGM.
(e) It has been argued that making such a code obligatory would have punitive effects on
some companies, due to their size or investor make up and that legislation would create a
burden of requirement which could be excessive in many cases. Therefore, it is less
burdensome in terms of time and expenditure.
(f) A principles-based approach allows companies to develop their own approach to
corporate governance that is appropriate for their circumstances within the limits laid down
by stock exchanges.

45
 Business Assurance

(g) Enforcement on a comply or explain basis means that businesses can explain why they
have departed from the specific provisions if they feel it is appropriate. In many instances
now, the departures from best practice described in reports are of a minor or temporary
nature. Explanations of breaches have generally included details of how and when non-
compliance will be remedied.

3.2.2 Criticisms of comply or explain approach

(a) A principles-based approach can lay stress on those elements of corporate governance to
which rules cannot easily be applied. These include overall areas such as the requirement
to maintain sound systems of internal control, and 'softer' areas such as organisational
culture and maintaining good relationships with shareholders and other stakeholders.
(b) Disclosure of non-compliance is insufficient as the AGM is still not sufficient protection for
shareholders.
(c) Having a voluntary code allows some companies not to comply freely, to the detriment of
their shareholders.
(d) The requirement to disclose is only a Stock Exchange requirement, and there are many
unlisted companies who should be encouraged to apply the codes.
(e) There may be confusion over what is compulsory and what isn't. Although codes may
state that they are not prescriptive, their adoption by the local stock exchange means that
specific recommendations in the codes effectively become rules, which companies have to
obey in order to retain their listing.
(f) Some companies may perceive a principles-based approach as non-binding and fail to
comply without giving an adequate or perhaps any explanation. Not only does this
demonstrate a failure to understand the purpose of principles-based codes but it also
casts aspersions on the integrity of the companies' decision-makers.

3.3 Application of principles-based approaches by investors

In practice, comply or explain has not led to lots of companies treating compliance as being
voluntary. Analysts and investors have taken breaches, particularly by larger listed companies, very
seriously. The reputation of companies has been adversely affected if they have tried to justify non-
compliance on the grounds of excessive trouble or cost. However the value of smaller or recently
listed companies has been less affected by non-compliance; stock markets have effectively
allowed these companies more latitude even though they have breached the governance codes.
The governments have shown concerns for this area in the past and it is believed that they might
take actions in the future to regulate this area more heavily.
However, at the moment, having a voluntary code is a compromise based on the points made
above.

3.4 Current issues

Some observers attributed the global economic downturn from 2008 to a failure of those in
corporate governance, such as non-executive directors and audit committees, to manage risk
effectively. In particular, several banks in the USA and Europe were criticised for poor governance
and a failure to understand the risk exposures the banks are facing. Other observers argue that it is
not fair to blame directors who, due to rigorous independence requirements, may only have a
limited knowledge of the business or industry and are only allocated a few days a month to their
role. There seems to be an expectations gap between what is expected of those in corporate
governance and the tasks they can reasonably be required to do.
It is likely that corporate governance regulation will be reviewed as regulators react to the situation.
However, it is important that any changes are carefully considered and not just quickly
implemented regulations to appease public opinion.

46
 2: Corporate governance reports and practice | Part A Corporate governance

While it stressed that a different code may not have prevented the current economic conditions, it is
thought that it is an appropriate time to examine its effectiveness.

3.5 Structure of the Code in Hong Kong

Over the years, HKEx has undertaken a series of initiatives to raise the standards of corporate
governance in Hong Kong, improving the quality of disclosures and fostering corporate governance
culture amongst issuers in Hong Kong.
As stated earlier, the HK Code sets out the principles of good corporate governance, and two
levels of recommendations: (a) code provisions; and (b) recommended best practices. Hong Kong
listed companies are expected to comply with the code provisions (or explain any non-compliance).
The recommended best practices are for guidance only. Issuers may also devise their own code on
corporate governance practices on such terms as they may consider appropriate.
For the deviations the listed company must provide reasons in the annual reports and interim
reports.
As we have seen when examining the Code Principles in Section 2.1.2, the Code is structured in
the following sections:
A Directors
B Remuneration of directors and senior management and board evaluation
C Accountability and audit
D Delegation by the board
E Communication with shareholders
F Company secretary

The main Code Provisions in the HK Code are set out below.

Section A Directors
The Board
 The board should meet regularly and board meetings should be held at least four times a
year at approximately quarterly intervals. Director can attend either in person or through
electronic means of communication.
 Arrangements should be in place to ensure that all directors are given an opportunity to
include matters in the agenda for regular board meetings.
 At least 14 days notice should be given of regular board meetings to give all directors an
opportunity to attend. For all other board meetings, reasonable notice should be given.
 Minutes of board meetings and board committee meetings should be kept and should be
open for inspection at any reasonable time on reasonable notice by any director.
 Minutes should record in sufficient detail the matters considered and decisions reached.
Draft and final versions of minutes should be sent to all directors within a reasonable time
after the board meeting is held.
 There should be a procedure to enable directors, upon reasonable request, to seek
independent professional advice in appropriate circumstances, at the issuer's expense.
 Issuers should arrange insurance cover in respect of legal action against its directors.
Chairman and Chief Executive
 The roles of Chairman and Chief Executive should be separate and should not be performed
by the same individual. The division of responsibilities between the Chairman and Chief
Executive should be clearly established and set out in writing.

47
 Business Assurance

 The Chairman should ensure that all directors are properly briefed on issues arising at board
meetings.
Board composition
 An issuer should maintain on its website and on the Exchange's website an updated list of its
directors identifying their role and function and whether they are INEDs.
Appointments, re-election and removal
 Non-executive directors should be appointed for a specific term, subject to re-election.
 If an INED serves more than nine years, his further appointment should be subject to a
separate resolution to be approved by shareholders. Shareholders should be informed of the
reasons why the board believes he is still independent and should be re-elected.
Nomination committee (See Section 4.2 for more details on nomination committees)
 Issuers should establish a nomination committee chaired by the Chairman of the board or an
INED.
Responsibilities of directors
 Every newly appointed director of an issuer should receive a comprehensive, formal and
tailored induction on appointment. Subsequently he should receive any briefing and
professional development necessary to ensure that he has a proper understanding of the
issuer's operations and business and is fully aware of his responsibilities under statute and
common law, the Exchange Listing Rules, legal and other regulatory requirements and the
issuer's business and governance policies.
 Every director should ensure that he can give sufficient time and attention to the issuer's
affairs and should not accept the appointment if he cannot do so.
 All directors should participate in continuous professional development to develop and
refresh their knowledge and skills. This is to ensure that their contribution to the board
remains informed and relevant. The issuer should be responsible for arranging and funding
suitable training, placing an appropriate emphasis on the roles, functions and duties of a
listed company director. Note: Directors should provide a record of the training they received
to the issuer.
Supply of and access to information
 For regular board meetings, and as far as practicable in all other cases, an agenda and
accompanying board papers should be sent, in full, to all directors. These should be sent in a
timely manner and at least three days before the intended date of a board or board
committee meeting (or other agreed period).
 Management has an obligation to supply the board and its committees with adequate,
complete and reliable information, in a timely manner, to enable it to make informed
decisions. Where any director requires more information than is volunteered by
management, he should make further enquiries where necessary.

Section B Remuneration of directors and senior management and board

evaluation
 The remuneration committee should be provided with sufficient resources to perform its
duties.
(See section 4.3 in this Chapter for further information on remuneration committees.)

48
 2: Corporate governance reports and practice | Part A Corporate governance

Section C Accountability and audit

Financial reporting
 Management should provide sufficient explanation and information to the board to enable it
to make an informed assessment of financial and other information put before it for approval.
 Management should provide all members of the board with monthly updates giving a
balanced and understandable assessment of the issuer's performance, position and
prospects in sufficient detail to enable the board as a whole and each director to discharge
their duties.
 The directors should acknowledge in the Corporate Governance Report (CGR) their
responsibility for preparing the accounts. There should be a statement by the auditors about
their reporting responsibilities in the auditor's report on the financial statements.
 Unless it is inappropriate to assume that the company will continue in business, the directors
should prepare the accounts on a going concern basis, with supporting assumptions or
qualifications as necessary.
 Where the directors are aware of material uncertainties relating to events or conditions that
may cast significant doubt on the issuer's ability to continue as a going concern, they should
be clearly and prominently disclosed and discussed at length in the Corporate Governance
Report. The Corporate Governance Report should contain sufficient information for investors
to understand the severity and significance of matters.
Risk management and internal control (see section 1.2 and 1.3 of Chapter 3 for further
information)
 The board should oversee the issuer's risk management and internal control systems on an
ongoing basis, ensure that a review of the effectiveness of the issuer's and its subsidiaries'
risk management and internal control systems has been conducted at least annually and
report to shareholders that it has done so in its Corporate Governance Report. The review
should cover all material controls, including financial, operational and compliance controls.
 The board's annual review should, in particular, ensure the adequacy of resources, staff
qualifications and experience, training programmes and budget of the issuer's accounting,
internal audit and financial reporting functions.
 The issuer should have an internal audit function. Issuers without an internal audit function
should review the need for one on an annual basis and should disclose the reasons for the
absence of such a function in the Corporate Governance Report.
Internal controls
 The directors should at least annually conduct a review of the effectiveness of the issuers' and
its subsidiaries' internal control and report to shareholders that they have done so in their
Corporate Governance Report. The review should cover all material controls, including
financial, operational and compliance controls and risk management functions.
 The board's annual review should, in particular, consider the adequacy of resources, staff
qualifications and experience, training programmes and budget of the issuer's accounting
and financial reporting function.
Audit committee (see section 4.1 for further information on audit committees)
 Full minutes of audit committee meetings should be kept by a duly appointed secretary. Draft
and final versions of minutes of the meetings should be sent to all committee members
within a reasonable time after the meeting.

49
 Business Assurance

Section D Delegation by the board

Management functions
 When the board delegates aspects of its functions to management, it must give clear
directions as to the management's powers, in particular, where management should report
back and obtain prior board approval before making decisions or entering into any
commitments on the issuer's behalf.
 The board should not delegate matters to a board committee, executive directors or
management to an extent that would significantly hinder or reduce the ability of the board as
a whole to perform its functions.
 An issuer should formalise the functions reserved to the board and those delegated to
management.
 An issuer should disclose the respective responsibilities, accountabilities and contributions of
the board and management.
 Directors should clearly understand delegation arrangements in place. Issuers should have
formal letters of appointment for directors setting out the key terms and conditions of their
appointment.
Board Committees
 Where board committees are established to deal with matters, the board should give them
sufficiently clear terms of reference to enable them to perform their functions properly.
 The terms of reference of board committees should require them to report back to the board
on their decisions or recommendations, unless there are legal or regulatory restrictions on
their ability to do so.
Corporate Governance Functions
 The board should be responsible for performing the corporate governance duties set out in
the terms of reference or it may delegate the responsibility to a committee or committees.

Section E Communications with shareholders

Effective communication
 For each substantially separate issue at a general meeting, a separate resolution should be
proposed by the Chairman of that meeting. Issuers should avoid 'bundling' resolutions unless
they are interdependent and linked forming one significant proposal. Where the resolutions
are 'bundled', issuers should explain the reasons and material implications in the notice of
meeting.
 The Chairman of the board should attend the annual general meeting. He should also invite
the Chairmen of the audit, remuneration, nomination and any other committees (as
appropriate) to attend.
 The issuer should arrange for the notice to shareholders to be sent for annual general
meetings at least 20 clear business days before the meeting and to be sent at least 10 clear
business days for all other general meetings.
 The board should establish a shareholders' communication policy and review it on a regular
basis to ensure its effectiveness.
Voting by Poll
 The chairman of a meeting should ensure that an explanation is provided of the detailed
procedures for conducting a poll and answer any questions from shareholders on voting by
poll.

50
 2: Corporate governance reports and practice | Part A Corporate governance

Section F Company Secretary

 The Company Secretary should be an employee of the issuer and have day-to-day
knowledge of the issuer's affairs.
 Where an issuer engages an external service provider as its company secretary, it should
disclose the identity of a person with sufficient seniority (e.g. chief legal counsel or chief
financial officer) at the issuer whom the external provider can contact.
 The board should approve the selection, appointment or dismissal of the Company
Secretary.
 The Company Secretary should report to the board Chairman and/or the Chief Executive.
 All directors should have access to the advice and services of the Company Secretary to
ensure that board procedures, and all applicable law, rules and regulations, are followed.

3.6 Corporate Governance Report (CGR) in Hong Kong

As stated, listed companies are required to include a CGR in each annual report and summary
financial report (if any). The rules on the CGR set out two levels of disclosure:
 Mandatory disclosure requirements: Failure to include these mandatory disclosure in the
CGR will be regarded by the Hong Kong Stock Exchange as a breach of the Listing Rules.
 Recommended disclosures: The Hong Kong Stock Exchange notes that the list of
recommended disclosures is provided for listed companies' references and is not intended to
be exhaustive or mandatory. The level of detail needed varies with the nature and complexity
of issuers' business activities. Issuers are encouraged to include the recommended
disclosure information in their Corporate Governance Report.

Mandatory disclosure requirements

(i) Corporate Governance Practices

A narrative statement explaining how the issuer has applied the principles in the Code, enabling its
shareholders to evaluate how the principles have been applied and a statement as to whether the
issuer meets the code provisions.
If an issuer has adopted its own code that exceeds the code provisions, it may draw attention to
this fact in its annual report and for any deviation from the code provisions, details of the deviation
during the financial year (including considered reasons).
(ii) Directors' Securities Transactions
Whether the issuer has adopted a code of conduct regarding directors' securities transactions on
terms no less exacting than the required standard.
Whether the directors of the issuer have complied with its code of conduct regarding directors'
securities transactions. For any non-compliances, details of these and an explanation of the
remedial steps taken by the issuer to address them.
(iii) Board of Directors
Composition of the board, by category of directors, including name of Chairman, executive
directors, non-executive directors and INEDs.
The number of board meetings held during the financial year.
Attendance of each director, by name, at the board and general meeting. For each named director,
the number of board or committee meetings he attended and separately the number of board or
committee meetings attended by his alternate. Attendance at board or committee meetings by an
alternate director should not be counted as attendance by the director himself.

51
 Business Assurance

A statement of the respective responsibilities, accountabilities and contributions of the board and
management. In particular, a statement of how the board operates, including a high level statement
on the types of decisions taken by the board and those delegated to management.
Details of any non-compliance with appointment of a sufficient number INEDs and appointment of
an INED with appropriate professional qualifications, or accounting or related financial
management expertise.
Reasons why the issuer considers an INED to be independent where he/she fails to meet one or
more of the guidelines for assessing independence.
Relationship (including financial, business, family or other material/relevant relationship(s)), if any,
between board members and in particular, between the Chairman and the Chief Executive.
How each director, by name, complied with the Principle and Code Provisions relating to
'Responsibilities of directors'.
(iv) Chairman and Chief Executive
The identity of the Chairman and Chief Executive and whether the roles of the Chairman and Chief
Executive are separate and exercised by different individuals.
(v) Non-executive directors
The term of appointment of non-executive directors.

Mandatory disclosure requirements

(vi) Board Committees

The role and function of the committee.
The composition of the committee and whether it comprises INEDs, non-executive directors and
executive directors (including their names and identifying the Chairman of the committee).
The number of meetings held by the committee during the year to discuss matters and the record
of attendance of members, by name, at meetings held during the year; and a summary of the work
during the year.
(vii) Auditor's remuneration
An analysis of remuneration in respect of audit and non-audit services provided by the auditors to
the issuer. The analysis must include, in respect of each significant non-audit service assignment,
details of the nature of the services and the fees paid.
(viii) Company secretary
Where an issuer engages an external service provider as its company secretary, its primary
corporate contact person at the issuer including his/her name and position.
(ix) Shareholders' rights
How shareholders can convene an extraordinary general meeting.
The procedures by which enquiries may be put to the board and sufficient contact details to enable
these enquiries to be properly directed.
The procedures and sufficient contact details for putting forward proposals at shareholders' meetings.
(x) Investor relations
Any significant changes in the issuer's constitutional documents during the year.

52
 2: Corporate governance reports and practice | Part A Corporate governance

For the following recommended disclosures, the Code allows issuers to choose to include some or
all of this information:
(a) On its website and highlight to investors where they can access the soft copy by giving a
hyperlink direct to the relevant webpage and/or collect a hard copy of the relevant
information free of charge; or
(b) Where the information is publicly available, by stating where the information can be found.
Any hyperlink should be direct to the relevant webpage.
This choice has been allowed in response to the fact that some issuers may consider that the
recommended disclosure to be too lengthy and detailed to be included in the Corporate
Governance Report.
(xi) Risk management and internal control
Where an issuer includes the board's statement that it has conducted a review of its risk
management and internal control systems in the annual report, it must disclose the following:
(a) Whether the issuer has an internal audit function;
(b) How often the risk management and internal control systems are reviewed, the period
covered, and where an issuer has not conducted a review during the year, an explanation
why not; and
(c) A statement that a review of the effectiveness of the risk management and internal control
systems has been conducted and whether the issuer considers them effective and adequate.
Section C of the Code also requires issuers to include, as part of their Corporate Governance
Report, a narrative statement about how they have complied with the Code provisions on risk
management and internal control during the reporting period. This statement should include:
(a) The processes used by the issuer for identifying, evaluating and managing the significant
risks that it faced
(b) The main features of the issuer's risk management and internal control systems
(c) An acknowledgement by the board that it is responsible for the risk management and internal
control systems and reviewing their effectiveness. It should also explain that such systems
are designed to manage rather than eliminate the risk of failure to achieve business
objectives, and can only provide reasonable and not absolute assurance against material
misstatement or loss
(d) The process used to review the effectiveness of the risk management and internal control
systems and to resolve material internal control defects
(e) The procedures and internal controls for the handling and dissemination of inside information

Recommended disclosures

(i) Share interests of senior management

The number of shares held by senior management (i.e. those individuals whose biographical
details are disclosed in the annual report).
(ii) Investor relations
Details of shareholders by type and aggregate shareholding.
Details of the last shareholders' meeting, including the time and venue, major items discussed and
voting particulars.
Indication of important shareholders' dates in the coming financial year and public float
capitalisation at the year end.

53
 Business Assurance

Recommended disclosures

(iii) Risk management and internal control

 The board may disclose in the Corporate Governance Report that it has received a
confirmation from management on the effectiveness of the issuer's risk management and
internal control systems.
 The board may disclose in the Corporate Governance Report details of any significant areas
of concern.
(iv) Management functions
The division of responsibility between the board and management.
A CP states that the annual report should include an explanation of the basis on which the
company generates or preserves value over the longer term and the strategy for delivering the
objectives of the company.

Self-test question 2
There are several provisions in Section C of the Code on Corporate Governance Practices ("the
Code") about the annual review of the risk management and internal control system of listed
companies. The Code states that the board should conduct a review of the effectiveness of the
company's risk management and internal control system, and report to the shareholders that they
have done so in the Corporate Governance Report.
During the year under review, the Chief Financial Officer ("CFO") of Green Limited reported to its
board that since the second quarter of the financial year, more than half of its information
technology ("IT") staff had left the company. The IT support to Green Limited was intermittent
because only part-time non-IT staff could be employed. The lack of IT support was the cause of
various discrepancies found between Green Limited's sales and inventory ledgers. Hence, the
financial statements closing process has been delayed.
Required
(a) With respect to the board's annual assessment of the listed companies' risk management
and internal control effectiveness, advise as to what information should be included in a
Corporate Governance Report required by the Code. (5 marks)
(b) What are the possible consequences arising from the above incident? Advise as to what
actions the board should consider in order to ensure the internal control of the IT system is
effective in the upcoming financial year. (5 marks)
HKICPA June 2016 (amended)
(The answer is at the end of the chapter)

54
 2: Corporate governance reports and practice | Part A Corporate governance

3.7 The New Hong Kong Companies Ordinance (Cap. 622)

A comprehensive exercise to rewrite the Companies Ordinance (Cap. 32) was launched in mid-
2006 with the aim of modernising Hong Kong's company law and further enhancing Hong Kong's
status as a major international business and financial centre. The Companies Bill was finalised
and introduced into the Legislative Council ("the LegCo") on 26 January 2011. On 12 July 2012,
the Companies Bill was passed by the LegCo.
The new Companies Ordinance (Cap. 622) ("the new CO"), which consists of more than 900
sections and 11 schedules, provides a modernised legal framework for the incorporation and
operation of companies in Hong Kong. It aims to achieve four main objectives, namely, to enhance
corporate governance, ensure better regulations, facilitate business and modernise the law.
To facilitate implementation of the new CO, over ten regulations will have to be made in 2013-14.
In parallel, the Companies Registry will enhance its information system and carry out an overall
review of its procedures and forms for the implementation of the new legislation. The new CO
commenced operation on 3 March 2014.
Under the new CO, there are new measures for enhancing corporate governance and the following
are some of the major measures for the enhancement:
(a) Strengthening the accountability of directors
Restricting the appointment of corporate directors by requiring every private company to
have at least one natural person to act as director, to enhance transparency and
accountability.
Clarifying in the statute the directors' duty of care, skill and diligence with a view to providing
clear guidance to directors.
(b) Enhancing shareholder engagement in the decision-making process
Introducing a comprehensive set of rules for proposing and passing a written
resolution.
Requiring a company to bear the expenses of circulating members' statements relating to the
business of, and proposed resolutions for, Annual General Meetings, if they are received in
time to be sent with the notice of the meeting.
Reducing the threshold requirement for members to demand a poll from 10% to 5% of the
total voting rights.
(c) Improving the disclosure of company information
Requiring public companies and the larger (i.e., companies that do not qualify for simplified
reporting) private companies and guarantee companies to prepare a more comprehensive
directors' report which includes an analytical and forward-looking 'business review', whilst
allowing private companies to opt out by special resolution. The business review will provide
useful information for shareholders. In particular, the requirement to include information
relating to environmental and employee matters that have a significant effect on the
company is in line with international trends to promote corporate social responsibility.
(d) Fostering shareholder protection
Introducing more effective rules to deal with directors' conflicts of interests, including
expanding the requirement for seeking shareholders' approval to cover directors'
employment contracts which exceed three years.
Requiring disinterested shareholders' approval in cases where shareholders' approval is
required for transactions of public companies and their subsidiaries.
Requiring the conduct of directors to be ratified by disinterested shareholders' approval to
prevent conflicts of interest and possible abuse of power by interested majority shareholders
in ratifying the unauthorised conduct of directors.

55
 Business Assurance

Replacing the 'headcount test' with a not more than 10% disinterested voting requirement for
privatisations and specified schemes of arrangement, while giving the court a new discretion
to dispense with the test (in cases where it is retained) for members' schemes.
Extending the scope of the unfair prejudice remedy to cover 'proposed acts and omissions',
so that a member may bring an action for unfair prejudice even if the act or omission that
would be prejudicial to the interests of members is not yet effected.
(e) Strengthening auditors' rights
Empowering an auditor to require a wider range of persons, to provide information or
explanation reasonably required for the performance of the auditor's duties. This includes the
officers of a company's Hong Kong subsidiary undertakings and any person holding or
accountable for the company or its subsidiary undertakings' accounting records. The offence
for failure to provide the information or explanation is extended to cover officers of the
company and the wider range of persons.

4 Board committees
Topic highlights
Many companies operate a series of board sub-committees responsible for supervising specific
aspects of governance. Operation of a committee system does not clear the main board of its
responsibilities for the areas covered by the board committees.
Good use of committees seems to have had a positive effect on the governance of many
companies. It is found that committees had given assurance that important board duties were being
discharged rigorously.

The main board committees are:

 Audit committee – arguably the most important committee, responsible for liaising with
external audit, supervising the internal audit function and reviewing the annual financial
statements and internal controls
 Nomination committee – responsible for recommending the appointments of new directors
to the board
 Remuneration committee – responsible for advising on executive director remuneration
policy and the specific package for each director
 Risk committee – responsible for overseeing the organisation's risk response and
management strategies
Corporate governance guidance has concentrated on the work of the audit, remuneration and
nomination committees. The corporate governance report recommends that no one individual
should serve on all committees; most reports recommend that the committees should be staffed by
non-executive directors and preferably INEDs. We shall now consider the role of committees to see
why their role is deemed to be so significant.

4.1 Audit committees

Topic highlights
An audit committee can help a company maintain objectivity with regard to financial reporting and
the audit of financial statements.

56
 2: Corporate governance reports and practice | Part A Corporate governance

Appendix 14, Section C.3 of the HK Code sets the minimum duties for the audit committee. The
HK Code further determines the role of the audit committee and its role in monitoring the integrity of
the company's financial statements as well as being primarily responsible for the company's
relationship with the external auditors, reviewing the internal controls and recommending the
appointment of external auditors. The company should provide sufficient resources to the audit
committee to discharge its duties.
A former partner of the company's existing auditing firm should be prohibited from acting as a
member of the company's audit committee for a period of one year commencing on the date of
ceasing to be partner of the auditing firm or ceasing to have any financial interest in the auditing
firm (whichever is later).
4.1.1 Role and function of audit committees
An audit committee should be set up. It should consist entirely of non-executive directors and there
should be at least three non-executive directors on the committee. The board should satisfy
itself that at least one member of the audit committee is an INED who has appropriate professional
qualifications, or accounting or related financial management expertise.
The majority of the audit committee members must be INEDs, and the chairman of the audit
committee must be an INED as well.
The exact role of an audit committee will vary from entity to an entity. The audit committee terms of
reference should be set out in writing and publicly available on HKEx and the issuer's websites.
The Code requires that the board should establish formal and transparent arrangements for
considering how it should apply the financial reporting and internal control principles for maintaining
an appropriate relationship with the company's auditors. The provisions relating to this principle are
set out below.

Code provisions relating to the audit committee in Hong Kong

Chapter 3, section 3.21 of the Main Board Listing Rules requires:
'Every listed issuer must establish an audit committee comprising non-executive directors only. The
audit committee must comprise a minimum of three members, at least one of whom is an INED
with appropriate professional qualifications or accounting or related financial management
expertise as required under rule 3.10(2). The majority of the audit committee members must be
independent non-executive directors of the listed issuer. The audit committee must be chaired by
an independent non-executive director.'
The GEM Board (Growth Enterprise Market) has similar requirements in Chapter 5, Section 5.28
covering Audit Committees.
For further assistance the HKICPA (formerly known as the Hong Kong Society of Accountants)
published in February 2002, 'A Guide for Effective Audit Committees'. Listed issuers may refer to
the terms of reference set out in this Guide, or they may adopt any other comparable terms of
reference for the establishment of an audit committee.
The main role and responsibilities should be set out in written terms of reference and should
include:
(a) To monitor the integrity of the financial statements of the company and any formal
announcements relating to the company's financial performance, reviewing significant
financial reporting issues and judgments contained in them.
The audit committee should review arrangements by which staff of the company may, in
confidence, raise concerns about possible improprieties in matters of financial reporting or
other matters. The audit committee's objective should be to ensure that arrangements are in
place for the proportionate and independent investigation of such matters and for
appropriate follow-up action.
The terms of reference of the audit committee, including its role and the authority delegated
to it by the board, should be made available. A separate section of the annual report should
describe the work of the committee in discharging those responsibilities.

57
 Business Assurance

(b) To review the company's internal financial controls and, unless expressly addressed by a
separate board risk committee composed of independent directors or by the board itself, the
company's internal control and risk management systems.
(c) To monitor and review the effectiveness of the company's internal audit function.
Where there is no internal audit function, the audit committee should consider annually
whether there is a need for an internal audit function and make a recommendation to the
board, and the reasons for the absence of such a function should be explained in the
relevant section of the annual report.
(d) To make recommendations to the board on the appointment, reappointment and removal of
the external auditors, to approve the remuneration and terms of engagement of the external
auditors and any questions of resignation or dismissal of the external auditors (section
C.3.3(a) of Appendix 14).
If the board does not accept the audit committee's recommendation, it should include in the
annual report, and in any papers recommending appointment or re-appointment, a statement
from the audit committee explaining the recommendation and should set out reasons why
the board has taken a different position.
(e) To monitor and review the external auditors' independence, objectivity and effectiveness of
the audit process in accordance with applicable standards (section C.3.3(b) of Appendix 14).
To seek information from the external auditors on an annual basis on the external auditors'
processes for maintaining independence and monitoring compliance with relevant
requirements, including any applicable requirement on rotation of engagement team
members.
(f) To develop and implement policy on engagement of the external auditor to supply non-audit
services, taking into account relevant ethical guidance regarding the provisions of non-audit
services by the external audit firm and to report to the board, identifying any matters in
respect of which it considers that action or improvement is needed, and making
recommendations as to the steps to be taken (section C.3.3(c) of Appendix 14).
(g) An audit committee should meet the external auditor at least twice a year.
(h) To ensure co-ordination between the internal audit function (where it exists) and the external
auditors.
(i) To review the external auditors' management letter, any material queries raised by the
external auditors to management in respect of the accounting records, financial statements
or systems of control and management's response.
(j) An audit committee's terms of reference should include arrangements for employees to raise
concerns about financial reporting improprieties.
(k) A RBP recommends the audit committee establish a whistleblowing policy and system.

4.1.2 Advantages and drawbacks of audit committees

The advantages of having an audit committee are as follows:
(a) To improve the quality of financial reporting, by reviewing the financial statements on behalf
of the board.
(b) To create an ethical environment and establish controls which will act as a deterrent and
reduce the opportunity for fraud.
(c) To enable the non-executive directors to inject their experience, expertise and an
independent judgment into the entity's affairs.
(d) To help the Chief Financial Officer, by providing a forum in which he can raise matters of
concern, and a mechanism for resolving potentially difficult issues.

58
 2: Corporate governance reports and practice | Part A Corporate governance

(e) To work with and improve the quality and efficiency of the external auditor, by providing a
means of communication and apparatus to resolve issues of concern.
(f) To provide a framework within which the external auditor can assert his position in the event
of a dispute with management.
(g) To strengthen the status of the internal audit function, by providing a greater degree of
independence from management.
(h) To increase public confidence in the reliability and objectivity of financial statements.
Opponents of audit committees argue the following:
(a) The executive directors may not understand the purpose of an audit committee and may
perceive that it detracts from their authority.
(b) There may be difficulty selecting sufficient non-executive directors with the necessary
competence in auditing matters for the committee to be really effective.
(c) The establishment of such a formalised reporting procedure may dissuade the auditors
from raising matters of judgment and limit them to reporting only on matters of fact; and
(d) Costs may be increased.

4.2 Nomination committee

4.2.1 Role and function of nomination committee
In order to ensure that balance of the board is maintained, corporate governance codes recommend
the board should set up a nomination committee, to oversee the process for board appointments
and make recommendations to the board. The nomination committee needs to consider:
 The skills, knowledge and experience possessed by the current board
 The need for continuity and succession planning
 The desirable size of the board
 The need to attract board members from a diversity of backgrounds
Code Provisions state that a listed company should:
(a) Establish a nomination committee with a majority of INEDs, chaired by an INED or the board
Chairman
(b) Establish a nomination committee with written terms of reference that performs the duties
described
(c) Include, as one of the nomination committee's duties, a review of the structure, size and
composition of the board at least annually to complement the issuer's corporate strategy
(d) Make the nomination committee's terms of reference available on both the issuer's and the
HKEx websites
(e) Ensure a nomination committee has sufficient resources
(f) Enable a nomination committee to seek independent professional advice at the issuer's
expense

4.3 Remuneration committee

4.3.1 Role and function of remuneration committee
In Hong Kong, the key objectives of establishing a remuneration committee are to assist the board
of directors in maintaining a formal and transparent procedure for setting policy on directors'
remuneration, and to determine an appropriate remuneration package for all directors. The
remuneration committee should ensure that remuneration arrangements support the strategic aims
of the business, and enable the recruitment, motivation and retention of senior executives while

59
 Business Assurance

complying with all rules and regulations. According to the HK Code, issuers should establish a
remuneration committee with specific written terms of reference which deal clearly with its authority
and duties. A majority of the members of the remuneration committee should be INEDs. The
Chairman of the remuneration committee should be an INED.
There should be written terms of reference for the remuneration committee. Any listed company
that fails to comply with these rules should immediately announce its reasons for not doing so and
any other relevant details. The listed company will have a three-month period to rectify its non-
compliance.
The remuneration committee should consult the Chairman and/or Chief Executive about their
proposals relating to the remuneration of other executive directors. Where necessary it adds that
professional advice can be sought by the remuneration committee, however any professional
advice made available to a remuneration committee should be independent;
The remuneration committee should only perform an advisory role to the board, with the board
retaining the final authority to approve executive directors' and senior management's remuneration.
It should ensure that its terms of reference are available on both the issuer's and the Hong Kong
Stock Exchange websites.
Overall, the remuneration committee plays the key role in establishing remuneration arrangements.
In order to be effective, the committee needs both to determine the organisation's general policy on
the remuneration of executive directors and specific remuneration packages for each director.

Self-test question 3
Peace Limited is a company listed on the Hong Kong Stock Exchange and has entered into an
agreement with Mr. Chan, an executive director of Peace Limited, for consultancy services.
Pursuant to the agreement, Peace Limited will pay HK$10 million to Mr. Chan for general
consultancy services such as promoting the image of Peace Limited in the market.
Required
Suggest the corporate governance measures required (ignoring the Hong Kong Listing Rules
requirements on connected transactions) to enhance the transparency of transactions with
directors in Peace Limited.
(8 marks)
HKICPA June 2014 (amended)
(The answer is at the end of the chapter)

5 Management's responsibilities to comply with

corporate governance requirements
The powers of directors to run the company are set out in the company's constitution or articles
of association.
Under corporate governance best practice there is a distinction between the role of executive
directors, who are involved full-time in managing the company, and the non-executive
directors, who primarily focus on monitoring. However, under Companies Law, in most
jurisdictions the legal duties of directors apply to both executive and non-executive directors.
Section A of Appendix 14 covers the issues relating to directors.

5.1 Duties of directors

The corporate governance reports have aimed to build on the directors' duties as defined in
statutory and case law duties of directors. These include the fiduciary duties to act in the best

60
 2: Corporate governance reports and practice | Part A Corporate governance

interests of the company, use their powers for a proper purpose, avoid conflicts of interest
and exercise a duty of care.

5.2 Composition and balance of the board

A feature of many corporate governance scandals has been boards dominated by a single senior
executive with other board members merely acting as a rubber stamp. Sometimes the single
individual may bypass the board to action his own interests. Even if an organisation is not dominated
by a single individual, there may be other weaknesses in board composition. The organisation may
be run by a small group centred round the Chief Executive and Chief Financial Officer, and
appointments may be made by personal recommendation rather than a formal, objective process.
As we shall see, the board must also be balanced in terms of skills and talents from several
specialisms relevant to the organisation's situation.

5.3 Reliability of financial reporting and external auditors

Issues concerning financial reporting and auditing are seen by many investors as crucial because
of their central importance in ensuring management accountability. They have therefore been the
focus of much debate and litigation. While focusing the corporate governance debate solely on
accounting and reporting issues is inadequate, the greater regulation of practices such as off-balance
sheet financing has led to greater transparency and a reduction in risks faced by investors.
External auditors may not carry out the necessary questioning of senior management because of
fears of losing the audit, and the internal audit function do not ask awkward questions because
the Chief Financial Officer determines their employment prospects. Often corporate collapses
are followed by criticisms of external auditors, where poorly planned and focused audit work failed
to identify illegal use of client monies.

5.4 Directors' remuneration and rewards

Packages will need to attract, retain and motivate directors of sufficient quality, while at the
same time taking into account shareholders' interests as well. However, assessing executive
remuneration in an imperfect market for executive skills may prove problematic. The remuneration
committee needs to be mindful of the implications of all aspects of the package, also the
individual contributions made by each director.
Directors being paid excessive salaries and bonuses has been seen as one of the major corporate
abuses for a large number of years. It is therefore inevitable that the corporate governance codes
have targeted this issue, with such measures as:
(a) Directors' remuneration should be set by independent members of the board
(b) Any form of bonus should be related to measurable performance or enhanced shareholder
value
(c) There should be full transparency of directors' remuneration, including pension rights, in
the annual financial statements
In order for readers of the financial statements to achieve a fair picture of remuneration
arrangements, the annual report would need to disclose:
 Remuneration policy
 Arrangements for individual directors
Other disclosures that may be required by law or considered as good practice include the duration
of contracts with directors, and notice periods and termination payments under such
contracts. Details of external remuneration consultants employed by the remuneration
committee to advise on determining remuneration should be provided.

61
 Business Assurance

Topic recap

Listed companies Compliance responsibility

required to 'comply of the Board (possibly
or explain' supervised by sub-committees)

Influenced by OECD Corporate Governance

Code and UK HONG KONG CODE Report (CGR)
Corporate Governance
Code
Six main areas: Distinction betweetn role
1. Directors of executive and
2. Remuneration of directors non-executive directors
and senior managers and board
evaluation
3. Accountability and audit Board responsible for
4. Delegation by the board effectiveness of controls
5. Communication with shareholders
6. Company secretary

62
 2: Corporate governance reports and practice | Part A Corporate governance

Answers to self-test questions

Answer 1
(a) Benefits of the HK Code
Shareholders
Of key importance to the shareholders are the suggestions that the HK Code makes in
respect of the annual general meeting. In the past, particularly for large listed companies,
AGMs have sometimes been forbidding and unhelpful to shareholders. The result has been
poor attendance and low voting on resolutions.
The HK Code requires that separate resolutions are made for identifiably different items
which should assist shareholders in understanding the proposals laid before the meeting.
It also requires that director members of various important board committees (such as the
remuneration committee) be available at AGMs to answer shareholders' questions.
Internal controls
Another important area for shareholders is the emphasis placed on directors monitoring and
assessing internal controls in the business on a regular basis. While it is a statutory
requirement that directors safeguard the investment of the shareholders by instituting
internal controls, this additional emphasis on quality should increase shareholders'
confidence in the business.
Directors re-election
The requirements of the HK Code also make the directors more accessible to the
shareholders. They are asked to submit to re-election every three years. They are also
asked to make disclosure in the financial statements about their responsibilities in relation to
preparing financial statements and going concern.
Audit committee
Last, some people would argue that the existence of an audit committee will lead to
shareholders having greater confidence in the reporting process of an entity.
Other users
The key advantage to other users is likely to lie in the increased emphasis on internal
controls as this will assist the company in operating smoothly and increasing viability of
operations, which will be of benefit to customers, suppliers and employees.
(b) Voluntary code
Adherence to the HK Code is not a statutory necessity, although it is possible that in the
future, such a code might become part of company law.
Advantages
The key merit of the HK Code being voluntary for most companies is that it is flexible.
Companies can review the Code and make use of any aspects which would benefit their
business.
If they adopt aspects of the HK Code, they can disclose to shareholders what is being done
to ensure good corporate governance, and what aspects of the HK Code are not being
followed, with reasons.
This flexibility is important, for there will be a cost of implementing such a Code, and this
cost might outweigh the benefit for small or owner-managed businesses.

63
 Business Assurance

Disadvantages
Critics would argue that a voluntary code allows companies that should comply with the
Code to get away with non-compliance unchallenged.
They would also argue that the type of disclosure made to shareholders about degrees of
compliance could be confusing and misleading to shareholders and exacerbate the
problems that the Code is trying to guard against.

Answer 2
(a) The report should comprise an assessment of risk management and internal control and
should confirm that the board has considered all significant aspects of internal control based
on its identification of business risks. In particular, the report should include the following:
(i) Any changes since the last assessment in the nature and extent of the significant risks
faced by the company, and the company's ability to respond to changes in its business
environment.
(ii) The scope and quality of the monitoring by management of risk and internal control,
and the scope and quality of the work of the internal audit function, if such a function
exists in the company.
(iii) The extent and frequency of reporting to the board (or board committee) on the results
of this ongoing monitoring activity. This regular reporting enables the board or
committee to build up a cumulative assessment of the state of internal control and the
effectiveness of risk management.
(iv) The incidence of any significant control failings or deficiencies that have been
identified which have a material impact on the company's financial performance or
position, or might have a material impact in the future.
(v) The effectiveness of the company's processes for compliance with financial reporting
rules and Listing Rules.
In addition, a narrative statement about how they have complied with the Code provisions on
risk management and internal control during the reporting period. In particular, they should
disclose:
(i) The process used to identify, evaluate and manage significant risks;
(ii) The main features of the risk management and internal control systems;
(iii) An acknowledgement by the board that it is responsible for the risk management and
internal control systems and reviewing their effectiveness;
(iv) The process used to review the effectiveness of the risk management and internal
control systems; and
(v) The procedures and internal controls for the handling and dissemination of inside
information.
As a listed company, Green Limited should have an internal audit function. If the company
does not have such a function they should review the need for one on an annual basis and
the report should also disclose the reasons for the absence of an internal audit function.
(b) During the year under review, Green Limited had experienced significant control failings with
regard to its IT system. The IT system has a material impact on the company's sales and
inventory processes and its financial reporting.
The discrepancies found in the company's sales and inventory ledgers may cause material
misstatements in its financial statements.
The lack of IT support may also cause a failure to safeguard Green Limited's assets if sales
and inventories are not properly recorded.

64
 2: Corporate governance reports and practice | Part A Corporate governance

The board of Green Limited should consider in particular:

 The resources in the accounting and financial reporting function may not be adequate
because reconciliation of these discrepancies is required;
 The qualifications and experience of the staff of the IT-related financial reporting
function do not meet requirements because only part-time and non-IT staff are
employed;
 Increasing the budget to recruit more qualified staff to remediate the existing control
failure; and
 Implementing the remediation plan to ensure the internal control of the IT system is
effective.

Answer 3
The Hong Kong Stock Exchange sets out the principles of good corporate governance in the
Corporate Governance Code ('the Code') included in the Appendix of the Main Board Listing Rules.
The recommended corporate governance measures Peace Limited should consider include:
Composition and balance of the board of directors
A single individual may bypass the board to action his own interest. The board should include
directors with proper knowledge and experience in assessing the reasonableness of material
transactions entered into by Peace Limited. The mix between executive and independent non-
executive director should also be balanced to allow a proper review of management activities.
Audit committee
Peace Limited is a company listed on the Hong Kong Stock Exchange. It must establish an audit
committee according to the listing rules. An audit committee should be established to review Peace
Limited's internal financial controls. The Code has already a requirement that the Audit Committee
should be independent from the management. The committee should also be kept abreast of the
information and developments in Peace Limited's as a monitoring measure against contract with
directors.
Remuneration Committee
The Code requires the establishment of a Remuneration Committee, consisting of the majority of
independent executive directors, to approve the remuneration of directors and executives. A
reasonable remuneration package for the management is usually a general measure to prevent
senior management from acting for self-interest or committing wrong-doings at the expense of the
company's interest.
Other measures
Typical corporate governance measures also include an employee whistle-blowing scheme where
employees are encouraged to report exceptional or suspicious related party activities e.g. fraud or
collusion and corporate governance issues. Peace Limited should consider establishing such a
communication channel.

65
 Business Assurance

Exam practice

DREIT 25 minutes
Dummy Real Estate Investment Trust (DREIT) is a mid-size real estate investment trust listed in
Hong Kong. With a portfolio of 50 real estates comprising retail malls, commercial premises and
car park facilities, DREIT was established by a trust deed (Trust Deed).
DREIT has a manager (Manager) who has the general power to manage DREIT's assets in the
interests of its unitholders (Unitholders) in accordance with the Trust Deed. A Board of Directors is
responsible for the Manager's overall governance, including establishing targets for executive
management and monitoring the achievement of these targets. DREIT's trustee (Trustee) is
responsible under the Trust Deed for the safe custody of DREIT's assets and holds the same for
and on behalf of the Unitholders. The Manager is independent of the Trustee.
DREIT aims to produce a sustainable stream of income from its portfolio and to maximise the value
through the enhancement of its physical built structure, trade-mix, marketing and customer service.
As these enhancement projects progress, the portfolio offers customers better shopping facilities
with more choices at reasonable prices, whilst improving returns for the Unitholders.
Since its listing on the Hong Kong Stock Exchange in December 20X8, DREIT has been paying the
Unitholders at about 90% of its net income and has demonstrated consistent growth in distribution
per unit. A substantial portion of the remuneration of DREIT's senior executives is closely linked to
the growth rate of the distribution per unit.
Certain DREIT's financial and operating data are set out as follows:

Year ended Year ended

31 December 20Y0 31 December 20X9

Revenue HK$404 million HK$385 million

Net property income margin 35% 35%
Distribution per unit 49 cents 43 cents
Average monthly unit rent HK$26 per square foot HK$26 per square foot
Occupancy rate 91% 87%
Gearing 20% 18%

Mr Kwok is the audit director of a CPA incorporated practice in charge of the audit of DREIT's
financial statements for the year ended 31 December 20Y0.
In April 20Y0, DREIT made an acquisition of a block of low-rise commercial premises in the New
Territories. Part of the premises suddenly collapsed in December 20Y0. There was no casualty
reported and DREIT's manager believed that the damages are fully covered by its group insurance
policy. However, emerging evidence indicates that there was an illegal extension built on the
premises which might have caused the collapse. If it is the case, the damage could be an
uninsured loss.
(Note. DREIT is a collective investment scheme in the form of a unit trust established by a trust
deed, authorised by the Securities and Futures Commission under the Securities and Futures
Ordinance and regulated by the provisions of the Code on Real Estate Investment Trusts.)

66
 2: Corporate governance reports and practice | Part A Corporate governance

DREIT has established an audit committee to comply with the Listing Rules of the Hong Kong
Stock Exchange.
Required
(a) To what extent can the establishment of an effective audit committee improve DREIT's
corporate governance in the context of external auditing, financial reporting and internal
control? (8 marks)
(b) Describe some ways to gauge the effectiveness of DREIT's audit committee. (6 marks)
(Total = 14 marks)
HKICPA December 2011

67
 Business Assurance

68
Part B
Internal assurance

Internal assurance is an important concept linked to a good corporate governance

environment.
A discussion of internal assurance helps students to perform the environmental consideration
for assurance purposes. Internal assurance is also an input to the audit risk assessment
process.

69
 Business Assurance

70
chapter 3

Internal assurance
Topic list

1 Internal control effectiveness 3 Sarbanes-Oxley Act 2002

1.1 Importance of internal control and risk 3.1 The Enron scandal
management 3.2 The Sarbanes-Oxley Act 2002
1.2 Directors' responsibilities for risk 3.3 Detailed provisions of the Sarbanes-
management and internal control Oxley Act
1.3 Annual assessment of the effectiveness 3.4 Impact of Sarbanes-Oxley in America
of risk management and internal control 3.5 International impact of Sarbanes-Oxley
systems 3.6 Impact of Sarbanes-Oxley in Hong Kong
1.4 Auditors' responsibilities for internal 3.7 Criticisms of Sarbanes-Oxley
control 4 Internal auditors
2 Internal audit and corporate governance 4.1 Using the work of internal auditors
2.1 Introduction 4.2 Relationship between HKSA 315
2.2 Internal audit and corporate governance (Revised 2016) and HKSA 610 (Revised
2.3 The role of internal audit in risk 2013)
management 4.3 Internal audit function
2.4 Outsourcing the internal audit function 4.4 Evaluating the internal audit function
2.5 Managing an outsourced department 4.5 Using the work of the internal audit
function
4.6 Using internal auditors to provide direct
assistance
4.7 Documentation
4.8 Distinction between internal and external
audit
4.9 Responsibility for fraud and error
4.10 Limitations of the internal audit function

Learning focus

Internal assurance can be regarded as a key concept that underpins the whole of business
assurance. As we shall see in this chapter, internal assurance relates both to the wider
principles of corporate governance that we have discussed in the first two chapters of this
Learning Pack and also to the role of the internal audit function within the context of an
individual entity.

71
 Business Assurance

Learning outcome

In this chapter you will cover the following learning outcomes:

Competency
level
2.09 Audit procedures 3
2.09.05 Explain the importance of internal control to auditors and the
execution of tests of control
2.11 Internal audit 2
2.11.01 Explain the relationship between internal auditors and external
auditors
2.11.02 Discuss why auditors may rely on the work of others, including
internal audit, experts and service organisations
3.05 Implications of overseas legislation such as the Sarbanes- 2
Oxley Act 2002 on Hong Kong companies and auditors
3.05.01 Explain the effect of the Sarbanes-Oxley Act 2002 on Hong
Kong companies and their auditors

72
 3: Internal assurance | Part B Internal assurance

1 Internal control effectiveness

Topic highlights
It is the directors of a company who are ultimately responsible for ensuring that a company's
system of controls is effective.

1.1 Importance of internal control and risk management

The role of internal controls are to:
 Safeguard the company's assets
 Help to prevent and detect fraud
 Protect the shareholders' investment
Good internal control is designed to reduce identified risks to the business. It helps deter and
detect fraud. Good internal control also helps to ensure reliability of reporting, and compliance with
laws.

1.2 Directors' responsibilities for risk management and internal

control
The board is responsible for:
 Evaluating and determining the nature and extent of the risks it is willing to take in achieving
the issuer's strategic objectives;
 Ensuring the issuer establishes and maintains appropriate and effective risk management
and internal control systems; and
 Overseeing management in the design, implementation and monitoring of the risk
management and internal control systems; management should provide a confirmation to the
board on the effectiveness of these systems.

1.2.1 Setting up internal control

Setting up internal controls necessitates assessing the risks faced by the business, so that the
system can be constructed to ensure that those risks are mitigated.
Internal control will always have inherent limitations. No system of internal control is tight enough
to eliminate totally the possibility of human error, or the chance that employees will collude in fraud
to override the controls in place which might prevent the fraudulent intentions of an employee
working alone.

1.2.2 Monitoring risk management and internal control

The board should:
 Oversee the issuer's risk management and internal control systems on an ongoing basis;
 Ensure a review of the effectiveness of the issuer's and its subsidiaries' risk management
and internal control systems has been conducted at least annually. The review should cover
all material controls, including financial, operational and compliance controls; and
 Report to shareholders that it has done so in its Corporate Governance Report.

73
 Business Assurance

The board monitors risk management and internal control systems through an internal audit
function. Code provision C.2.5 states the issuer should have an internal audit function. Issuers
without an internal audit function should:
 Review the need for one on an annual basis; and
 Disclose the reasons for the absence of such a function in the Corporate Governance
Report.
The annual review of the effectiveness of the issuer's risk management and internal control
systems is explained in more detail in section 1.3.

1.3 Annual assessment of the effectiveness of risk management

and internal control systems
There are several provisions in section C of the Code about the annual review of the risk
management and internal control systems.
The Code states that the annual review should consider in particular:
 The adequacy of resources in the accounting, internal audit and financial reporting functions
 The qualifications and experience of the staff in the accounting, internal audit and financial
reporting functions
 Their training programmes and budget.
The annual review should consider in particular:
(a) Any changes since the last annual review in the nature and extent of the significant risks
faced by the company, and the company's ability to respond to changes in its business
and external environment.
(b) The scope and quality of the ongoing monitoring of the risks and internal control systems by
management, and the scope and quality of the work of the internal audit function, if such a
function exists in the company.
(c) The extent and frequency of reporting to the board (or board committee) on the results of
this ongoing monitoring activity. This regular reporting enables the board or board committee
to assess control and the effectiveness of risk management.
(d) The incidence of any significant control failings or weaknesses that have been identified
during the period, and the extent to which they have a material impact on the company's
financial performance or condition, or might have a material impact in the future.
(e) The effectiveness of the company's processes for compliance with financial reporting
rules and Listing Rules.
Refer to section 3.6 of Chapter 2 for details of the disclosure requirements in the Corporate
Governance Report.

1.4 Auditors' responsibilities for internal control

The Corporate Governance Code (Appendix 14 of the Listing Rules) does not mention specifically
that the auditors have a responsibility for internal control. However, in the UK guidance is given in
Bulletin 2009/4.
The auditors should concentrate on the review carried out by the board. The objective of the
auditors' work is to ascertain whether the entity's reporting of its internal control processes is
consistent with the financial statements for the year and is supported by the documentation
prepared by the directors.
The auditors should review the statement made by the board in the financial statements and the
supporting documentation and make appropriate inquiries.

74
 3: Internal assurance | Part B Internal assurance

Auditors will have obtained some understanding of the entity's controls from their work on the financial
statements; however, what they are required to do by auditing standards is narrower in its scope than
the review performed by the directors. The auditors should review the statements made on internal
control in the annual report to ensure that they appear true and are not in conflict with the audited
financial statements.
The auditors are not required to consider whether the board's statements on internal control cover
all risks and controls, or form an opinion on the effectiveness of the company's corporate
governance procedures or its risk and control procedures.
However, it is very important for auditors to communicate quickly to the directors any material
deficiencies they do uncover, because of the requirements for the directors to make a statement on
internal control.
The directors are required to consider the material internal control aspects of any significant
problems disclosed in the financial statements. Auditors' work on this is the same as on other
aspects of the statements; the auditors are not required to consider whether the internal control
processes will remedy the problem.
The auditors may report by exception if problems such as the following arise:
(a) The board's report of the process of review of internal control effectiveness does not
reflect the auditors' understanding of that process.
(b) The processes that deal with material internal control aspects of significant risk areas do
not reflect the auditors' understanding of those processes.
(c) The board has not made an appropriate disclosure if it has failed to conduct an annual
review, or the disclosure made is not consistent with the auditors' understanding.

Self-test question 1
The Corporate Governance Code in Hong Kong ("the Code") clearly states the responsibilities of
the board of directors relating to internal controls.
Required
Explain the responsibilities of the board of directors relating to internal controls in the context of
principle and code provisions under the Code.
(3 marks)
HKICPA December 2012 (amended)
(The answer is at the end of the chapter)

2 Internal audit and corporate governance

Topic highlights
The internal audit function assists management in achieving the entity's corporate objectives,
particularly in establishing good corporate governance.

75
 Business Assurance

2.1 Introduction
Key term
The internal audit function is a function of an entity that performs assurance and consulting
activities designed to evaluate and improve the effectiveness of the entity's governance, risk
management and internal control processes.

The internal audit function is generally a feature of large companies. It is a function, provided either
by employees of the entity or sourced from an external organisation, to assist management in
achieving corporate objectives. An entity's corporate objectives will vary from company to
company, and will be found in a company's mission statement and strategic plan.

2.2 Internal audit and corporate governance

Established codes of corporate governance such as the Corporate Governance Code and
Corporate Governance Report (Appendix 14) in Hong Kong and the UK's Corporate Governance
Code highlight the need for boards to maintain good systems of internal control to manage the
risks the company faces. The internal audit function can play a key role in assessing and
monitoring internal control policies and procedures.
The internal audit function can assist the board in other ways as well:
 By, in effect, acting as auditors for board reports not audited by the external auditors
 By being the experts in fields such as auditing and accounting standards in the company and
assisting in implementation of new standards
 By liaising with external auditors, particularly where external auditors can use the internal
audit function's work and reduce the time and therefore the cost of the external audit
Section C.3 of the Corporate Governance Code (Appendix 14 of the Listing Rules) in Hong Kong
states that the key principle for the Audit Committee is that: 'The board should establish formal and
transparent arrangements for considering how it will apply financial reporting and internal control
principles and maintain an appropriate relationship with the issuer's auditors. The audit committee
established under the Listing Rules should have clear terms of reference.'
This implies that the board should establish formal and transparent arrangements for considering
how they should apply the financial reporting and internal control principles for maintaining an
appropriate relationship with the company's auditors.
Part of achieving this principle requires the audit committee to monitor and review the effectiveness
of the internal audit function's activities.
In addition, in order for the board to comply with the requirements of the Code where there is no
internal audit function:
 The audit committee should consider annually whether there is a need for this function and
make a recommendation to the board.
 To explain in the Corporate Governance Report the absence of such a function.
The following summarises the key responsibilities of the board in relation to internal control:
 Assess the scope and effectiveness of the internal control being established by the
management
 Ensure appropriate internal control in place for monitoring compliance with related laws and
regulations
 Monitoring the process of internal audit
 Ensure the internal audit function has sufficient resources and empowerment to perform their
work
 Approving the appointment or dismissal of the head of the internal audit function
 Considering the management response to the suggestions made by the internal audit
function

76
 3: Internal assurance | Part B Internal assurance

Role of the internal audit function in corporate governance

The internal audit function is placed perfectly to assist management in the assessment of risks and
internal controls. The UK Guidance on Risk Management, Internal Control and Related Financial
and Business Reporting (which contains what used to be called the Turnbull guidance) in particular
highlights the role the internal audit function can have in providing objective assurance and advice
on risk and control. The following summarises the key role of the internal audit function, which is to
assist the board in practice:
 An objective evaluation of the existing risk and internal control framework
 Analysis of business processes and associated internal controls
 Reviews of existence and the value of assets
 Information on frauds and irregularities
 Ad hoc reviews on any other area for which the risk level is unacceptable
 Reviews on the financial and operational activities of the company
 Reviews of the compliance framework and specific compliance issues
 Recommendations for more effective and efficient uses of the company's resources
 Assessment on the accomplishment on the company's goals and objectives

The UK Guidance on Risk Management, Internal Control and Related Financial and Business
Reporting sets out some key guidelines for the board in relation to risk management and internal
control.
 Ensuring the design and implementation of appropriate risk management and internal
controls that identify the risks facing the company and enable the board to make a robust
assessment of the principal risks
 Determining the nature and extent of the principal risks faced and those risks which the
organisation is willing to take in achieving its strategic objectives (determining its 'risk
appetite')
 Ensuring that appropriate culture and reward systems have been embedded throughout the
organisation
 Agreeing how the principal risks should be managed or mitigated to reduce the likelihood of
their incidence or their impact
 Monitoring and reviewing the risk management and internal controls, and the management's
process of monitoring and reviewing, and satisfying itself that they are functioning effectively
and that corrective action is being taken where necessary
 Ensuring sound internal and external information and communication processes and taking
responsibility for external communication on risk management and internal control
All companies face risks arising from their operational activities. Risks arise in different areas.
 Risk the company will go bankrupt
 Risks arising from regulations and law
 Risks arising from publicity
The guidelines require that risk be managed. This gives rise to another role for the internal audit
function, risk management.
Risk awareness and management should be the role of everyone in the organisation. The
extended role of the internal audit function with regard to risk is the monitoring of integrated risk
management within a company, and the reporting of results to the board to enable them to report to
shareholders.
Internal auditor relationships
Internal auditors have relationships with the following people:
 Management: by whom they are employed and may report to
 Audit committee: to whom they report; and
 External auditors: who may make use of their work

77
 Business Assurance

Reliance on the work of internal auditors by external auditors

HKSA The external auditors may make use of the work of the internal audit function. The guidance over
610.13 when this is appropriate is given to them in HKSA 610 (Revised 2013) Using the Work of Internal
Auditors.
The HKSA states that the external auditors must determine whether the work of the internal audit
function can be used, and if so, in which areas and to what extent. If external auditors do use the
work of the internal audit function, they must determine whether the work is adequate for the
purposes of the audit.
In evaluating the internal audit function the following factors must be considered:
 The objectivity of the internal audit function
 Technical competence of the internal auditors
 Whether the work is likely to be carried out with due professional care
 Whether there is likely to be effective communication between the internal and external
auditors
 Nature and scope of the work
 Assessed risk of material misstatement
 Degree of subjectivity involved in the evaluation of the audit evidence gathered by the
internal auditors
We will look at HKSA 610 (Revised 2013) in detail in section 4 of this chapter.

2.3 The role of internal audit in risk management

Topic highlights
The internal audit function has two key roles to play in relation to organisational risk management:
 Ensuring the company's risk management system operates effectively
 Ensuring that strategies implemented in respect of business risks operate effectively

The internal audit function has a two-fold role in relation to risk management.
 It monitors the company's overall risk management policy to ensure it operates
effectively
 It monitors the strategies implemented to ensure that they continue to operate effectively
A significant risk management policy in companies is to implement internal controls, and here the
internal audit function has a key role in assessing systems and testing controls.
The internal audit function may assist in the development of systems. However, its key role will be
in monitoring the overall process and in providing assurance that the systems which the
departments have designed meet objectives and operate effectively.
It is important that the internal audit function retains its objectivity towards these aspects of its
role, which is another reason why the internal audit function would generally not be involved in the
assessment of risks and the design of the system.
The UK guidance and the internal audit function's role in relation to risk management was touched
on. In response to this, directors need to ensure three steps are taken in their business.
 Identify risks
 Control risks
 Monitor risks

78
 3: Internal assurance | Part B Internal assurance

It is not the internal audit function's primary role to manage risk in a company. It is the responsibility
of the directors, usually delegated to individual managers in various departments.
The risks are identified and assessed, and a policy is taken in respect of each of them. This policy
is usually one of four:
(i) Accept risk (if it is low impact and likelihood)
(ii) Reduce risk (by setting up a system of internal control)
(iii) Avoid risk (by not entering market, accepting contract etc)
(iv) Transfer risk (by taking out insurance)
With their skills in business systems, internal auditors are ideally placed to monitor this process
and add value to it. They can:
 Give advice on the best design of systems and monitor their operation
 Be involved in a process that continually improves internal control
 Provide assurance on systems set up in each department
The involvement of the internal audit function as a monitoring unit will help to ensure that the
process of risk identification and management in a business is a continual process rather than a
one-off exercise.

2.4 Outsourcing the internal audit function

Topic highlights
Internal audit functions may consist of employees of the company, or may be outsourced to
external service providers. The advantages of outsourcing the internal audit function include
speed, cost and a tailored answer to internal audit requirements. One of the main disadvantages
may include threats to independence and objectivity if the external audit service is provided by the
same firm.

2.4.1 What is outsourcing?

Key term
Outsourcing is the use of external suppliers as a source of finished products, components or
services. It is also known as sub-contracting.

While the scope of the internal auditor's work is different to that of the external auditor, there are
many features that can link them. One of the key factors is that the techniques which are used to
carry out audits are the same for internal and external auditors.
It can be expensive to maintain an internal audit function consisting of employees of the company.
It is possible that the monitoring and review required by a certain company could be done in a
small amount of time and full-time employees cannot be justified.
It is also possible that a number of internal audit staff are required, but the cost of recruitment is
prohibitive, or the directors are aware that the need for an internal audit function is only short-term.
In such circumstances, it is possible to outsource the internal audit function, that is, purchase the
service from outside.
In this respect, many of the larger accountancy firms offer internal audit services. It is likely that the
same firm might offer one client both internal and external audit services. In such circumstances
the firm would have to be aware of the independence issues this would raise for the external
engagement team and implement safeguards to ensure that its independence and objectivity
were not impaired.

79
 Business Assurance

2.4.2 Advantages and disadvantages of outsourcing

The advantages and disadvantages of outsourcing the internal audit function are set out in the
following table:

Advantages of outsourcing Disadvantages of outsourcing

 Staff do not need to be recruited, as the  There will be independence and
service provider has good quality objectivity issues if the company uses the
staff. same firm to provide both internal and
 The service provider has different external audit services.
specialist skills and can assess what  The cost of outsourcing the internal audit
management require them to do. function might be high enough to make the
 Outsourcing can provide an immediate directors choose not to have an internal
internal audit function. audit function at all.

 Associated costs, such as staff  Company staff may oppose outsourcing if

training, are eliminated. it results in redundancies.

 The service contract can be for the  There may be a high staff turnover of
appropriate time scale. internal audit staff.

 Because the time scale is flexible, a  The outsourced staff may only have a
team of staff can be provided if limited knowledge of the company.
required.  The company will lose existing or
 It can be used on a short-term basis or developing in-house skills.
on a 'as needed basis'.

2.5 Managing an outsourced department

A company will need to establish controls over the outsourced internal audit function. These would
include the following:
(a) Setting performance measures in terms of cost and areas of the business reviewed and
investigating any variances

(b) Ensuring appropriate audit methodology (working papers/reviews) is maintained

(c) Reviewing working papers on a sample basis to ensure they meet internal
standards/guidelines

(d) Agreeing internal audit work plans in advance of work being performed

(e) If external auditor is used, ensuring the firm has suitable controls to keep the two functions
separate so that independence and objectivity is not impaired

3 Sarbanes-Oxley Act 2002

Topic highlights
The Sarbanes-Oxley legislation requires directors to report on the effectiveness of the
controls over financial reporting, limits the services auditors can provide and requires listed
companies to establish an audit committee. It adopts a rules-based approach to governance.

80
 3: Internal assurance | Part B Internal assurance

3.1 The Enron scandal

The most significant scandal in America in recent years has been the Enron scandal, when one
of the country's biggest companies filed for bankruptcy. The scandal also resulted in the
disappearance of Arthur Andersen, one of the Big Five accountancy firms who had audited Enron's
financial statements. The main reasons why Enron collapsed were over-expansion in energy
markets, eventually too much reliance on derivatives trading which eventually went wrong,
breaches of federal law, and misleading and dishonest behaviour. Inquiries into the scandal
exposed a number of weaknesses in the company's governance structure.
The following case study describes the details of the scandal:

Case study
The Enron case is perhaps the best-known failure of a large American corporation.
Enron Corporation was an energy company based in Houston, Texas. At its peak it was one of the
world's largest producers of electricity and gas as well as having large-scale pulp, paper and
communications businesses. At the time it filed for Chapter 11 bankruptcy (protection from
creditors' claims under US law) in 2001, Enron employed over 20,000 personnel. By the end of that
year, it had been revealed that Enron had been used as a vehicle for systematic accounting fraud,
with its major executives directly involved in the criminal activities.
Prior to the disaster, Enron had been highly successful and reputable. It had been voted America's
most innovative company on several occasions. The company's business model was one of
integration and diversification. In addition to marketing energy, Enron actually built the pipelines
and power plants (backward integration). To spread its risks beyond the energy industry, it moved
successfully into telecommunications and e-commerce as well as trading derivatives.
Once the problems were uncovered, it emerged that Enron's financial statements were completely
misleading. Its recorded assets were inflated in value and in some cases non-existent. The
company had placed debts and other obligations with offshore entities, thereby not consolidating
them in the group financial statements.
The systematic false accounting that had taken place led to a criminal investigation and the arrest
and indictment of several senior figures in the company. Several of the directors paid significant
sums of money to settle law suits against them. Jeffrey Skilling, the former Chief Executive, was
sentenced to 24 years in prison on numerous charges, including fraud.
The ramifications of the Enron case were not confined to the company. Serious questions were
raised about the failure of Arthur Andersen, the external auditors of the company, to identify the
inconsistencies in the Enron financial statements. This led to the subsequent break up and
dissolution of the accounting firm.
Enron's successor company, Enron Creditors Recovery Corporation, survives today with less than
500 personnel.
The Enron scandal, together with other high profile corporate failures, led to a reappraisal of
standards of corporate governance in the USA and further afield. The Enron case was the prime
mover for the introduction in 2002 of the Sarbanes-Oxley Act in the USA, which established a
Public Company Accounting Oversight Board ('PCAOB') to oversee the auditors of public
companies. Its stated purpose is to 'protect the interests of investors and further the public interest
in the preparation of informative, fair, and independent audit reports'. The formation of the PCAOB
greatly reinforced the laws on senior executive accountability. The Act also influenced the stock
exchanges of many countries and accelerated the creation of codes of practice to which all listed
companies are now expected to adhere.

81
 Business Assurance

3.1.1 Lack of transparency in the financial statements

This particularly related to certain investment vehicles that were kept off balance sheet. Various
other methods of inflating revenues, offloading debt, massaging quarterly figures and avoiding
taxes were employed.

3.1.2 Inadequate scrutiny by the external auditors

Arthur Andersen failed to spot or failed to question dubious accounting treatments. Since
Andersen's consultancy arm did a lot of work for Enron, there were allegations of conflicts of
interest.

3.1.3 Information asymmetry

That is the agency problem of the directors/managers knowing more than the investors. The
investors included Enron's employees. Many had their personal wealth tied up in Enron shares,
which ended up being worthless. They were actively discouraged from selling them. Many of
Enron's directors, however, sold the shares when they began to fall, potentially profiting from them.
It is alleged that the Chief Financial Officer of Enron, concealed the gains he made from his
involvement with affiliated companies.

3.1.4 Executive compensation methods

These were meant to align the interests of shareholders and directors, but seemed to encourage
the overstatement of short-term profits. Particularly in the USA, where the tenure of Chief
Executives is fairly short, the temptation is strong to inflate profits in the hope that share options will
have been cashed in by the time the problems are discovered.

3.2 The Sarbanes-Oxley Act 2002

3.2.1 The history of the Sarbanes-Oxley Act 2002
The Oxley Bill, composed by House Representative Michael Oxley, was passed in April 2002,
which was related to the accountability, responsibility and transparency of stating financial status of
the company. At the same time Senator Paul Sarbanes had another proposal on the similar lines.
He presented the bill to the Senate Banking Committee which passed the Bill with a majority.
Thereafter both the proposals made by House Representative Oxley and Senator Paul Sarbanes
were reconciled to be formed into one Act, which is now popularly known as the Sarbanes-Oxley
Act.
Sarbanes-Oxley came into force mainly due to the financial scandals committed by corporate
giants like Enron, WorldCom, etc, showing inadequacies in corporate government arrangements
causing breakdown of stock market trust. Since then the Sarbanes-Oxley Act has been the most
important piece of legislation to seriously affect the corporate governance, financial disclosures and
total accounting practice in companies.
Most companies focus their attention on Sarbanes-Oxley work in 13 specific areas. These 13 areas
are the ones where most of the financial impact is felt. Section 404 of the Sarbanes-Oxley Act is
the one that has caused most concern in the financial sector as it requires the corporate body to
enforce stricter controls over financial reporting by internal accounting personnel.

3.2.2 Application of the Sarbanes-Oxley Act

It has now become mandatory for US listed companies to have Sarbanes-Oxley compliance, and
to meet Sarbanes-Oxley compliance deadlines. Sarbanes-Oxley states that smaller companies and
foreign companies should meet the mandates for statements filed.

82
 3: Internal assurance | Part B Internal assurance

The Act applies to all companies that are required to file periodic reports with the Securities and
Exchange Commission (SEC). The Act was the most far-reaching US legislation dealing with
securities in many years and has major implications for public companies. Rule-making authority
was delegated to the SEC on many provisions.
Sarbanes-Oxley shifts responsibility for financial probity and accuracy to the board's audit
committee which typically comprises three independent directors, one of whom has to meet
certain financial literacy requirements (equivalent to non-executive directors in other jurisdictions).
Along with rules from the Securities and Exchange Commission, Sarbanes-Oxley requires
companies to increase their financial statement disclosures, to have an internal code of ethics
and to impose restrictions on share trading by, and loans to, corporate officers.

3.3 Detailed provisions of the Sarbanes-Oxley Act

3.3.1 Public Oversight Board
The Act set up a new regulator, The Public Company Accounting Oversight Board (PCAOB), to
oversee the audit of public companies that are subject to the securities laws.
The Board has powers to set auditing, quality control, independence and ethical standards for
registered public accounting firms to use in the preparation and issue of audit reports on the
financial statements of listed companies. In particular, the Board is required to set standards for
registered public accounting firms' reports on listed company statements on their internal control
over financial reporting. The Board also has inspection and disciplinary powers over firms.
The Public Company Accounting Oversight Board (PCAOB) has powers include setting
auditing, quality control, ethics, independence and other standards relating to the preparation of
audit reports by issuers. It also has the authority to regulate the non-audit services that audit firms
can offer.

3.3.2 Auditing standards

Audit firms should retain working papers for at least seven years, and have quality control
standards in place such as second partner review. As part of the audit they should review internal
controls to ensure that they reflect the transactions of the client and provide reasonable
assurance that the transactions are recorded in a manner that will permit preparation of the
financial statements in accordance with generally accepted accounting principles. They
should also review records to check whether receipts and payments are being made only in
accordance with management's authorisation.

3.3.3 Non-audit services

Auditors are expressly prohibited from carrying out a number of services including internal audit,
bookkeeping, systems design and implementation, appraisal or valuation services, actuarial
services, management functions and human resources, investment management, legal and expert
services. Provision of other non-audit services is only allowed with the prior approval of the
audit committee.

3.3.4 Quality control procedures

There should be rotation of lead or reviewing audit partners every five years and other procedures
such as independence requirements, consultation, supervision, professional development, internal
quality review and engagement acceptance and continuation.

3.3.5 Auditors and the audit committee

Auditors should discuss critical accounting policies, possible alternative treatments, the
management letter and unadjusted differences with the audit committee.

83
 Business Assurance

3.3.6 Audit committees

Audit committees should be established by all listed companies.
All members of audit committees should be independent and should therefore not accept any
consulting or advisory fee from the company or be affiliated to it. At least one member should be
a financial expert. Audit committees should be responsible for the appointment, compensation
and oversight of auditors. Audit committees should establish mechanisms for dealing with
complaints about accounting, internal controls and audit.

3.3.7 Corporate responsibility

The Chief Executive and Chief Finance Officer should certify the appropriateness of the financial
statements and that those financial statements fairly present the operations and financial condition
of the issuer. If the company has to prepare a restatement of financial statements due to material
non-compliance with standards, the Chief Finance Officer and Chief Executive should forfeit their
bonuses.

3.3.8 Off-balance sheet transactions

There should be appropriate disclosure of material off-balance sheet transactions and other
relationships (transactions that are not included in the financial statements but that impact upon
financial conditions, results, liquidity or capital resources).

3.3.9 Internal control reporting

Annual reports should contain internal control reports that state the responsibility of management
for establishing and maintaining an adequate internal control structure and procedures for
financial reporting. Annual reports should also contain an assessment of the effectiveness of
the internal control structure and procedures for financial reporting. Auditors should report on
this assessment.
Companies should also report whether they have adopted a code of conduct for senior financial
officers and the content of that code.

3.3.10 Whistleblowing provisions

Employees of listed companies and auditors will be granted whistleblower protection against
their employers if they disclose private employer information to parties involved in a fraud claim.

3.4 Impact of Sarbanes-Oxley in America

After the Sarbanes-Oxley Act came into force, accounting systems and financial statements
disclosed by the companies made tremendous progress. This improvement has been possible due
to rigorous requirements stated in the Sarbanes-Oxley Act, which helps to protect investor
confidence in companies and the US legislature as well. Moreover, it also helps in establishing a
Public Company Accounting Oversight Board, auditor independence, corporate responsibility and
enhanced financial disclosures.
The biggest expense as a result of compliance that companies are incurring is fulfilling the
requirement to ensure their internal controls are properly documented and tested. US companies
had to have efficient controls in the past, but they are now having to document them more
comprehensively than before, and then have the external auditors report on what they have done.
The Act also formally stripped accountancy firms of almost all non-audit revenue streams that they
used to derive from their audit clients, for fear of conflicts of interest.
For lawyers, the Act strengthens requirements on them to whistleblow internally on any wrongdoing
they uncover at client companies, right up to board level.

84
 3: Internal assurance | Part B Internal assurance

3.5 International impact of Sarbanes-Oxley

The Act also has a significant international dimension. About 1,500 non-US companies, including
many of the world's largest, list their shares in the US and are covered by Sarbanes-Oxley. There
were complaints that the new legislation conflicted with local corporate governance customs, and
following an intense round of lobbying from outside the US, changes to the rules were secured.
As America wields such significant influence worldwide, arguably Sarbanes-Oxley may influence
certain jurisdictions to adopt a more rules-based approach.

3.6 Impact of Sarbanes-Oxley in Hong Kong

There are a number of companies listed on both the Hong Kong Stock Exchange and the New
York Stock Exchange, these companies are subject to applicable Hong Kong laws and regulations,
including the Hong Kong Listing Rules, the Hong Kong Companies Ordinance, as well as
applicable US federal securities laws, including the US Securities Exchange Act of 1934, as
amended, and the Sarbanes-Oxley Act. In addition, these companies are subject to the listing
standards of the New York Stock Exchange to the extent they apply to non-US issuers. As a non-
US issuer, these companies are not required to comply with all of the corporate governance listing
standards of the New York Stock Exchange.
However, the Act has marked a new era in the Hong Kong regulatory regime which is
commensurate with international securities regulatory standards starting in 2003. Consequently,
Hong Kong and London are the places where companies are finding it easier and cheaper to list
their shares and raise capital.

3.7 Criticisms of Sarbanes-Oxley

Many commentators have criticised Sarbanes-Oxley for not being strong enough on some
issues, for example the selection of external auditors by the audit committee, and at the same time
being over-rigid on others. Directors may be less likely to consult lawyers in the first place if they
believe that legislation could override lawyer-client privilege.
In addition, they allege a Sarbanes-Oxley compliance industry has sprung up focusing companies'
attention on complying with all aspects of the legislation, significant or much less important. This
has distracted companies from improving information flows to the market and then allowing the
market to make well-informed decisions. The Act has also done little to address the temptation
provided by generous stock options to inflate profits, other than requiring possible forfeiture if
financial statements are subsequently restated.
Most significantly perhaps there is recent evidence of companies turning away from the US stock
markets and towards other markets such as London and Hong Kong. The number of initial public
listings fell in New York after the introduction of Sarbanes-Oxley and rose in stock exchanges
allowing a more flexible, principles-based, approach. An article in the Financial Times suggested
that this was partly due to companies tiring of the increased compliance costs associated with
Sarbanes-Oxley implementation.
In particular, directors of smaller listed companies have been unhappy with the requirement for
companies to report on the effectiveness of their internal control structure and procedures for financial
reporting. They have argued that gathering sufficient evidence for auditors on the internal controls
over financial reporting is expensive and less important for small companies than for large ones.
In addition, the nature of the regulatory regime may be an increasingly significant factor in listing
decisions. A rules-based approach means compliance must be absolute; the comply or explain
choice is not available.

85
 Business Assurance

4 Internal auditors

Topic highlights
External auditors may make use of the work of an internal audit function when carrying out audit
procedures.

4.1 Using the work of internal auditors

HKSA 610. Although the responsibilities of internal and external auditors are different (we explore how in the
13-24 paragraphs that follow), the external auditor may be able to make use of the work of internal
auditors in forming an opinion. Often the respective roles employ the same techniques but to
different ends. HKSA 610 (Revised 2013) Using the Work of Internal Auditors requires that external
auditors should take into account the internal audit function when planning their audit, but bear in
mind that internal auditors work for management and those charged with governance so they are
not independent. Therefore, the external auditors hold sole responsibility for the audit opinion
expressed on the financial statements. The standard was revised in December 2012 and then
revised again in May 2013 with additional provisions added where internal auditors are used to
provide direct assistance.

4.2 Relationship between HKSA 315 (Revised 2016) and HKSA

610 (Revised 2013)
HKSA 315 (Revised 2016) addresses how the knowledge and experience of the internal audit
function can inform the external auditor's understanding of the entity and its environment, as well
as the identification and assessment of risks of material misstatement. HKSA 315 (Revised 2016)
also explains how effective communication between the internal and external auditors creates an
environment in which the external auditor can be informed of significant matters that may affect the
external auditor's work.
HKSA 610 (Revised 2013) addresses the external auditor's responsibilities when, based on the
external auditor's preliminary understanding of the internal audit function, obtained as a result of
procedures performed under HKSA 315 (Revised 2016), the external auditor expects to use the
work of the internal audit function as part of the audit evidence obtained.
The External Auditor's Responsibility for the Audit
The external auditor has sole responsibility for the audit opinion expressed, and that responsibility
is not reduced by the external auditor's use of the work of the internal audit function on the
engagement.

4.3 Internal audit function

4.3.1 Objectives and scope of internal functions
The objectives and scope of the internal audit function typically include assurance and consulting
activities designed to evaluate and improve the effectiveness of the entity's governance processes,
risk management and internal control, such as the following:
 Activities relating to governance
 Activities relating to risk management
 Activities relating to internal control

86
 3: Internal assurance | Part B Internal assurance

Performance of activities similar to those performed by an internal audit function may be

conducted by functions with other titles within an entity.
While the objectives of the entity's internal audit function and the external auditor differ, the internal
audit function may perform audit procedures similar to those performed by the external auditor in
an audit of financial statements.

4.4 Evaluating the internal audit function

The external auditor shall determine whether the work of the internal audit function can be used for
purposes of the audit by evaluating the following:
(a) The extent to which the internal audit function's organisational status and relevant
policies and procedures support the objectivity of the internal auditors.
The external auditor exercises professional judgment in determining whether the work of the
internal audit function can be used for the purposes of the audit, and the nature and extent
to which the work of the internal audit function can be used in the circumstances.
Objectivity refers to the ability to perform those tasks without allowing bias, conflict of
interest or undue influence of others to override professional judgments. Factors that may
affect the external auditor's evaluation include the following:
 Whether the organisational status of the internal audit function, including the
function's authority and accountability, supports the ability of the function to be free
from bias, conflict of interest or undue influence of others to override professional
judgments, e.g. whether the internal audit function reports to those charged with
governance or an officer with appropriate authority, or if the function reports to
management, whether it has direct access to those charged with governance.
 Whether the internal audit function is free of any conflicting responsibilities e.g.
having managerial or operational responsibilities outside the internal audit function.
 Whether those charged with governance oversee employment decisions related to
the internal audit function, e.g. determining the appropriate remuneration policy.
 Whether there are any constraints or restrictions placed on the internal audit
function by management or those charged with governance e.g. in communicating
findings to the external auditor.
 Whether the internal auditors are members of relevant professional bodies and
their memberships obligate their compliance with relevant professional standards
relating to objectivity.
(b) The level of competence of the internal audit function;
 Whether the internal audit function is adequately and appropriately resourced
relative to the size of the entity and the nature of its operations.
 Whether there are established policies for hiring, training and assigning internal
auditors to internal audit engagements.
 Whether the internal auditors have adequate technical training and proficiency in
auditing.
 Whether the internal auditors possess the required knowledge relating to the
entity's financial reporting.
 Whether the internal auditors are members of relevant professional bodies that
oblige them to comply with the relevant professional standards including continuing
professional development requirements.

87
 Business Assurance

(c) Whether the internal audit function applies a systematic and disciplined approach,
including quality control.
Factors that may affect the external auditor's determination of whether the internal audit
function applies a systematic and disciplined approach include the following:
 The existence, adequacy and use of documented internal audit procedures or
guidance covering such areas as risk assessments, work programs, documentation
and reporting, the nature and extent of which is commensurate with the size and
circumstances of an entity.
 Whether the internal audit function has appropriate quality control policies and
procedures, for example, such as those policies and procedures in HKSQC 1
(Clarified) that would be applicable to an internal audit function (such as those relating
to leadership, human resources and engagement performance) or quality control
requirements in standards set by the relevant professional bodies for internal auditors.

4.4.1 Determining the nature and extent of work that can be used
The external auditor considers the nature and scope of the work that has been performed or is
planned to be performed by the internal audit function and assesses its relevance to the overall
strategy and plan for the external audit.
The external audit must make all significant judgments in relation to the audit and must prevent
undue use of the work of the internal auditor by performing more of the work directly. Examples of
internal audit work that might be used by the external auditor include:
 Testing of the operating effectiveness of controls
 Substantive procedures involving limited judgment
 Observations of inventory controls
 Tracing transactions through the information system relevant to financial reporting
 Testing of compliance with regulatory requirements

4.5 Using the work of the internal audit function

If the external auditor plans to use the work of the internal audit function, the external auditor shall
discuss the planned use of its work with the function as a basis for coordinating their respective
activities.
(a) Discussion and coordination with the internal audit function
In discussing the planned use of their work with the internal audit function as a basis for
coordinating the respective activities, it may be useful to address the following:
 The timing of such work
 The nature of the work performed
 The extent of audit coverage
 Materiality for the financial statements as a whole and performance materiality
 Proposed methods of item selection and sample sizes
 Documentation of the work performed
 Review and reporting procedures
Coordination between the external auditor and the internal audit function is effective
when, for example:
 Discussions take place at appropriate intervals throughout the period.
 The external auditor informs the internal audit function of significant matters that may
affect the function.
 The external auditor is advised of and has access to relevant reports of the internal
audit function and is informed of any significant matters that come to the attention of

88
 3: Internal assurance | Part B Internal assurance

the function when such matters may affect the work of the external auditor so that the
external auditor is able to consider the implications of such matters for the audit
engagement.
 The external auditor shall read the reports of the internal audit function relating to the
work of the function that the external auditor plans to use to obtain an understanding
of the nature and extent of audit procedures it performed and the related findings.
(b) Adequacy of the work of internal auditors
The external auditor shall perform sufficient audit procedures on the body of work of the
internal audit function as a whole that the external auditor plans to use to determine its
adequacy for purposes of the audit, including evaluating whether:
 The work of the function had been properly planned, performed, supervised, reviewed
and documented
 Sufficient appropriate evidence had been obtained to enable the function to draw
reasonable conclusions
 Conclusions reached are appropriate in the circumstances and the reports prepared
by the function are consistent with the results of the work performed
The procedures the external auditor may perform to evaluate the quality of the work
performed and the conclusions reached by the internal audit function include:
 Making inquiries of appropriate individuals within the internal audit function
 Observing procedures performed by the internal audit function
 Reviewing the internal audit function's work program and working papers
(c) Nature and extent of the external auditor's audit procedures
The nature and extent of the external auditor's audit procedures shall be responsive to the
external auditor's evaluation of:
 The amount of judgment involved.
 The assessed risk of material misstatement.
 The extent to which the internal audit function's organisational status and relevant
policies and procedures support the objectivity of the internal auditors.
 The level of competence of the function. This shall include reperformance of some of
the work. Reperformance involves the external auditor's independent execution of
procedures to validate the conclusions reached by the internal audit function.
Reperformance provides more persuasive evidence regarding the adequacy of
internal audit as compared to other procedures.
The requirement to reperform some of the internal audit work is a new requirement
included in the revised HKSA.

HKSA
610.26-35 4.6 Using internal auditors to provide direct assistance
HKSA 610 (Revised 2013) includes guidance for situations where the external auditor uses the
internal auditors to provide direct assistance.

Key term
Direct assistance. The use of internal auditors to perform audit procedures under the direction,
supervision and review of the external auditor

89
 Business Assurance

4.6.1 Determining whether internal auditors can be used to provide direct

assistance
If the external auditor wishes to use the internal audit function to provide direct assistance, and this
is not prohibited by law or regulation the external auditor is required to evaluate the existence and
significance of threats to objectivity and the level of competence of the internal auditors. In making
this assessment the external auditor will consider the following:
 The extent to which the internal audit function's organisational status and relevant policies
and procedures support the objectivity of the internal auditors
 Family and personal relationships with an individual working in, or responsible for, the aspect
of the entity to which the work relates
 Association with the division or department in the entity to which the work relates
 Significant financial interests in the entity (other than remuneration on terms consistent with
those applicable to other employees at a similar level of seniority
HKSA 610 (Revised 2013) also specifies instances where use of internal auditors to provide direct
assistance is prohibited:
 Where there are significant threats to the objectivity of the internal auditor
 Where the internal auditor lacks sufficient competence to perform the proposed work

4.6.2 Nature and extent of work that can be assigned

When determining the nature and extent of the work that can be assigned to the internal auditors
the external auditor must consider:
 The amount of judgment involved in planning and performing the procedures and evaluating
the evidence gathered
 The assessed risk of material misstatement and
 The external auditor's evaluation of the existence and significance of threats to the objectivity
and level of competence of the internal auditors
HKSA 610 (Revised 2013) prohibits the use of internal auditors to provide direct assistance to
perform the following procedures:
(a) Those that involve making significant judgments in the audit
(b) Those that relate to work with which the internal auditors have been involved and which has
been/will be reported to management/those charged with governance
(c) Those that relate to decisions the external auditor makes regarding the internal audit function
and the use of its work or direct assistance
It would not be appropriate for the internal auditors to provide direct assistance in respect of the
following:
 Discussion of fraud
 Determination of unannounced audit procedures in accordance with HKSA 240
 Responsibilities regarding external confirmation requests and evaluation of results of
external confirmation procedures
The HKSA also makes the point that excessive use of internal auditors to provide direct assistance
may affect perceptions regarding the independence of the external audit.

90
 3: Internal assurance | Part B Internal assurance

4.6.3 Using internal auditors to provide direct assistance

Before using the internal auditors to provide direct assistance the external auditor is required to
obtain written agreement from the entity that the internal auditors will be allowed to follow
instruction from the external auditor. Written agreement from the internal auditors that they will
keep information confidential must also be obtained. The external auditor is then responsible for
ensuring that the internal auditors' work is properly directed, supervised and reviewed.

HKSA
610.36-37 4.7 Documentation
If the external auditor uses the work of the internal audit function, the external auditor shall include
in the audit documentation:
(a) The evaluation of:
 Whether the function's organisational status and relevant policies and procedures
adequately support the objectivity of the internal auditors
 The level of competence of the function
 Whether the function applies a systematic and disciplined approach, including quality
control.
(b) The nature and extent of the work used and the basis for that decision.
(c) The audit procedures performed by the external auditor to evaluate the adequacy of the
work used.
If the internal auditors provide direct assistance the external auditors must document the following:
(a) The evaluation of the existence and significance of threats to objectivity
(b) The basis for the decision regarding the nature and extent of the work performed by the
internal auditors
(c) Who reviewed the work performed and the date and extent of that review
(d) The written agreements required (see section 4.6.3 above)
(e) The working papers prepared by the internal auditors

Self-test question 2
As the external auditors for Union Bank, you are considering relying on the work of the internal
audit function for testing the internal control. The internal audit function is part of the accounting
and finance division and reports to the Chief Financial Officer.
Being the audit senior, you have been assigned to review the work of internal auditors prior to the
commencement of this year's audit. The following issues are discovered:
(1) For most of the audit tests, there is no detailed documentation of the work by the internal
auditors that has been completed.
(2) There is a high staff turnover within the internal audit function. There are five staff in the
function responsible to undertake internal control testing. The new staff employed have no
audit and accounting experience.
(3) Union Bank's audit plan and programme are developed based on the firm's standard audit
plan. However, the testing of wages is not selected. Upon discussion with the internal
auditors, the auditors reveal that the financial controller has altered the instructions as he
recognises that the risk of non-compliance in the wages area is minimal.
(4) For those areas that have been documented, the results are quite clear and competently
completed. However, three compliance errors are detected in the loan approvals and there
are no follow up procedures, as the entity believes these incidents are immaterial.

91
 Business Assurance

Requirement
Demonstrate the weaknesses in the internal audit function and your consideration whether you
consider the audit firm should rely on Union Bank's internal audit function.
(The answer is at the end of the chapter)

4.8 Distinction between internal and external audit

Topic highlights
Although many of the techniques internal and external auditors use may be similar, the basis and
reasoning of their work is different.

The external audit is focused on the financial statements, whereas the internal audit function
is focused on the operations of the entire business.
The following table highlights the differences between internal and external audit:

Internal audit External audit

Objective Designed to add value and improve An exercise to enable auditors to

an entity's operations. express an opinion on the financial
statements.
Reporting Reports to the board of directors, or Reports to the shareholders or members
other people charged with of an entity on the truth and fairness of
governance, such as the audit the financial statements. Audit report is
committee. Reports are private and publicly available to the shareholders
for the directors and management of and other interested parties.
the entity.
Scope Work relates to the operations of the Work relates to the financial statements.
entity.
Relationship Often employees of the organisation, Independent of the entity and its
although sometimes the function is management. Usually appointed by the
outsourced. shareholders.

The table demonstrates that the whole basis and reasoning of internal audit work is
fundamentally different to that of external audit work.

4.9 Responsibility for fraud and error

Topic highlights
It is the responsibility of management and those charged with governance to prevent and detect
fraud, and in this respect, the internal audit function may have a role to play.

Fraud is a significant business risk. It is the responsibility of the directors to prevent and detect
fraud. However, as the internal audit function plays an important role in the management of risk so
it is by implication involved in the process of managing the risk of fraud. It is not the responsibility of
the external auditors to prevent and detect fraud, although they may uncover fraud while carrying
out their audit of the financial statements, which will be undertaken with the possibility of material
misstatement through fraud in mind. We will study the external auditor's responsibilities for the
detection of fraud and error in more detail in Chapter 10.

92
 3: Internal assurance | Part B Internal assurance

The internal audit function can help to prevent fraud by carrying out timely reviews on the
adequacy and effectiveness of control systems and making appropriate recommendations. The
internal audit function may be able to detect fraud by being mindful to the possibility when
carrying out its work and reporting any suspicions.
Establishing an internal audit function and investing it with appropriate authority and stature
may act as a powerful deterrent to fraud in itself. Management may require the internal auditors to
undertake special projects to investigate any reported suspicions.

4.10 Limitations of the internal audit function

Although the presence of an internal audit function within an entity is indicative of good internal
control, by its very nature, there are some limitations of the internal audit function.
Internal auditors are employed by the entity and this can impair their independence and
objectivity and ability to report fraud/error to senior management because of perceived threats to
their continued employment within the entity.
To ensure transparency, best practice indicates that the internal audit function should have a dual
reporting relationship, i.e. report both to management and those charged with governance (the
audit committee). If this reporting structure is not in place, management may be able to unduly
influence the internal audit plan, scope, and whether issues are reported appropriately. This results in
serious potential conflict, and limits the scope and compromises the effectiveness of the internal audit
function.
Internal auditors are not required to be professionally qualified (as accountants are) and so there
may be limitations in their knowledge and technical expertise.

93
 Business Assurance

Topic recap

Prevention and Effective system of May be outsourced

detection of fraud internal controls

Sarbanes-Oxley requires:
Assists management · Directors to report on
internal control effectiveness
·· Limits on non-audit services
Listed companies to establish
audit committees

Part of corporate
INTERNAL AUDIT FUNCTION
governance framework

Work performed may be Organisational risk

used by external auditor management

Evaluate internal Similar Different Internal auditor Risk management Risk strategies
audit work and techniques basis and may provide direct system operates operate effectively
assess adequacy reasoning assistance effectively

Reperformance
of procedures

94
 3: Internal assurance | Part B Internal assurance

Answer to self-test questions

Answer 1
The general principle of the Corporate Governance Code ('the Code') in Hong Kong requires the
board of directors to maintain a sound and effective system of internal control to safeguard the
shareholder's investment and the issuer's assets.
In Section C of the Code, the board is required to conduct a review of the effectiveness of the
company's system of internal controls and report to the shareholders that they have done so in
their Corporate Governance Report at least annually.
The review should cover all material controls, including financial, operational and compliance
controls and risk management functions; and consider the adequacy of resources, qualifications
and experience of staff of the company's accounting and financial reporting functions, and their
training programmes and budget.

Answer 2
The weaknesses in the internal audit function may be identified as follows:
(1) The new staff are not competent and do not have any professional qualifications or
accounting experience. More competent staff should be engaged.
(2) The internal audit function reporting to the chief financial officer is not an independent act.
The internal auditors should report to the highest level of management such as the board or
the audit committee.
(3) There is no documentation of work performed and this is inadequate. Proper documentation
should be in place.
(4) Errors in the compliance tests have not been followed up and this shows lack of competence
and professional due care.
(5) The audit programme has been altered by the Financial Controller. Internal auditors should
not be influenced by any other management person.
Under HKSA 610 (Revised 2013), external auditors should consider the following before relying on
the work of the internal audit function:
 The extent to which the internal audit function's organisational status and relevant policies
and procedures support the objectivity of the internal auditors.
 The level of competence of the internal audit function.
 Whether the internal audit function applies a systematic and disciplined approach, including
quality control.
Overall, it seems that it is not desirable to rely on internal auditing work.

95
 Business Assurance

Exam practice

Stone Company Limited 23 minutes

You are the audit manager of a CPA firm and are responsible for the audit of Stone Company
Limited ('Stone') for the year ended 31 December 20X3. The Chief Finance Officer of Stone,
Mr Chan, has informed you that at the beginning of the year the company set up an internal audit
function. He has asked you to use extensively Stone's internal audit function resources for the
purpose of carrying out the forthcoming audit. In particular, Mr Chan has suggested you rely on the
internal audit function for the following audit procedures:
(a) Attendance of year-end inventory count
(b) Determining the sample sizes; and selecting and arranging confirmation of the
company's receivables balances.
At 31 December 20X3, the inventory and receivables balances were approximately 25% and 30%
of the company's total assets, respectively. The head of the internal audit function will report to
you directly the findings of the year-end inventory count and the results of the confirmation.
Required
(a) If you plan to use the internal audit function's work, how would you assess Stone's
internal audit function before deciding to use their work? (7 marks)
(b) Explain whether you would use the work of Stone's internal audit function in the specific
ways suggested by Mr Chan. (8 marks)

(Total = 15 marks)
HKICPA February 2004 (amended)

96
Part C
Professional standards and
guidance

Professional standards and guidance are a must to have a job done properly in any
accountancy and auditing engagement. The practice of arbitrary techniques and scandals
developed from creative procedures are damaging the accountancy profession. Students are
expected to learn the Code of Ethics by heart and become a CPA of the highest calibre. They
are then more ready to face ethical dilemmas and carry out their responsibilities in a creditable
way.

97
 Business Assurance

98
 chapter 4

Code of Ethics
Topic list

1 Fundamental principles and the conceptual 5 Specific guidance: Conflicts of interest

framework approach 5.1 Conflicts between professional
1.1 The importance of ethics accountants' and entities' interests
1.2 The fundamental principles 5.2 Conflicts between the interests of
1.3 The conceptual framework different entities
1.4 Threats to compliance with the 6 Conflicts in application of the fundamental
fundamental principles principles
1.5 Available safeguards 6.1 Matters to consider
2 Specific guidance: Independence 6.2 Unresolved conflict
2.1 Objective of the guidance 7 Code of ethics applicable to professional
2.2 What is independence? accountants in business
2.3 Self-interest threat 7.1 Examples of threats for professional
2.4 Self-review threat accountants in business
2.5 Advocacy threat 7.2 Safeguards to comply with the
2.6 Familiarity threat fundamental principles for professional
2.7 Intimidation threat accountants in business
2.8 Other assurance engagements 7.3 Potential conflicts
2.9 HKSQC 1: Quality control: Independence 7.4 Preparation and reporting of information
3 Specific guidance: Responding to Non- 7.5 Acting with sufficient expertise
Compliance with Laws and Regulations 7.6 Financial interests
3.1 Professional accountants in public 7.7 Inducements
practice 8 Other issues
3.2 Professional accountants in business 8.1 Client acceptance
4 Specific guidance: Confidentiality 8.2 Engagement acceptance
4.1 Duty of confidence 8.3 Changes in professional appointment
4.2 Recognised exceptions to the rule of 8.4 Marketing professional services
confidentiality 8.5 Custody of entity's assets
4.3 Disclosure in the public interest 8.6 Integrity, objectivity and independence in
insolvency

Learning focus

Professional accountants are sometimes faced by ethical dilemmas. Codes of ethics, such as
that issued by the Hong Kong Institute of Certified Public Accountants, give guiding principles
to help professional accountants carry out their responsibilities to both their profession and the
wider public.
There are also a number of practical measures (safeguards) that a firm may implement to
ensure that these ethical principles are not breached.

99
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
1.01 The Institute's Code of Ethics for Professional Accountants 3
1.01.01 Explain the fundamental principles and the conceptual framework
approach
1.01.02 Identify, evaluate and respond to threats to compliance with the
fundamental principles
1.01.03 Discuss and evaluate the effectiveness of available safeguards
1.01.04 Recognise and advise on conflicts in the application of fundamental
principles for Professional Accountants in practice and in business

The following summary illustrates the main parts of the chapter:

ETHICAL REQUIREMENTS
Code of Ethics

INDEPENDENCE CONFLICT OF INTEREST CONFIDENTIALITY

OBJECTIVITY INTEGRITY
THE FIRM CLIENT OBLIGATION FREEDOM
V V TO TO
THE CLIENT DISCLOSE DISCLOSE
CLIENT
IDENTIFY THREATS TO
INDEPENDENCE

Self-Interest Threat
Self-Review Threat
Familiarity Threat
Advocacy Threat
Intimidation Threat Provide Obligated Protect
safeguard by law the firm's
to reduce interests
the conflict
SAFEGUARDS AGAINST
THREATS TO INDEPENDENCE
By legislation and regulation
Firm wide
Engagement specific Decline the Accept
engagement client

100
 4: Code of ethics | Part C Professional standards and guidance

It is important that you understand the topic well. Auditors are subject to ethical requirements
imposed by the accountancy bodies; in Hong Kong, it is the HKICPA.
Code of Ethics for Professional Accountants Revised June 2010; February 2012; November
2013; March 2014, January 2015 and December 2016
This Code of Ethics for Professional Accountants (the Code) is effective on 1 January 2011
(although the several subsequent amendments to bring it into line with the IESBA Code of Ethics
are effective from different dates indicated within each amendment). All subsequent amendments
to the Code have been incorporated into this Learning Pack.
All Professional Accountants are required to comply with the Code.
Section A – GENERAL APPLICATION OF THE CODE
Section B – PROFESSIONAL ACCOUNTANTS IN PUBLIC PRACTICE
Section C – PROFESSIONAL ACCOUNTANTS IN BUSINESS
Section D – ADDITIONAL ETHICAL REQUIREMENTS
Section E – SPECIALISED AREAS OF PRACTICE
Professional Accountant in Professional Accountant in
Public Practice Business
Definition: Professional accountant in a Professional accountant
firm that provides professional employed or engaged in an
services executive or non-executive
capacity ie commerce,
industry, service etc
Adoption of which Parts of the Code: A,B,D,E of the Code A,C D,E of the Code

SECTION A: General application of the Code

Section A provides guidance on fundamental ethical principles where professional accountants
are required to apply this conceptual framework to identify threats to compliance with the
fundamental principles, to evaluate the significance of such threats and the safeguards to
eliminate them or reduce the threats to acceptable levels.

SECTION B: Professional accountants in public practice

Section B provides specific ethical guidance for professional accountants in public practice.

1 Fundamental principles and the conceptual

framework approach

Topic highlights
Professional accountants rely on the guidance of an ethical code because they hold positions of
trust, and people rely on them. In their business dealings they may encounter situations or be put
under pressure to act in ways that further their own advantage, or that of an entity, against the
wider public interest or the interest of their profession.

101
 Business Assurance

1.1 The importance of ethics

Professional accountants are expected to demonstrate the highest standards of ethical behaviour
and to act in the public interest. Around the world accountancy bodies have produced ethical
guidance in the form of codes of ethics in order to help professional accountants carry out their
responsibilities both to their profession and to the wider public.
In Hong Kong this guidance is given in the HKICPA's Code of Ethics for Professional Accountants
(the Code) which states the following about the particular responsibilities of the professional
accountant:

'A distinguishing mark of the accountancy profession is its acceptance of the responsibility to act in
the public interest. Therefore, a professional accountant's responsibility is not exclusively to satisfy
the needs of an individual entity or employer.
The public interest is considered to be the collective well-being of the community of people and
institutions the professional accountant serves, including entities, lenders, governments,
employers, employees, investors, the business and financial community and others who rely on the
work of professional accountants.'

Two points are very clear from this: first, the key reason that professional accountants must
behave ethically is that a very wide range of people rely on them and their expertise. The
second is that the accountant has a duty to serve not only the entity who has engaged his services
or his employer, but the wider public interest – that is, he must be, and must be seen to be,
independent.
Professional accountants hold positions of trust by the entities whom they serve, and the users of
the information they provide through statutory reporting. They have access to sensitive financial
and strategic information which may have a significant impact on the future direction of the
business and its stakeholders.
Undertaking these professional obligations may give rise to ethical dilemmas and conflicts of
interest; when it does the professional accountant may turn to the guidance laid down by the
accountancy bodies, such as the Hong Kong Institute of Certified Public Accountants. As it is
impossible to anticipate the very many scenarios which may give rise to these difficulties the
guidance is given in the form of fundamental principles, guidance and explanatory notes. The
professional accountant is given the freedom to use his own judgment as to how to apply the
principles or may seek advice from the HKICPA.

1.2 The fundamental principles

HKICPA Code of Ethics

Integrity. A professional accountant should be honest and straightforward in all professional

and business relationships. Integrity also implies fair dealing and truthfulness. Professional
accountants should not be associated with information that contains a materially false and
misleading statement or the information has been furnished recklessly.
Objectivity. A professional accountant should not be biased nor have conflicts of interest or
undue influence to override professional or business judgment. The professional accountant
should not compromise professional or business judgment due to bias. In addition, they should
avoid being exposed to situations that may impair objectivity.
Professional competence and due care. A professional accountant should be competent to
perform professional services and should act diligently and in accordance with applicable
technical and professional standards when providing professional services.
Professional competence requires both attainment and maintenance of professional competence
which requires continuing awareness and understanding of relevant technical professional and
business development.

102
 4: Code of ethics | Part C Professional standards and guidance

HKICPA Code of Ethics

Diligence includes the responsibility to act in accordance with the requirements of an

assignment, carefully, thoroughly and on a timely basis.
The engagement team should have appropriate training and supervision and if there are any
inherent limitations, the professional accountant should notify the entity or users of the financial
statements.
Confidentiality. A professional accountant should respect the confidentiality of information
acquired as a result of professional and business relationships and should not disclose any
information to third parties without proper and specific authority unless there is a legal or
professional right or duty to disclose. Confidential information should not be used for personal
advantage or for any third parties.
There is a need to maintain confidentiality of information within the firm or within an employing
organisation.
The duty of confidentiality continues even after the end of the relationship between the
professional accountant and the entity.
Disclosure of information is allowed only when:
 Permitted by law and authorised by the entity or employer
 Required by law in the course of legal proceedings or to appropriate public authorities
 There is a professional duty or right to disclose, i.e.
– To comply with technical standard and professional standards, including ethical
requirements
– To protect professional interests of the accountant in legal proceedings
– To comply with a HKICPA practice review
– To deal with an inquiry or investigation by HKICPA or other regulatory bodies.
Additional requirements are set out in section 225 Responding to Non-Compliance with Laws
and Regulations, section 410 'Unlawful Acts or Defaults by Clients of Members' and section 411
'Unlawful Acts or Defaults by or on Behalf of a Member's Employer'.
Professional behaviour. A professional accountant should comply with relevant laws and
regulations and avoid any conduct that discredits the profession.
Professional accountants should not bring the profession into disrepute during its promotion.
Professional accountants should not exaggerate claims for their services that they offer, the
qualifications they possess or experience they have gained.
Professional accountants should not make disparaging references or unsubstantiated
comparisons to the work of others.

1.3 The conceptual framework

The conceptual framework in the Code requires a professional accountant to identify, evaluate and
address threats to compliance with the fundamental principles.
A professional accountant has an obligation to evaluate any threats to compliance with the
fundamental principles. They should take into account both qualitative and quantitative factors
when considering the significance of a threat.
When the threats are identified and the threats are clearly significant, a professional accountant
should where appropriate, apply safeguards to eliminate the threats or reduce them to an
acceptable level.
A professional accountant should decline or discontinue the service if no safeguards can be
implemented.
A professional accountant shall use professional judgment in applying this conceptual framework.

103
 Business Assurance

1.4 Threats to compliance with the fundamental principles

There are five general sources of threat:
(a) Self-interest threats – may occur as a result of the financial or other interests of a
professional accountant or of an immediate or close family member (for example, having a
financial interest in an entity)
(b) Self-review threats – may occur when a previous judgment needs to be reviewed by the
professional accountant responsible for that judgment (for example, auditing financial
statements prepared by the firm)
(c) Advocacy threats – may occur when a professional accountant promotes a position or
opinion that subsequently objectivity may be compromised (for example, promoting shares in
a listed entity when that entity is a financial statement audit entity)
(d) Familiarity threats – may occur when due to a close relationship, a professional accountant
becomes too sympathetic to the interests of others (for example, an engagement team
member having family member at the entity)
(e) Intimidation threats – may occur when a professional accountant may be deterred from
acting objectivity by threats, actual or perceived (for example, threats of replacement due to
disagreement)

1.5 Available safeguards

There are three general categories of safeguards:
 Safeguards created by the profession, legislation or regulation
 Safeguards in the work environment
 Safeguards created by the individual

Examples of safeguards created by the profession, legislation or regulation:

(a) Educational training and experience requirements for entry into the profession
(b) Continuing professional development requirements
(c) Corporate governance code
(d) Professional standards
(e) Professional or regulatory monitoring and disciplinary procedures
(f) External review by a legally empowered third party of the reports, returns, communication or
information produced by a professional accountant

HKICPA issues ethical standards, quality control standards and auditing standards which work
together to ensure independence is safeguarded and quality audits are carried out.
Examples of safeguards in the work environment:
(a) Strong firm leadership to emphasise the importance of compliance with the fundamental
principles and their expectation that members of the assurance team will act in the public
interest
(b) Establish policies and procedures to implement and monitor quality control of assurance
engagement
(c) Document the firm's independence policies including identification and evaluation of threats
(d) Document the internal policies and procedures requiring compliance with the fundamental
principles

104
 4: Code of ethics | Part C Professional standards and guidance

(e) Establish policies and procedures to identify interests or relationships between the firm or
assurance team members, to monitor and manage the undue dependence on fee from a
single entity
(f) Rotate senior audit staff, partners with separate reporting lines of the provision of non-
assurance services to an entity
(g) Establish policies and procedures to prohibit non-team members influence the outcome of
the engagement
(h) Update all partners and professional staff of firm's policies and procedures including giving
appropriate training
(i) Senior management should review the adequate functioning of the safeguarding system
(j) Advise partners and professional staff to be independent
(k) Establish disciplinary mechanism to promote compliance with the firm's policies and
procedures
(l) Involve an additional professional accountant to review the work done or otherwise advise as
necessary

(m) Consult an independent third party, such as a committee of independent directors, a

professional regulatory body or another professional accountant

(n) Use different partners and engagement teams with separate reporting lines for the provision
of non-assurance services to entities

(o) Discuss ethical issues with those in charge of entity governance

(p) Disclose to those charged with governance the nature of services provided and extent of
fees charged
(q) Involve another firm to perform or reperform part of the engagement
Example of safeguards created by the individual:
(a) Comply with continuing professional development requirements
(b) Keep records of contentious issues and approach to decision-making
(c) Maintain a broader perspective on how similar organisations function through establishing
business relationships with other professionals
(d) Use an independent mentor
(e) Maintain contact with legal advisers and professional bodies

105
 Business Assurance

2 Specific guidance: Independence

Professional accountants in public practice should not engage in any activities that impair or might
impair integrity, objectivity or the good reputation of the profession.

2.1 Objective of the guidance

Stage 1
Identify threats to independence
 Self-Interest Threat  Advocacy Threat
 Self-Review Threat  Intimidation Threat
 Familiarity Threat

Stage 2
Evaluate the significance of those threats
Significant or not?

Stage 3
Identify and apply safeguards to eliminate the threats

ABLE TO REDUCE TO AN UNABLE TO REDUCE TO AN

ACCEPTABLE LEVEL ACCEPTABLE LEVEL

CONTINUE OR ACCEPT DECLINE THE

THE ENGAGEMENT ENGAGEMENT

The guidance states its purpose in a series of steps. It aims to help firms and members:
Step 1
Identify threats to independence.
Step 2
Evaluate whether the threats are insignificant.
Step 3
If the threats are not insignificant, identify and apply safeguards to eliminate risk, or reduce it to
an acceptable level.
It also recognises that there may be occasions where no safeguard is available. In such a
situation, it is only appropriate to:
 Eliminate the interest or activities causing the threat
 Decline the engagement, or discontinue it

106
 4: Code of ethics | Part C Professional standards and guidance

2.2 What is independence?

A provider of assurance services must be, and be seen to be, independent. What is meant by
independence?

Key terms
Independence of mind: The state of mind that permits the expression of a conclusion without
being affected by influences that compromise professional judgment, thereby allowing an individual
to act with integrity, and exercise objectivity and professional scepticism.
Independence in appearance: The avoidance of facts and circumstances that are so significant
that a reasonable and informed third party would be likely to conclude weighing all the specific facts
and circumstances that a firm's or a member of the engagement team's integrity, objectivity or
professional scepticism has been compromised.

Firms must evaluate the significance of any threats to independence and then put safeguards in
place, where this is possible, to reduce the threat to acceptable levels. If it is not possible to put
adequate safeguards in place, it may be better to withdraw services than to risk a conflict of
interest. Certain entities, listed companies or those deemed to be of significant public interest due
to the wide range of stakeholders involved may be subject to more stringent rules.

Section 290 Independence – Audit and review engagements

This section addresses the independence requirements for audit engagements and review
engagements, which are assurance engagements in which a professional accountant in public
practice expresses a conclusion on financial statements.
Such engagements comprise audit and review engagements to report on a complete set of
financial statements and a single financial statement. Independence requirements for assurance
engagements that are not audit or review engagements are addressed in Section 291.
Degree of independence:
The degree of independence required is less rigid for a low level assurance engagement to non-
audit clients than for audit. For example:

Audit client Non audit assurance client

Audit Must be independent * N/A

Non audit, general use Must be independent * Only the assurance team and
the firm must be independent.
Non audit, restricted use Must be independent * The assurance team and the
firm must have no material
financial interest in the client.

* Applicable to the assurance team, the firm and the network firm

Topic highlights
HKICPA's Code of Ethics gives examples of a number of situations where independence might be
threatened and suggests safeguards to protect independence.

HKICPA's Code gives extensive lists of examples of threats to independence and applicable
safeguards. In the rest of this chapter, these threats and some relevant factors and potential
safeguards are outlined. Definite rules are shown in bold. You should learn these.

107
 Business Assurance

2.3 Self-interest threat

The HKICPA Code of Ethics highlights a great number of areas in which a self-interest threat might
arise.
Employment with entity
Close business relationships
Partner on entity board
Financial interests

Family and personal relationships

Recruitment SELF-INTEREST THREAT Gifts and hospitality

Loans and guarantees

Lowballing Percentage or
contingent fees
High percentage Overdue fees
of fees

2.3.1 Financial interests

Key term
A financial interest exists where a firm has a financial interest in an entity's affairs, for example,
the firm owns shares in the entity, or is a trustee of a trust that holds shares in the entity.

When considering whether a financial interest in a client constitutes a self interest threat, the
significance of the threat should be considered in the light of the following factors:
 Whether the financial interest is direct or indirect
 Role of the owner
 Materiality of the interest
Examples:
 Beneficial interests in shares/other interest
 Overdue fees
 Hold shares in a company's client
 Being trustee of a trusts that holds the shares in the company
 Having a retirement plan that owns shares in the company
 Material indirect ownership of shares
Financial interest in an audit entity may create a self-interest threat
If a member of the engagement team, a member of that individual's immediate family or a firm has
a direct financial interest or a material indirect financial interest in the audit client the self-interest
threat created would be so significant that no safeguards could reduce the threat to an acceptable
level.
The parties listed below are not allowed to own a direct financial interest or an indirect material
financial interest in a client:
 The assurance firm
 A member of the assurance team
 An immediate family member of a member of the assurance team

108
 4: Code of ethics | Part C Professional standards and guidance

Key terms
Direct financial interests are:
 Financial interests owned directly by and under the control of an individual or entity
 Beneficially owned through a collective investment vehicle such as trust over which the
individual or entity has control.
Indirect financial interests are:
 Beneficially owned through a collective investment vehicle such as trust over which the
individual or entity has no control.

When a close family member has a direct financial interest or a material indirect financial interest in
the entity, a self-interest threat is created.
Safeguards available to eliminate the threat or reduce it to an acceptable level are:
(a) The close family member should dispose of all, or a sufficient amount of the financial
interest, at the earliest practical date
(b) Use an additional professional accountant who did not participate in the assurance
engagement to review the work done
(c) Remove the member from the engagement team
If a firm or a partner or employee of the firm or a member of that individual's immediate family
receive the financial interest by way of inheritance, gift or through a merger, this will cause a self-
interest threat.
Safeguards available to eliminate the threat or reduce it to an acceptable level include disposing of
the financial interest at the earliest practical date.
Such matters will involve judgment on the part of the partners who are charged with making
decisions about ethical issues. For example, what constitutes a material interest? A small
percentage stake in a company might be material to its owner. How does the firm judge the
closeness of a relationship between staff and their families, in other words, what does immediate
mean in this context?
Firms should have quality control procedures requiring staff to disclose relevant financial interests
for themselves and close family members. They should also foster a culture of voluntary disclosure
on continuous basis so that any potential problems are identified in a timely manner.

2.3.2 Close business relationships

There are various ways of determining whether a firm has an inappropriately close relationship
with an entity and methods to address the issue if this is found to be the case. However, there is
often a degree of judgment involved.
For example, purchasing goods and services from an entity on an arm's length basis does
not usually constitute a threat to independence. However, if there are a substantial number of
transactions constituting a material interest, there may be a threat to independence and safeguards
may be necessary. Whether distribution or marketing arrangements under which the firm acts as
distributor or marketer of the entity's products or services or vice versa constitute a material interest
will also depend on the degree of involvement and the effect of the transactions on both
businesses overall.
Where a degree of judgment is involved, unless the interest is clearly insignificant, an
assurance provider should not participate in a venture with an entity.
Unless any financial interest is immaterial and the business relationship is insignificant to the firm,
the threat created would be so significant that no safeguards could reduce the threat to an
acceptable level.

109
 Business Assurance

Where the significance and nature of the threat to independence involves a single individual
member (or a close relation of his), appropriate ethical behaviour would demand that the individual
is removed from the engagement team.

Self-test question 1
With 25 branches in the New Territories, Bank of New Territories ('BNT') is a top tier retail bank in
Hong Kong specialised in home loans. SMP & Co. ('SMP') has been the external auditor of BNT for
five years.
BNT operates a staff mortgage scheme offering all members of staff concessionary mortgage rate
deals. The staff rate is currently at one-month HIBOR plus 0.5% while the market rate is plus 1.5%.
Before the upcoming Annual General Meeting, Charles Chow, BNT's Head of Consumer Credit,
suggests to Peter Chan, the SMP audit engagement partner, that BNT would like to extend the
concessionary staff mortgage scheme to all SMP members of staff, in recognition of SMP's
services. Charles and Peter have been golf teammates in the Annual Golf Team Tournament
organised by the HKICPA for the last three years.
Required
Assess and explain the professional and ethical issues in each of the situations above. State the
possible safeguards to address the professional and ethical issues.
(10 marks)
HKICPA December 2013
(The answer is at the end of the chapter)

2.3.3 Employment with the entity

Independence may be threatened when a professional accountant is employed by both an audit
firm and a client entity during the course of his career, or even where there is the prospect of
employment at an entity. Where an accountant has been connected with an audit at an entity
which subsequently offers employment (or may offer employment):
 Objectivity might be impaired by the motivation to impress a potential future employer
 A finance director who has a background as an audit partner has too much knowledge of the
audit firm's systems and procedures to perform independently
Again, the significance of the threat to independence depends on the specific circumstances. In
considering the safeguards that may need to be put in place, consideration would be made of the
influence the individual held over the audit in the past, the time interval between the audit and the
acceptance of the employment and the capacity for influence the appointment gives over the
subject matter of the assurance engagement.
If a former member of the engagement team or a partner of the firm joins an audit client as a
director, officer or employee in a position to exert significant influence over the preparation of the
client's accounting records of the financial statements and a significant connection remains
between the firm and the individual the threat would be so significant that no safeguards would
reduce it to an acceptable level. Where no connections remains the significance of the threat would
depend on factors including:
 The position taken
 The extent of involvement with the engagement team
 The length of time since the individual was a member of the engagement team
 Former position of the individual in the engagement team

110
 4: Code of ethics | Part C Professional standards and guidance

Safeguards which may be used include:

 Modification of the assurance plan
 Reassigning the engagement to another professional accountant with appropriate expertise
 Involving an additional independent professional accountant to review the work performed
 Carrying out a quality control review of the engagement
A firm should also have quality control procedures requiring an individual involved in serious
employment negotiations with an entity to disclose the fact that these negotiations are
taking place to the firm. The firm may then exercise its discretion and remove the individual from
the engagement.
'Cooling off' period
The revised Code requires 'cooling off periods' where partners intend to join public interest entities
as follows:
 Key audit partner: one audit opinion covering a period of not less than 12 months for which
the partner was not a member of the engagement team
 Firm's Managing Partner (or equivalent): one year
A new provision is that an individual who has moved from the firm to a client should not be entitled
to any benefits or payments from the firm unless pre-determined arrangements have been made.

2.3.4 Partner on entity board

A partner or employee of the firm should not serve on the board of an entity, although in
some circumstances it is permissible for a partner or employee of an assurance firm to serve as
Company Secretary, or in a similar purely administrative role.

2.3.5 Family and personal relationships

Family or close personal relationships constitute a serious threat to independence. Again, the
significance of the threat requires individual circumstances, such as those listed below, to be taken
into account:
(a) The individual's responsibilities on the assurance engagement. This includes the degree of
influence the individual may exert over the outcomes of the audit. However, the close family
relationships with a directors, officers or employees of an entity should be monitored even if
that individual is not part of the particular assurance team).
(b) The closeness of the relationship, (see the definition given in the Code of what constitutes
immediate family).
(c) The role of the other party at the entity. This means whether they exert significant influence
over the subject matter of the assurance engagement as a director, company officer or
employee and how closely they are involved with the processes and so on being tested).
When an immediate family member of a member of the engagement team is:
(a) A director or officer of the audit client; or
(b) An employee in a position to exert significant influence over the preparation of the client's
accounting records or the financial statements on which the firm will express an opinion.
The threats to independence can only be reduced to an acceptable level by removing the individual
from the engagement team. The Code defines an immediate family member as a spouse or
dependant.
When a close family relationship is disclosed it is also usually appropriate to remove the individual
from the assurance team.

111
 Business Assurance

A firm should have quality control procedures under which employees should disclose if a close
family member employed by a client is promoted within the entity so increasing the risk of a
significant threat.
If a firm inadvertently violates the rules concerning family and personal relationships there are
further safeguards available: in these circumstances it is usual to conduct a quality control review
or discuss the matter with the entity's audit committee if it is of sufficient size to have one.

2.3.6 Gifts and hospitality

This is a notoriously difficult area; in some parts of the world, offering gifts or corporate hospitality is
an accepted part of business life; in others, it falls into a grey area somewhere between
inducement and downright bribery! In general, unless the value of the gift or hospitality is trivial
and inconsequential a member of an engagement team should decline any offers which may be
seen to be intended to influence the judgment of a professional accountant.

2.3.7 Loans and guarantees

The advice on loans and guarantees is similar to that on business transactions. Where the loan or
guarantee is not made under normal lending terms safeguards are unlikely to reduce the self-
interest threat to an acceptable level.
If the loan from a financial institution, is made on an arm's length usual commercial basis, then
there is no threat to independence. For individuals, a loan of this sort is likely to be material, such
as a mortgage, but as long as usual commercial terms apply, there is no impairment to
independence. If a loan to a firm is deemed material it is necessary to apply safeguards to reduce
the risk to an acceptable level. One safeguard likely to be used is an independent review (by a
partner from another office in the firm).
However, the firm or an individual on the assurance engagement should never enter into
any loan or guarantee arrangement with an entity that is not a bank or similar institution.
The advice on loans and guarantees falls into two categories:
 Client is a bank or similar institution
 Other situations

2.3.8 Overdue fees

By allowing fees to remain overdue, the professional accountant runs the risk of effectively offering
a loan to an entity. The professional accountant may then run the risk of being in breach of the
rules set out above.
Appropriate safeguards include an independent review to ensure that the fees charged are fair for
the work performed. Policies should be in place to ensure that unpaid fees do not build up to
unfeasibly high levels. Unpaid fees should be discussed with the entity's senior management
promptly. If the fees remain unpaid then the firm should consider resignation.

2.3.9 Percentage or contingent fees

Key term
Contingent fees are fees which are calculated on a predetermined basis relating to the outcome of
a transaction or the result of the services performed by the firm.

A firm should not enter into a contingent fee arrangement for any assurance engagement as
payment arrangements based on outcomes create self-interest and advocacy threats which cannot
be reduced to acceptable levels through the application of suitable safeguards.

112
 4: Code of ethics | Part C Professional standards and guidance

Contingent fees charged on non-assurance engagement

A contingent fee charged directly or indirectly by a firm in respect of a non-assurance service
provided to an audit client may also create a self-interest threat. The threat created would be so
significant that no safeguards could reduce the threat to an acceptable level if:
 The fee is charged by the firm expressing the opinion on the financial statements and the
fee is material or expected to be material to that firm;
 The fee is charged by a network firm that participates in a significant part of the audit and
The fee is material or expected to be material to that firm; or
 The outcome of the non-assurance service, and therefore the amount of the fee, is
dependent on a future or contemporary judgment related to the audit of a material amount in
the financial statements.
All arrangements shall be prohibited.
Compensation and evaluation policies
A self-interest threat is created when a member of the engagement team is evaluated on or
compensated for selling non-assurance services to that audit client.
The significance of the threat shall be evaluated and, if the threat is not at an acceptable level, the
firm shall either revise the compensation plan or evaluation process for that individual or apply
safeguards to eliminate the threat or reduce it to an acceptable level.
A key audit partner shall not be evaluated on or compensated based on that partner's success in
selling non-assurance services to the partner's audit client. This is not intended to prohibit normal
profit-sharing arrangements between partners of a firm.

2.3.10 Undue dependence on total fees

A self-interest threat arises where the total fees generated by an entity represent a large proportion
of a firm's total revenue.
Whether it is a situation of undue dependence may be mitigated by factors such as the size and
structure of the firm and how long it has been trading (a new firm may not have a wide enough
client base to follow the ruling emboldened above).
Similar threats may be created by situations where the fees generated by an entity represent a
large proportion of the revenue brought in by an individual partner.
Safeguards in these situations include:
 Discussion of the matter with the entity's senior management or the audit committee if it has one
 Taking steps to reduce the financial dependency on the entity
 Obtaining external or internal quality control reviews
 Consulting a third party such as HKICPA
Audit Clients that are Public Interest Entities
Where an audit client is a public interest entity and, for two consecutive years, the total fees
from the client and its related entities represent more than 15% of the total fees received by the
firm expressing the opinion on the financial statements of the client, the firm shall disclose to those
charged with governance of the audit client the fact that the total of such fees represents more than
15 percent of the total fees received by the firm, and discuss which of the safeguards below it will
apply to reduce the threat to an acceptable level, and apply the selected safeguard:
 A pre-issuance review – Prior to the issuance of the audit opinion on the second year's
financial statements, a professional accountant, who is not a member of the firm expressing
the opinion on the financial statements, performs an engagement quality control review
of that engagement or a professional regulatory body performs a review of that engagement
that is equivalent to an engagement quality control review.

113
 Business Assurance

 A post-issuance review – After the audit opinion on the second year's financial statements
has been issued, and before the issuance of the audit opinion on the third year's financial
statements, a professional accountant, who is not a member of the firm expressing the
opinion on the financial statements, or a professional regulatory body performs a review of
the second year's audit that is equivalent to an engagement quality control review.

2.3.11 Lowballing
Lowballing is the term used to describe the situation where a firm quotes a significantly lower fee
level for an assurance service than would have been charged by the predecessor firm usually in
order to gain other more lucrative business. A self-interest threat arises which must be
safeguarded against. If the firm wins the tender the following safeguards should be applied:
 Careful record keeping to demonstrate that the firm used appropriate staff, spent sufficient
time, and adhered to appropriate technical and professional standards in carrying out the
engagement
 Demonstration that the assurance engagement complied with all applicable assurance
standards, guidelines and quality control procedures

In other words, the low generation of fee revenue must not have any adverse impact on the quality
of the review carried out. Lowballing and the significant low fee issue below carry the risks of fee
disputes, if the company is eventually forced to make a choice between losing money or
compromising on quality or if the lucrative other business the firm hoped to win on the back of the
loss-making audit does not materialise.
2.3.12 Significant low fee
A firm is entitled to charge a significant low fee for any reason but should be aware of the threat to
objectivity this creates. This fee strategy may cause a self-interest threat and call into question the
professional competence and due care owed by the firm. Both independence and quality of work
may be compromised as it may be difficult to perform the engagement in accordance with
applicable technical and professional standards for the fee charged.
The professional accountant should consider if there is:
 Any terms on securing the contract to supply other non-audit services (lowballing issue)
 Any compromise on the quality of the audit work
 Any restriction on senior staff working on the audit
 Any possibility the entity was misled as to the basis on which fees for the current and
subsequent years were to be determined
 Awareness by the entity of all the terms of the engagement and fees charged
 Appropriate review to ensure work is done fully in accordance with auditing standards; and
should
 Appropriate time and competent staff assigned to the engagement
By engaging in these risky pricing strategies the firm not only threatens its independence but also
raises the risk of fee disputes and negligence claims that could do long-term damage to the
business.

2.3.13 Recruitment
Professional accountants may offer HR consultancy services (see the further discussion of this in
2.4 below). However, recruitment and assurance services offered by the same firm may result in a
conflict of interest and either the assurance business or the consultancy business should be
declined. It may be acceptable for the assurance firm to play a limited part in say, the recruitment of
a senior officer at an entity who uses their assurance services, if the final decision for the
appointment rests with another party.

114
 4: Code of ethics | Part C Professional standards and guidance

2.3.14 Receiving or paying referral and commission

Paying a commission or referral fee or accepting this kind of fee is acceptable. However, accepting
a referral fee may create self-interest threat to objectivity and call into question professional
competence and due care. Safeguards should be applied:
(a) Disclose to the entity the arrangement to pay/receive a referral fee to another professional
accountant for the work passed onto them
(b) Obtain advance agreement from the entity for commission arrangements in connection with
the sale by a third party of goods or services to the entity

Self-test question 2
Kwok & Co have been the auditors of Kowloon Bank for a number of years.
(a) Kowloon Bank operates a staff scheme offering all members of staff low rate mortgage
deals. The staff rate is currently set at 3.5% below the bank prime rate. The Head of Lending
of Kowloon Bank tells the audit engagement partner at Kwok & Co, with whom he has dealt
for a number of years, that Kowloon Bank would like to extend the staff scheme in respect of
low rate mortgages to all members of staff at Kwok & Co, as a token of their appreciation of
Kwok & Co's services.
(b) An audit assistant, who was on the audit of Kowloon Bank last year is considering
resignation from Kwok & Co to accept a trainee manager position at Kowloon Bank.
The audit engagement partner for Kowloon Bank has just become aware of this situation.
Required
Explain any professional and ethical issues in each of the above situations.
(11 marks)
HKICPA February 2006
(The answer is at the end of the chapter)

2.4 Self-review threat

General other
Recent service services
with an entity
Preparing accounting records
and financial statements

Other services SELF-REVIEW THREAT Valuation services

Corporate
Internal audit Tax services
finance
services

Self-review threats arise when a professional accountant, or a firm of professional accountants,

have previously been involved in performing a service which they are then called upon to review.
This may include setting up financial systems they are then asked to review, or preparing financial
records or valuations for the financial statements they are then asked to audit. The risk is greater
when the service was performed very recently. As market competition has encouraged firms of

115
 Business Assurance

professional accountants to expand the range of services they may offer entities, so the risk of self-
review has increased. The table below shows a range of the services that may be provided and
there follows a discussion about how the provision of these services may impair independence.

Services provided by professional accountants

Bookkeeping
Preparation of financial statements
Tax services, although generally these are not seen to impair independence
Design and implementation of financial information systems
Appraisal, valuation services and fairness opinions
Actuarial services Risk of
self-
Internal audit services review
Management functions, but there are strict rules about the degree to which
assurance advisers may intervene in the management decisions of the entity
Human resources – such as recruitment and selection of senior management,
provision of temporary staff cover and so on
Corporate finance, broker-dealer services, accessing finance and so on
Legal services and litigation support

The HKICPA Code gives rules about the other services firms may provide to their entities, (see
sections 2.4.2–2.4.9 below).
The distinction between listed companies, (or public interest companies), and private companies is
an important one in the provision of other services to entities. The rules are much more stringent
for listed companies and those deemed to be of public interest.

Key terms
Listed companies are those whose shares have been admitted to a recognised exchange, such
as the Hong Kong Stock Exchange.
Public interest companies are those which for some reason (size, nature, product) are in the
'public eye'. Professional accountants should treat these as if they are listed companies.

2.4.1 Recent service

The Code sets out the following rule with regard to individuals who have completed a recent period
of service with an entity:
Individuals who have held the role of director or served as an officer of the entity, or been
an employee in a position to exert direct, significant influence over the subject matter of the
assurance engagement in the period under review or the previous two years should not be
assigned to the assurance team.
If an individual had been closely involved with the entity but outside of the time limits established
above, the assurance firm should consider the threat to independence and apply safeguards, if
appropriate.
This may be to:
 Obtain a quality control review of the individual's work on the assignment
 Discuss the issue with the audit committee if the entity has one

116
 4: Code of ethics | Part C Professional standards and guidance

2.4.2 General other services

Another rule which should be learned is that, where the assurance firm is providing other services
for an entity:
Professional accountants are not allowed to:
 Authorise, execute or consummate a transaction
 Sanction a particular course of action for the entity to pursue (this is a matter for its
own management)
 Report in a management capacity to those charged with governance
However, keeping custody of an entity's assets, supervising the entity's employees in the
performance of their normal duties, and preparing source documents on an entity's behalf are a
common requirement for assurance firms which could also pose significant self-review threat,
Safeguards which may be used to address this are described below:
(a) Segregation of duties: the assurance firm can make sure that different staff are used on the
assurance team to the staff engaged in the other capacity
(b) Seeking the advice of an independent professional accountant
(c) Clear quality control policies establishing what staff are and are not allowed to do on behalf
of entities
(d) Making appropriate disclosures and discussion of the matter with those charged with
governance
(e) Resigning from the assurance engagement
(f) Establishing policies and procedures to prohibit professional accountants from making
managerial decisions on behalf of the entity

2.4.3 Preparing accounting records and financial statements

290.164 Management is responsible for the preparation and fair presentation of the financial statements
in accordance with the applicable financial reporting framework. These responsibilities include:
 Originating or changing journal entries
 Determining or approving the account classifications of transactions
 Preparing or changing source documents
 Determining accounting policies
290.165 A firm that provides an audit client with accounting and bookkeeping services, such as preparing
accounting records or financial statements, creates a self-review threat when the firm subsequently
audits the financial statements.
Audit clients that are not public interest entities
290.168 The firm may provide services related to the preparation of accounting records and financial
statements to an audit client that is not a public interest entity where the services are of a routine or
mechanical nature, so long as any self-review threat created is reduced to an acceptable level.
Services that are routine or mechanical in nature require little to no professional judgment from the
professional accountant. Examples of such services include preparing payroll calculations or
reports based on client originated data for approval and payment by the client, or posting client
approved entries to the trial balance.
In all cases, the firm must analyse the risks arising and put safeguards in place to reduce the threat
to an acceptable level or eliminate it entirely. Examples of safeguards include using staff members
other than audit team members to carry out the work or having a senior staff member with
appropriate expertise who is not part of the audit team to review the work.

117
 Business Assurance

Audit clients that are public interest entities

290.169 A firm shall not provide to an audit client that is a public interest entity accounting and bookkeeping
services, including payroll services, or prepare financial statements on which the firm will express
an opinion or financial information which forms the basis of the financial statements.

290.170 However, a firm may provide accounting and bookkeeping services, including payroll services and
the preparation of financial statements or other financial information, of a routine or mechanical
nature for divisions or related entities of an audit client that is a public interest entity if the personnel
providing the services are not members of the audit team and:
(a) The divisions or related entities for which the service is provided are collectively immaterial
to the financial statements on which the firm will express an opinion; or
(b) The services relate to matters that are collectively immaterial to the financial statements of
the division or related entity.

2.4.4 Temporary staff assignments

The lending of staff by a firm to an audit client may create a self-review threat. Such assistance
may be given, but only for a short period of time and the firm's personnel shall not be involved in:
 Providing non-assurance services that would not be permitted under the Code; or
 Assuming management responsibilities.
In all situations, the audit client shall be responsible for directing and supervising the activities
of the loaned staff.

2.4.5 Valuation services

Key term
A valuation comprises the making of assumptions with regard to future developments, the
application of certain methodologies and techniques, and the combination of both in order to
compute a certain value, or range of values, for an asset, a liability or for a business as a whole.

If a firm performs a valuation to be included in the entity's financial statements which are then
subsequently audited by the firm, a self-review threat arises.
A firm should not carry out valuations on matters:
(a) Which are material to the financial statements; and
(b) If the valuation is subject to high degree of subjectivity.
No safeguard is available to reduce the threat to an acceptable level under these circumstances.
If the valuation is neither material nor subject to high degree of subjectivity, the firm may apply
safeguards to ensure that the risk is reduced to an acceptable level. The following matters need to
be considered:
 The extent of the entity's knowledge of the relevant matters in making the valuation
 The degree of judgment involved
 How much use is made of established methodologies
 The degree of uncertainty in the valuation
The firm may use the following safeguards to manage the risk:
 Second partner review
 Confirming that the entity understands how the valuation is reached and the underlying
assumptions
 Ensuring the entity acknowledges its responsibility for the valuation
 Using separate staff for the valuation and the audit

118
 4: Code of ethics | Part C Professional standards and guidance

For audit clients that are public interest entities

A firm shall not provide valuation services to an audit client that is a public interest entity if the
valuations would have a material effect, separately or in the aggregate, on the financial statements
on which the firm will express an opinion.
Self-test question 3
You are the audit manager of a CPA firm, Yu & Yu. You are responsible for the audit of the
financial statements of a manufacturing and trading group, La'Monsa Limited ('La'Monsa'), for the
year ended 31 December 20X6. The group's principal product is clothing. In the last financial year,
La'Monsa set up a subsidiary to manufacture footwear products. They acquired a brand and set up
a production line.
When planning the audit work for the year ended 31 December 20X6, you learnt that the footwear
business had not been successful and production had been suspended.
In a meeting with Mr. Jun, the Chief Executive ('CE') of La'Monsa, you raised your concerns
regarding valuation of the brand and production facilities in the footwear business. The CE believed
that the brand was acquired last year and was still quite popular, and the machinery and equipment
were still workable. He also advised you that a merger of La'Monsa with another footwear company
was under negotiation. As valuation services were provided by your firm, he suggested your firm,
Yu & Yu, prepare a valuation report on the brand and the machinery and equipment. Mr. Jun also
suggested your firm use the valuation report in the audit of the financial statements for the year
ended 31 December 20X6.
Required:
(a) Discuss the general independence consideration for Yu & Yu in accepting non-assurance
engagements by its existing audit client. (5 marks)
(b) Discuss the independence consideration in the specific circumstances of La'Monsa's
suggestion that Yu & Yu be appointed to provide valuation services. (10 marks)
(Total = 15 marks)
HKICPA May 2007
(The answer is at the end of the chapter)

2.4.6 Taxation services

Generally, the provision of taxation services is not seen as any threat to independence.

Taxation services comprise a broad

range of services, including:

Tax return Tax calculations for the Tax planning and other Assistance in the
preparation purpose of preparing tax advisory services resolution of tax
the accounting entries disputes

Performing certain tax services creates self-review and advocacy threats.

The existence and significance of any threats will depend on:
 The system by which the tax authorities assess and administer the tax in question and the
role of the firm in that process
 The complexity of the relevant tax regime and the degree of judgment necessary for
application

119
 Business Assurance

 The particular characteristics of the engagement

 The level of tax expertise of the client's employees.

Tax return preparation

Accordingly, providing such services does not generally create a threat to independence if
management takes responsibility for the returns including any significant judgments made.
Tax calculations for the purpose of preparing accounting entries
(i) Audit clients that are not public interest entities
Preparing calculations of current and deferred tax liabilities (or assets) for an audit client for
the purpose of preparing accounting entries that will be subsequently audited by the firm
creates a self-review threat.
Safeguards shall be applied when necessary to eliminate the threat or reduce it to an
acceptable level.
(ii) Audit clients that are public interest entities
In the case of an audit client that is a public interest entity, a firm shall not prepare tax
calculations of current and deferred tax liabilities (or assets) for the purpose of preparing
accounting entries that are material to the financial statements on which the firm will express
an opinion.
Tax planning and other tax advisory services
Such services involve advising the client how to structure its affairs in a tax efficient manner
or advising on the application of a new tax law or regulation.
A self-review threat may be created where the advice will affect matters to be reflected in the
financial statements.
The significance of any threat shall be evaluated and safeguards applied when necessary to
eliminate the threat or reduce it to an acceptable level.
Safeguards:
 Using professionals who are not members of the engagement team to perform the
service
 Having a tax professional, who was not involved in providing the tax service, advise
the engagement team on the service and review the financial statement treatment
 Obtaining advice on the service from an external tax professional; or
 Obtaining pre-clearance or advice from the tax authorities.

Where the effectiveness of the tax advice depends on a particular accounting treatment or
presentation in the financial statements and the self-review threat would be so significant
that no safeguards could reduce the threat to an acceptable level. Accordingly, a firm shall
not provide such tax advice to an audit client.
Assistance in the resolution of tax disputes
An advocacy or self-review threat may be created when the firm represents an audit client in the
resolution of a tax dispute once the tax authorities have notified the client that they have rejected
the client's arguments on a particular issue and either the tax authority or the client is referring the
matter for determination in a formal proceeding,
Where the taxation services involve acting as an advocate for an audit client before a public
tribunal or court in the resolution of a tax matter and the amounts involved are material to the
financial statements on which the firm will express an opinion, the advocacy threat created would
be so significant that no safeguards could eliminate or reduce the threat to an acceptable level.

120
 4: Code of ethics | Part C Professional standards and guidance

Self-test question 4
Situation (i)
The Chief Financial Officer ('CFO') of one of your audit clients offers you two VIP tickets to the
Lady Lolita Concert. Each ticket costs HK$8,000 and you will have the chance to shake hands and
take photos with Lady Lolita.
Situation (ii)
The financial controller of another of your audit clients invites you and your team to a dinner.
Situation (iii)
The Chairman of a client company commits to offer your audit firm an additional 40% bonus on top
of the audit fee if his company is able to get listed successfully.
Situation (iv)
The tax team of your firm maintains a very close relationship with one of your non-listed audit
clients. They give advice to your non-listed audit client on different tax issues from tax planning to
tax compliance. They also perform the review of the tax provision computation prepared by this
client to support the audit team's work requirement.
Required
Discuss any ethical and professional issues as an external auditor in each of the above situations
and suggest the possible safeguards, if any.
(10 marks)
HKICPA December 2014
(The answer is at the end of the chapter)

2.4.7 Internal audit services

Internal audit activities may include:
 Monitoring of internal controls
 Examination of financial and operating information
 Review of the economy, efficiency and effectiveness of operating activities
 Review of compliance with laws, regulations and other external requirements, and with
management policies and directives
The provision of internal audit services to an audit client creates a self-review threat to
independence if the firm uses the internal audit work in the course of a subsequent external audit.
Performing a significant part of the client's internal audit activities increases the possibility that firm
personnel providing internal audit services will assume a management responsibility.
A firm may provide internal audit services to an entity, without impairment to independence so long
as the firm ensures that the entity recognises its responsibility for establishing, maintaining and
monitoring the internal controls. Usually the following safeguards are put in place:
(a) An employee of the entity is made responsible for all internal audit activities
(b) The entity approves all of the work undertaken by the internal engagement team
Audit clients that are public interest entities
In the case of an audit client that is a public interest entity, a firm shall not provide internal audit
services that relate to:
 A significant part of the internal controls over financial reporting;

121
 Business Assurance

 Financial accounting systems that generate information that is, separately or in the
aggregate, significant to the client's accounting records or financial statements on which the
firm will express an opinion; or
 Amounts or disclosures that are, separately or in the aggregate, material to the financial
statements on which the firm will express an opinion.

2.4.8 Corporate finance

Certain aspects of corporate finance create self-review threats that cannot be reduced to an
acceptable level by safeguards. A firm is not allowed to promote, deal in or underwrite an
entity's shares under any circumstances. Similarly, it is also not allowed for a firm to commit
an entity to the terms of a transaction or consummate a transaction. There are other
corporate finance services, formulating corporate strategies, raising capital or providing
restructuring advice which may be acceptable without impairment to independence, providing that
appropriate safeguards are in place. Such safeguards include using different teams of staff, and
making sure policies are in place to ensure that no management decisions are taken on behalf of
the entity and these are closely controlled.
The Hong Kong Takeovers and Share Repurchase Codes
A member who provides takeover services for clients is required to comply with the Codes which
are expressly applied to professional advisers as well as to those engaged in the securities market.
The Stock Exchange of Hong Kong Limited's (Stock Exchange) Rules Governing the Listing
of Securities (Listing Rules)
Members' attention is also drawn to the Listing Rules in particular when acting as a sponsor or as
an independent financial adviser.
2.4.9 Other services
There are other services a firm might offer to entities.
IT services
Providing systems services may create a self-review threat depending on the nature of the
services and the IT systems.
Providing services to an audit client that is not a public interest entity involving the design or
implementation of IT systems that:
(a) Form a significant part of the internal control over financial reporting; or
(b) Generate information that is significant to the client's accounting records or financial
statements on which the firm will express an opinion creates a self-review threat.
In the case of an audit client that is a public interest entity, a firm shall not provide services
involving the design or implementation of IT systems that:
(a) Form a significant part of the internal control over financial reporting; or
(b) Generate information that is significant to the client's accounting records or financial
statements on which the firm will express an opinion.
Temporary staff cover
Providing recruiting services to an audit client may create self-interest, familiarity or intimidation
threats.
The firm may generally provide such services as reviewing the professional qualifications of a
number of applicants and providing advice on their suitability for the post.
A firm shall not provide recruiting services to an audit client that is a public interest entity with
respect to a director or officer of the entity or senior management in a position to exert significant
influence over the preparation of the client's accounting records or the financial statements on
which the firm relies.

122
 4: Code of ethics | Part C Professional standards and guidance

Litigation support services

Providing legal services to an entity that is an audit client may create both self-review and
advocacy threats.
Acting in an advocacy role for an audit client in resolving a dispute or litigation when the amounts
involved are material to the financial statements on which the firm will express an opinion would
create advocacy and self-review threats so significant that no safeguards could reduce the threat to
an acceptable level.
The appointment of a partner or an employee of the firm as General Counsel for legal affairs of an
audit client would create self-review and advocacy threats that are so significant that no safeguards
could reduce the threats to an acceptable level.

Legal services
In each case, the firm should consider whether there are any barriers to independence and
whether these can be reduced by appropriate safeguards. Among the scenarios which might fall
into this category are where a firm is asked to design internal control IT systems, which it would
later review as part of its audit, or a professional accountant from the firm was seconded to cover
the finance director's maternity leave. Before you read on, what would you consider to be
appropriate ethical behaviour in those two circumstances?

2.4.10 Management responsibility

When providing non-assurance services to an audit client, a firm must be careful not to assume an
audit client's management responsibility since no safeguards could reduce the resulting threats to
an acceptable level. Examples of activities that would be viewed as a management responsibility
include:
 Hiring or dismissing employees
 Setting policies or strategic direction
 Deciding which recommendations of the firm or other third parties to implement
 Authorising transactions
Assuming a management responsibility can create a familiarity threat where the views and
interests of the firm become too closely aligned with those of management.
To avoid the risk of assuming a management responsibility, a firm shall be satisfied that the client
management makes all judgments and decisions that are the responsibility of management. The
firm must ensure there is a suitable individual at the client responsible for making decisions.
Providing advice and recommendations to assist management in discharging its responsibilities is
not assuming a management responsibility.

2.5 Advocacy threat

Legal services

Contingent fees ADVOCACY THREAT

Corporate finance

123
 Business Assurance

An advocacy threat often arises in the provision of legal or corporate finance services. To avoid this
threat firms must avoid being in the position of taking the entity's part in a dispute or somehow
acting as their advocate in a way that threatens the appearance of independence. Examples are
when a firm has provided legal services to an entity and, perhaps defended them in a legal case.
Corporate finance examples are where the firm gives such as advice on debt reconstruction and
negotiates with the bank on the entity's behalf or deals or acts as a promoter of shares for an entity.
In these instances a professional accountant may promote or may be seen to promote an
entity's position to the point that objectivity may be impaired.
Again, the firm may be able to reduce the threat by using appropriate safeguards, including
separate teams and disclosures, but if the threat cannot be reduced to an acceptable level the firm
must withdraw from the engagement.

2.6 Familiarity threat

A familiarity threat often arises in conjunction with a self-interest threat. Independence is
jeopardised by the firm and its staff becoming too closely connected or too familiar with or
sympathetic to the entity and its employees. Professional scepticism may be severely impaired in
circumstances.
Where there are family and personal
relationships between entity/firm

Long association with entities FAMILIARITY THREAT Employment with entity

Recent service with entity

2.6.1 Long association of senior personnel with entities

Familiarity and self-interest threats are created by using the same senior personnel on an audit
engagement over a long period of time. A long association with an entity may erode the
independence of senior members of staff as the length of service may mean they become too close
to or too overly sympathetic to the business to remain objective and exercise professional
scepticism.
The significance of the threat depends upon how long the staff member has been in the team, their
role, the nature of the engagement, whether the client management has changed and the structure
of the audit firm.
Firms should continually monitor the relationship between staff and established entities, including
requirements to disclose any promotions or changes within the entities which may introduce a new
risk. The threat can be reduced or eliminated by the use of safeguards such as rotation of senior
personnel, second partner reviews, and independent internal or external quality reviews.
In addition, the Code of Ethics goes further for public interest entities with a list of specific rules to
prevent this situation from arising.
The rules state that for the audit of public interest entities:
 An individual shall not be a key audit partner for more than seven years, and shall not be a
member of the engagement team or key audit partner for another two years

 In rare unforeseen cases (for example, due to serious illness of the intended engagement
partner) a key audit partner may be permitted an additional year on the audit team so long as
safeguards can reduce threats to an acceptable level

124
 4: Code of ethics | Part C Professional standards and guidance

When an audit client becomes a public interest entity, the length of time the individual has
served the audit client as a key audit partner before the client becomes a public interest entity shall
be taken into account in determining the timing of the rotation.
If the individual has served the audit client as a key audit partner for five years or less when
the client becomes a public interest entity, the number of years the individual may continue to serve
the client in that capacity before rotating off the engagement is seven years less the number of
years already served. If the individual has served the audit client as a key audit partner
for six or more years when the client becomes a public interest entity, the partner may
continue to serve in that capacity for a maximum of two additional years before rotating off
the engagement.
When a firm has only a few people with the necessary knowledge and experience to serve as a
key audit partner on the audit of a public interest entity, rotation of key audit partners may not be an
available safeguard.

2.7 Intimidation threat

An intimidation threat arises when members of the assurance team are intimidated or pressured to
act unethically by entity staff. This generally means the firm has something to lose or is under
pressure in some way which the entity is trying to push to its own advantage. Loss of business,
replacement with another auditor and litigation are some of the methods by which an entity may try
to intimidate a firm.
Close business relationships

Litigation INTIMIDATION THREAT Family and personal relationships

Assurance staff members move

to employment with entity

A professional accountant may be dissuaded from using objectivity and exercising professional
scepticism by threats, whether actual or perceived from directors of an entity.
There are three main types of threat:
(a) Loss of business: for instance, as a result of a disagreement over the application of an
accounting principle, the entity may threaten to change its auditors if they wish to modify
their report as a result of the dispute.
(b) Loss of fee revenue: for instance, the entity may apply pressure to reduce the extent of
work performed by the professional accountants unjustifiably in order to reduce the fees.
(c) Litigation: defending a claim for negligence can be time consuming, publicly damaging and
expensive, even if the assurance firm were to eventually win the case (see below).

2.7.1 Actual and threatened litigation

Litigation, threatened or real, is a very serious threat indeed for firms: not only does it involve the
loss of the immediate client, the firm may suffer further losses from the associated negative
publicity and association with negligent behaviour, even if successfully defended. The threat may
lead to the firm being put under pressure to publish an unqualified audit report although they have
been qualified in the past, for example. The risk is so great that if the litigation is at all serious, the
firm should consider resignation.
However, good control systems should be in place to prevent such situations arising. When they
do, the following considerations should be taken into account:
 The materiality of the litigation
 The nature of the assurance engagement

125
 Business Assurance

 Whether the litigation relates to a prior assurance engagement

The following safeguards could be applied:
 Disclosing to the audit committee the nature and extent of the litigation
 Removing specific affected individuals from the engagement team
 Involving an additional professional accountant on the team to review work

2.7.2 Second opinions

An entity may seek a second opinion from a different firm when they are unhappy with the audit
opinion given or the work performed. The second firm, as it is not officially appointed, is not able to
give a formal audit opinion on the financial statements. However, if a another firm indicates to an
entity's management that a different audit opinion might be acceptable, the appointed firm may feel
under pressure to change the audit opinion in order to preserve the client relationship. In effect, a
self-interest threat arises.
In practice, second opinions often cause independence issues for firms of professional accountants
and care should be taken if asked to provide one.
A company director is free to talk to another firm about the treatment of matters in the financial
statements if he believes there is a good reason for doing so. However, new accounting standards
are increasingly prescribing a single method of treatment reducing the scope for subjectivity and
the need for this kind of second opinion. Where an opinion like this is sought, the second firm is
relying on the director to communicate all of the relevant information on which the original opinion
has been based in a factual manner ie without any bias which may lead the professional
accountants to take a view that the entity might prefer. It is usual for the second firm to request the
co-operation of the appointed firm in order to ensure they have all the information they need. If this
is refused, there are probably good reasons why the engagement should be declined.
Safeguards are:
 Obtain the entity's consent
 Describe the limitations surrounding any opinion in communications with the entity
 Provide the existing professional accountant with a copy of the opinion

2.8 Other assurance engagements

2.8.1 Independence – Other assurance engagements
Section 291 addresses independence requirements for assurance engagements that are not audit
or review engagements. The basic principles are the same as those set out in section 290.
However, the following additional points should be noted.

2.8.2 Employment with an audit client

The basic principles are the same as those set out in section 290 although section 291 does not
include specific 'cooling off' provisions.

2.8.3 Contingent fees

The basic principle is the same as that described in section 290, ie a contingent fee should not be
charged in respect of an assurance engagement. In addition, a contingent fee should not be
charged in respect of a non-assurance service provided to an assurance client if the outcome of
the non-assurance service (and therefore the amount of the fee) is dependent on a judgment
related to the subject matter of the assurance engagement. For other contingent fee arrangements
charged by a firm for a non-assurance service to an assurance client the significance of any threat
will have to be evaluated and safeguards applied.

126
 4: Code of ethics | Part C Professional standards and guidance

2.8.4 Multiple responsible parties

In some assurance engagements, whether assertion-based or direct reporting, there might be
several responsible parties. In determining whether it is necessary to apply the provisions in this
section to each responsible party in such engagements, the firm may take into account whether an
interest or relationship between the firm, or a member of the assurance team, and a particular
responsible party would create a threat to independence that is not trivial and inconsequential in
the context of the subject matter information.

2.8.5 Interpretation 2005-01 (Revised June 2010 to conform to changes

resulting from the IESBA's project to improve the clarity of the Code)
This Interpretation focuses on the application issues that are particular to assurance engagements
that are not financial statement audit engagements.
Assertion-Based Assurance Engagements
In an assertion-based assurance engagement independence is required from the responsible
party, which is responsible for the subject matter information and may be responsible for the
subject matter. (Note that the term 'assertion-based assurance engagement' is equivalent to
'attestation engagement' as used in Chapter 19. The difference in the terms arises from differences
between the Code of Ethics and HKSAE 3000.)
Direct reporting assurance engagements
In a direct reporting assurance engagement, the professional accountant in public practice
either directly performs the evaluation or measurement of the subject matter, or obtains a
representation from the responsible party that has performed the evaluation or measurement that is
not available to the intended users. (Note that the term 'direct reporting assurance engagement' is
equivalent to 'direct engagement' as used in Chapter 19. The difference in the terms arises from
differences between the Code of Ethics and HKSAE 3000.)

2.9 HKSQC 1: Quality control: Independence

HKSQC 1 (Clarified) is the quality control standard issued by HKICPA and within it, there is a
particular requirement which refers to ethics.
Firm should establish policies and procedures to emphasise the compliance on principles of
professional ethics which should be enforced by:
(a) Leadership of the firm
(b) Training
(c) Monitoring
(d) Process of dealing with non-compliance
HKSQC 1.21- The standard sets out some detailed requirements with regard to independence.
23

The firm shall establish policies and procedures designed to provide it with reasonable assurance
that the firm, its personnel and, where applicable, others subject to independence requirements
(including network firm personnel), maintain independence where required by the Code. Such
policies and procedures shall enable the firm to:
(a) Communicate its independence requirements to its personnel and, where applicable, others
subject to them
(b) Identify and evaluate circumstances and relationships that create threats to independence,
and to take appropriate action to eliminate those threats or reduce them to an acceptable
level by applying safeguards, or, if considered appropriate, to withdraw from the engagement

127
 Business Assurance

Such policies and procedures shall require:

(a) Engagement partners to provide the firm with relevant information about client engagements,
including the scope of services, to enable the firm to evaluate the overall impact, if any, on
independence requirements
(b) Personnel to promptly notify the firm of circumstances and relationships that create a threat
to independence so that appropriate action can be taken
(c) The accumulation and communication of relevant information to appropriate personnel so
that:
(i) The firm and its personnel can readily determine whether they satisfy independence
requirements
(ii) The firm can maintain and update its records relating to independence, and
(iii) The firm can take appropriate action regarding identified threats to independence that
are not at an acceptable level.
The firm shall establish policies and procedures designed to provide it with reasonable assurance
that it is notified of breaches of independence requirements, and to enable it to take appropriate
actions to resolve such situations.
The policies and procedures shall include requirements for:
(a) Personnel to promptly notify the firm of independence breaches of which they become aware
(b) The firm to promptly communicate identified breaches of these policies and procedures to:
(i) The engagement partner who, with the firm, needs to address the breach
(ii) Other relevant personnel in the firm and those subject to the independence
requirements who need to take appropriate action
(c) Prompt communication to the firm, if necessary, by the engagement partner and the other
individuals referred to in subparagraph 23 (b)(ii) of the actions taken to resolve the matter, so
that the firm can determine whether it should take further action
At least annually, the firm shall obtain written confirmation of compliance with its policies and
procedures on independence from all firm personnel required to be independent by the HKICPA
Code and national ethical requirements.

2.9.1 Familiarity threat

HKSQC 1.24 Last, HKSQC 1 (Clarified) sets out some specific guidance in relation to the threat of over-
familiarity with entities.

The firm shall establish policies and procedures:

(a) Setting out criteria for determining the need for safeguards to reduce the familiarity threat to
an acceptable level when using the same senior personnel on an assurance engagement
over a long period of time

(b) Requiring for audits of financial statements of listed entities, the rotation of the engagement
partner and the individuals responsible for engagement quality control review, and, where
applicable, others subject to rotation requirements after a specified period in compliance with
relevant ethical requirements

128
 4: Code of ethics | Part C Professional standards and guidance

3 Specific guidance: Responding to Non-Compliance

with Laws and Regulations

Topic highlights
Professional accountants in public practice or in business may encounter non-compliance or
suspected non-compliance with laws and regulations during the course of their work. Guidance on
an appropriate response was issued in December 2016 and is effective on 15 July 2017.

Key terms
Non-compliance with laws and regulations (non-compliance) comprises acts of omission or
commission, intentional or unintentional, committed by a client, or by those charged with
governance, by management or by other individuals working for or under the direction of a client
which are contrary to the prevailing laws or regulations.

Examples of laws and regulations where non-compliance could occur include, but are not limited
to, fraud, money laundering, terrorist financing, data protection, environmental laws, tax laws and
public health and safety.
Laws and regulations can have a direct impact on amounts and disclosures in the financial
statements, for example where non-compliance with a law or regulation will result in a fine.
Alternatively, laws and regulations may not directly impact on amounts or disclosures in the
financial statements but non-compliance with them could result in the business no longer being
able to operate, for example removal of a trading licence where health and safety laws are
breached.

3.1 Professional accountants in public practice

225.12-15 A professional accountant performing an audit of financial statements may become aware of actual
or suspected non-compliance. If this occurs, the professional accountant is required to obtain an
understanding of the non-compliance, including the nature of the act and the circumstances in
which it has occurred or may occur. The professional accountant is expected to apply knowledge,
professional judgment and expertise. However they are not expected to have a level of knowledge
of laws and regulations greater than that required to undertake the engagement. Whether an act
constitutes non-compliance is ultimately a matter to be determined by a court or other appropriate
adjudicative body.
If the professional accountant identifies or suspects that non-compliance has occurred or may
occur, the professional accountant shall discuss the matter with the appropriate level of
management and, where appropriate, those charged with governance.
225.18 During this discussion, the professional accountant shall advise management or those charged
with governance to take appropriate and timely actions, if they have not already done so, to:
(a) Rectify, remediate or mitigate the consequences of the non-compliance;
(b) Deter the commission of the non-compliance where it has not yet occurred; or
(c) Disclose the matter to an appropriate authority where required by law or regulation or where
considered necessary in the public interest.
225.23, 25 The professional accountant shall assess the appropriateness of the response of management
& 29 and, where applicable, those charged with governance. In light of this response, the professional
accountant shall determine if further action is needed in the public interest. This may include:
 Disclosing the matter to an appropriate authority even when there is no legal or regulatory
requirement to do so.

129
 Business Assurance

 Withdrawing from the engagement and the professional relationship where permitted by law
or regulation.
225.34-35 The determination of whether to make a disclosure to an appropriate authority depends on
the nature and extent of the actual or potential harm that is or may be caused by the matter to
investors, creditors, employees or the general public. For example, disclosure may be determined
to be appropriate if the business is producing products that are harmful to public health.
If the professional accountant determines that disclosure of the non-compliance or suspected non-
compliance to an appropriate authority is an appropriate course of action in the circumstances, this
will not be considered a breach of the duty of confidentiality under Section 140 of the Code.
The response to actual or suspected non-compliance is similar where the professional accountant
is providing non-audit services. However the professional accountant must also consider whether
the actual or suspected non-compliance should be communicated to the client's external
auditor where this is different to the professional accountant carrying out the non-audit work.

3.2 Professional accountants in business

360.13-14 Senior professional accountants in business (senior professional accountants) are directors,
officers or senior employees able to exert significant influence over, and make decisions regarding,
the acquisition, deployment and control of the employing organisation's human, financial,
technological, physical and intangible resources. If a senior professional accountant becomes
aware of information concerning an instance of non-compliance or suspected non-compliance, the
professional accountant shall obtain an understanding of the matter, including:
(a) The nature of the act and the circumstances in which it has occurred or may occur;
(b) The application of the relevant laws and regulations to the circumstances; and
(c) The potential consequences to the employing organisation, investors, creditors, employees
or the wider public.
360.16-19 If a senior professional accountant identifies or suspects non-compliance, it must be discussed with
their immediate superior to determine how it should be addressed, unless the their immediate
superior appears to be involved in the non-compliance. In this situation, the actual or suspected
non-compliance must be discussed with the next higher level of authority within the employing
organisation. The senior professional accountant shall also take appropriate steps to:
(a) Have the matter communicated to those charged with governance;
(b) Comply with applicable laws and regulations, including legal or regulatory provisions
governing the reporting of non-compliance or suspected non-compliance to an appropriate
authority;
(c) Have the consequences of the non-compliance or suspected non-compliance rectified,
remediated or mitigated;
(d) Reduce the risk of re-occurrence; and
(e) Seek to deter the commission of the non-compliance if it has not yet occurred.
The senior professional accountant must also determine if disclosure of the matter to the employing
organisation's external auditor is needed.
The senior professional accountant shall assess the appropriateness of the response of the
professional accountant's superiors, if any, and those charged with governance. In the light of this
response, the professional accountant shall determine if further action is needed in the public
interest. Further action by the professional accountant may include:
360.25  Informing the management of the parent entity of the matter if the employing organisation is
a member of a group.
 Disclosing the matter to an appropriate authority even when there is no legal or regulatory
requirement to do so.

130
 4: Code of ethics | Part C Professional standards and guidance

 Resigning from the employing organisation.

360.27 The senior professional accountant may consider consulting internally, obtaining legal advice to
understand the professional accountant's options and the professional or legal implications of
taking any particular course of action, or consulting on a confidential basis with a regulator or
professional body.
360.29-30 The determination of whether to make a disclosure to an appropriate authority depends on
the nature and extent of the actual or potential harm that is or may be caused by the matter to
investors, creditors, employees or the general public. If the senior professional accountant
determines that disclosure of the matter to an appropriate authority is an appropriate course of
action in the circumstances, this will not be considered a breach of the duty of confidentiality under
Section 140 of the Code.

360. 35
Professional accountants in business who are not senior accountants are expected to obtain
an understanding of any actual or suspected non-compliance and inform an immediate superior to
enable that superior to take appropriate action. If the immediate superior is suspected to be
involved in the non-compliance they must instead inform the next higher level of authority in the
employing organisation.

4 Specific guidance: Confidentiality

Topic highlights
HKICPA recognises a duty of confidentiality and several exceptions to it.

4.1 Duty of confidence

A professional accountant has a duty of confidentiality to his client. This principle is encapsulated in
the HKICPA Code of Ethics which states that a professional accountant who acquires sensitive
information in the course of his work, should not use, nor appear to use, that information to his own
advantage or to the advantage of any third party with which he is connected.
It is an implied term of any agreement of engagement that that the professional accountant will not
discuss the entity's affairs to any third party without the entity's consent. There are a few
recognised exceptions to this rule of confidentiality discussed below.

4.2 Recognised exceptions to the rule of confidentiality

Obligatory disclosure. If a member knows or suspects the entity to have committed an offence of
treason he is obliged to disclose all the information at his disposal to a competent authority. Local
legislation may also require the firm to disclose other infringements.

A professional accountant must disclose information if compelled to do so by a court order (process

of law).
If a member is requested to assist the police, the tax authorities or any other authority by providing
information about an entity's affairs in connection with inquiries being made he should first inquire
under what statutory authority the information is demanded. If the demand for information is
pressed without any statutory authority the professional accountant should seek the permission of
the entity as to whether the information should be disclosed. If it is declined, legal advice may need
to be sought. Any notice served directly to the professional accountant for obtaining documents
related to the entity, the professional accountant should read carefully and seek legal advice if
necessary.

131
 Business Assurance

A member should not voluntarily co-operate with the authorities by assisting with any investigations
unless he acts with the entity's consent or is required to do so by law (see the three circumstances
in which he is compelled to do so below). If he volunteers the information, it constitutes a breach of
confidentiality.
From time to time a professional accountant may know or suspect that an entity has committed a
wrongful act and in these circumstances he must give careful thought to his own position. Even in a
criminal matter (excluding treason, money-laundering and terrorist offences),he is under no
obligation to disclose his information to the relevant authority, but he must ensure that he has not
prejudiced himself by, for example, relying on incorrect information.
However, the professional accountant may himself be chargeable with a criminal offence if he
acted directly, without lawful authority or reasonable excuse, in such a manner as to impede with
intent the arrest or prosecution of a entity whom he knows or believes to have committed an
arrestable offence.
A member should not normally appear in court as a witness against an entity unless a written court
order is served.
A member should seek legal advice to clarify the legal aspects of his position.

Voluntary disclosure
In certain cases voluntary disclosure may be made by the professional accountant:
 To protect the professional accountant's interests (for instance, to defend in litigation against
him)
 Where it is in the public's interest
 Where it is authorised by statute
 To non-governmental bodies
HKICPA Code of Ethics for Professional Accountants
 To comply with technical standards and professional standards including ethical
requirements
 To comply with the quality review of a member or professional body
 To respond to an inquiry or investigation by a member body or regulatory body (i.e.
disciplinary actions from HKICPA)
 To enable the firm to sue for its fee
 To resist an action for negligence brought against the professional accountant by an entity
Also, having decided that confidential information can be disclosed, professional accountants
should consider:
 Whether all relevant facts are known and substantiated
 What type of communication is expected and to whom it should be addressed
 Whether the professional accountant will incur any legal liability as a result of disclosure

4.3 Disclosure in the public interest

The courts have never given a definition of 'the public interest'. This means that again, the issue is
left to the judgment of the professional accountant. It is often therefore appropriate for the member
to seek legal advice.
It is only appropriate for information to be disclosed to certain authorities, for example, the police.
The HKICPA's Code states that there are several factors that the member should take into account
when deciding whether to make disclosure.

132
 4: Code of ethics | Part C Professional standards and guidance

HKICPA guidance
 The size of the amounts involved and the extent of likely financial damage
 Whether members of the public are likely to be affected
 The possibility or likelihood of repetition
 The reasons for the entity's unwillingness to make disclosures to the authority
 The gravity of the matter
 Relevant legislation, accounting and auditing standards
 Any legal advice obtained

Preparation comments
If you are required to make judgments about whether such a disclosure should be made in a given
scenario, you should apply a checklist like this to the scenario to ensure you have shown evidence
of your consideration of all the relevant factors.

4.3.1 Unlawful acts or defaults by or behalf of a member's employer

If a HKICPA member is aware that his employer or an agent may have committed an unlawful act,
he should first draw it to the attention of internal management at an appropriate level. He may
then report the offence to the board of non-executive directors, or if this option is not available, he
may make a report to an external competent authority.
No general obligation exists for a professional accountant who becomes aware of a criminal or
unlawful act to disclose this information to a third party without the prior authority from his
employer. However, a HKICPA member has a general duty to his employer to act in good faith and
with a duty of confidence.
The employed HKICPA member should not generally disclose any confidential information without
the entity's consent.
Members' own relations with authorities: criminal offences
A member himself commits a criminal offence:
(a) If he incites a client or anyone else to commit a criminal offence
(b) If he helps or encourages a client or anyone else in the planning or execution of a criminal
offence
(c) If he agrees with a client or anyone else to pervert or obstruct the course of justice by
concealing, destroying or fabricating evidence or by misleading the police by statements
which he knows to be untrue
Members are advised not to attempt to avoid the awkward responsibility of qualifying the report
on the accounts by refusing to report and by resigning.
Members may find that they are requested in their professional capacity by the Independent
Commission Against Corruption (ICAC) to assist in investigation of certain corruption allegations,
mainly against their own clients. Such assistance usually is requested in the form of furnishing
information to ICAC officers either orally or in writing.
Self-test question 5
(a) What are an auditor's obligations to a client with regards to confidentiality? (8 marks)
(b) You are the auditor of Logic (Hong Kong) Limited and have just received a letter from the
auditor of Logic (Group) Limited, the parent company of Logic (Hong Kong) Limited (a
company also incorporated in Hong Kong), requesting you to make available to them for

133
 Business Assurance

their review your working papers and to meet with them in relation to your audit of the
financial statements of Logic (Hong Kong) Limited.
Required
What are your considerations and responses to these requests? (8 marks)
(Total = 16 marks)
HKICPA June 2014
(The answer is at the end of the chapter)

5 Specific guidance: Conflicts of interest

Topic highlights
Professional accountants should identify potential conflicts of interest as they could result in ethical
codes being breached.

A conflict of interest is a situation that may undermine the judgment of a professional accountant.
There may be too much personally at stake either for himself or for his firm for the professional
accountant to reconcile the stakeholders' or public interest against his own. In these situations:
 Principles of independence, integrity and objectivity are not satisfied
 Promoting personal interest may result in adverse consequences to stakeholders
Firms should take reasonable steps to identify circumstances that could pose a conflict of interest
before they happen. A conflict of interest may result in the Code being breached (often conflicts of
interest give rise to self-interest threats).
The key principle for the firm is that it firm should not accept an engagement in which there is
likely to be a significant conflict of interest.

5.1 Conflicts between professional accountants' and entities'

interests
A conflict of interest may be created when:
 The professional accountant provides a professional service related to a particular matter for
two or more clients whose interests with respect to that matter are in conflict; or
 The interests of the professional accountant with respect to a particular matter and the
interests of the client for whom the professional accountant provides a professional service
related to that matter are in conflict.
Examples of situations in which conflicts of interest may arise provided by the Code of Ethics (s.
220) include the following:
 Providing a transaction advisory service to a client seeking to acquire an audit client of the
firm, where the firm has obtained confidential information during the course of the audit that
may be relevant to the transaction
 Advising two clients at the same time who are competing to acquire the same company
where the advice might be relevant to the parties' competitive positions
 Providing services to both a vendor and a purchaser in relation to the same transaction
 Representing two clients regarding the same matter who are in a legal dispute with each
other

134
 4: Code of ethics | Part C Professional standards and guidance

 Providing strategic advice to a client on its competitive position while having a joint venture
or similar interest with a major competitor of the client
 Advising a client on the acquisition of a business which the firm is also interested in acquiring
Evaluating potential issues
One of the key principles that the professional accountant must consider when evaluating issues
relating to conflicts of interest is whether a reasonable and informed third party would be likely to
conclude that compliance with the fundamental principles of the Code have not been compromised.
The Code requires that an effective conflict identification process should be in place. The nature of
this process will depend on factors including:
 The nature of the professional service provided
 The size of the firm
 The size and nature of the client base
 The structure of the firm, for example the number and geographic location of the offices
Identified conflicts of interest
If a conflict of interest is identified the professional accountant is required to evaluate:
 The significance of the relevant interests or relationships
 The significance of the threats created by performing the service
Safeguards
It may be necessary to apply safeguards in order to eliminate threats or reduce them to an
acceptable level. The Code provides the following examples of relevant safeguards:
 Implementing procedures to prevent unauthorised disclosure of confidential information. This
could include:
– Using separate teams
– Creating separate areas of practice for speciality functions within the firm
– Establishing policies and procedures to limit access to client files, the use of
confidentiality agreements and/or the physical and electronic separation of confidential
information
 Regular review of the application of safeguards by a senior individual not involved in the
engagement
 Review of the work performed by an individual not involved in the engagement
 Consulting with third parties, such as a professional body, legal counsel or another
professional accountant
In addition, the nature of the conflict of interest and the related safeguards if any, should be
disclosed to the clients affected, and when safeguards are required, their consent must be obtained
to the professional accountant performing the service.
If explicit consent is requested from a client and the consent is refused, the professional accountant
should decline the engagement or discontinue the service (or terminate other relationships which
are the cause of the conflict).
Safeguards insufficient
If safeguards cannot reduce the threat created by the conflict of interest to an acceptable level the
professional accountant must decline the engagement or discontinue the service. Alternatively the
relationship/interest causing the conflict could be terminated/disposed of.
Conflicts of interest – professional accountant in business
More comprehensive guidance is also provided for the professional accountant in business (s.310).

135
 Business Assurance

5.2 Conflicts between interests of different entities

There is nothing improper in a firm serving two or more entities whose interests may be in conflict.
431.14 Where the firm does act for two competing entities, it must manage its work so that the interests of
one entity do not adversely affect another entity. Where the acceptance or continuance of an
engagement would, even with safeguards, materially prejudice the interests of any entity, the
appointment should not be accepted or continued, or one of the appointments discontinued.
Material prejudice may mean information being leaked or for firms to be forced into a corner where
they have to choose between the interests of one entity or the other.
431.10 A firm must take all reasonable steps to evaluate whether any conflict of interest exists between a
firm and its client, including implications arising from the possession of confidential information and
431.13 how this may be protected. The firm should continually review its relationships with both
prospective and existing entities before accepting or continuing engagements. If aware of possible
conflicts between clients or potential clients, the firm should introduce safeguards to try to manage
them. If the relationship ended over two years before, it would be unlikely to constitute a conflict.
431.21 Wherever there is a significant conflict between the interests of different clients or potential clients,
sufficient disclosure in writing should be made to the clients or potential clients concerned together
with details of the safeguards proposed so that they may make an informed decision as to whether
to engage the firm or continue their relationship with the firm.
Particular difficulties can arise when it comes to share issues, and takeovers. Professional
accountants are often involved in either situation. With regard to share issues, the firm should
431.43 never underwrite an issue of shares to the public of an entity it audits. In a takeover situation, if the
firm audits the accounts of both the offer and the target company, it must ensure that it does not:
 Act as the lead adviser to either party; or
 Issue reports assessing the financial statements of either party other than their audit report.
If they find that they possess material confidential information, they should contact the competent
authority.

Self-test question 6
You are an audit manager in MKJ & Co, a local CPA firm. Your firm has been approached by a
new entity, Washington, which wants to engage your firm for both audit and advisory work.
Washington has expanded rapidly over the last few years and is planning to list in the next financial
year. Washington's Financial Controller, Mr. Otto, is an old friend of one of your senior partners, Mr.
Man.
Mr. Otto has indicated that if Washington can successfully list its shares, the taxation and
consultancy work would be performed by your firm. Within your firm's portfolio, you have also an
entity which is Washington's rival.
One of your audit seniors has resigned recently to take up the post as Human Resources Manager
in Washington. Before any acceptance, Mr. Otto has invited your firm to join a very extravagant
cocktail party. Washington will distribute its prospectus during the occasion.
Required
(a) Identify and explain the ethical issues in the above situation.
(b) Give three examples for safeguards within the firm to be used for reducing the threat to
independence.
(The answer is at the end of the chapter)

136
 4: Code of ethics | Part C Professional standards and guidance

6 Conflicts in application of the fundamental principles

Topic highlights
The Code of Ethics gives some general guidance to professional accountants who encounter a
conflict in the application of the fundamental principles.

6.1 Matters to consider

The resolution process should include consideration of:
 Relevant facts
 Ethical issues involved
 Fundamental principles related to the matter in question
 Established internal procedures
 Alternative courses of action

6.2 Unresolved conflict

If the matter is unresolved, the member should consult with other appropriate persons within the
firm. They may wish to obtain advice from HKICPA or legal advisers.
If after exhausting all relevant possibilities, the ethical conflict remains unresolved, the professional
accountant shall, unless prohibited by law, refuse to remain associated with the matter creating the
conflict. The professional accountant shall consider withdrawing from the engagement or specific
assignment, or resigning altogether from the engagement, the firm or employing organisation.

7 Code of ethics applicable to professional accountants

in business
Section C of the Code applies to professional accountants in business.
A professional accountant in business is a professional accountant employed or engaged in
executive or non executive position.
He may be:
 A salaried employee, partner, director, owner, working for many organisations
 Solely or jointly responsible for preparing and reporting financial and other information
for their employers or any persons relying on the information
 Responsible for providing effective financial management and competent advice for
investors, creditors, employers or government departments
 Has the responsibility to further legitimate aims of their employing organisation
 Is expected to encourage an ethics-based culture and environment in an employing
organisation that emphasises the importance of ethical values
 Shall not knowingly engage in any business, occupation, or activity that impairs or might
impair integrity, objectivity or the good reputation of the profession and as a result would be
incompatible with the fundamental principles

137
 Business Assurance

7.1 Examples of threats for professional accountants in business

The following are examples of threat to compliance with the fundamental principles for a
professional accountant in business.

7.1.1 Self-interest threat

 Holding a financial interest in, or receiving a loan or guarantee from the employing
organisation
 Participation in incentive compensation arrangements offered by the employing organisation
 Inappropriate personal use of corporate assets
 Consideration of employment security
 Commercial pressure from outside the employing organisation

7.1.2 Self-review threat

Consideration of appropriate accounting treatment for a business combination after performing the
research study that supported the acquisition decision.

7.1.3 Familiarity threat

 Where the professional accountant in business is responsible for the selection of the
employing organisation's financial reporting when an immediate or close family member
employed by the entity makes decisions that would affect the entity's financial reporting.
 Long association with business contracts affecting the business decisions.
 A professional accountant in business accepts a material gift or hospitality, unless the value
is trivial and inconsequential.

7.1.4 Intimidation threat

 Threat of dismissal or replacement of the professional accountant in business or a close
or immediate family member over a disagreement about the application of an accounting
principle or the way in which financial information is to be reported.
 The professional accountant in business with a dominant personality attempting to
influence the decision making process.

7.1.5 Advocacy threat

When achieving the legitimate goals and objectives of their employing organisations, professional
accountants in business may promote the organisation's goals. If the statements made are neither
false not misleading, the actions would not create an advocacy threat.

7.2 Safeguards to comply with the fundamental principles for

professional accountants in business
Two types of safeguards are available:
 Safeguards created by the profession, legislation or regulation.
 Safeguards in the working environment.
These include the following:
 The employing organisation's systems of corporate oversight or other oversight
structures
 The employing organisation's ethics and conduct programmes

138
 4: Code of ethics | Part C Professional standards and guidance

 Recruitment procedures in the employing organisation emphasising the importance of

employing highly competent staff
 Implementing strong internal controls
 Appropriate disciplinary processes
 Strong leadership to emphasise the importance of ethical behaviour and expecting
employees to act ethically at all times
 Set policies and procedures to implement and monitor quality of employee
 Update employees with any changes in policies and procedures
 Appropriate training education in implementing such policies
 Set policies and procedures to encourage each employee to communicate to senior levels
within the employing organisation
 Consult another professional accountant

7.3 Potential conflicts

A professional accountant in business is expected to support ethical and legitimate objectives
established by the employer and the employer's established rules and procedures. Sometimes,
there might be conflict in between a professional accountant's responsibilities to an employing
organisation and professional obligations to comply with the fundamental principles.
The professional accountant in business may be under pressure to:
 Act contrary to law or regulation, technical or professional standards
 Facilitate unethical or illegal earning management strategies
 Lie to or intentionally mislead others such as auditors or regulators
 Issue or be associated with a financial or non-financial report that materially misrepresents
The facts.
Safeguards available to eliminate the threat or reduce it to an acceptable level:
 Obtain advice from the employing organisation, an independent professional adviser or a
relevant professional body
 The existence of a formal dispute resolution process within the employing organisation
 Seek legal advice

7.4 Preparation and reporting of information

A professional accountant in business should prepare or present financial and other information
fairly, honestly and comply with professional standards so that the information will be
understood in its context.
A professional accountant in business shall maintain information for which the professional
accountant is responsible so that the information:
 Describes clearly the true nature of business transactions, assets and liabilities
 Classifies and records information in a timely and proper manner
 Represents the facts accurately and completely in all material respects
When a professional accountant in business is pressured to become associated with self-interest
or intimidation threats (for example, misleading information or misleading information through the
actions of others) safeguards may be put in place such as consulting with superiors within the
employing organisation or with a relevant professional body.

139
 Business Assurance

If it is not possible to apply safeguards, the professional accountant should refuse to remain in
association with the information they consider to be unsafe. The professional accountant may also
consider resignation.

7.5 Acting with sufficient expertise

A professional accountant in business should not intentionally mislead an employer as to the
level of expertise or experience possessed and should seek appropriate advice and assistance
when required.
Circumstances when there is a threat to the performance of duties with the appropriate degree of
competence and due care are:
 Insufficient time for properly performing or completing the relevant duties
 Incomplete, restricted or otherwise inadequate information for performing the duties properly
 Insufficient training, experience and education
 Inadequate resources for the proper performance of the duties
Safeguards available to eliminate the threat or reduce it to an acceptable level:
 Obtain additional advice and training
 Ensure sufficient time to complete duties
 Consult, where appropriate, superior, independent experts, regulatory and professional body
When threats cannot be eliminated or reduced to an acceptable level, professional accountants in
business shall determine whether to refuse to perform the duties in question.

7.6 Financial interests

Professional accountants in business or their immediate or close family members may face self-
interest threats which would create a threat to objectivity.
Situations which may pose a problematic financial interest include the following:
 Holds a direct or indirect financial interest in the employing organisation and the value of
the financial interest could be directly affected by decisions made by the professional
accountant
 Eligible for a profit related bonus which could be directly affected by the professional
accountant's decisions
 Holds directly or indirectly share options in the employing organisation which will be
converted
 Share options will be qualified when performance targets are met in the employing
organisation
Safeguards available to eliminate the threat or reduce it to an acceptable level:
 Disclose all relevant interests and any future plans to trade in relevant shares, to those
charged with governance
 Set policies and procedures and an independent committee to determine the level or form of
remuneration of senior management
 Consult, where appropriate, with a superior, independent experts, regulatory and
professional bodies or, those charged with governance
 Internal and external audit procedures
 Up-to-date education on ethical issues and the legal restrictions and other regulations
around potential insider trading
A professional accountant in business shall neither manipulate information nor use confidential
information for personal gain.

140
 4: Code of ethics | Part C Professional standards and guidance

7.7 Inducements
Inducements would cause a self-interest threat and an intimidation threat. The professional
accountant in business or their immediate close family member may be offered, or may offer,
inducements such as gifts, hospitality or any other preferential advantages.
Receiving an offer
The self-interest threat (or confidentiality) occurs when an inducement is made in an attempt to:
 Unduly influence actions or decisions
 Encourage illegal or dishonest behaviour
 Obtain confidential information
An intimidation threat (or breach of confidentiality) will occur when an inducement is accepted
and followed by threats to make that offer public and damage the reputation of the professional
accountant in business or his immediate family members.
There is no significant threat to compliance with the fundamental principles if the offer is made in
the normal course of business.
The inducement shall not be accepted when the threats cannot be eliminated or reduced to an
acceptable level through the application of safeguards.
Making an offer
A professional accountant in business should not offer an inducement to improperly influence
the professional judgment of a third party.
When an unethical inducement is offered from the employing organisation, the professional
accountant should follow the principles and guidance regarding ethical behaviour.
Actions to be taken when there is an inducement offered:
 Inform higher levels of management or those charged with governance
 Inform third parties of the offer – ie a professional body
 Advise immediate or close family members of the situation after receiving such inducements

Self-test question 7
DEF is a company incorporated in Hong Kong. It is listed on the Hong Kong Stock Exchange. The
principal activities of the company are property investment, management and development.
Mr. Chan, DEF's Chief Executive ('CE'), Chairman of the Board and major shareholder, has asked
Simon, FCPA and DEF's financial controller, to falsify certain documents and accounting records of
DEF so that Mr. Chan can misappropriate $1 billion of DEF's cash for his personal investments. Mr.
Chan promises to pay back the $1 billion to DEF in a month and indicates that he will give Simon a
very favourable assessment for Simon's bonus and promotion evaluation for the current year;
otherwise, he will replace Simon with someone who will work better with him.
Required
Based on the information given above:
(a) Comment on the ethical issues; and (5 marks)
(b) Outline the possible actions Simon would need to take to address these ethical issues.
(5 marks)
(Total = 10 marks)
HKICPA May 2009
(The answer is at the end of the chapter)

141
 Business Assurance

8 Other issues

8.1 Client acceptance

Topic highlights
Before accepting a new engagement, the professional accountant in public practice should
consider whether there is any threat to compliance with the fundamental principles, that is any
potential threats to integrity or professional behaviour, for example, entity involvement in illegal
activities
The significance of any threats should be evaluated and safeguards should be applied to eliminate
them or reduce them to an acceptable level.
If it is not possible to reduce the threat to an acceptable level, the professional accountant in public
practice should decline the engagement.
For recurring entity engagement, acceptance decisions should be reviewed annually.

8.2 Engagement acceptance

A professional accountant must only accept engagement that he is competent to perform and
safeguards may be applied:
 Obtain appropriate understanding of the nature of the client's business, complexity of the
operations, specific requirement of the engagement, the relevant industries and the scope of
work
 Obtain and be familiar with the relevant regulations or reporting requirement
 Assigning sufficient competent staff
 Consider the use of experts
 Consider the deadline
 Comply with quality control policies and procedures to provide reasonable assurance that
specific engagements are accepted only when they can be performed competently

8.3 Changes in professional appointment

A professional accountant should determine whether there are any reasons for not accepting the
engagement. Safeguards may be applied such as the following:
 Discuss client's affairs with existing accountant
 Enquire of the existing accountant regarding information of which the proposed
accountant needs to be aware before deciding whether to accept the engagement
 Before any initiation to contact the existing accountant, there must be client's consent
 Any client's information to be released by the existing client, must be with the client's consent
or there must be a legal or ethical requirement for such disclosure

8.4 Marketing professional services

The professional accountant should be honest and truthful and should not exaggerate any claims
of services offered, qualifications and experience or make disparaging references about the work of
another professional accountant.

142
 4: Code of ethics | Part C Professional standards and guidance

8.5 Custody of entity's assets

A professional accountant should not keep, in custody, the entity's monies or other assets unless
permitted to do so. If the professional accountant, for instance, is entrusted with money or other
assets belonging to others, the following safeguards should be applied:
 Keep it separately from personal and firm's assets
 Only use the assets for intended purpose
 Keep proper accounting records for the assets
 Comply with laws and regulations

8.6 Integrity, objectivity and independence in insolvency

Receivership and liquidator appointment
When a material professional relationship with an entity exists, no partner in or employee of the
firm should accept appointment as receiver or as receiver and manager of that entity or liquidator of
the entity if the entity is insolvent or a trustee in bankruptcy.
A material professional relationship
Partner/employee of the firm is prohibited from appointment as receiver, manager, liquidator or
trustee if there has been a material professional relationship during the previous two years.
Material professional work
Audit work of such overall significance that a member's objectivity in carrying out a subsequent
insolvency appointment could be or could reasonably be prejudiced.
If the company goes into liquidation the company's rights remain vested in the company.
The auditor of a company which is in liquidation may be approached by the police for assistance
in inquiries (still need to consider confidentiality).
Audit following receivership
Where a partner in or an employee of a practice has been receiver of any of the assets of a
company, neither the practice nor any partner in or employee of the practice should accept
appointment as auditor of the company, or of any company which was under the control of the
receiver, for any accounting period during which the receiver acted or exercised control.
Acceptance of an insolvency appointment in relation to more than one company in a group of
companies or association may raise issues of conflict of interest.

143
 Business Assurance

Topic recap

Public interest in
accounting and auditing PROFESSIONAL ETHICS
services

• Integrity
• Objectivity
• Professional Accountant in
competence public practice
• Confidentiality
• Professional behaviour

• Self-interest Threats to
• Self-review fundamental Safeguards
• Management principles
• Advocacy
• Familiarity
• Intimidation

Specific examples

Accountant in public Accountant in business

practice

• Independence → examples • Potential conflicts

• Confidentially → duty of • Preparation of information
confidence but exceptions • Sufficient expertise
• Conflicts of interest • Financial interest
• Client acceptance • Inducements
• Changes in professional
appointment

144
 4: Code of ethics | Part C Professional standards and guidance

Answers to self-test questions

Answer 1
As a professional accountant in public practice, Peter has to consider compliance with the
fundamental principles included in the Code of Ethics (Revised) (the Code) when accepting a new
assurance client or continuing engagement of an existing client. The concessionary mortgage rate
offer and the close relationship between Peter, the audit engagement partner, and Charles, Head
of Consumer Credit, raise concerns on both self-interest and familiarity threats to independence.
By accepting gifts or hospitality from an assurance client, self-interest and familiarity threats may
be created, unless the value is clearly insignificant.
A self-interest threat occurs as a result of the financial or other interests of a professional
accountant or of an immediate or close family member. SMP staff or members of the assurance
team may benefit financially from its assurance client, BNT, by taking up the below market
mortgage rate offer.
A familiarity threat occurs when, because of a close relationship, a professional accountant
becomes too sympathetic to the interests of others. Peter's association with Charles in sport
activities in the last 3 years may indicate a potential close relationship affecting Peter's objectivity in
decision making but this is not clear from the information given how closely associated they have
become or whether it is only a business networking relationship.
The Code requires a professional accountant in public practice to evaluate the significance of any
threats. If threats are other than clearly insignificant, safeguards should be considered and applied
as necessary to eliminate or reduce such threats to an acceptable level.
The mortgage offer would be considered normal or not a problem if BNT lends to the assurance
staff members on commercial terms and lending is its normal business. However, the offer is an in-
house staff benefit. This will also be a benefit to the SMP assurance staff and other staff in the film
if accepted. It is within the context of the Code's guidelines on gifts and hospitality (preferential
treatment) because the interest rate charged is below the market rate. The concessionary rate
would apply to the borrower over a number of years, and represents a significant discount. The
financial amount involved is therefore unlikely to be modest. As such, SMP should conclude that to
accept such a benefit would represent a significant threat to the objectivity of the firm, through its
staff, in relation to the audit. SMP should refuse the offer.
To deal with the potential familiarity threat to independence, SMP should consider the following
safeguards or procedures:
 Involve an additional professional accountant to review the work done
 Remove Peter out from the team
 Discuss with those charged with governance in BNT the potential close association
 Document the safeguards and rationale in the planning document

Answer 2
(a) In accordance with Code of Ethics the relevant threats to independence in this case relating
to acceptance of a loan are: self-interest threat and familiarity threat.
The self-interest threat occurs when a firm or a member of the assurance team could
benefit from a financial interest in, or other self-interest conflict with, an assurance client,
such as a loan or guarantee to or from an assurance client or any of its directors or officers.
The familiarity threat occurs when, by virtue of a close relationship with an assurance
client, its directors, officers or employees, a firm or a member of the assurance team
becomes too sympathetic to the client's interests, such as by acceptance of gifts or

145
 Business Assurance

hospitality, unless the value is clearly insignificant, from the assurance client, its directors,
officers or employees.
The revised Code requires that if a member of the assurance team or his/her immediate
family member has a material indirect financial interest in the assurance client, the self-
interest threat created would be so significant that the only safeguards available to eliminate
the threat or reduce it to an acceptable level would be:
 Disposal of the indirect financial interest in total
 Disposal of a sufficient amount of it so that the remaining interest is no longer material
prior to the individual becoming a member of the assurance team
 Removal of the member of the assurance team from the assurance engagement
Similarly, there would be no problem if the client, whose normal course of business was to
lend, lent to audit staff members on normal commercial terms. However, the offer is a benefit
to audit and other firm staff, as the interest rate would be significantly below the market rate.
This puts it within the context of the guidelines on gifts and hospitality, because, although
strictly, it is neither, it is a benefit to staff.
Regarding gifts and hospitality, Audit staff members are entitled to accept gifts or hospitality
of trivial or inconsequential value. Clearly, what is considered trivial will vary from person to
person according to his circumstances.
However, it is important to note at this point, that, whatever the circumstances of individuals
are, the firm should decide on a rule that applies to all staff, and should not create a situation
where some staff members are entitled to the benefit and others are not.
When considering whether a benefit is trivial, the firm must consider the materiality of the
benefit to each recipient, or, in other words, the recipient to whom it would be least trivial.
In this question, the low rate would apply to the individuals over a number of years, and
represents a significant discount, much greater than that generally available to the public.
The amount is therefore unlikely to be trivial. As such, Kwok & Co should conclude that to
accept such a benefit would represent a significant threat to the objectivity of the firm,
through its staff, in relation to the audit, and should refuse the offer.
Regarding accepting loans, the audit firm could accept a loan from a client whose normal
course of business is lending on normal commercial terms. In such circumstance, it might be
wise for the audit firm to consider the need to put additional safeguards in place.
(b) The audit partner should consider the following issues:
First, as an employer, he should consider whether Kwok & Co wants to retain the benefit of
the training costs they have incurred to date in respect of the trainee and try to encourage
the audit assistant to stay.
Second, in terms of audit objectivity and independence, the partner should consider
whether he should take any steps in relation to the audit of Kowloon Bank should the trainee
work there. The partner should consider:
 The seniority of the engagement team member
 The nature of the role he would take up at Kowloon Bank
 The need to amend the audit plan and approach for future audits
As the audit assistant was only a junior member of the engagement team, it is unlikely that
the audit partner would need to take any steps. However, if the audit assistant is moving to
the bank's finance department, rather than the general business, the audit partner may
decide to review the approach as a precaution, particularly if the audit assistant has seen the
upcoming audit plan and strategy.

146
 4: Code of ethics | Part C Professional standards and guidance

Answer 3
(a) Section 290 of the Code of Ethics provides specific guidance on independence requirements
for audit and review engagements. Independence requires independence of mind and
independence in appearance.
Independence of mind is the state of mind that permits the expression of an opinion without
being affected by influences that compromise professional judgment, allowing an individual
to act with integrity, and exercise objectivity and professional scepticism.
Independence in appearance is the avoidance of facts and circumstances that are so
significant that a reasonable and informed third party, would be likely to conclude, weighing
all specific facts and circumstances, that a firm's or a member of the engagement team's
integrity, objectivity or professional scepticism have been compromised.
The provision of non-assurance services to assurance clients may create threats to the
independence of the firm, particularly with respect to perceived threats to independence
(independence in appearance).
Consequently, it is necessary to evaluate the significance of any threat created by the
provision of such services.
In some cases, it may be possible to eliminate or reduce the threat created by the application
of safeguards. In other cases no safeguards are available to reduce the threat to an
acceptable level.
(b) A valuation comprises the making of assumptions with regard to future developments, the
application of certain methodologies and techniques, and the combination of both in order to
compute a certain value for an asset.
A self-review threat may be created if Yu & Yu performs a valuation for the assets of
La'Monsa that are to be incorporated into the financial statements for the year ended
31 December 20X6.
If the valuation service involves the valuation of matters material to the financial statements
and the valuation involves a significant degree of subjectivity, the self review threat could not
be reduced to an acceptable level by the application of any safeguard. Accordingly, such
valuation services should be not provided; alternatively, the only course of action would be to
withdraw from the financial statement audit engagement.
If the brand and the machinery and equipment are material, Yu & Yu cannot accept the
engagement to provide valuation services unless they withdraw from the financial statement
audit engagement.
It is not easy to quote a market price for the brand. The valuation may involve a significant
degree of subjectivity in the assumptions regarding future developments of the business
after merger with another company. It is not advisable to accept the valuation of the brand
for La'Monsa.
If the services are neither material to the financial statements nor involving a significant
degree of subjectivity, the self-review threat could be reduced to an acceptable level by the
application of safeguards.
The net realisable value of plant and machinery can be quoted from the market. If the value
of the machinery and equipment is not material, and net realisable value rather than value in
use (which entails a significant degree of subjectivity in the assumptions regarding future
developments of the business after merger with another company) is adopted in the
valuation, Yu & Yu could reduce the self-review threat by applying the following safeguards:
 Involving an additional professional accountant who was not a member of the
assurance team to review the work done or otherwise advise as necessary

147
 Business Assurance

 Obtaining La'Monsa's acknowledgement of responsibility for the results of the work

performed by Yu & Yu
 Making arrangements so that personnel providing such services do not participate in
the audit engagement

Answer 4
(i) You should refuse the tickets.
Unless the value of the ticket is trivial and inconsequential, a member of an engagement
team should decline any offers which may be seen to be intended to influence the judgment
of a professional accountant.
It is difficult to be convinced from the independence perspective that a concert ticket worth
HK$8,000 be regarded as trivial and inconsequential and the acceptance of the tickets will
likely to create self-interest threat.
(ii) Your team may or may not accept the dinner invitation. It depends on whether the hospitality
will create a self-interest threat.
The engagement team should refuse any extravagant dinner as it will fall into a grey area as
to whether the offer would be an inducement or downright bribery.
However, the engagement team can accept any dinner offer that is part of business life.
(iii) You should refuse the contingent fee arrangement proposed by the Chairman.
The bonus arrangement creates self-interest threat to the audit engagement team as the
auditor's remuneration would be based on the outcome of a potential IPO.
A firm should not enter into a contingent fee arrangement for any assurance engagement as
payment arrangements based on outcomes create self-interest threat which cannot be
reduced to acceptable levels through the application of suitable safeguards.
(iv) The tax team can maintain a close working relationship with the audit client in the normal
business context and as long as no familiarity threat is created.
They can continue with the tax advisory work and the audit support work as long as there are
proper safeguards to prevent the tax team auditing their own work.
Auditing its own work will create a self-review threat for the team.
Safeguards can include appointing separate teams for the tax advisory and tax audit.

Answer 5
(a) The HKICPA Code of Ethics states that a professional accountant who acquires sensitive
information in the course of his work, should not use, nor appear to use, that information to
his own advantage or to the advantage of any third party with which he is connected.
The auditor should not disclose confidential client information to:
 Anyone who works outside the client's organisation.
 Anyone within the client organisation without a need to know.
 Anyone within the firm or other member firms of the auditor, unless there is a legal or
professional right or duty to disclose, or a written consent has been obtained.
Client information of a private and sensitive nature must be used responsibly, controlled, and
protected to prevent arbitrary and careless disclosure.
The auditor should maintain adequate security over working papers (in paper or electronic
form) and all client records in their possession.

148
 4: Code of ethics | Part C Professional standards and guidance

Confidentiality of information should be considered at all times. This includes public places
such as trains, restaurants and lifts, even in the auditor's office.
Confidential or proprietary information about the client which has been gained through
employment with the audit firm, must not be used for personal advantage or for the benefit of
third parties.
A client's name (unless it is public information) or logo can be used in service proposals,
marketing or recruiting materials only if the client's permission is obtained.
The requirement for confidentiality continues after the completion of an engagement, after
Partners and Professional Staff leave the audit firm, and even after the end of the
relationship between the auditor and the client.
Auditors may, in certain circumstances, be required by law to disclose information. Examples
of when such disclosures may be required are:
 Evidence in the course of legal proceedings involving the auditor (or in some, but by
no means all cases, a client).
 Disclosure to the appropriate public authorities of infringements of laws that are noted
by the auditor.
A professional duty or right to disclose may also arise when, for example:
 Complying with technical and professional standards including ethical requirements.
 The interests of the firm are being protected in legal proceedings.
(b) Pursuant to Section 133.1(a) of the Hong Kong Companies Ordinance (Section 412 under
the new Companies Ordinance), the parent company auditor in Hong Kong has a legal right
of access to the records of all companies in the group. Consequently, the subsidiary auditor
has a legal obligation to provide the parent company auditor with such subsidiary company
information and explanations as they may require. The subsidiary auditor should normally
co-operate fully with the parent company auditor, to furnish him with all the information which
he may reasonably require from the subsidiary auditor, and to ensure as far as the
subsidiary auditor is able that he is aware of any matters which he thinks might be significant
to the parent company auditor's opinion on the group financial statements.
An acknowledgement from the client should be obtained before any information is given.
The subsidiary auditor should provide the parent company auditor with the information he
requires by means of a meeting or through correspondence between their representatives.
The subsidiary auditor should normally prepare for this by identifying and listing any points
about the audit which he thinks might be significant to the auditor of the group financial
statements. In addition, he ought to list any points of difficulty which arose in the audit, the
conclusions that were reached, and the reasons for these conclusions. The subsidiary
auditor should make sure that all these points are brought out even if they are not the subject
of specific enquiry. In addition, he may of course answer all the reasonable questions which
the reviewer asks, showing him the relevant working papers as necessary.
There may be situations where the parent company auditor will insist on unrestricted access
to the working papers. The following suggested procedures may be considered:
 Access will only be granted after substantially all audit work has been completed and
the auditor satisfied that the working papers are complete.
 A signed access letter is obtained from the parent company auditor. This letter sets
out the conditions under which the access is provided.
 Access will only be granted in the subsidiary auditor's office and a member of
subsidiary auditor's staff should be present throughout.

149
 Business Assurance

Answer 6
(a) Washington – ethical issues
In accordance with the Code of Ethics, MKJ & Co should consider ethical issues in its entity
acceptance procedures. In considering accepting Washington as its client entity, MKJ & Co
should consider any relevant threats to independence which may impair the firm's objectivity
and independence.
Self-interest threat
There are no details mentioned regarding the fee income obtained from Washington.
However, as Washington will soon list, MKJ should ensure no more than 10%of its recurring
practice income (assuming advisory work, taxation and consultancy work to be performed
annually) should be derived from Washington. Obtaining over 10% could indicate undue
dependence on an entity and objectivity would be likely to be impaired resulting in a self-
interest threat.
MKJ & Co should review its proposed fee and should consider whether it should limit other
services so that independence is not impaired. An annual review would be required on
Washington if the fee is close to 10% of its total fee.
Self-review threat
A self review threat may be created when MKJ & Co provides advisory work and consultancy
work for Washington, especially when the works are on financial accounting.
Familiarity threat
The familiarity threat may occur when there exists a close relationship with an entity, its
directors, officers or employees; a firm or a member of the assurance team becomes too
sympathetic to the entity's interest.
In accordance with the facts, Mr. Otto, Washington's Financial Controller is an old friend of
one of the senior partners, Mr. Man. The firm should consider whether a different partner
should take the lead on Washington's work.
Conflict of interest
Within MKJ & Co's portfolio, there is an entity who is also a competitor of Washington. There
is nothing improper in a firm having two or more entities whose interests are in dispute, as
long as the work the firm does is not the subject of the dispute.
In this case, MKJ & Co's work should be managed so as to avoid the interests of one entity
adversely affecting the other. The firm should review its relationship with prospective entity ie
Washington and the rival entity before accepting/continuing the engagement. If a material
conflict of interest is identified, the firm should disclose sufficient information to entities so
that they can make an informed decision as to whether to continue with the firm.
Advocacy threat
Since Washington is about to list, if MKJ & Co agrees to attend the cocktail party, there may
be threats to independence through an advocacy threat. This occurs when the firm may be
perceived to be a promoter of shares in Washington, as the prospectus is being distributed
during the party. The firm should consider how likely this perception is, for example, whether
their name appears on the prospectus or the party invitation. In addition, they should
consider whether hospitality at an 'extravagant cocktail party' is 'clearly insignificant'.
(b) Safeguards
Self-interest threat – fee
MKJ & Co should start monitoring when the fee is approaching 10% of its total fee of the
firm. If there is undue dependence on Washington, MKJ should be selective of the
engagements.

150
 4: Code of ethics | Part C Professional standards and guidance

MKJ & Co should install appropriate safeguards especially the firm should not act in the
management role, making managerial decisions. The rule should be strictly complied with
as Washington will be listed in next financial year.
Familiarity threat
A familiarity threat may have been created. Mr. Man should not be assigned as the
engagement partner on the audit.
One of the audit seniors has become an employee of Washington, however since the
employee is to become Human Resources Manager, there is very little direct and significant
influence over the financial accounting aspect. MKJ & Co may instruct the partner in charge
to modify the audit plan normally used as a safeguard, but this appears to be an insignificant
risk.
Conflicts of interest
Some of the most common safeguards to manage this conflict of interest would be using
different engagement teams to handle Washington's work and its rival's work. The firm
should have standing instructions to prevent the leakage of confidential information or
prevent access to information.
Advocacy threat
MKJ & Co should not participate in any activities relating to the promotion of the shares of
Washington and should make clear to Washington's management that they cannot be
perceived to.

Answer 7
(a) Ethical issues
Since Simon is a salaried employee of DEF, Simon is a professional accountant in business
and is required to comply with the Code of Ethics for Professional Accountants.
A professional accountant in business should prepare or present financial and other
information fairly, honestly and in accordance with relevant professional standards.
Financial and non-financial information should be maintained in a manner that describes
clearly the true nature of business transactions, assets or liabilities and classifies and
records entries in a timely and proper manner.
Self-interest or intimidation threats may occur where a professional accountant in business
may be pressured (either externally or by the possibility of personal gain) to become
associated with misleading information or to become associated with misleading information
through the actions of others.
In this case, Mr. Chan's request for Simon to falsify certain documents and accounting
records of DEF in return for a favourable assessment for Simon's bonus and promotion
evaluation for the current year represents a self-interest threat.
Also, Mr. Chan's threat to replace Simon if Simon does not accede to the request represents
an intimidation threat.
(b) Actions to be taken
Since Mr. Chan is the CE and major shareholder of DEF, it is inappropriate to report the
fraud or suspected fraud to other senior management who are actually Mr. Chan's
subordinates.
As Mr. Chan is also the Chairman of the board of directors, reporting the matter to the
Chairman of the board of directors might not be desirable for Simon either.
DEF is a listed company and all listed companies in Hong Kong are required to establish an
audit committee, of which the Chairman should be an independent non-executive director.

151
 Business Assurance

Simon should thus report the matter to the Chairman of the audit committee.
As a last resort, Simon may consider making a report to an appropriate external authority
such as the police or the ICAC in line with the ethical guidance on the duty of confidentiality.
When in doubt, Simon is recommended to seek legal advice.
Simon should be aware that he himself commits a criminal offence if he helps Mr. Chan in
the planning or execution of his plan to misappropriate DEF's $1 billion cash.
Simon should also be aware that he may incur civil liability to third parties if he is involved in
Mr. Chan's unlawful conduct by assisting him in the planning or execution of the unlawful
conduct.

152
 4: Code of ethics | Part C Professional standards and guidance

Exam practice

DEL 21 minutes
Carol is a CPA working in Yvonne & Zoe CPA ('Y&Z') as a manager in charge of the audit of Daisy
Emma Limited ('DEL') for the year ended 30 June 20X1. DEL, which is not a public interest entity,
has recently offered Carol a part-time position as the company secretary to commence as soon as
possible.
Carol accepts DEL's offer this week on the grounds that she will only be required to carry out
routine administrative services to support the corporate secretarial function and to make decisions
in respect of corporate secretarial matters at the annual general meeting. In addition, Carol
considers that Y&Z's audit report on DEL's financial statements will be signed by her audit partner,
and Carol is not an audit partner at Y&Z.
Having been formally appointed as DEL's company secretary this week, Carol thinks she ought to
discuss the matter with Yvonne (who is Y&Z's partner in charge of the audit of DEL) in order to
implement certain safeguards just in case of any possible conflict of interest.
Required
(a) Analyse the situation of Carol in the context of the HKICPA's ethical requirements. (8 marks)
(b) Discuss any safeguards or actions Yvonne could implement in order to reduce the threats
against the HKICPA's ethical requirements to an acceptable level. (4 marks)

(Total = 12 marks)
HKICPA June 2012

153
 Business Assurance

154
chapter 5

Framework for assurance

engagements
Topic list

1 Overview of the Hong Kong Framework for 4 Reviews and other assurance engagements
Assurance Engagements 4.1 Review engagements
1.1 Hong Kong Framework for Assurance 4.2 Assurance engagements not dealing
Engagements with historical financial information
1.2 Adherence to professional standards 4.3 Investment circular reporting
and guidance engagements
2 Assurance engagements 5 Non-assurance engagements
2.1 Purposes of an assurance engagement
2.2 Elements of an assurance engagement
2.3 Assurance engagement or not?
2.4 Types of assurance engagements
2.5 Accepting and continuing appointment
3 The purpose of external audit engagements
3.1 Objective of external audit
3.2 Materiality
3.3 Professional scepticism

Learning focus

This chapter explains the basis of auditing and the distinction between audit and other review
assignments. Students are expected to know the Framework that governs these assurance
engagements.

155
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
1.02 Professional standards and guidance 3
1.02.01 Explain the importance of adherence to professional standards and
guidance
1.03 Legal and regulatory framework governing the profession 3
1.03.01 Explain the regulatory framework for assurance and non-assurance
engagements in Hong Kong
1.03.02 Explain the nature and purpose of assurance and non-assurance
engagements

156
 5: Framework for assurance engagements  Part C Professional standards and guidance

1 Overview of the Hong Kong Framework for Assurance

Engagements
Topic highlights
HKICPA has adopted the Clarity standards issued by IAASB.

The Hong Kong Institute of CPAs (HKICPA) is pursuing a policy of achieving convergence with
International Standards issued by the International Auditing and Assurance Standards Board
(IAASB).
The following table shows the list of Hong Kong Standards on Quality Control, Auditing, Assurance
and Related Services in issue at the time of writing:

Hong Kong Standards on Auditing

Preface
Preface (Amended) Amended Preface to the Hong Kong Quality Control, Auditing, Review,
Other Assurance and Related Services Pronouncements
Glossary
Glossary (Clarified) Glossary of Terms Relating to Hong Kong Standards on Quality Control,
Auditing, Review, Other Assurance and Related Services
Hong Kong Standards on Quality Control (HKSQCs)
HKSQC 1 (Clarified) Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance and Related Services Engagements
Hong Kong Framework for Assurance Engagements
Framework (Amended) Hong Kong Framework for Assurance Engagements
Hong Kong Standards on Auditing (HKSAs)
HKSA 200 Overall Objectives of the Independent Auditor and the Conduct of an
Audit in Accordance with Hong Kong Standards on Auditing
HKSA 210 Agreeing the Terms of Audit Engagements
HKSA 220 Quality Control for an Audit of Financial Statements
HKSA 230 Audit Documentation
HKSA 240 The Auditor's Responsibilities Relating to Fraud in an Audit of Financial
Statements
HKSA 250 (Clarified) Consideration of Laws and Regulations in an Audit of Financial
Statements
HKSA 260 (Revised) Communication with Those Charged with Governance
HKSA 265 (Clarified) Communicating Deficiencies in Internal Control to those Charged with
Governance and Management
HKSA 300 Planning an Audit of Financial Statements
HKSA 315 (Revised Identifying and Assessing the Risks of Material Misstatement through
2016) Understanding the Entity and Its Environment
HKSA 320 Materiality in Planning and Performing an Audit
HKSA 330 The Auditor's Responses to Assessed Risks
HKSA 402 (Clarified) Audit Considerations Relating to an Entity using a Service Organization
HKSA 450 Evaluation of Misstatements Identified during the Audit

157
 Business Assurance

Hong Kong Standards on Auditing

HKSA 500 Audit Evidence
HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected items
HKSA 505 (Clarified) External Confirmations
HKSA 510 Initial Audit Engagements – Opening Balances
HKSA 520 (Clarified) Analytical Procedures
HKSA 530 (Clarified) Audit Sampling
HKSA 540 Auditing Accounting Estimates, Including Fair Value Accounting
Estimates, and Related Disclosures
HKSA 550 (Clarified) Related Parties
HKSA 560 Subsequent Events
HKSA 570 (Revised) Going Concern
HKSA 580 Written Representations
HKSA 600 Special Considerations – Audits of Group Financial Statements (Including
the Work of Component Auditors)
HKSA 610 (Revised Using the Work of Internal Auditors and Related Conforming
2013) Amendments
HKSA 620 (Clarified) Using the Work of an Auditor's Expert
HKSA 700 (Revised) Forming an Opinion and Reporting on Financial Statements
HKSA 701 Communicating Key Audit Matters in the Independent Auditor's Report
HKAS 705 (Revised) Modifications to the Opinion in the Independent Auditor's Report
HKSA 706 (Revised) Emphasis of Matter Paragraphs and Other Matter Paragraphs in the
Independent Auditor's Report
HKSA 710 Comparative Information – Corresponding Figures and Comparative
Financial Statements
HKSA 720 (Revised) The Auditor's Responsibilities Relating to Other Information
HKSA 800 (Revised) Special Considerations – Audits of Financial Statements Prepared in
Accordance with Special Purpose Frameworks
HKSA 805 (Revised) Special Considerations – Audits of Single Financial Statements and
Specific Elements, Accounts or Items of a Financial Statement
HKSA 810 (Revised) Engagements to Report on Summary Financial Statements
Hong Kong Standards on Review Engagements (HKSREs)
HKSRE 2400 Engagement to Review Historical Financial Statements
(Revised)
HKSRE 2410 Review of Interim Financial Information Performed by the
Independent Auditor of the Entity
Hong Kong Standards on Assurance Engagements (HKSAEs)
HKSAE 3000 Assurance Engagements Other Than Audits or Reviews of Historical
(Revised) Financial Information and Related Conforming Amendments
HKSAE 3402 Assurance Reports on Controls at a Service Organization
HKSAE 3410 Assurance Engagements on Greenhouse Gas Statements
HKSAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma
Financial Information Included in a Prospectus

158
 5: Framework for assurance engagements  Part C Professional standards and guidance

Hong Kong Standards on Auditing

Hong Kong Standards on Related Services (HKSRSs)
HKSRS 4400 Engagements to Perform Agreed-upon Procedures Regarding Financial
Information
HKSRS 4410 (Revised) Compilation Engagements
Hong Kong Standards on Investment Circular Reporting Engagements (HKSIRs)
HKSIR 200 Accountants' Reports on Historical Financial Information in Investment
Circulars
HKSIR 400 (Revised) Comfort Letters and Due Diligence Meetings

HKSIR 500 Reporting on Profit Forecasts, Statements of Sufficiency of Working

Capitfal and Statements of Indebtedness

These standards will be referred to later in this Learning Pack when detailed auditing issues are
introduced.

1.1 Hong Kong Framework for Assurance Engagements

This Framework is issued solely to facilitate understanding of the elements and objectives of an
assurance engagement and the engagements to which Hong Kong Standards on Auditing and
Assurance (HKSAAs) apply. HKSAAs cover Hong Kong Standards on Auditing (HKSAs), Hong
Kong Standards on Review Engagements (HKSREs), Hong Kong Standards on Investment
Circular Reporting Engagements (HKSIRs) and Hong Kong Standards on Assurance Engagements
(HKSAEs). This Framework is not a Standard.
This Framework provides a frame of reference for
(a) Assurance practitioners;
(b) Others involved with assurance engagements, including the intended users of an assurance
report and those engaging a practitioner (the 'engaging party'); and
(c) The HKICPA in its development of HKSAAs, Practice Notes and other papers.
Professional accountants are governed by the Code of Ethics and HKSQCs.

1.2 Adherence to professional standards and guidance

It is important for professional accountants to adhere to professional standards and guidance such
as the Code of Ethics for Professional Accountants ('the Code (Revised)'), the Hong Kong
Standards on Auditing ('HKSAs') or the Hong Kong Standards of Quality Control ('HKSQC1') as
professional accountants are seen to serve in the public interest.
HKICPA is the statutory licensing body of CPAs in Hong Kong. It is recognised globally and is in a
position to strengthen the accountancy profession and to contribute to the development of strong
international economies by establishing and promoting adherence to high-quality professional
standards, furthering the international convergence of such standards and speaking out on public
interest issues where the profession's expertise is most relevant.
Professional accountants are obliged to adhere to these values, which are reflected in the Code of
Ethics (Revised). By complying with professional standards, professional accountants contribute to
the efficient functioning of the economy by:
 Improving confidence in the quality and reliability of financial reporting;
 Encouraging the provision of high quality performance information (financial and non-
financial) within entities;

159
 Business Assurance

 Promoting the provision of high quality services by all members of the accountancy
profession; and
 Promoting the importance of adherence to the Code by all members of the accountancy
profession, including members in industry, commerce, the public sector, the not-for-profit
sector, academia, and public practice.

2 Assurance engagements

Topic highlights
Assurance engagements may give reasonable assurance or limited assurance.

2.1 Purposes of an assurance engagement

The purposes of an assurance engagement can be defined as to:
(a) Express a conclusion that provides an intended user with a level of assurance about the
subject matter
(b) Enhance credibility of information about a subject matter by evaluating whether the subject
matter conforms in all material aspects with suitable criteria
(c) Improve likelihood that information will meet the needs of an intended user

2.2 Elements of an assurance engagement

HK Framework
for Assurance
The definition of an assurance engagement is set out in the key term below. You should be familiar
Engagements.7 with it.

Key term
An assurance engagement is an engagement in which a practitioner aims to obtain sufficient
appropriate evidence in order to express a conclusion designed to enhance the degree of
confidence of the intended users other than the responsible party about the outcome of the
measurement or evaluation of an underlying subject matter against criteria (Framework para 10).

2.3 Assurance engagement or not?

2.3.1 A three party relationship
An assurance engagement must involve a three party relationship and they are: practitioner,
responsible party and intended users. For example, in an audit, it involves:

INTENDED USERS
Shareholders

PRACTITIONER RESPONSIBLE PARTY

Auditor Board of Directors

160
 5: Framework for assurance engagements  Part C Professional standards and guidance

Auditors (the practitioners) provide assurance to intended users (shareholders) about a subject
matter (the financial statements) that is the responsibility of a responsible party (the board of
directors).
The intended user is the person for whom the auditors prepare a report for a specific use or
purpose – usually the shareholders and others users that can be established by law.
The 'responsible party' is the person (or persons) who is responsible for the subject matter or
subject matter information of the assurance engagement.
(Refer also to B Kwok in his book, Financial Analysis in Hong Kong, for the tripartite relationship of
audit.)

2.3.2 Subject matter

Subject matter should be:
 Identified
 Located in a point in time or covering a period of time
 In the form of either data, systems and processes or behaviour
 In respect of financial or non-financial performance, systems or behaviour

2.3.3 Suitable criteria

Criteria should have the following characteristics:
(a) Relevance: relevant criteria contribute to conclusions that assist decision-making by the
intended users.
(b) Completeness: criteria are sufficiently complete when relevant factors that could affect the
conclusions in the context of the engagement circumstances are not omitted. Complete
criteria include, where relevant, benchmarks for presentation and disclosure.
(c) Reliability: reliable criteria allow reasonably consistent evaluation or measurement of the
subject matter including, where relevant, presentation and disclosure, when used in similar
circumstances by similarly qualified practitioners.
(d) Neutrality: neutral criteria contribute to conclusions that are free from bias.
(e) Understandability: understandable criteria contribute to conclusions that are clear,
comprehensive, and not subject to significantly different interpretations.

2.3.4 Sufficient appropriate evidence

The practitioner plans and performs an assurance engagement with an attitude of professional
scepticism to obtain sufficient appropriate evidence about whether the subject matter information is
free of material misstatement. The practitioner considers materiality, assurance engagement risk
(see section 2.3.6 below), and the quantity and quality of available evidence when planning and
performing the engagement, in particular when determining the nature, timing and extent of
evidence-gathering procedures.
Sufficiency is about the quantity of evidence.
Appropriateness is about quality of evidence (relevance and reliability).

2.3.5 Written assurance report

In a reasonable assurance engagement the practitioner's conclusion is expressed in the positive
form, for example: 'In our opinion internal control is effective, in all material respects, based on XYZ
criteria'.
In a limited assurance engagement, the practitioner's conclusion is expressed in the negative
form, for example, 'Based on our work described in this report, nothing has come to our attention
that causes us to believe that internal control is not effective, in all material respects, based on XYZ
criteria'.
(This is discussed further in section 2.4 and Chapter 19.)

161
 Business Assurance

2.3.6 Assurance engagement risk

This risk is defined as 'risk that the practitioner expresses an inappropriate conclusion when the
subject matter information is materially misstated'.
The components of assurance engagement risk are:
Inherent Risk + Control Risk + Detection Risk
Inherent risk: the susceptibility of the subject matter information to a material misstatement,
assuming that there are no related controls.
Control risk: the risk that a material misstatement that could occur will not be prevented, or
detected and corrected, on a timely basis by related internal controls. When control risk is relevant
to the subject matter, some control risk will always exist because of the inherent limitations of the
design and operation of internal control.
Detection risk: the risk that the practitioner will not detect a material misstatement that exists.
We shall look at the above risks in more detail in Chapter 8.

2.4 Types of assurance engagements

Topic highlights
In accordance with the amended Framework and HKSAE 3000 (Revised) Assurance
Engagements other than Audits of Historical Financial Information an assurance engagement will
HKSAE be classified on two dimensions:
3000.12(a)
An assurance engagement will be either a reasonable assurance engagement or a limited
assurance engagement (Framework paras 14 –15).
An assurance engagement will be either an attestation engagement or a direct engagement
(Framework paras 12 – 13).
Attestation engagements and direct engagements are discussed further in Chapter 19.

'Assurance' here means the professional accountants' satisfaction as to the reliability of the
assertion made by one party for use by another party.

2.4.1 Reasonable level of assurance

Reasonable assurance is accumulating evidence for the practitioner to conclude in relation to the
subject matter information taken as a whole.

Key term
Reasonable assurance in the context of an audit of financial statements is a high, but not an
absolute, level of assurance.

HKSA Professional accountants have gained sufficient appropriate evidence to conclude the subject
200.13m
matter conforms in all material aspects with identified suitable criteria. Professional accountants
should design the engagement so that the risk of expressing an inappropriate conclusion that
the subject to reduce risk of inappropriate conclusion respects with suitable criteria is reduced to an
acceptably low level. Reasonable assurance relates to the whole audit process.
For example, an audit provides a reasonable assurance level but not absolute assurance and the
report contains a positive assurance on assertions for example, 'the financial statements give a
true and fair view of …'.

162
 5: Framework for assurance engagements  Part C Professional standards and guidance

2.4.2 Limited level of assurance

Engagement risk must be reduced to an acceptable level under the circumstances but that risk will
be greater than for a reasonable assurance engagement.
For example: A review performed in accordance with HKSRE 2400 (Revised) Engagements to
Review Historical Financial Statements is a limited assurance engagement.
The conclusion is expressed in 'negative terms', for example:
'Based on the procedures performed and evidence obtained, nothing has come to our attention that
causes us to believe that the entity has not complied, in all material respects with XYZ law'
(Framework para 86).
2.4.3 No level of assurance
Here, the professional accountant is giving no assurance at all for the engagement.
(a) Agreed-upon procedures (HKSRS 4400) – the professional accountant and the entity
determine the procedures to be performed and professional accountants will provide a report
of factual findings as a result of undertaking those procedures.
(b) Compilation (HKSRS 4410 (Revised)) of financial or other information – professional
accountants use their accounting expertise to collect, classify and summarise financial
information, users of the compiled information will gain some benefits because professional
accountants carry out their work with professional competence and due care.
(c) Preparation of tax returns.
(d) Management consulting and advisory services.

2.5 Accepting and continuing appointment

Topic highlights
Assurance engagements should only be accepted if the firm meets the requirements of the Code of
Ethics for Professional Accountants and HKSQC 1 (Clarified).

The standard requires that practitioners ensure they comply with the Code of Ethics for
Professional Accountants and the Quality Control Standard (HKSQC 1 (Clarified)) with regard to
the assignment.

3 The purpose of external audit engagements

Topic highlights
An external audit is a type of assurance engagement that is carried out by a professional
accountant to give an independent opinion on a set of financial statements.

3.1 Objective of external audit

3.1.1 HKSA 200
HKSA 200.11 The objectives of external audit are laid out in HKSA 200 Overall Objectives of the Independent
Auditor and the Conduct of an Audit in Accordance with Hong Kong Standards on Auditing.

163
 Business Assurance

The objectives of an audit are:

(a) to obtain reasonable assurance about whether the financial statements as a whole are free
from material misstatement, whether due to fraud or error, thereby enabling the auditor to
express an opinion on whether the financial statements are prepared, in all material respects,
in accordance with an applicable financial reporting framework: and
(b) to report on the financial statements, and communicate as required by HKSAs, in
accordance with the auditor's findings.
An audit of financial statements is an example of an assurance engagement.

3.1.2 Statutory audit

Professional accountants will provide a reasonable level of assurance to the 'user', after
examination of a certain subject matter required by the entity. The most common example of an
audit is where an independent professional accountant is engaged by the board of directors of an
entity to examine the financial statements of the entity and issue an audit opinion to the
shareholders ('the users') of the entity in accordance with Hong Kong Companies Ordinance (CO)
and the Hong Kong Auditing Standards.
HKSA 200 sets out the following requirements for an audit. The firm must:
(a) Comply with ethical requirements
(b) Conduct the audit in accordance with HKSAs and determine the audit procedures
(c) Exercise professional judgment in planning and performing an audit of financial statements
(d) Obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level
that is consistent with the objective
(e) Plan and perform the audit with an attitude of professional scepticism
(f) Not represent compliance with HKSAs unless it has really complied fully
The statutory audit can bring various advantages to the entity and shareholders. The key benefit to
shareholders is the impartial view provided by the professional accountants. However, the entity
also benefits from professional accountants reviewing the financial statements and system as part
of the audit. Advantages might include recommendations being made in relation to accounting and
control systems and the possibility that professional accountants might detect fraud and error. An
auditor's report attached to the financial statements will add credibility to the financial statements
and users will rely on the information they provide to make decisions. Audited financial statements
will invite greater reliance to be placed on them by the users.

3.1.3 Audit process

The following are the key steps of the audit process:
Step 1 Determine audit approach as required by legislation and auditing standards.
Step 2 Ascertain the accounting system and internal controls by fact finding and
recording the system in operation.
Step 3 Assess the accounting system and internal controls on their reliability and
effectiveness in practice.
Step 4 Test the accounting system and internal controls by performing tests of controls.
Step 5 Test the financial statements by carrying out substantive testing.
Step 6 Review the financial statements to determine the overall reliability of the financial
statements.
Step 7 Express an opinion in the form of an audit report.

164
 5: Framework for assurance engagements  Part C Professional standards and guidance

3.1.4 Limitations of auditing

Audits only give reasonable assurance that the financial statements are free from material
misstatements.
The diagram below illustrates the limitations of auditing:
Audit evidence is sometimes
only probable and not certain:
Professional judgments
have to be made: • Judgment; and
• Audit option • Estimates
Audit report is issued a long time
• What to test? after the date of the statement of
• Risk assessment financial position:
• How much to test? • Up to date position is not
enhanced

Only selected items in the LIMITATIONS OF Audit report has inherent

financial statements are AUDITING limitation:
tested: • Standard format
• What to sample?
• Sampling risk

Limitations in accounting and control

systems:
• Non-routine transactions
• Human error
• Collusion and fraud
• Trade-off of cost and benefit
• Override of controls

3.1.5 True and fair

Where the professional accountant expresses an opinion on whether the financial statements are
presented fairly, in all material respects, or give a true and fair view, misstatements also include
those adjustments of amounts, classifications, presentation, or disclosures that, in the firm's
judgment, are necessary for the financial statements to be presented fairly, in all material respects,
or to give a true and fair view.
Instead of preparing financial statements under the fair presentation framework, financial
statements prepared by entities taking advantage of the reporting exemption are required to be
properly prepared in accordance with the revised SME-FRF & SME-FRS as these are the
applicable accounting standards for such companies for the purposes of complying with section
380(4)(b) under new Companies Ordinance (Cap. 622).

Key terms
True: Information is factual and conforms with reality. In addition, the information conforms with
required standards and law. The financial statements have been correctly extracted from the books
and records.
Fair: Information is free from discrimination and bias and in compliance with expected standards
and rules. The financial statements should reflect the commercial substance of the entity's
underlying transactions.

The professional accountant's task is to decide whether the financial statements for non-reporting
exempted companies under revised SME-FRF & SME-FRS, show a true and fair view.
Professional accountants are not responsible for establishing whether the financial statements are

165
 Business Assurance

correct in every particular detail. This is because it can take a great deal of time and trouble to
check the accuracy of even a very small transaction and the resulting benefit may not justify the
effort. Also financial accounting inevitably involves a degree of estimation which means that
financial statements can never be completely precise.

3.2 Materiality
HKSA 200.6 Materiality is an expression of the relative significance or importance of a particular matter in the
financial statements as a whole.
Any matter is material if its omission or misstatements would reasonably influence the economic
decisions of users. Materiality has both quantitative and qualitative aspects. A misstatement can be
quantitatively immaterial but qualitatively material eg omission of disclosure of major litigation.
The materiality level is determined at the planning stage to ensure any material misstatement in
the financial statements can be discovered. The materiality level must be considered by the auditor
in order to determine the nature, extent and timing of audit procedures and to evaluate the effect of
misstatements discovered.
Some useful guidelines for measuring the materiality level are given below:
 10% of pre-tax profits (normal criteria and applicable to most entities)
 5% of gross profits (applicable to trading entities)
 0.5–1% of revenue
 0.5–1% of total assets (applicable to asset holding companies)
Other factors should be considered.
The assurance given by the auditor is governed by the fact that the auditor uses judgment in
deciding what audit procedures to use and what conclusions to draw, and also by the limitations
of every audit.

3.3 Professional scepticism

Key term
Professional scepticism is an attitude that includes a questioning mind, being alert to conditions
HKSA 200.15 which may indicate possible misstatement due to error or fraud, and a critical assessment of audit
evidence.

Auditors should never assume the management is dishonest but should approach the audit with a
questioning mind and a critical assessment of audit evidence, being alert to conditions which may
indicate possible misstatement due to error or fraud. The professional accountant should adopt the
following behaviours:
 Plan and perform an audit with an attitude of professional scepticism
 Be aware when audit evidence contradicts other audit evidence obtained
 Raise awareness to audit evidence that casts doubt on the reliability of documents or
management representations
 Be cautious for any suspicious and unusual circumstances that may increase the risks of
misstatement of financial statements
 Avoid using unrealistic assumptions in designing audit procedures or evaluating audit
evidence
 Consider the reasonableness of responses
 Consider conditions that may indicate possible fraud

166
 5: Framework for assurance engagements  Part C Professional standards and guidance

4 Reviews and other assurance engagements

Topic highlights
Assurance services include a range of assignments, from external audits to review engagements.

4.1 Review engagements

As discussed earlier in this chapter, an audit can be used to give assurance to a variety of
stakeholders on many issues. However, an audit is an exercise designed to give a high level of
assurance and involves a high degree of testing and it is therefore costly. In some cases,
stakeholders may find that they receive sufficient assurance about an issue from a less detailed
engagement, for example, a review. A review can provide a cost-efficient alternative to an audit
where an audit is not required by law.

Key term
The objective of a review of financial statements under HKSRE 2400 is to obtain limited
HKSRE assurance, primarily by performing inquiry and analytical procedures, about whether the financial
2400.14 statements as a whole are free from material misstatement thereby enabling the practitioner to
express a conclusion on whether anything has come to the practitioner's attention that causes the
practitioner to believe the financial statements are not prepared, in all material respects, in
accordance with an applicable financial reporting framework.

The Preface to Hong Kong Quality Control, Auditing, Review, Other Assurance and Related
Services Pronouncements (The Preface) requires that HKSREs are to be applied in the reviews of
historical financial information. HKSRE 2400 (Revised) Engagement to Review Historical Financial
Statements should be applied when a professional accountant, other than the auditor of an entity,
undertakes an engagement to review historical financial statements. When an auditor of the
reporting entity undertakes the engagement to review financial statements, the auditor should apply
HKSRE 2410 Review of Interim Financial Information Performed by the Independent Auditor of the
Entity.
The major outcome for recipients of a review engagement is that the level of assurance they gain
from it is not as high as from an audit, although the procedures carried out in a review engagement
are similar to an audit. We discuss review reports in more detail in Chapter 19.

4.2 Assurance engagements not dealing with historical financial

information
It is HKSAE 3000 (Revised) Assurance Engagements other than Audits or Reviews of Historical
Financial Information that governs the assurance engagement other than audit and review of
historical financial information. Examples of engagements under HKSAE 3000 (Revised) are
compliance engagements and performance audits. Further details will be covered in Chapter 19.

4.3 Investment circular reporting engagements

The Preface requires that HKSIRs are to be applied in investment circular reporting engagements.
Further details will be covered in Chapter 19.

167
 Business Assurance

5 Non-assurance engagements
Topic highlights
No assurance is given for compilation or agreed-upon procedures engagements.

HKSRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information

applies to an agreed-upon procedures engagement where the professional accountant is to carry
out procedures of an audit nature, which the professional accountant, the entity and any
appropriate third parties have agreed and to report on factual findings.
HKSRS 4410 (Revised) Compilation Engagements governs a compilation engagement where it is
for the professional accountant to use his accounting expertise to collect, classify and summarise
financial information.
No assurance is expressed for the above engagements.

Self-test question
Discuss and explain the difference between the following engagements:
 An audit engagement
 A review engagement
 An agreed-upon procedures engagement
(12 marks)
HKICPA December 2013
(The answer is at the end of the chapter)

168
 5: Framework for assurance engagements  Part C Professional standards and guidance

Topic recap

ENGAGEMENT

Assurance Non-assurance
engagement engagement

True and fair

view
Reviews Audits conducted Agreed upon procedures,
and other under Hong Kong compilations
Companies Ordinance
Professional
scepticism

Limited Reasonable assurance

assurance

Negative Positive assurance Report factual findings

assurance

Moderate High level of assurance No assurance

assurance

169
 Business Assurance

Answer to self-test question

Answer
The major differences can be explained as follows:
Framework
An audit engagement should be conducted in accordance with Hong Kong Standards of Auditing
(HKSAs), while a review engagement and an agreed upon procedures engagement should be
conducted in accordance with HKSRE 2400 (Revised) Engagement to Review Historical Financial
Statements and HKSRS 4400 Engagements to Perform Agreed-upon Procedures Regarding
Financial Information respectively.
Assurance
An audit is designed to obtain reasonable assurance that the financial information is free from
material misstatement.
A review engagement is an exercise similar to an audit engagement, which is designed to give a
reduced degree of assurance (i.e. limited assurance) concerning the proper preparation of a set of
financial statements.
An agreed upon procedures engagement expresses no assurance on the financial information.
Report
An audit engagement provides a basis and confirms in the report an opinion as to whether the
financial statements give a true and fair view or are presented fairly, in all material respects, in
accordance with an applicable financial reporting framework.
A review engagement assesses whether any information obtained during the review indicates that
the financial statements do not give a true and fair view or are not presented fairly, in all material
respects, in accordance with the applicable financial reporting framework.
An agreed upon procedures engagement reports on factual findings only with no conclusion
provided. The recipients of the report must form their own conclusions from the report by the
auditor.
Procedures involved
The audit procedures required for an audit engagement are far more than a review engagement
and an agreed upon procedures engagement as an audit engagement provides a higher level of
assurance.
An audit requires procedures for the understanding, evaluating and testing of respective process
and controls, supplemented by a substantive analytical review and test of details.
In a review engagement, the auditor relies more heavily on procedures such as enquiry and
analytical review than on more detailed substantive testing such as testing accounting records
through inspection, observation or confirmation.
A review may bring significant matters affecting the financial information to the auditor's attention,
but it does not provide all of the evidence that would otherwise be required in an audit.
In an engagement to perform agreed-upon procedures, an auditor is engaged to carry out those
procedures of an audit nature to which the auditor and the entity and any appropriate third parties
have agreed and to report on factual findings.

170
 5: Framework for assurance engagements  Part C Professional standards and guidance

Exam practice

Noble Co 18 minutes
Your friend, a director of Noble Co, has written to you, in your capacity as an auditor, seeking
clarification on several audit matters. These concern the appointment of auditors to Noble Co and
the audit procedures they are likely to carry out. The following paragraphs have been extracted
from his letter to you.
'To date Noble Co has not required a formal audit and it will not do so for the foreseeable future.
However, the shareholders are now insisting that the annual financial statements must be audited
by a firm of CPAs. I need confirmation of the primary objective of the audit of a limited liability
company and also of how our shareholders and directors should benefit from an audit.'
Required
Write a letter to your friend which:
(a) states the primary objective of the audit of a limited liability company. (2 marks)
(b) outlines how the shareholders and directors of Noble Co should benefit from an audit of the
company's financial statements by a firm of Certified Public Accountants. (8 marks)
(Total = 10 marks)

171
 Business Assurance

172
Part D
Assurance engagements

This part discusses and explores different auditing techniques and standards employed in an
assurance engagement. Students are expected to have a good understanding of them and
appreciate the rationale or limitation associated. Further, students are expected to be able to
apply what they have learnt in various practical cases.

173
 Business Assurance

174
chapter 6

Quality control

Topic list

1 Principles and purpose 3 Quality control on an individual audit

2 Quality control at a firm level 3.1 Leadership responsibilities
2.1 Objectives of HKSQC 1 (Clarified) 3.2 Ethical requirements
2.2 Leadership responsibilities for quality 3.3 Acceptance/continuance of entity
within the firm relationships and specific audit
2.3 Relevant ethical requirements engagements
2.4 Acceptance and continuance of client 3.4 Assignment of engagement teams
relationship and specific engagements 3.5 Engagement performance
2.5 Human resources 3.6 Monitoring
2.6 Engagement performance 3.7 Quality control regulations
2.7 Monitoring

Learning focus

Issues relating to quality control are linked with both ethics and liability. In this chapter you will
study the principles and purpose of quality control and how they can be applied at firm and
individual audit level.

175
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.06 Quality control considerations 3
2.06.01 Explain the principles and purposes of quality control of audit and
other assurance engagements
2.06.02 Identify the features of a system of quality control relevant to a
specific firm
2.06.03 Choose and explain quality control procedures that are relevant to a
specific audit engagement
2.06.04 Assess and explain whether an engagement has been performed in
line with professional standards and whether reports issued are
appropriate

176
 6: Quality control | Part D Assurance engagements

1 Principles and purpose

Topic highlights
Audit quality is not defined in law or through regulations, nor do auditing standards provide a simple
definition.

Although not defined in law or through regulations, audit quality is necessary as the firm faces a
variety of business risks in its operations, such as:
 Disciplinary action against the firm from HKICPA
 Litigation against the firm
 Loss of entity due to competition, litigation or entity closure
 Bad publicity
Although each stakeholder in the audit will give a different meaning to audit quality, at its heart it is
about delivering an appropriate professional opinion supported by the necessary evidence and
objective judgments. Note you studied the roles of different stakeholders in more detail in
Chapter 1.
Many principles contribute to audit quality including good leadership, experienced judgment,
technical competence, ethical values, appropriate entity relationships, proper working practices and
effective quality control and monitoring review processes.
The standards on audit quality provide guidance to firms on how to put these principles into
practice.

2 Quality control at a firm level

Topic highlights
In Hong Kong, it is the Hong Kong Standard on Quality Control (HKSQC 1 (Clarified)) that ensures
that the firm and its staff comply with professional standards, and regulatory and legal
requirements.

The fact that professional accountants follow accepted auditing standards (such as HKSAs)
provides a general quality control framework within which audits should be conducted. There are
also specific quality control standards.

2.1 Objectives of HKSQC 1 (Clarified)

HKSQC1.11 Objectives
The objective of the firm is to establish and maintain a system of quality control designed to provide
it with reasonable assurance that the firm and its personnel comply with professional standards and
regulatory and legal requirements, and that reports issued by the firm or engagement partners are
appropriate in the circumstances.

The quality control standard ensures all firms (regardless of size) and their staff comply with
professional standards, regulatory and legal requirements.

177
 Business Assurance

Quality control policies and procedures should be implemented to maintain audit work of a high
standard. HKSQC 1 (Clarified) states that all quality control policies and procedures should be
documented and should be properly communicated to all the partners and staff.
The engagement partner should take responsibility for the overall quality on each audit
engagement to which that partner is assigned.
HKSQC 1 (Clarified) requires a firm to establish and maintain a system of quality control that
includes policies and procedures that address the issues relating to the following areas:
 Leadership responsibilities for quality within the firm
 Relevant ethical requirements
 Acceptance and continuance of entity relationships and specific engagements
 Human resources
 Engagement performance (see also below, the requirements of HKSA 220)
 Monitoring

2.2 Leadership responsibilities for quality within the firm

HKSQC1.18- The standard goes into some detail as to how a firm should manage its internal strategy, processes
19 and culture to firmly embed quality as an implicit principle in performing engagements. According to
the standard the firm's chief executive (or equivalent) or, the firm's managing board of partners (or
equivalent), must assume ultimate responsibility for the firm's system of quality control. It is the
actions and messages disseminated from the most senior management of the firm that ensures
specified norms of ethical behaviour, technical competence and quality service become those
promulgated throughout the firm. However, while accountability must remain with the most senior
management, responsibility for the design and implementation of formal systems of control may fall
to individuals or groups of individuals specifically appointed to undertake these tasks.
Such individuals must have:
 Sufficient and appropriate experience
 The ability to carry out the job
 The necessary authority to carry out the job
Within individual teams it is the engagement partner who takes on the role of leading the team and
ensuring that the firm's prescribed quality standards and procedures are adhered to.
Audit engagement partners operate in an environment of significant change and are required to
follow International Education Standard (IES) 8 Professional Competence for Engagement
Partners Responsible for Audits of Financial Statements (Revised). This standard requires audit
engagement partners to develop and maintain professional competence and undertake CPD to
enable this.

2.3 Relevant ethical requirements

HKSQC1.20 A firm is required to establish policies and procedures designed to provide it with reasonable
assurance that the firm and its personnel comply with relevant ethical requirements. The required
policies and procedures are discussed in Chapter 4 Section 2.9.

2.4 Acceptance and continuance of client relationship and

specific engagements
HKSQC1.26- HKSQC 1 (Clarified) requires a firm to establish policies and procedures for the acceptance and
28 continuance of client relationships and specific engagement. The detailed policies and procedures
are discussed in Chapter 7.

178
 6: Quality control | Part D Assurance engagements

2.5 Human resources

HKSQC1.29- The quest for quality will necessarily involve good HR practices. Competitive terms, good
31 conditions and potential for future progression may ensure the firm can recruit and retain excellent
staff but this is only one element in achieving excellence. The firm must also ensure staff are
equipped with the technical expertise and other resources they need to fulfil their responsibilities,
that they are motivated to carry out their professional duties to the highest ethical and technical
standards and that they are encouraged to further their own professional development in order to
benefit, not only themselves, but their firm and their profession.
The standard states that the firm must provide itself with:

'... reasonable assurance that it has sufficient personnel with the capabilities, competence, and
commitment to ethical principles necessary to perform its engagements in accordance with
professional standards and applicable legal and regulatory requirements, and to enable the firm or
engagement partners to issue reports that are appropriate in the circumstances'.

These will cover the following issues:

 Recruitment  Performance evaluation
 Capabilities  Competence
 Career development  Promotion
 Remuneration  Forecasts of HR requirements
The firm is responsible for the ongoing excellence of its staff, through continuing professional
development, education, work experience and coaching and mentoring schemes.

2.5.1 Assignment of engagement teams

The assignment of engagement teams is a very important determinant of quality. It is the role of the
audit engagement partner to ensure the right team is brought together to fulfil a particular audit
assignment and it is the audit engagement partner who holds responsibility for the overall audit
quality of any engagements to which he is assigned.
There should be policies in place to ensure that:
(a) Key members of entity's staff and those charged with governance are aware of the identity of
the audit engagement partner
(b) The engagement partner has the appropriate capabilities, competence, authority and time to
perform the role
(c) The engagement partner is aware of the responsibilities of the role he has undertaken to
perform
(d) The engagement partner is aware of the any conflicts of interest or threats to independence
which may bar a member of staff from being on the assurance team of an individual audit
The engagement partner should ensure that he assigns staff of sufficient capabilities, competence
and time to individual assignments so that he will be able to issue an appropriate report.

2.6 Engagement performance

HKSQC1.32-
The firm must take steps to ensure that engagements are performed in accordance with
47 professional standards and regulatory and legal requirements, and it is the responsibility of the
audit engagement partner to ensure that they do. Often these requirements are compiled by a firm
into a manual of standard engagement procedures which is issued to professional staff.

179
 Business Assurance

However, engagement performance goes beyond compliance and requires the following skills:
 Direction
 Supervision
 Review
 Consultation
 Quality control review
Many of these issues will be discussed in the context of an individual audit assignment (see below).
2.6.1 Consultation
The firm shall establish policies and procedures designed to provide it with reasonable assurance
that:
(a) Appropriate consultation takes place on difficult or contentious matters
(b) Sufficient resources are available to enable appropriate consultation to take place
(c) The nature, scope and conclusions of such consultations are documented
(d) Conclusions resulting from consultations are implemented

The firm may provide itself with reasonable assurance where necessary through external
consultation with other firms, or the Institute. When there are differences of opinion on an
engagement team, a report should not be issued until the disagreement has been resolved. The
conclusions reached should be documented and implemented. Sometimes, the involvement of the
quality control reviewer may be required. The firm should have procedures in place for dealing with
and resolving differences of opinion.

2.6.2 Quality control reviews

Key terms
A peer review is a review of an audit file carried out by another partner in the assurance firm.
A hot review is a peer review carried out before the audit report is signed.
A cold review is a peer review carried out after the audit report is signed.

Quality reviews usually include an appraisal of working paper preparation, audit programmes,
internal control, audit reports, staff functions, scheduling, supervision, client relations, and training.
Whether a quality review will be undertaken for a specific engagement should be determined by
criteria laid down in pre-determined policies established by the firm. Quality reviews are always
undertaken on audits of the financial statements of listed entities and it is the responsibility of the
engagement partner to find a suitable reviewer to undertake the work and ensure any contentious
matters are resolved before the auditor's report is issued. The review will include an evaluation of
any significant judgments made by the assurance team during the engagement and discussion of
any matters which arise. The firm must also have procedures in place by which it can assess
whether other engagements require review (i.e. those other than listed entities).
Each firm will have an established format for the quality control reviews it carries out: within this
prescribed format standards will be laid down for the nature, timing and extent of the review, what
qualifications and personal qualities need to be demonstrated by the reviewer and how the
outcomes and processes of the review should be documented.

180
 6: Quality control | Part D Assurance engagements

Quality control reviews

Nature, timing and Usually the review includes discussion with the engagement partner,
extent review of the financial statements or other subject matter information
and the report. It will consider whether the final opinion is appropriate.
There may also be a review of working papers relating to the most
significant judgments made.
Eligibility The reviewer must through their technical expertise and independence
be qualified to undertake the review.
Documentation Documentation must show that the firm's criteria for a review were met,
that the review was finalised before the report was issued and include
a representation that the reviewer is not aware of any unresolved
issues.
All entities The review should include all the following:
 Discussion of significant matters with the engagement partner
 Review of the financial statements or other subject matter
information and the proposed report
 Review of selected engagement documentation relating to
significant judgments the engagement team made and the
conclusions it reached
 Evaluation of the conclusions reached in formulating the report and
consideration of whether the proposed report is appropriate
Listed entities  The engagement team's evaluation of the firm's independence in
relation to the specific engagement
 Whether appropriate consultation has taken place on matters
involving differences of opinion or other difficult or contentious
matters, and the conclusions arising from those consultations
 Whether working papers selected for review reflect the work
performed in relation to the significant judgments and support the
conclusions reached

2.7 Monitoring
HKSQC1.48 The standard states that firms must have policies in place to ensure that their quality control
procedures consistently meet the following criteria:
Quality control procedures are: Quality control procedures:
 Relevant  Operate effectively
 Adequate
Effectively the standard requires firms to continually evaluate and, where necessary, improve their
quality controls to ensure that they consistently achieve high standards, reporting to senior
management on the findings of quality monitoring.
There are two types of monitoring activity:

Ongoing evaluation of the An ongoing evaluation might include such questions as, 'has it
system of quality control kept up to date with regulatory requirements'?
Periodic inspection of a sample A period inspection cycle would usually take place over a
of completed engagements period of say, three years, in which time, at least one
engagement per engagement partner would be inspected.

181
 Business Assurance

The staff responsible for monitoring the control system are also required to evaluate the impact of
any deficiencies identified. If the deficiencies are found to be single occurrences as a result of a
specific set of circumstances corrective action might not be needed. Monitors are more concerned
with systematic or repetitive deficiencies that require corrective action to strengthen
performance and the reliability of internal controls in the future.
From time to time monitoring may highlight evidence that suggests an inappropriate opinion might
have been issued in the auditor's report, and the firm may wish to seek legal advice. Where this is
the case, the firm should follow the recommendations of their counsel.
The firm should also have policies and procedures in place in how to deal with complaints or
allegations that the firm has failed to comply with professional standards including a process for
investigating and defending these claims. Findings should be fed back into the quality control
system to strengthen it in the future.
Responses to identified deficiencies:
 Remedial action with an individual
 Communication of findings with the training department
 Changes in the quality control policies and procedures
 Disciplinary action, if necessary

Self-test question 1
You established your own CPA practice six years ago which has now grown into a 15-staff firm.
Your firm has been the auditor of an unlisted company, PQR Investment Limited ('PQR'), for six
years. The shareholders of PQR have recently injected HK$90 million of new capital into PQR with
a view to acquiring companies in India, Thailand and Japan.
Required
Discuss what your CPA firm should consider before continuing to serve as the auditor of PQR in
the forthcoming year. In particular, your discussion should be put in the context of PQR's
circumstances.
(13 marks)
HKICPA June 2011
(The answer is at the end of the chapter)

3 Quality control on an individual audit

Topic highlights
HKSA 220 requires firms to implement quality control procedures over individual audit
engagements.

HKSA 220 Quality Control for an Audit of Financial Statements sets down requirements regarding
quality control on individual audits. This HKSA applies the general principles of the HKSQC 1
(Clarified). The engagement team should implement quality control procedures that are applicable
to the individual audit engagement under the direction of the audit engagement partner.
The objective of the auditor is to implement quality control procedures at the engagement level that
provide the auditor with reasonable assurance that the audit complies with professional standards
and applicable legal and regulatory requirements and that the auditor's report issued is appropriate
in the circumstances.

182
 6: Quality control | Part D Assurance engagements

3.1 Leadership responsibilities

HKSA 220.8 The engagement partner is required to set an example and instil a commitment in the team with
regard to the importance of quality.

The engagement partner shall take responsibility for the overall quality on each audit engagement
to which that partner is assigned.

Engagement partners should emphasise the importance of audit quality and the fact that quality is
essential in performing audit engagements to the engagement team such as:
 Performing work that complies with professional, regulatory and legal requirements;
 Complying with the firm's quality control policies and procedures;
 Issuing auditor's reports that are appropriate in the circumstances; and
 The engagement team's ability to raise issues without fear of reprisals.

3.2 Ethical requirements

HKSA 220.9 - In respect of independence requirements the standard refers to the HKICPA Code of Ethics, which
11 you studied in Chapter 4.
The HKSA also contains some detailed guidance about independence in particular.

HKSA 220
The engagement partner shall form a conclusion on compliance with independence requirements
that apply to the audit engagement. In doing so, the engagement partner shall:
(a) Obtain relevant information from the firm and, where applicable, network firms, to identify
and evaluate circumstances and relationships that create threats to independence;
(b) Evaluate information on identified breaches, if any, of the firm's independence policies and
procedures to determine whether they create a threat to independence for the audit
engagement;
(c) Take appropriate action to eliminate such threats or reduce them to an acceptable level by
applying safeguards. The engagement partner shall promptly report to the firm any inability
to resolve the matter for appropriate actions.

The engagement partner should be on constant alert for evidence of non-compliance with the
ethical Code and any threats to the independence of the assurance team. Inquiry and observation
on ethical matters among the engagement partner and other members of the engagement team
may occur as often as is deemed necessary throughout the audit engagement. If matters come to
the engagement partner's attention through the firm's systems or otherwise that indicate that the
independence of a member of the engagement team is in any way compromised, the partner
should consult with other senior members of the firm to devise an appropriate course of action,
which may include removal of the individual from the team, appropriate disclosures to the entity or
other safeguards which you studied in detail in Chapter 3.

3.3 Acceptance/continuance of entity relationships and specific

audit engagements
HKSA The partner is required to ensure that the requirements of HKSQC 1 (Clarified) in respect of
220.12-13 accepting and continuing with audits are adhered to. If information emerges during the audit that
may have caused the partner to decline it he should disclose this to the firm and immediate action
may need to be taken.

183
 Business Assurance

If the engagement partner obtains information that indicate the firm shall decline the audit
engagement, the engagement partner is required to communicate that information promptly to the
firm, so that the firm and the engagement partner can take the necessary actions.

HKSA 220.14 3.4 Assignment of engagement teams

As discussed in the previous section, the assignment of appropriate teams is also the responsibility
of the audit engagement partner. He must ensure that the team is sufficiently qualified and
experienced as a unit to perform the particular engagement to which he has been assigned.
The engagement partner should also be satisfied that the engagement team collectively has the
appropriate capabilities, competence and time available to it to perform the audit engagement in
accordance with professional standards and regulatory and legal requirements. The overall
objective is to enable an auditor's report that is appropriate in the circumstances to be issued.

3.5 Engagement performance

The engagement partner is required to take responsibility for the direction, supervision and
HKSA 220.15 performance of the audit engagement in compliance with professional standards and regulatory
and legal requirements; and the auditor's report being appropriate in the circumstances.

3.5.1 Direction
It is the engagement partner who gives overall direction to the audit. Other auditing standards list
among his responsibilities the requirement to holds a meeting with the engagement team to
discuss the audit scope and plan, in particular the associated risks. This standard suggests that
direction includes reminding or informing members of the engagement team of:
 Their responsibilities (including objectivity of mind and professional scepticism)
 Objectives of the work to be performed
 The nature of the entity's business
 Risk-related issues
 Problems that may arise
 The detailed approach to the performance of the engagement

3.5.2 Supervision
The audit is supervised overall by the engagement partner, but at an operational level supervision
is given by senior team members to more junior members. More experienced members of the team
will also review the work carried out by more junior members at appropriate stages during the
engagement. The reviews should include the following:
(a) Monitoring the progress of the audit engagement
(b) Reviewing the capabilities and competence of individual team members, including whether
they have sufficient time and understanding to carry out their work competently and within
the audit plan
(c) Addressing significant issues arising during the audit engagement and modifying the audit
plan if necessary
(d) Identifying matters to be referred to more experienced engagement team members

3.5.3 Review
Review includes consideration of whether the following requirements have been met:
(a) The work has been performed in accordance with professional standards and regulatory and
legal requirements.
(b) Significant matters have been raised for further consideration.

184
 6: Quality control | Part D Assurance engagements

(c) Appropriate discussions have taken place, any conclusions have been documented and
implemented.
(d) There is a need to revise the nature, timing and extent of work performed.
(e) The work performed supports the conclusions reached and is appropriately documented.
(f) The evidence obtained is sufficient and appropriate to support the auditor's report.
(g) The objectives of the engagement procedures have been achieved.
Before the audit report is issued, the engagement partner must be sure that sufficient and
appropriate audit evidence has been obtained to support the audit opinion.
3.5.4 Consultation
The engagement partner should be satisfied that members of the engagement team have
undertaken appropriate consultation on any contentious matter. This may be within the
engagement team, or between the engagement team and others at the appropriate level either
within or outside the firm. The technical partner or a panel of partners may be involved.
The engagement partner should be involved in these consultations and be satisfied that the
matters are resolved satisfactorily and any actions are documented and implemented.
From time to time differences of opinion may arise between the engagement partner and the team,
or between the engagement partner and the quality control reviewer. The firm should have an
established procedure for resolution of differences of opinion.

3.5.5 Quality control review

As discussed earlier, the audit engagement partner is responsible for appointing a reviewer, if the
criteria for a review is met. He is then responsible for discussing significant matters arising with the
reviewer and for ensuring the audit report is not issued until the quality control review has been
completed and any contentious matters resolved.
A quality control review should include:
(a) An evaluation of the significant judgments made by the engagement team
(b) An evaluation of the conclusions reached in formulating the audit report
HKSA 220 requires the evaluation to include:
(a) Discussion of significant matters with the engagement partner;
(b) Review the proposed auditor's report and the financial statements;
(c) Review of selected audit documentation relating to the significant judgments the
engagement team made and the conclusions it reached; and
(d) Evaluation of the conclusion reached for composing the auditor's report.
For listed entities' audits, an engagement quality control reviewer is required to consider the
following factors:
(a) Independence – the engagement team's evaluation of the firm's independence in relation to
the specific audit
(b) Consultation – appropriate consultation taken place on matters to resolve differences of
opinion or other difficult or contentious matters
(c) Documentation – whether audit documentation selected for review reflects the work
performed in relation to the significant judgments and support the conclusions reached
An engagement quality control reviewer shall evaluate the significant judgments made by the
engagement team for engagement quality control review of a listed entity:
(a) HKSA 315 (Revised 2016) – significant risks identified during the engagement;
(b) HKSA 330 – responses to those risks;

185
 Business Assurance

(c) HKSA 240 – engagement team's assessment and responses to risks of fraud;
(d) Judgments made for materiality and significant risks;
(e) The significance and disposition of corrected and uncorrected misstatements identified
during the audits;
(f) Matters communicated to management and those charged with governance and other
parties such as regulatory bodies; and
(g) The appropriateness of the auditor's report to be issued.

3.5.6 Differences of opinion

HKSA 220 requires the engagement team to follow the firm's policies and procedures for dealing
with and resolving any such differences of opinion.

3.6 Monitoring
HKSA 220.23 The audit engagement partner is required to take account of the results of monitoring the firm's
quality control systems and consider whether they have any impact on the specific audit to which
he is assigned. The engagement partner considers:
 Whether deficiencies noted in that information may affect the audit engagement; and
 Whether the measures the firm took to rectify the situation are sufficient in the context of that
audit.

3.7 Quality control regulations

Regulations for quality control on audits are the same for all audit firms regardless of their size and
structure. However, it is logical to see that their impact on large and small firms will be different.
A large firm may establish international quality control procedures on a global scale and certainly at
least on a national or regional basis. They are also likely to have sufficient resources in-house to
carry out its full range of control functions. Small, single-partner firms may need to make use of
external experts in order to fulfil all of its obligations.

Self-test question 2
You are an audit senior working for the firm Chan & Chan. You are currently carrying out the audit
of Kleaner Co ('Kleaner'), a manufacturer of waste paper bins. You are unhappy with Kleaner's
inventory valuation policy and have raised the issue several times with the audit manager who has
dealt with the entity for a number of years and does not see what you are making a fuss about. He
has refused to meet you on site to discuss these issues.
The former engagement partner to Kleaner retired two months ago. As the audit manager had dealt
with Kleaner for so many years, the other partners have decided to leave the audit of Kleaner in his
capable hands.
Required
What are the quality control issues arising in the situation above?
(The answer is at the end of the chapter)

186
 6: Quality control | Part D Assurance engagements

Self-test question 3
HKPR Ltd ('HKPR') is an established PR agency with revenue of HK$265m for the period ending
December 31 20X3. The company has fifteen offices worldwide with the head office located in
Hong Kong. You have been assigned to carry out the engagement quality control review of HKPR.
During your review you noted the following.
(a) Proposed audit procedures identified HK$6m of revenue included in the current period that
should have been recognised in the period ending December 31 20X4. The directors agreed
with the proposed audit adjustment. No further audit work was carried out.
(b) Problems with controls testing in the interim audit resulted in trade payables being assessed
as a high risk area. Planned audit procedures on trade payables were assigned to Karen
Pei, an audit junior, who wanted to build her experience in this area.
(c) Cash and bank was identified as a low risk area in the audit plan. Planned audit procedures
were carried out by the audit manager as Karen Pei needed extra time to complete the audit
of trade payables.
Required
Comment on the situation outlined above.
(The answer is at the end of the chapter)

Self-test question 4
Fashion Limited is a garment manufacturer based in mainland China and listed in Hong Kong.
Audit Partner A and Manager C have been assigned as the audit engagement partner and audit
engagement manager of Fashion Limited for 5 years and 10 years respectively. The audit
engagement team maintains a very good relationship with Fashion Limited's management team.
During the year, the performance of Fashion Limited deteriorated significantly as Fashion Limited
lost several major customers. There may be a risk of impairment of Fashion Limited's fixed assets.
However, both the management and audit engagement team believe that no impairment of fixed
assets should be made in the year. Partner B has been newly assigned as the engagement quality
control reviewer of the audit of Fashion Limited for the current year.
HKSA 220 Quality Control for an Audit of Financial Statements sets out the requirements and
provides guidance regarding quality control of individual audits.
Required

(a) Explain the differences in the roles and responsibilities of Partner A and Partner B in Fashion
Limited's audit. (5 marks)
(b) In response to the facts and circumstances above, what would you recommend Partner B
doing to discharge his role and responsibilities as an engagement quality control reviewer?
(6 marks)
HKICPA December 2015 (amended)
(The answer is at the end of the chapter)

187
 Business Assurance

Topic recap

QUALITY CONTROL POLICIES

AND PROCEDURES

Firm level Audit level

HKSQC I HKSA 220

Ÿ Leadership Ÿ Direction
Ÿ Ethics Ÿ Supervision
Ÿ Acceptance / continuing Ÿ Review
Ÿ Human resources Ÿ Consultation
Ÿ Engagement performance Ÿ Quality control review
Ÿ Monitoring

188
 6: Quality control | Part D Assurance engagements

Answers to self-test questions

Answer 1
HKSQC 1 (Clarified) Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance and Related Services Engagements requires your firm to
consider and document certain matters before continuing to serve as PQR's auditor.
Those matters include:
 The integrity of PQR (i.e. its shareholders, directors and management);
 Whether your firm is competent to do the work; and
 Whether your firm meets ethical requirements in relation to the work.
There is no clear evidence compromising the integrity of PQR even though you may question the
source of the new funding into PQR.
As your firm has been the auditor of PQR for six years, competency is not likely to be questioned.
However, the increase of PQR's scale of activities and its forthcoming overseas acquisitions may
challenge your firm's competency.
Challenges may include the industries, locations and sizes of those companies being acquired as
well as the forms of investments (e.g. equity, debt or quasi-equity) and the availability of properly
audited financial statements.
Being associated with PQR (as its auditor) for six years may indicate a close relationship. However,
it is not entirely clear if the extent of relationship may pose any familiarity threat to your firm.
You should be satisfied that appropriate procedures regarding the continuance of client relationship
and audit engagement with PQR have been followed, and that conclusions reached in this regard
are appropriate and have been documented.

Answer 2
Several quality control issues are raised in the scenario:
Engagement partner
An engagement partner is usually appointed to each audit engagement undertaken by the firm, to
take responsibility for the engagement on behalf of the firm. Assigning the audit to the experienced
audit manager is not sufficient.
The lack of an audit engagement partner also means that several of the requirements of HKSA 220
about ensuring that arrangements in relation to independence and directing, supervising and
reviewing the audit are not in place.
Conflicting views
In this scenario the audit manager and the audit senior have conflicting views about the valuation of
inventory. This does not appear to have been handled well, with the audit manager refusing to
discuss the issue with the audit senior.
HKSA 220 requires that the audit engagement partner takes responsibility for settling disputes in
accordance with the firm's policy in respect of resolution of disputes as required by HKSQC 1
(Clarified). In this case, the lack of an engagement partner may have contributed to this failure to
resolve the disputes. In any event, at best, the failure to resolve the dispute is a breach of the firm's
policy under HKSQC 1 (Clarified). At worst, it indicates that the firm does not have a suitable policy
for resolving such disputes as required by HKSQC 1 (Clarified).

189
 Business Assurance

Answer 3
(a) Lack of follow up
Revenue of HK$6m was found to be allocated in the incorrect period. This is 2.3% of total
revenue and so is a material misstatement. The misstatement may not be an isolated
occurrence and no further or extended audit procedures have been carried out. In addition, it
does not seem that the audit plan or materiality has been reviewed.
A review by an appropriate team member should have identified that further work needed to
be performed. The audit manager may not have had time to carry out a review of revenue
testing due to the matter discussed in subsection (c) of this question
Work has not been carried out in line with professional standards as the audit firm has not
gained sufficient and appropriate evidence that revenue is not misstated. This places the
audit firm at risk of issuing an incorrect auditor's opinion.
(b) Allocation of audit work
Under HKSQC 1.31, the firm shall establish policies and procedures in order to:
 Assign appropriate personnel with the necessary competence, and capabilities to
perform engagements in accordance with professional standards and applicable legal
and regulatory requirements; and
 Enable the firm or engagement partners to issue reports that are appropriate in the
circumstances.
The audit procedures for trade payables should have been assigned to a more experienced
team member as this is a material and risky area and thus the requirements on HKSQC 1
have not been met.
It would be more appropriate for Karen Pei to gain experience of trade payables auditing at a
client where trade payables is not a high risk area. By allocating higher level work to low-
level staff, the firm is placing itself at risk of missing a more subtle audit issue and issuing an
inappropriate auditor's opinion.
(c) Allocation of audit work
The audit manager has had to carry out audit procedures on a low risk area in the financial
statements as the junior member of the team needed to spend extra time on a high risk area.
The audit manager's time would be better spent supervising the audit team and reviewing
their work, concentrating on any high risk areas. The less time the audit manager is able to
spend on these areas, the more likely the firm is to miss a problem and issue an incorrect
auditor's opinion.
The situation may have been avoided if the higher level work had been allocated to a more
senior member of the audit team. It also seems that the audit manager did not properly
supervise the audit team by tracking the progress of the engagement and making sure
individual staff had sufficient time to carry out their work.

Answer 4
(a) Partner A, as the audit engagement partner, shall take full responsibility for the overall
quality of the Fashion Limited audit engagement.
Partner A should emphasise the importance of audit quality to the audit engagement team
such as:
 Performing work that complies with professional, regulatory and legal requirements;
 Complying with the firm's quality control policies and procedures;
 Issuing an auditor's report that is appropriate in the circumstances; and
 The audit engagement team's ability to raise issues without fear of reprisals.

190
 6: Quality control | Part D Assurance engagements

Partner A should discuss significant matters arising with Partner B and ensure the audit
report is not issued until the quality control review has been completed and any contentious
matters have been resolved.
Partner B, as the engagement quality control reviewer, has the following responsibilities:
 Discuss significant matters with Partner A;
 Review the proposed auditor's report and the financial statements;
 Review selected audit documentation relating to the significant judgment the audit
engagement team made and the conclusion reached; and
 Evaluate the conclusion reached for compiling the auditor's report.
Since Fashion Limited is a listed company, Partner B should also consider the following:
 The audit engagement team's evaluation of the firm's independence in relation to the
audit engagement;
 Whether appropriate consultation has taken place on matters involving differences of
opinion or other difficult or contentious matters, and the conclusions arising from those
consultations; and
 Whether documentation selected for review reflects the work performed in relation to
the significant judgments, and supports the conclusions reached.
(b) As Fashion Limited is a listed company, Partner B, in carrying out his role as the quality
control reviewer, should consider the following facts and circumstances:
Independence
Partner B should assess whether the audit engagement team has formed an appropriate
judgment on the firm's independence in relation to Fashion Limited's audit engagement.
As Partner A has only been working on the audit engagement for 5 years, Partner A is not
subject to the rotation requirement. However, Partner A and Manager C maintain a very
good relationship with the management team. Partner B should remind the audit
engagement team to thoroughly assess the audit engagement team's familiarity threat to the
audit engagement and if there is a need to reconsider the team mix. The audit engagement
team should document thoroughly their consideration and conclusion of the firm and its
independence in relation to Fashion Limited.
Partner B should review the relevant assessment documented by the audit engagement
team and review its correspondence with those charged with governance on such matters
(e.g. relevant discussion in the Audit Committee report).
Significant judgment in assessing the fixed asset impairment
On any significant accounting and auditing matter, Partner B should challenge the audit
engagement team to ensure that they have considered all the relevant facts and
circumstances, with sufficient audit evidence gathered before reaching their conclusion.
Partner B should discuss with the audit engagement team their review of management's
assessment of fixed asset impairment, understand the audit engagement team's point of
view and audit evidence obtained that supported the audit engagement team's conclusion.
Partner B should also review the relevant working papers that the audit engagement team
prepared in supporting the work performed, evidence obtained, judgment and conclusion
relating to the fixed asset impairment review. Partner B should review the auditor's report
and financial statements to ensure that relevant and sufficient disclosure relating to the fixed
asset impairment has been made.
Partner B should also ensure the audit engagement team has sufficient communication with
those charged with governance (e.g. the Audit Committee) relating to the fixed asset
impairment, and should review the audit engagement team's correspondence with those
charged with governance on such matters (e.g. relevant discussion in the Audit Committee
report).

191
 Business Assurance

Exam practice

Independence and familiarity 14 minutes

(excluding case reading time)
You are the audit manager of a Hong Kong CPA firm and are currently planning the audit of ABC
Industrial Limited ('ABC') for the year ended 31 December 20X4. ABC is a company incorporated in
Hong Kong and is engaged in the manufacture of a wide range of Chinese herbal health products.
Sales of ABC products, which consist of sixty-nine product lines, are mainly made to major chain
stores and drug retailers in Hong Kong. You and the engagement partner have been serving ABC
since its listing on the Hong Kong Stock Exchange six years ago.
After discussion with ABC's management and a review of last year's audit file, the following
information has come to your attention:
(1) Goods are manufactured centrally at ABC's factory in GuanXi, China, and are then stored in
the Company's warehouses either in GuanXi or in Hong Kong.
(2) The inventory is stored in three warehouses in Hong Kong, and two warehouses in GuanXi.
All warehouses are owned by the Company. In order to minimise operating costs, the
Company occasionally leases out its unused warehouse spaces to its customers to
temporarily store the products which it has already sold to them.
(3) ABC uses a perpetual inventory system to keep its inventory. All warehouses are closed at
the reporting date to allow a full physical inventory taking. However, production in the
GuanXi factory will not stop during the physical inventory taking.
(4) ABC uses standard costing to value its inventory. At the year-end, the inventory value will be
adjusted as and when necessary to absorb cost variances in order to approximate actual
production cost in accordance with relevant accounting standards. From previous
experience, adjustments rarely deviate more than 3% from the standard cost.
(5) Year-end inventory accounts for approximately 23% of ABC's total assets, and is expected to
be disclosed in ABC's financial statements as follows:
$'000
Raw materials 8,800
Work in progress 13,290
Finished goods 20,730
42,820
(6) Raw materials largely comprise bulk inventories of various Chinese herbs, which are stored
separately in storage containers of different sizes either at the factory or the two warehouses
nearby. ABC keeps more than 500 different herbs. Many of these raw materials are used in
more than one product and some are expensive Chinese herbs. Most have long use-by-
dates provided that they are properly stored. The identification of Chinese herbs requires
expert knowledge since many different herbs with significantly different costs and effects
have a similar appearance. The costs of different classes of the herb could vary materially
even for the same Chinese herb.
(7) Work in progress largely comprises mixed or semi-processed herbs, which are stored in
several locations throughout the factory, either in large sealed vats awaiting processing or in
sealed mixing containers attached to various machines in the factory. Therefore, it is not
possible for the staff of ABC to directly observe the conditions of the work in progress.
Production is fully automated within a sealed environment once raw materials are input.
As required by the licensing terms, ABC employs several qualified Chinese herb experts to
ensure compliance with quality standards.

192
 6: Quality control | Part D Assurance engagements

(8) A typical product of ABC has a two-year use-by-date from the date of production.
(9) Inventory levels of one product line, Series X, have increased steadily throughout the year
under review. ABC's management assured you that since this is a new line, it would take
time for the market to get used to it.
(10) The recent launch of a new product, Z, resulted in poorer than expected sales.
Consequently, ABC has excess inventory in finished goods, amounting to HK$3,800,000.
The use-by-date of this product is eleven months after the reporting date.
Required
In accordance with HKSQC 1 (Clarified) and HKSA 220:
(a) Explain the engagement partner's responsibility regarding compliance with the
independence requirements; and (5 marks)
(b) Determine whether the familiarity threat has been properly addressed in this audit
engagement. (3 marks)
(Total = 8 marks)
HKICPA May 2005 (amended)

193
 Business Assurance

194
chapter 7

Changes in auditor
appointment
Topic list

1 Reasons for change of auditors 4 Engagement letters

1.1 Why do entities change their auditors? 4.1 Purpose of sending an engagement
2 Appointment of auditors letter
2.1 Eligibility for appointment 4.2 When to send an engagement letter
2.2 Appointment under new Companies 4.3 Contents of an engagement letter
Ordinance (Cap. 622) 5 Books and documents
2.3 Auditor's rights and duties 5.1 Audit documentation
2.4 Outgoing auditors 5.2 Ownership
2.5 Professional clearance 5.3 The right of lien
3 Client acceptance procedures 5.4 Third party rights to information
3.1 Procedures before accepting nomination 5.5 Entity's rights to information
3.2 Procedures after accepting nomination 5.6 Assembly of the final audit file
3.3 Procedures for the transfer of books, 5.7 Changes to audit documentation in
papers and information following a new exceptional circumstances after the date
appointment of the auditor's report
3.4 Issues relating to the acceptance 5.8 Transfers of books and documents on a
decision change of appointment decision
3.5 Client screening

Learning focus

It is very important for professional accountants to understand the rules with regard to the
appointment of auditors and changes in auditors. The contents of an engagement letter can
be vitally important if there is subsequently a dispute between auditor and client as to the
nature of the engagement. Consequently, it should never be regarded as routine
correspondence.

195
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.03 Client and engagement acceptance procedures 3
2.03.01 Explain the reasons why entities change their auditors /
professional accountants
2.03.02 Explain the requirements relating to the appointment of auditors
under the Hong Kong Companies Ordinance
2.03.03 Explain the procedure for a change of auditors
2.03.04 Explain the rights of the auditors in the process of a change of
auditors
2.03.05 Explain the professional clearance procedures
2.03.06 Explain the matters to be considered and the procedures that an
audit firm/professional accountant should carry out before
accepting a specified new client/engagement including:
2.03.06.01 Client acceptance
2.03.06.02 Engagement acceptance
2.03.06.03 Agreement of the terms of engagement
2.03.07 Identify the issues relating to the agreement of the scope and
terms of an engagement with a client
2.03.08 Explain the procedures for the transfer of books, papers and
information following a new appointment

196
 7: Changes in auditor appointment | Part D Assurance engagements

1 Reasons for change of auditors

Topic highlights
Common reasons behind entities changing their auditor include audit fee, auditor not seeking re-
election and the size of entities.

1.1 Why do entities change their auditors?

Entities change their auditors for a variety of reasons. The reason may be because the entity is
seeking to access new or better quality services; or because they disagree with an opinion issued
in a report. The entity may disagree with conservative accounting treatments that in management's
opinion do not present the entity's results fairly, or there may be another reason for a deterioration
in the relationship of trust. Equally, an auditor may decline to perform audit services for a client for
ethical reasons, such as unpaid fees or a conflict of interest. Although not required to disclose the
reasons for the change, investors may be interested to know why an entity has made a change as
it sometimes acts as a signal of financial difficulties or poor governance.
The list below summarises some of the main reasons an entity may change its auditors:
(a) Fee reduction – a company may wish to reduce its audit costs and may, for example
choose to switch from a 'Big Four' firm to a mid-tier firm in order to obtain a lower fee
(b) Compliance with the Code of Ethics – undue dependence on an entity, for example
(c) Competitive market. Lowballing and significant low fees (see Chapter 3) can induce clients
to change their auditors in order to make a saving
(d) Dispute with entity on accounting policies, although new accounting standards have
gone some way to redress this by giving less scope for judgment
(e) Breakdown in relationship due to audit rotation, intimidation, threatened litigation and so
on
(f) Doubt cast on the integrity of management, the auditor declines the appointment
(g) Entity's request for provision of other services or better quality services which the current
firm is unable to provide
(h) Retiring auditor not to be nominated for re-appointment

2 Appointment of auditors

Topic highlights
The new Companies Ordinance (Cap. 622) sets out the legal requirements associated with the
appointment and removal of auditors.

2.1 Eligibility for appointment

Under section 393 of the new Companies Ordinance (Cap. 622), only a practice unit is eligible for
appointment as auditor of a company.
The following are disqualified for appointment as auditor of a company:
(a) A person who is an officer or employee of the company.
(b) A person who is a partner or employee of a person mentioned in paragraph (a).

197
 Business Assurance

(c) A person who:

(i) Is, by virtue of paragraph (a) or (b), disqualified for appointment as auditor of any other
undertaking that is a subsidiary undertaking, or a parent undertaking, of the company
or is a subsidiary undertaking of that parent undertaking; or
(ii) Would be so disqualified if the undertaking were a company.

2.2 Appointment under new Companies Ordinance (Cap. 622)

2.2.1 Appointment of auditors under different circumstances
An auditor must be appointed for each financial year of a company under section 394 of the new
Companies Ordinance (Cap. 622).
(i) Appointment of first auditor by directors (section 395 of new Companies Ordinance
(Cap. 622)
For a newly incorporated Hong Kong company under the new Companies Ordinance
(Cap. 622), if the company is required to hold an annual general meeting in accordance
with section 610 of the new Companies Ordinance (Cap. 622) in respect of its first financial
year, the directors may appoint the auditor of the company for that first financial year at any
time before the annual general meeting.
If the company is not required to hold an annual general meeting in accordance with
section 610 of the new Companies Ordinance (Cap. 622) in respect of its first financial year,
the directors may appoint the auditor of the company for that first financial year at any time
before the appointment period in relation to the next financial year.
(ii) Appointment of auditor by company members (section 396 of new Companies
Ordinance (Cap. 622)
A company must appoint the auditor of the company for a financial year by a resolution
passed at the annual general meeting held in respect of the previous financial year, unless
an annual general meeting is not required to be held under section 612 of the new
Companies Ordinance (Cap. 622).
A company must appoint the auditor of the company for a financial year by a resolution
passed at a general meeting, if no annual general meeting is required and no person is
deemed to be reappointed as auditor of the company for the financial year.
If, at the annual general meeting held in respect of the previous financial year, a company
has not appointed the auditor of the company for a financial year, the company must make
the appointment by a resolution passed at another general meeting.
(iii) Appointment to fill casual vacancy (section 397 of new Companies Ordinance
(Cap. 622)
The directors may appoint a person to fill a casual vacancy in the office of auditor of the
company. If the directors have not done so within one month after the casual vacancy
occurs, the members may, by a resolution passed at a general meeting, appoint a person to
fill the casual vacancy.
(iv) Appointment of auditor by Court (section 398 of new Companies Ordinance (Cap. 622)
The Court may, on application by a member of a company, appoint the auditor of the
company for a financial year if:
 In the case of a company required to hold an annual general meeting in respect of the
previous financial year at the annual general meeting, no person has been appointed
as auditor of the company for the financial year or no annual general meeting has
been held

198
 7: Changes in auditor appointment | Part D Assurance engagements

 In the case of a company not required to hold an annual general meeting at the end of
the appointment period in relation to the financial year, no person has been appointed
as auditor of the company for the financial year; and no person is deemed to be
reappointed as auditor of the company for the financial year
 In the case when no auditor has been appointed for the company for its first financial
year
 In the case appoint when no auditor has been appointed to fill a casual vacancy in the
office

2.2.2 Procedures to change auditors under new Companies Ordinance

(Cap. 622)
Under section 400 of new Companies Ordinance (Cap. 622), special notice is required for
resolution for appointing auditor in some cases and on receipt of a special notice, the company
must send a copy of it to the proposed auditor, the person who is the last auditor of the company ,
whose term of office as auditor has expired
Under section 401 of new Companies Ordinance (Cap. 622), copies of written resolution for
appointment must be sent to proposed auditor and last appointed auditors.

2.2.3 Terms of office of auditor

Generally a person appointed as auditor of a company holds office in accordance with the terms of
the appointment or until the company holds its annual general meeting or by a written resolution
passed when the annual general meeting is not held (section 402 of new Companies Ordinance
(Cap. 622)).
If the company is not required to hold an annual general meeting in respect of a financial year and
at the end of the appointment period in relation to the next financial year, no person has been
appointed as auditor of the company for that next financial year, the person who is the auditor of
the company as at the end. of that appointment period is deemed to be reappointed, at that time,
as auditor of the company for that next financial year on the same terms of appointment. (section
403 of new Companies Ordinance (Cap. 622)).

2.2.4 Auditor's remuneration

Under section 404 of new Companies Ordinance (Cap. 622), the remuneration of an auditor of a
company appointed by the members may be fixed by a resolution passed at a general meeting.
The remuneration of an auditor of a company appointed by the directors, may be fixed by the
directors when making the appointment, if not, by passing a resolution at a general meeting.
The remuneration of an auditor of a company appointed by the Court may be fixed by the Court
when making the appointment, if not, by passing a resolution at a general meeting.

2.3 Auditor's rights and duties

Topic highlights
The Hong Kong Companies Ordinance gives auditors both rights and duties. This allows auditors
to have sufficient power to carry out an independent and effective audit.

The rights and duties of auditors are set out in the Hong Kong Companies Ordinance, to ensure
that the auditors have sufficient power to carry out an effective audit.

199
 Business Assurance

2.3.1 Statutory duties

Under section 405 of new Companies Ordinance (Cap. 622), a company's auditor must prepare a
report for the members on any financial statements prepared by the directors, a copy of which is
laid before the company in general meeting or is sent to a member before general meeting or
otherwise circulated, published or issued by the company, during the auditor's term of office.
The auditors must consider the following:
(a) Whether the financial statements have been prepared in accordance with the relevant
legislation
(b) Whether the statement of financial position shows a true and fair view of or presents fairly
the entity's affairs at the end of the period and the statement of profit or loss and other
comprehensive income and cash flow statement show a true and fair view of the results for
the period
(c) Whether adequate accounting records have been kept
(d) Whether the financial statements are in agreement with the accounting records and returns
(e) Whether the information in the directors' report is consistent with the financial statements
(f) Whether disclosure of directors' benefits has been made in accordance with the Hong Kong
Companies Ordinance

2.3.2 Statutory rights

The auditors must have certain rights to enable them to carry out their duties effectively and they
are as follows:
Qualified privileges – section 410 of new Companies Ordinance (Cap. 622)
In the absence of malice, an auditor of a company is not liable to any action for defamation at the
suit of any person in respect of any statement made by the auditor in the course of performing
duties as auditor of the company.
In addition, a person is not liable to any action for defamation at the suit of any person in respect
of the publication of any document :
(a) Prepared by an auditor of a company in the course of performing duties as auditor of the
company; and
(b) Required by this Ordinance – to be delivered to the Registrar; or to be sent to any member
of the company or any other person.
Right to access information – section 412 of new Companies Ordinance (Cap. 622)
An auditor of a company has a right of access to the company's accounting records.
An auditor of a company may require a person that is a related entity of the company, or was a
related entity of the company at the time to which the information or explanation relates, to provide
the auditor with any information or explanation that the auditor reasonably requires for the
performance of the duties as auditor of the company.
If an auditor has required a person to provide any information or explanation, the person must
provide the information or explanation as soon as practicable after being required.
If a subsidiary undertaking of a company is not a company incorporated in Hong Kong, an auditor
of the company may require the company to obtain from any of the persons such as:
 The subsidiary undertaking;
 A person who:
(i) Is an officer or auditor of the subsidiary undertaking; or
(ii) Was an officer or auditor of the subsidiary undertaking at the time to which the
information or explanation relates; or

200
 7: Changes in auditor appointment | Part D Assurance engagements

(iii) Holds or is accountable for any of the subsidiary undertaking's accounting records; or
(iv) Held or was accountable for the subsidiary undertaking's accounting records at the
time to which the information or explanation relates.
Any information or explanation that the auditor reasonably requires for the performance of the
duties as auditor of the company. If an auditor has required a company to obtain any information
or explanation from a person, the company must take all reasonable steps to obtain the
information or explanation as soon as practicable after being required.
Right to attend general meetings – section 411 of new Companies Ordinance (Cap. 622)
A person appointed as auditor of a company is entitled :
(a) To attend any of the company's general meetings; and
(b) To be heard, at any of the company's general meetings, on any part of the business of the
meeting that concerns the person as auditor of the company.

2.3.3 Enhancement of auditor's rights

The new Companies Ordinance (Cap. 622)enhances the rights of auditors. Pursuant to section 412
of the new Companies Ordinance (Cap. 622), auditors may require information and explanation for
the performance of their duties from a wider range of persons, including persons holding or
accountable for any accounting records of the company or a Hong Kong incorporated subsidiary of
the company.
It also empowers auditors to require the company to obtain information and explanation for the
performance of their duties from persons holding or accountable for the accounting records of
a non-Hong Kong incorporated subsidiary.
A person who contravenes section 412 of Companies Ordinance (Cap. 622) commits an offence
and is liable to a fine at level 4 ($25,000) under section 413 of Companies Ordinance (Cap. 622)
and, in the case of a continuing offence, to a further fine of $700 for each day during which the
offence continues unless the person can prove reasonable that he is not practicable to provide the
information or explanation.
If a person makes or knows a statement to an auditor of a company that conveys or purports to
convey any information or explanation that the auditor requires, is misleading, false or deceptive
materially, the person is liable :
(a) On conviction on indictment to a fine of $150,000 and to imprisonment for two years; or
(b) On summary conviction to a fine at level five and to imprisonment for six months.

2.4 Outgoing auditors

A person's appointment as auditor of a company is terminated if:
(a) The term of office expires
(b) The person resigns from office
(c) The person ceases to be auditor
(d) The person is removed from office
(e) A winding up order is made in respect of the company
Where a firm is appointed, by the firm name, as auditor of a company, the appointment is also
terminated if every person who is regarded as being appointed as auditor by section 399 of new
Companies Ordinance (Cap. 622):
(a) Ceases to be a partner in the firm before the term of office expires; or
(b) Ceases to be eligible, or becomes disqualified, for appointment as auditor of the company
before the term of office expires.
Where a body corporate is appointed as auditor of a company, the appointment is also terminated
if the body corporate is dissolved.

201
 Business Assurance

2.4.1 Resignation of auditor under section 417 of new Companies Ordinance

(Cap. 622)
A person may resign from the office of auditor by giving the company a notice in writing that is
accompanied by a statement required to be given and this statement should under section 424 of
new Companies Ordinance (Cap. 622). The statement should state whether there are any
circumstances connected with the resignation that should be brought to the attention of the
company's members or creditors, a statement of those circumstances; or there are no such
circumstances.
The resignation shall be effective at the end of the day on which notice is given to the company or
else specified a time for resignation to be effective and the company must deliver the notification to
the Company Registrar within 15 days beginning on the date on which a company receives a
notice of resignation, if not the company would be penalised.

2.4.2 Cessation of auditor under section 418 of new Companies Ordinance

(Cap. 622)
If, while holding office as auditor of a company, a person ceases to be eligible, or becomes
disqualified, for appointment as auditor of the company, the person:
(a) Immediately ceases to be auditor of the company; and
(b) Must notify the company of the cessation in writing within 14 days from the date of the
cessation.
Without complying to the section, the person would be penalised.

2.4.3 Removal of auditor under section 419 of new Companies Ordinance

(Cap. 622)
A company may by an ordinary resolution passed at a general meeting remove a person from
the office of auditor despite—
(a) Any agreement between the person and the company; or
(b) Anything in the company's articles.
Special notice is required for an ordinary resolution and on receipt of a special notice, the
company must send a copy of it to the person proposed to be removed.
The company must deliver a notice in the specified form of that fact to the Registrar for registration
within 15 days beginning on the date on which it is passed, if not the company will be penalised.
The removed auditor can still claim any compensation or damages in respect of the cessation as
auditor.

2.4.4 Outgoing auditor's rights

Resigning auditor – section 421 of new Companies Ordinance (Cap. 622)
Resigning auditor, having given a notice of resignation with a statement of circumstances, may by
another notice given to the company with the notice of resignation, require the directors to
convene a general meeting of the company for receiving and considering the explanation of the
circumstances connected with the resignation that the person places before the meeting.
Subsequently, the directors must convene a general meeting for a date falling within 28 days
after the date on which the notice convening the meeting is given. Every director who failed to take
all reasonable steps to secure that a general meeting was convened as required, would be liable to
penalty.

202
 7: Changes in auditor appointment | Part D Assurance engagements

If a general meeting is convened under section 421, the person who resigns from the office of
auditor:
(a) May give the company a statement by the person that sets out in reasonable length the
circumstances surrounding the resignation;
(b) May request the company to comply with the requirement of :
 To state, in every notice of the meeting given to the members, that the statement has
been made; and
 To send a copy of the statement to every member to whom a notice of the meeting is
or has been given; or
 If the company has not sent a copy of the statement to every member to whom a
notice of the meeting is or has been given, the requirement to ensure that the
statement is read out at the meeting.
(c) Is entitled to be given every notice of, and every other item of communication, relating to the
general; to attend the general meeting and to be heard at the general meeting on any part of
the business of the meeting that concerns the last appointed auditor.

2.4.5 Cessation statement in relation to written resolution

The person may, within 14 days after receiving a copy of the written resolution from the company:
(a) Give the company a statement by the person that sets out in reasonable length the
circumstances surrounding the termination of the appointment as auditor
(b) Require the company to send a copy of the statement to every member at the same time
when the written resolution is circulated
On application by the company or by anyone who claims to be aggrieved, the Court may order that
the company is exempted from complying with the requirement, if it is satisfied that the person who
has given a statement and made a requirement has abused the right to do so; or has used such a
right to secure needless publicity for defamatory matter.

2.4.6 Outgoing Auditor's Statement of Circumstances

Duty of resigning auditor to give statement
A person who resigns from office must, on the resignation, give the company:
(a) If the person considers that there are circumstances connected with the resignation that
should be brought to the attention of the company's members or creditors, a statement of
those circumstances; or
(b) If the person considers that there are no such circumstances, a statement to that effect.
Duty of auditor who retires or is removed to give statement
A person whose appointment as auditor is terminated must, on the termination, give the company :
(a) If the person considers that there are circumstances connected with the termination that
should be brought to the attention of the company's members or creditors, a statement of
those circumstances; or
(b) If the person considers that there are no such circumstances, a statement to that effect.
Such a person must send a statement to the company so that it will be received by the company at
least 14 days before the end of the appointment period in relation to the next financial year; or
in any other case, within 14 days beginning on the date of termination. This does not apply if the
person's appointment is terminated and the person is appointed as auditor of the company for a
term immediately following the term of office that expires; or is deemed to be reappointed as
auditor of the company for the next financial year. If the person fails to send the statement would
be penalised.

203
 Business Assurance

Company's and aggrieved person's responses to statement of circumstances

If a company is given a statement of circumstances, the company must, within 14 days beginning
on the date on which it receives the statement send a copy of the statement to every member of
the company; or apply to the Court for an order directing that copies of the statement are not to be
sent which it receives the statement.
A person who claims to be aggrieved by a statement of circumstances may, within 14 days
beginning on the date on which the company receives the statement, apply to the Court for an
order directing that copies of the statement are not to be sent.
If the Court is satisfied that the person has abused the use of the statement of circumstances or is
using the statement to secure needless publicity for defamatory matter, the Court must direct that
copies of the statement are not to be sent and may order the person, though not a party to the
application, to pay the applicant's costs on the application in whole or in part.

2.5 Professional clearance

Section 440 of the Code of Ethics (Revised) – Changes in Professional Appointment
A proposed nominee should conduct professional clearance procedures before accepting the
nomination.
With the permission of the prospective client, the proposed nominee should write to the last
appointed auditor and ask if there are any unusual circumstances of which the proposed nominee
should be aware before accepting the nomination. The proposed nominee should not accept the
engagement if the prospective client fails to deal with the change of auditor in accordance with
Hong Kong Companies Ordinance or fails to give permission for communication with the last
appointed auditor.
The last appointed auditor should advise the proposed nominee immediately if there is any
professional or other reason of which the proposed nominee should be aware and in addition,
the circumstances surrounding the proposed change and disclose fully all information needed by
the proposed nominee to enable him to make decision in respect of accepting the nomination.
If the last appointed auditors have suspicions of unlawful acts by directors which have not yet
been proved, they should inform the nominee auditor of any matters that ought to be investigated.
If the replacement of the last appointed auditor is prompted by disagreement over matters such as
the truth and fairness of the entity's financial statements or the selection of accounting policies or
methods used in auditing, the proposed nominee should obtain the full views of the last appointed
auditors. In addition, the proposed nominee should discuss with the entity the areas of
disagreement. The proposed nominee should be prepared to accept nomination only if he is
satisfied it is ethically appropriate to do so.
This is an example of an initial communication.

Dear Sirs
We have been nominated to act as auditors of …………………….. Limited.
In order to assist us in determining whether to accept such nomination, we should be grateful if you
would advise if there are any circumstances surrounding the proposed change of which we should
be aware.
Yours faithfully,

204
 7: Changes in auditor appointment | Part D Assurance engagements

2.5.1 Changing auditors of a listed entity

Section 441 of the Code of Ethics (Revised) – Change of Auditors of a Listed Issuer of the
Stock Exchange of Hong Kong
If there are any disagreements between auditors and the client, the issues should be raised with
the audit committee so that the committee may help to resolve the issues with management and to
complete the audit.
The last appointed auditor should write a letter of resignation/termination to the audit committee
and the board of directors in the event of the resignation or refusing re-appointment, which lists any
disagreements or unresolved issues relating to the audit.
The proposed nominee should request a copy of the letter of resignation/termination and any
correspondence from the listed entity. If the entity refuses to send the proposed nominee the letter
of resignation/termination, the proposed nominee can only decline to accept nomination.
The last appointed auditor should remind the listed entity of its obligation under the Listing Rules
and should ensure the letter of resignation/termination has been brought to the attention of the
shareholders. Any disputes should be reported to the audit committee.

Self-test question 1
Engineering Materials Manufacturing Company Limited is a company listed on the Hong Kong
Stock Exchange. Engineering Materials Manufacturing Company and its subsidiaries ('EMM'), are
principally engaged in the manufacture and trading of engineering materials, including steel, iron,
aluminium, cement, timber and asphalt. EMM's customers are mainly construction and engineering
companies in mainland China, Hong Kong and other Asian countries. As at 31 December 20X6,
over 90% of EMM's assets were located in mainland China.
In view of the booming economy in mainland China, EMM embarked on an expansion plan two
years ago to double the group's revenue within five years. EMM plan to implement this strategy
through acquisition of other manufacturers as well as setting up new plant in strategic locations in
the Mainland. In the last two years, an increasing trend in revenue and receivables has been noted.
On 21 December 20X6, EMM succeeded in issuing debentures of US$130,000,000 at an interest
rate of 9.5% per annum. The debentures are listed on an overseas exchange. The proceeds
received were used partly to repay bank loans when they were due, while the remaining cash was
kept in banks in mainland China.
EMM's previous auditor, XYZ & Co, was re-appointed in April 20X6 after it reported on EMM's
financial statements for the year ended 31 December 20X5. However, XYZ & Co resigned in
November 20X6.
XYZ & Co had proposed a fee which doubled the fee it charged EMM in the last year but EMM did
not accept the increment. According to EMM, they wanted to change auditors periodically to ensure
independence. According to XYZ & Co, the firm is prepared to rotate the engagement partner in
accordance with quality control standards.
The directors of EMM approached ABC & Co in January 20X7 and proposed to appoint them as
the auditor of EMM's financial statements for the year ended 31 December 20X6.
Required
Determine XYZ & Co's ethical obligations in relation to the change in auditors.
HKICPA May 2007 (amended)
(The answer is at the end of the chapter)

205
 Business Assurance

3 Client acceptance procedures

Topic highlights
HKSQC 1 (Clarified) sets out what a firm must consider and document in relation to accepting or
continuing an engagement which is the integrity of the entity, whether the firm is competent to do
the work and whether the firm meets ethical requirements in relation to the work.

HKSQC1.26
HKSQC 1 (Clarified)
The firm shall establish policies and procedures for the acceptance and continuance of entity
relationships and specific engagements designed to provide the firm with reasonable assurance
that it will only undertake or continue relationships and engagements where it:
(a) Has considered the integrity of the entity and does not have information that would lead it
to conclude that the entity lacks integrity
(b) Is competent to perform the engagement and has the capabilities, time and resources to do
so
(c) Can comply with relevant ethical requirements

The firm should obtain such information as it considers necessary in the circumstances before
accepting an engagement with a new entity, when deciding whether to continue an existing
engagement, and when considering acceptance of a new engagement with an existing entity.
Where issues have been identified, and the firm decides to accept or continue the entity
relationship or a specific engagement, it should document how the issues were resolved.

3.1 Procedures before accepting nomination

The following procedures should be carried out before accepting nomination:
(a) Ensure that there are no ethical issues which are a barrier to accepting nomination ie
changes in auditor's independence
(b) Ensure that the auditor is professionally qualified to act and that there are no legal or
technical barriers
(c) Ensure that the existing resources are adequate in terms of staff, expertise and time
(d) Obtain references for the directors if they are not known personally to the audit firm
(e) Consult the last appointed auditors to ensure that there are not any reasons behind the
vacancy which the new auditors ought to know. This is also a courtesy to the last appointed
auditors
(f) Obtain and review available financial statements
(g) Make inquiries of third parties such as those charged with governance, or internal auditors
etc
(h) Consider unusual high business risk – any complex transactions, aggressive deals or
attitude towards matters such as aggressive interpretation of accounting standards or the
internal control environment
(i) Consider management's attitude towards compliance with regulatory or contractual
obligations
(j) Consider any indication of money laundering or other criminal activities committed by
management

206
 7: Changes in auditor appointment | Part D Assurance engagements

For an existing entity, the firm should consider its ability to continue the engagement and if there is
any significant change in management/financial condition which affects the firm's ability to
continue the relationship. The firm should reassess the integrity of management if there is a
change in management.

3.2 Procedures after accepting nomination

As previously set out the firm should ensure that the last appointed auditors' removal or
resignation has been properly conducted in accordance with the Hong Kong Companies
Ordinance and that the new auditors' appointment is valid. The new auditors should obtain a
copy of the resolution passed at the general meeting appointing them as the entity's auditors. An
engagement letter should be submitted to the entity for finalising the engagement terms, which we
shall look at later.

3.3 Procedures for the transfer of books, papers and information

following a new appointment
Section 414 of new Companies Ordinance (Cap. 622)
A person who is or has been an auditor of a company does not contravene any duty owed by the
person as such auditor in law by reason only that the person gives work related information to
another person:
(a) Who is an auditor of the company;
(b) Who has been appointed as auditor of the company but whose term of office has not yet
begun; or
(c) To whom the company has offered the position as auditor but who has not yet been
appointed.
Section 440 Code of Ethics (Revised)
The last appointed auditor shall provide promptly the requested information to the newly appointed
auditors. The information shall be relevant to the entity's affairs and no charge shall be made
unless there is good reason to the contrary.
The working papers belong to the last appointed auditor who is under no legal obligation to pass
his working papers to the newly appointed auditors for review. However, the last appointed auditor
has an ethical obligation to respond to the newly appointed auditor's specific inquiries and shall
pass the working papers relating to matters of continuing accounting significance in respect of
those specific areas.

HKSQC1.28, 3.4 Issues relating to the acceptance decision

A19
HKSA220.12- HKSQC 1 (Clarified) gives a list of matters that the auditors might consider in relation to the
13 acceptance decision.

207
 Business Assurance

Matters to consider

Integrity of  The identity and business reputation of the entity's principal owners, key
an entity management, related parties and those charged with governance
 Nature of the entity's operations, including its business practices
 Information concerning the attitude of the entity's principal owners, key
management, those charged with governance towards matters such as
aggressive interpretation of accounting standards/internal control
environment
 Whether the entity is aggressively concerned with keeping the firm's fees
as low as possible
 Indications of an inappropriate limitation in the scope of work
 Indications that the entity might be involved in money laundering or other
criminal activities
 The reasons for the proposed appointment of the firm and non-
reappointment of the last appointed auditors
 Identity and business reputation of related parties
Competence  Do firm personnel have knowledge of relevant industries/subject matters?
of the firm
 Do firm personnel have experience with relevant regulatory or reporting
requirements, or the ability to gain the necessary skills and knowledge
effectively?
 Does the firm have sufficient personnel with the necessary capabilities and
competence?
 Are experts available, if needed?
 Will staff need further training to do the work?
 Are individuals meeting the criteria and eligibility requirements to perform
the engagement quality control review available where applicable?
 Is the firm able to complete the engagement within the reporting deadline?

In addition, the firm needs to consider whether acceptance would create any conflicts of interest.

HKSQC1 (Clarified)
The firm shall establish policies and procedures on continuing an engagement and the client
relationship, addressing the circumstances where the firm obtains information that would have
caused it to decline the engagement had that information been available earlier. Such policies and
procedures shall include consideration of:
(a) The professional and legal responsibilities that apply to the circumstances, including whether
there is a requirement for the firm to report to the person or persons who made the
appointment or, in some cases, to regulatory authorities; and

(b) The possibility of withdrawing from the engagement or from both the engagement and the
entity relationship.

Such procedures might include discussions with the entity's management and those charged with
governance, and, if required, discussions with the appropriate regulatory authority.

208
 7: Changes in auditor appointment | Part D Assurance engagements

There are requirements for the engagement partner in relation to specific engagements as follows:

HKSA 220
The engagement partner shall be satisfied that appropriate procedures regarding the acceptance
and continuance of client relationships and audit engagements have been followed, and shall
determine that conclusions reached in this regard are appropriate.
If the engagement partner obtains information that would have caused the firm to decline the audit
engagement if that information had been available earlier, the engagement partner shall
communicate that information promptly to the firm, so that the firm and the engagement partner can
take the necessary action.

Self-test question 2
You are the audit partner of ABC CPA Hong Kong and have just received a request from ABC CPA
London on a fee proposal for the audit of Peter Hong Kong Limited, a subsidiary of Peter Limited
which is the potential audit client of ABC CPA London for the year ending 30 June 20X3. During
the client acceptance procedures, you have identified that the spouse of your fellow tax partner is
the Chief Financial Officer of Peter Hong Kong Limited.
Required
What independence issues should you consider for the engagement acceptance of the audit of
Peter Hong Kong Limited and what relevant safeguards should be in place?
(8 marks)
HKICPA June 2013
(The answer is at the end of the chapter)

3.5 Client screening

Many firms would use a checklist to screen potential clients. Entities can be divided into
categories based on the level of risk associated with their business practices: as low risk for entities
who demonstrate a high level of effective internal control and strong performance or high risk for
entities who have a history of poor performance, lack of finance, weak internal controls, integrity
issues or unclear related party transactions. For high risk entities firms may consider employing
specialists in response to diagnosed risks to act as an independent reviewer.
The following flow chart summarises the acceptance procedures for new and existing clients:

209
 Business Assurance

ACCEPT THE ENGAGEMENT?

HKSQC 1 (Clarified) – Firm wide
HKSA 220 – Specific engagement

CONSIDER:
Ethical issues (the Code)
Legal and technical barriers; and
Management integrity

NEW CLIENT EXISTING CLIENT

PROCEDURES: PROCEDURES:
Obtain details of last appointed auditors Consider ability to serve
Consult last appointed auditors Consider any significant change
Review available financial statements Consider change in management
Inquire of a third party

ACCEPT THE ENGAGEMENT

Ensure last appointed auditors' removal or resignation have been

properly conducted
Special notice reviewed
Obtain a copy of resolution passed
Perform professional clearance
Submit engagement letter
Verify opening balances (HKSA 510 (See Chapter 14))

210
 7: Changes in auditor appointment | Part D Assurance engagements

4 Engagement letters
Topic highlights
Certain issues must be agreed in writing when an audit is accepted.

4.1 Purpose of sending an engagement letter

Before any professional work is undertaken, an engagement letter should be issued.
Under HKSA 210 Agreeing the Terms of Audit Engagements, before the start of any professional
work, the auditor and its entity should agree, in writing, the scope and nature of the work to be
undertaken. This is through the engagement letter. The purposes of the engagement letter are:
 To help avoiding misunderstanding with respect to the engagement
 To confirm auditor's acceptance of the engagement
 To confirm the objective and scope of the audit
 To clearly state the auditor's duties and responsibilities of the entity
 To state the form of report it is going to issue
 To prevent misunderstandings between the auditor and the entity
 To confirm the fee basis and any verbal arrangements in writing

4.2 When to send an engagement letter

The engagement letter is issued or revised in the following situations:
HKSA  For new clients, the engagement letter should be sent before any professional work has
210.A22
been started.
HKSA 210.13  For recurring audits, whenever there is a significant change in circumstances, a revised
engagement letter should be sent. The engagement partner should consider whether there is
a need for a new engagement letter annually.
 For group companies, the auditor will send an engagement letter relating to the group as a
whole and identifies the components for which they are appointed as auditors.

HKSA 4.3 Contents of an engagement letter

210.10,
Appendix 1 The engagement letter should state the auditor's and the client's statutory duties and
responsibilities.
The following is a list of the sections that will or might appear in an engagement letter:
(a) Objective of the financial statement audit
(b) Directors' responsibilities– keeping proper accounting records, and making them available to
the auditors
(c) Auditor's responsibilities – to form an opinion on the entity's financial statements as to
whether they show a true and fair view and comply with the Hong Kong Companies
Ordinance
(d) Scope of auditor's work – ie applicable legislation, regulations and auditing standards, review
accounting system, collection of audit evidence, and tests of internal controls
(e) Form of reports for the engagement
(f) Stating an unavoidable risk that some material misstatements may still be undiscovered due
to inherent limitations of an audit
(g) Expectation of receiving written representations from the management

211
 Business Assurance

(h) Requirement for the auditor to communicate KAMs in the auditor's report (for a listed
company)
(i) Expectation of management providing access to all information relevant to the preparation of
the financial statements and disclosures of which they are aware
(j) Any additional work required from auditor – bookkeeping, taxation or other services
(k) Irregularities and fraud – primary responsibility is on directors
(l) Fees and basis of charge
(m) The effective date of the engagement letter
(n) Letter of acknowledgement from the board

Self-test question 3
Win Limited is your new audit client. You are engaged to perform the audit of its financial
statements for the year ended 31 December 20X5. Based on a discussion with the Chief Financial
Officer of Win Limited, your audit engagement manager has prepared a draft engagement letter as
set out below:

[Date]
To the Board of Directors of Win Limited

Objective of services
You have requested that we audit the financial statements of Win Limited. We are pleased to
confirm our acceptance and our understanding of this audit engagement by means of this letter.
The objectives of our audit are to obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatement, whether due to fraud or error, and to
issue an auditor's report that includes our opinion. Reasonable assurance is a high level of
assurance, but is not a guarantee that an audit conducted in accordance with Hong Kong
Standards on Auditing (HKSAs) will always detect a material misstatement when it exists.
Misstatements can arise from fraud or error and are considered material if, individually or in the
aggregate, they could reasonably be expected to influence the economic decisions of users taken
on the basis of these financial statements.
Scope of audit
The audit will be conducted in accordance with HKSAs issued by the Hong Kong Institute of
Certified Public Accountants. Those standards require that the auditor complies with ethical
requirements. As part of an audit in accordance with HKSAs, we exercise professional judgment
and maintain professional scepticism throughout. We also:
(a) Identify and assess the risks of material misstatement of the financial statements, whether
due to fraud or error, design and perform audit procedures responsive to those risks, and
obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion. The
risk of not detecting a material misstatement resulting from fraud is higher than for one
resulting from error, as fraud may involve collusion, forgery, intentional omissions,
misrepresentations, or the override of internal control.
(b) Obtain an understanding of internal control relevant to the audit in order to design audit
procedures that are appropriate in the circumstances, but not for the purpose of expressing
an opinion on the effectiveness of the entity's internal control. However, we will communicate
to you in writing concerning any significant deficiencies in internal control relevant to the
audit of the financial statements that we have identified during the audit. Any such report may
not be provided to third parties without our prior written consent. Such consent will be
granted only on the basis that such reports are not prepared with the interests of anyone

212
 7: Changes in auditor appointment | Part D Assurance engagements

other than the Company in mind and that we accept no duty or responsibility to any other
party as concerns the reports.
(c) Evaluate the appropriateness of accounting policies used and the reasonableness of
accounting estimates and related disclosures made by you.
(d) Conclude on the appropriateness of your use of the going concern basis of accounting and,
based on the audit evidence obtained, whether a material uncertainty exists related to events
or conditions that may cast significant doubt on the Company's ability to continue as a going
concern. If we conclude that a material uncertainty exists, we are required to draw attention
in our auditor's report to the related disclosures in the financial statements or, if such
disclosures are inadequate, to modify our opinion. Our conclusions are based on the audit
evidence obtained up to the date of our auditor's report. However, future events or conditions
may cause the Company to cease to continue as a going concern.
(e) Evaluate the overall presentation, structure and content of the financial statements, including
the disclosures, and whether the financial statements represent the underlying transactions
and events in a manner that achieves fair presentation.
Because of the inherent limitations of an audit, together with the inherent limitations of internal
control, there is an unavoidable risk that some material misstatements may not be detected, even
though the audit is properly planned and performed in accordance with HKSAs.
................
...............
Fees
Our fees are computed on the basis of the time spent on your affairs by the partners and our staff
and on the levels of skill and responsibility involved plus out-of-pocket expenses. Unless otherwise
agreed, our fees will be billed at appropriate intervals during the course of the audit and will be due
on presentation.
We propose an audit fee of HK$100,000. Upon the issuance of our clean auditor's report, we are
entitled to collect an additional fee of HK$50,000.
Agreement of terms
Once it has been agreed, this letter will remain effective, from one audit appointment to another,
until it is replaced. Please sign and return the enclosed copy of this letter to indicate your
acknowledgement of, and agreement with, the arrangements for our audit of the financial
statements including our respective responsibilities.
Yours faithfully,

LEE & Co.

Certified Public Accountants
Date

We agree to the terms of this letter.

(Signed)
................................. Director, for and on behalf of the Board of Win Limited
Date

213
 Business Assurance

Required
(a) Advise as to what other essential information should be added to this engagement letter.
(8 marks)

(b) Justify the appropriateness of the fee arrangement mentioned in this engagement letter.
(4 marks)
HKICPA June 2016 (amended)
(The answer is at the end of the chapter)

5 Books and documents

Topic highlights
Audit working papers belong to the auditor. Sometimes, the terms 'working papers' or 'work papers'
are used.

HKSA 230.5,
7-11
5.1 Audit documentation
Audit documentation refers to the record of audit procedures performed, relevant audit evidence
obtained, and the conclusions the auditor reached.
In accordance with HKSA 230 Audit Documentation, the auditor prepares, on a timely basis, audit
documentation that provides:
 A sufficient and appropriate record of the basis for the auditor's report
 Evidence that the audit was performed in accordance with HKSAs and applicable legal and
regulatory requirements.
HKSA 230 requires that the auditor prepares audit documentation on a timely basis in order to
enhance the quality of the audit. This is to allow sufficient time to review and evaluate the audit
evidence obtained and conclusions reached before the auditor's report is finalised.

5.1.1 Nature, form, content and extent of audit procedures performed

The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor
having no previous connection with the audit, to understand. It should include:
 The nature, extent and timing of the audit procedures performed to comply with HKSAs and
applicable legal and regulatory requirements
 The results of the audit procedures performed and the audit evidence obtained
 Significant matters arising during the audit ie significant risks or difficulties in applying audit
procedures

5.2 Ownership
Audit working papers are owned by the auditor. In the event of auditors taking over an audit
from another firm, they are not entitled to take over all the audit files that that firm has put together
on the entity.

214
 7: Changes in auditor appointment | Part D Assurance engagements

The HKSA states that in order to ensure continuity of an entity's affairs, the last appointed auditors
must provide the new auditors with all the reasonable carry-over information they request, and
they should do this promptly. The last appointed auditor should ensure that he transfers all the
books and documents belonging to the entity to the new auditors without delay. He is only allowed
to keep entity's books where he is entitled to exercise a lien.

5.3 The right of lien

Key term
A lien is a supplier's right to retain possession of a customer's property until the customer pays
what is owed to the supplier.

If the last appointed auditor is still owed fees by the client, he may have a right under common law
to exercise a lien over some of the client's books. General liens over property can rarely be
established. However, it may be possible for an auditor to have a particular lien when a client owes
a debt specifically in respect of that property.
A right of particular lien will only exist where the following conditions are fulfilled:
 The documents must be the property of the entity itself (not a closely related third party)
 The documents must have come into the professional accountant's possession by proper
means
 The work must have been done and a fee note rendered in respect of it
 The fee must relate to the retained documents

5.4 Third party rights to information

As discussed in Chapter 4, the auditor owes a duty of confidentiality to the client. This means that
documents containing information about the client should not be given to third parties unless:
 The client agrees to the disclosure before it is made
 Disclosure is required by statute or court order
 Disclosure is otherwise in accordance with the Code of Ethics

5.5 Entity's rights to information

Audit working papers are the property of the auditor and as such, the client has no right of
access to them. The firm may allow the client access to the working papers if it so chooses.
However, the position is more complicated when the work undertaken is something other than
audit. For example, if the firm puts together the financial statements on behalf of the client, those
financial statements will belong to the client.
With tax work, documents created in carrying out tax compliance work will belong to the client.

HKSA 230.14 5.6 Assembly of the final audit file

The auditor should assemble the audit documentation in an audit file and complete the
administrative process of assembling the final audit file on a timely basis after the date of the
auditor's report. After the assembly, the auditor should not delete or discard audit documentation of
any nature before the end of its retention period, which is no shorter than five years from the date
of the auditor's report.
There is further discussion on audit documentation in Chapter 8.

215
 Business Assurance

5.7 Changes to audit documentation in exceptional

HKSA 230.16
circumstances after the date of the auditor's report
If, in exceptional circumstances, the auditor performs new or additional audit procedures or draws
new conclusions after the date of the auditor's report, the auditor shall document:
 The circumstances encountered
 The new or additional audit procedures performed
 When and by who the resulting changes to audit documentation were made and reviewed
 The specific reasons for making them

5.8 Transfer of books and documents on a change of

appointment decision
5.8.1 Section 440 Code of Ethics (Revised)
Section 440 of the Code of Ethics (Revised) states the following with regards to the transfer of
books and documents following a change of appointment:

The last appointed auditor shall provide promptly the requested information to the newly appointed
auditors. The information shall be relevant to the entity's affairs and no charge shall be made
unless there is good reason to the contrary.

The working papers belong to the last appointed auditor who is under no legal obligation to pass
his working papers to the newly appointed auditors for review. However, the last appointed auditor
has an ethical obligation to respond to the newly appointed auditor's specific inquiries and shall
pass the working papers relating to matters of continuing accounting significance in respect of
those specific areas.

216
 7: Changes in auditor appointment | Part D Assurance engagements

Topic recap

CHANGES IN AUDITOR
APPOINTMENT

Appointment Removal/resignation

Rights and duties in

Issues to consider accordance with Hong Kong
Companies Ordinance

Ethical HKSQC I Audit documentation Belongs to the

auditor

Legal Engagement letter

Risk
– Sets out scope /
analysis
responsibilities
– Update when necessary
– Disclosure of terms

Client
screening

New Existing
client client

217
 Business Assurance

Answers to self-test questions

Answer 1
XYZ & Co's ethical obligations in relation to the change in auditors of EMM are governed by the
Code of Ethics for Professional Accountants ('the Code'). In particular, XYZ & Co should comply
with the requirements of Section 441 'Change of Auditors of a Listed Issuer of the Stock Exchange
of Hong Kong' since EMM is listed on the Hong Kong Stock Exchange.
According to Section 441 of the Code, XYZ & Co should prepare a Letter of Resignation addressed
to the audit committee and the board of directors of EMM.
The Letter of Resignation should disclose all the occurrences that, in the opinion of XYZ & Co,
affect the relationship between EMM and XYZ & Co. Such occurrences include, but are not limited
to, 'disagreements' and/or 'unresolved issues'.
According to the Code, ABC & Co should make a request in writing to XYZ & Co to ask if there are
any unusual circumstances surrounding the proposed change which ABC & Co should be aware of,
so that ABC & Co may determine whether it should accept the nomination.
On receipt of the written request, XYZ & Co should act expeditiously. If there are no professional or
other reasons why ABC & Co should not accept the nomination, XYZ & Co should reply
accordingly without delay.
If XYZ & Co considers it appropriate to discuss EMM's affairs with ABC & Co, XYZ & Co should
request EMM's permission to do so freely. If permission is not granted, XYZ & Co should report that
fact to ABC & Co (who should not accept the nomination).
If, in the opinion of XYZ & Co, there are matters of which ABC & Co should be made aware, XYZ &
Co should inform ABC & Co of those factors of which, in the opinion of XYZ & Co, ABC & Co
should be aware. XYZ & Co may, for example, inform ABC & Co that the reasons advanced by
EMM for the change are not in accordance with the facts.
For example, XYZ & Co may inform ABC & Co of the fact that it proposed a rotation of the
engagement partner as an appropriate safeguard against the familiarity threat to independence,
and that EMM did not accept the increase in audit fee.
If EMM are Hong Kong incorporated listed issuers, s 140A(2) of the Companies Ordinance requires
an auditor who resigns from office before the expiry of his term , if the resignation is to be effective,
to include in his resignation a statement of any circumstances connected with his resignation which
he considers ought to be brought to the notice of members or creditors of the company, or a
statement that there are no such circumstances.

Answer 2
A family member of a partner of ABC CPA Hong Kong is an officer of Peter Hong Kong Limited and
this constitutes a serious threat to independence. These are familiarity threat, self-interest threat
and intimidation threat due to the family and personal relationships. The significance of the threats
is assessed as follows:
 The individual's responsibilities on the assurance engagement. Whether the tax partner is a
member of the audit engagement team and provides any advices on the audit.
 The closeness of the relationship. A spouse is an immediate family member as defined in the
Code of Ethics.
 The role of other party at the entity. We need to assess the responsibilities of the Chief
Financial Officer in the entity. Normally, the Chief Financial Officer is responsible for the
accounting and financial functions of the entity who will prepare the accounting information
for the audit.

218
 7: Changes in auditor appointment | Part D Assurance engagements

Based on the above assessment, the threat is considered to be significant. ABC CPA Hong Kong
should inform ABC CPA London of the threat and determine the appropriate measures to eliminate
the threats such as:
 Removing the tax partner from the engagement team.
 Changing the role of the spouse of the Tax Partner to a position which does not involve the
accounting and financial functions of the entity.
 Declining the engagement.
ABC CPA Hong Kong should not provide any assurance service to ABC CPA London on its
services rendered on Peter Limited, including group reporting, as long as the threat still
exists.

Answer 3
(a) Under HKSA 210 Agreeing the Terms of Audit Engagements, before the start of any
professional work, the auditor and the audited entity should agree, in writing, the scope and
nature of the work to be undertaken.
Accordingly, the engagement letter prepared by the audit engagement manager does not
contain enough information to satisfy the requirements under HKSA 210. The following
content should be added to the engagement letter:
Directors' responsibilities
(a) Preparing the financial statements which give a true and fair view in accordance with
the applicable financial reporting framework and any regulatory requirements, such as
the Hong Kong Companies Ordinance;
(b) Keeping sufficient accounting records, and making them available to the auditor;
(c) For such internal control as the directors determine is necessary to enable the
preparation of financial statements that are free from material misstatement, whether
due to fraud or error; and
(d) Provide the auditor with access to all information of which the directors are aware that
is relevant to the preparation of the financial statements and disclosures, such as the
company's books of account and all other relevant records and documentation,
including minutes of all management and shareholders' meetings and other matters.
Auditor's responsibilities
(a) Forming an opinion on whether the entity's financial statements show a true and fair
view and comply with the Hong Kong Companies Ordinance; and
(b) Other reporting when there are certain other matters which, according to the
circumstances, may need to be dealt with in the auditor's report. For example, where
the financial statements do not give details of directors' remuneration or of loans to
officers, the Hong Kong Companies Ordinance requires the auditor to disclose such
matters in the auditor's report.
Scope of audit
(a) The auditor has a professional responsibility to report if the financial statements do not
comply in any material respect with Hong Kong Financial Reporting Standards issued
by the HKICPA, unless in the audit opinion the noncompliance is justified in the
circumstances. In determining whether or not the departure is justified, the auditor
considers (a) whether the departure is required in order for the financial statements to
give a true and fair view: and (b) whether adequate disclosure has been made
concerning the departure.

219
 Business Assurance

(b) The auditor will communicate to directors in writing concerning any significant
deficiencies in internal control relevant to the audit of the financial statements that the
auditor has identified during the audit.
(c) Any such other report which does form part of the audit opinion may not be provided
to third parties without the auditor's prior written consent. Such consent will be granted
only on the basis that such reports are not prepared with the interests of anyone other
than the company in mind and that the auditor accepts no duty or responsibility to any
other party as concerns the reports.
(d) As part of the auditor's audit procedures, the auditor will request the management to
provide written confirmation concerning representations which the auditor has
received from the management during the course of the audit on matters having a
material effect on the financial statements.
(e) The auditor is also entitled to attend all general meetings of the company and to
receive notice of all such meetings.
(f) The responsibility for safeguarding the assets of the company and for the prevention
and detection of fraud, error and non-compliance with law or regulations rests with the
directors.
(g) Once the auditor has issued the auditor's report, the auditor has no further direct
responsibility in relation to the financial statements for that period.
Form of reports for the engagement
The form and content of the auditor's report may need to be amended in the light of the audit
findings.
(b) The additional audit fee of HK$50,000 is considered as a contingent fee arrangement which
is prohibited under Section 290 of the Code of Ethics for Professional Accountants.
Contingent fees are fees which are calculated on a predetermined basis relating to the
outcome of a transaction or the result of the services performed by the firm.
Payment arrangements based on outcomes would create self-interest and advocacy threats.
The threats created would be so significant that they cannot be reduced to acceptable levels
through the application of suitable safeguards.
All contingent fee arrangements shall be prohibited.

220
 7: Changes in auditor appointment | Part D Assurance engagements

Exam practice

ZZZ Holding Limited 32 minutes

Initially established approximately fifteen years ago, ZZZ Holdings Limited ('ZZZ') is a listed
company on the Main Board of the Hong Kong Stock Exchange. ZZZ's primary business is the
manufacture and sale of a wide range of decorative and entertainment lighting. ZZZ has over 6,000
employees and four factories in mainland China.
Ms Apple Au is the founder (and the Chief Executive) of ZZZ and has always placed a great
emphasis on innovation, quality control and quality assurance. ZZZ has more than 50 research
engineers and develops over 100 new models each year. ZZZ also has a broad portfolio of
patented products and is constantly developing more innovative products with more advanced
technology. In May 20X8, ZZZ's previous auditor (Red and Blue) retired and declined to stand for
re-appointment after reporting on the financial statements for the year ended 31 December 20X7 in
ZZZ's annual general meeting.
In August 20X8, Ms Au invited Ms Orange Or's firm (Gold and Silver) to be the new auditor.
Ms Au had met Ms Or (an audit partner of Gold and Silver) through her secondary school alumni
dinner in 20X7.
Gold and Silver has recently been engaged in three initial public offering exercises and is very
short of manpower. Ms Or is in the process of assessing this prospective engagement. ZZZ's
Accounting Manager has provided Ms Or with the audited financial statements for the year ended
31 December 20X7 and the unaudited management accounts for the eight months ended
31 August 20X8.
Required
(a) Briefly explain the procedures (other than the independence consideration)
Gold and Silver should carry out before the acceptance of Ms Au's invitation. (6 marks)
(b) Following on from part (a) above, explain how Ms Or should assess
the integrity of Ms Au and the key management of ZZZ. (6 marks)
(c) Explain the ethical obligations of Gold and Silver regarding the change in auditors. (6 marks)
(Total = 18 marks)
HKICPA September 2008

221
 Business Assurance

222
chapter 8

Planning, materiality and

risk assessment
Topic list

1 Audit planning 4 Risk

1.1 The importance of planning 4.1 Audit risk
1.2 The audit strategy and the audit plan 4.2 Business risk
1.3 Agreeing the terms of audit engagement 5 Risk assessment
2 Understanding the entity and its 5.1 Identifying and assessing the risks of
environment material misstatement
2.1 Why understanding is important 5.2 Risks of material misstatement at
2.2 Impact of the internal audit function financial statement level or assertion
3 Materiality level
3.1 Applying materiality in the context of 5.3 Significant risks
financial reporting and auditing 5.4 Automation risk
3.2 Purposes for setting materiality levels in 6 Overall responses to assessed risk of
the context of an audit of financial material misstatement
statements 6.1 Overall responses to risks of material
3.3 Materiality for the financial statements as misstatement at financial statement
a whole level
3.4 Materiality for the particular classes of 6.2 Overall responses to risks of material
transactions, account balances or misstatements at assertion level
disclosures
3.5 Performance materiality
3.6 Factors considered in setting materiality

Learning focus

Audit planning is a very important part of the audit process because it sets the direction for the
audit, based on an assessment of the risks relevant to the entity.

223
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.05 Planning and risk assessment 3
2.05.01 Identify and explain:
2.05.01.01 The need for planning an audit
2.05.01.02 The contents of the overall audit strategy and the audit plan
2.05.01.03 The relationship between the overall audit strategy and the audit
plan
2.05.02 Develop and document an audit plan
2.05.03 Explain how auditors obtain an initial understanding of the entity
and its environment including the use of preliminary analytical
review procedures
2.05.04 Explain the components of audit risk
2.05.05 Assess the risk of material misstatement at the financial
statement level and assertion level
2.05.06 Recognise and suggest overall responses to assessed risk
2.05.07 Recognise and suggest specific procedures to respond to
assessed risks
2.07 Documentation 3
2.07.01 Document an audit plan
2.08 Materiality 3
2.08.01 Define materiality and demonstrate how it should be applied in
the context of financial reporting and auditing

224
 8: Planning, materiality and risk assessment | Part D Assurance engagements

1 Audit planning

Topic highlights
Auditors must plan their work so that it is undertaken in an effective manner. The auditors formulate
an overall audit strategy which is translated into a detailed audit plan for audit staff to follow.

HKSA 300.2,
4, 6
1.1 The importance of planning
An effective and efficient audit relies on proper planning procedures. The planning process is
covered in general terms by HKSA 300 Planning an Audit of Financial Statements which states that
the objective of the auditor is to plan the audit so that the engagement is performed in an effective
manner.
Auditors should undertake the following:
(a) Plan the audit to enable it to be carried out in the most effective and efficient manner
(b) Consider whether to continue the entity relationship in the case of an existing entity
(c) Ensure the terms of the engagement are understood
(d) Consider ethical guidance including independence
(e) Consider entity acceptance procedures and professional clearance
(f) Establish the overall audit strategy for the audit and update any changes during the course
of the audit
(g) Develop and document an overall audit strategy for the expected scope and conduct of audit
in order to reduce audit risk to an acceptably low level
(h) Develop and document an audit plan which sets out the nature, extent and timing of planned
audit procedures
The audit strategy and plan should be revised during the audit when there are changes in
conditions or unexpected results are obtained.
Adequate planning benefits the audit in the following ways:
 Helping the auditor to devote appropriate attention to important areas of the audit
 Helping the auditor identify and resolve potential problems on a timely basis
 Helping the auditor properly organise and manage the audit engagement so that it is
performed in an effective and efficient manner
 Assisting in the selection of engagement team members with appropriate levels of
capabilities and competence to respond to anticipated risks, and the proper assignment of
work to them
 Facilitating the direction and supervision of engagement team members and the review of
their work
 Assisting, where applicable, in co-ordination of work done by auditors of components and
experts
Audit procedures should be discussed with the entity's management, staff and/or audit committee
in order to co-ordinate audit work, including that of the internal audit function. However, all audit
procedures remain the responsibility of the external auditors.

225
 Business Assurance

1.1.1 Preliminary engagement activities

Planning activities establish an overall audit strategy for the engagement and develop an audit
plan in order to reduce audit risk to an acceptably low level.
HKSA 300 requires that, at the beginning of the current audit engagement, the auditor must
perform the following preliminary engagement activities:
 Perform procedures regarding the continuance of the client relationship and the specific
audit engagement (HKSA 220)
 Evaluate compliance with ethical requirements such as independence (HKSA 220)
 Establish an understanding of the terms of the engagement (HKSA 210)
Performing the preliminary engagement activities assists the auditor in identifying and evaluating
events or circumstances that may adversely affect the auditor's ability to plan and perform the audit
engagement.

1.2 The audit strategy and the audit plan

Key term
The audit strategy sets the scope, timing and direction of the audit, and guides the development
HKSA of the more detailed audit plan.
300.7-8

Each entity is unique and an audit strategy should be adapted to suit the particular requirements
and characteristics of the entity concerned. A strategy should be derived from the audit
engagement partner's understanding of the entity and its particular environment, which indicate
where the most significant risks of misstatements lie. The audit partner's responsibilities in this
regard are set out in HKSA 315 (Revised 2016) – see below.
However, there are common elements to all strategies which are presented in the table that
follows:

The audit strategy: matters to consider

Characteristics of the  Relevant financial reporting framework
engagement
 Industry regulation
 Expected scope of audit
 Characteristics of business segments
 Existence of an internal audit function and its work
 Use of service organisations
 Effect of information and communications technology on audit
procedures
 Availability of entity staff and information
Reporting objectives,  Entity's timescale for reporting and accounting policies
timing of the audit and
 New accounting standards
nature of
communications  Organisation of meetings with management and those charged with
governance
 Discussions with management and those charged with governance
 Expected communications with third parties

226
 8: Planning, materiality and risk assessment | Part D Assurance engagements

The audit strategy: matters to consider

Significant factors,  Determination of materiality
preliminary
 Areas identified with higher risks of material misstatement
engagement activities,
and knowledge gained  Results of previous audits
on other engagements  Need to maintain professional scepticism
 Evidence of management's commitment to design, implementation
and maintain sound internal controls
 Volume of transactions
 Significant business developments
 Significant industry developments and conditions
 Significant changes in the financial reporting framework
 Other significant recent developments
 Any going concern issues
Nature, timing and  Selection of engagement team
extent of resources  Assignment of work to team members
 Engagement budget

Key term
The audit plan converts the audit strategy into a more detailed plan and includes the nature, timing
HKSA 300.9 and extent of audit procedures to be performed by engagement team members in order to obtain
sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.

The audit plan shall include the following:

(a) A description of the nature, timing and extent of planned risk assessment procedures
(b) A description of the nature, timing and extent of planned further audit procedures at the
assertion level
(c) Other planned audit procedures required to be carried out for the engagement to comply with
HKSAs
The planning for these procedures occurs over the course of the audit as the audit plan develops.
Any changes made during the audit engagement to the overall audit strategy or audit plan, and the
reasons for such changes, shall be included in the audit documentation.

1.2.1 Documenting the audit plan

The auditor should document the overall audit strategy and the audit plan, including any significant
changes made during the audit engagement.
The auditor's documentation of the audit plan is sufficient to demonstrate the planned nature,
timing and extent of risk assessment procedures, and further audit procedures at the assertion
level for each material class of transaction, account balance, and disclosure in response to the
assessed risks.
Standard audit programmes or completion checklists could be used by the auditor who should
appropriately tailor them to reflect the particular engagement circumstances.
The auditor's documentation of any significant changes to the originally planned overall audit
strategy and to the detailed audit plan includes the reasons for the significant changes and the
auditor's response to the events, conditions, or results of audit procedures that resulted in such
changes. A record of the significant changes to the overall audit strategy and the audit plan, and

227
 Business Assurance

resulting changes to the planned nature, timing and extent of audit procedures, explains the overall
strategy and audit plan finally adopted for the audit and demonstrates the appropriate response to
significant changes occurring during the audit.
The form and extent of documentation depend on such matters as the size and complexity of the
entity, materiality, the extent of other documentation, and the circumstances of the specific audit
engagement.

HKSA 210.3 1.3 Agreeing the terms of audit engagement

In accordance with HKSA 210 the objective of the auditor is to accept or continue an audit
engagement only when the basis upon which it is to be performed has been agreed, through:
 Establishing whether the pre-conditions for an audit are present
 Confirming that there is a common understanding between auditor and management or
those charged with governance of the terms of the audit engagement

1.3.1 Preconditions for an audit

Preconditions for an audit are the use by management of an acceptable financial reporting
framework for preparation of its financial statements and the agreement by management and
those charged with governance on which an audit is conducted.
The auditor must:
(a) Determine whether the financial reporting framework to be applied in the preparation of the
financial statements is acceptable
(b) Obtain the agreement of management that it acknowledges and understands its
responsibility:
 For the preparation of financial statements in accordance with the applicable financial
reporting framework
 For establishing the internal controls necessary for enabling the preparation of
financial statements free from material misstatements
 For providing the auditor with access to information, any additional information upon
request and unrestricted access to persons within the entity for audit evidence

1.3.2 Agreeing terms with management or those charged with governance

The auditor must agree the terms of the audit engagement with management or those charged with
governance. The agreed terms of the audit engagement include matters such as:
(a) The objective and scope of the audit of the financial statements.
(b) The responsibilities of the auditor and management.
(c) Identification of the applicable financial reporting framework for the preparation of the
financial statements.
(d) Reference to the expected form and content of any reports to be issued by the auditor and a
statement that there may be circumstances in which a report may differ from its expected
form and content. This may be done in an engagement letter or any suitable form of written
agreement.

228
 8: Planning, materiality and risk assessment | Part D Assurance engagements

2 Understanding the entity and its environment

Topic highlights
The auditor is required to obtain an understanding of the entity and its environment in order to be
able to assess the risks of material misstatement.

2.1 Why understanding is important

HKSA 315.3 Obtaining an understanding of the entity and its environment is an essential aspect of performing an
audit in accordance with HKSAs. The main standard we are concerned with here is HKSA 315
(Revised 2016) Identifying and Assessing the Risks of Material Misstatement through Understanding
the Entity and its Environment. HKSA 315 (Revised 2016) states that the objective of the auditor is
to identify and assess the risks of material misstatement whether due to fraud or error, at the
financial statement and assertion levels, through understanding the entity and its environment,
including the entity's internal control, thereby providing a basis for designing and implementing
responses to the assessed risks of material misstatement.
HKSA 315.5-6 The auditor must perform risk assessment procedures to provide a basis for the identification
and assessment of the risks of material misstatement at the financial statement and assertion
levels. These must include:
 Inquiries
 Analytical procedures
 Observation and inspection

Key term
Risk assessment procedures are audit procedures performed to obtain an understanding of the
entity and its environment, including the entity's internal control, to identify and assess the risks of
material misstatement, whether due to fraud or error, at the financial statement and assertion level.

The auditor must gather, review and analyse information through observation, inquiry and
discussion to create a picture of the whole entity in order to understand the particular risks the
entity faces, whether these are from its internal structure and control systems (fraud, human error,
aggressive targets putting management under undue pressure, high volume of transactions or
inexperienced staff) or the wider environment (political, technological, economic or market factors
which may expose the business to unforeseen challenges or uncertainty).
With this information, the auditor may then develop appropriate procedures in order to ascertain
where the most significant risks of material misstatement lie. Auditors may use data from prior
periods and knowledge built up from previous audits, but must evaluate the information for current
reliability.

229
 Business Assurance

The following table provides a simple summary of this important point:

Obtaining an understanding of the entity and its environment

Why?  To identify and assess the risks of material misstatement in the financial statements
whether due to fraud or error other factors
 To enable the auditor to design and perform further audit procedures
 To provide a frame of reference for exercising audit judgment, for example, when
setting audit materiality and identifying special audit areas
 To evaluate sufficient and appropriate audit evidence
 To develop expectations for use when performing analytical procedures
What?  Industry, regulatory and other external factors, including the applicable financial
reporting framework
 Nature of the entity, including operations, ownership and governance, investments,
structure and financing
 Entity's selection and application of accounting policies
 Objectives and strategies and related business risks that might cause material
misstatement in the financial statements
 Measurement and review of the entity's financial performance
 Internal control
 Control environment
 Entity's risk assessment process
 Information system
 Entity's communication of financial reporting matters
 Control activities relevant to the audit
 Activities to monitor internal control over financial reporting
How?  Inquiries of management the internal audit function and others within the entity
 Analytical procedures to highlight areas of high risk
 Observation and inspection of activities and operations of the entity
 Prior period knowledge
 Entity acceptance or continuance process
 Discussion by the engagement team of the susceptibility of the financial
statements to material misstatement and the application of the applicable financial
reporting framework
 Information from other engagements undertaken for the entity
 Reconsider the nature, extent and timeliness of substantive testing

Key term
Analytical procedures consist of the evaluations of financial information through analysis of
HKSA 520.4 plausible relationships among both financial and non-financial data. They also encompass such
investigation as is necessary of identified fluctuations or relationships that are inconsistent with
other relevant information or that differ from expected values by a significant amount.

230
 8: Planning, materiality and risk assessment | Part D Assurance engagements

2.2 Impact of the internal audit function

As explained in section 2.1 above, the HKSA 315 (Revised 2016) considers the way in which the
internal audit function affects this stage of the audit. The key points it makes in respect of this are
as follows:

HKSA 315.A6 2.2.1 Risk assessment procedures and related activities

- A13
Inquiries of management, the internal audit function and others within the entity
 Apart from obtaining information from management and those responsible for financial
reporting, the auditor can obtain information through inquiries with the internal audit function,
if the entity has such a function, and others within the entity.
 HKSA 260 (Revised) identifies the importance of effective two-way communication in
assisting the auditor to obtain information from those charged with governance in this regard.
 Inquiries of employees involved in initiating, processing or recording complex or unusual
transactions may help the auditor evaluate the appropriateness of the selection and
application of certain accounting policies.
 Inquiries directed towards in-house legal counsel may provide information about litigation,
compliance with laws and regulations etc.
 Inquiries of marketing or sales personnel may provide information about changes in the
entity's marketing strategies, sales trends or contractual arrangements with customers.
 Inquiries directed to the risk management function (or those performing such roles) may
provide information about operational and regulatory risks that may affect financial reporting.
 Inquiries directed to information systems personnel may provide information about system
changes, system or control failures, or other information system-related risks.
 As obtaining an understanding of the entity and its environment is a continual, dynamic
process, the auditor's inquiries may occur throughout the audit engagement.
Inquiries of the internal audit function
If an entity has an internal audit function, inquiries of the appropriate individuals within the function
may provide information that is useful to the auditor in obtaining an understanding of the entity and
its environment, and in identifying and assessing risks of material misstatement at the financial
statement and assertion levels.
In performing its work, the internal audit function is likely to have:
 Obtained insight into the entity's operations and business risks
 Findings based on its work, such as identified control deficiencies or risks, that may
provide valuable input into the auditor's understanding of the entity, the auditor's risk
assessments or other aspects of the audit
Inquiries of particular relevance may be about matters the internal audit function has raised with
those charged with governance and the outcomes of the function's own risk assessment process.
If, based on responses to the auditor's inquiries, it appears that there are findings that may be
relevant to the entity's financial reporting and the audit, the auditor may consider it appropriate to
read related reports of the internal audit function.
In addition, according to HKSA 240, if the internal audit function provides information to the auditor
regarding any actual, suspected or alleged fraud, the auditor takes this into account in the
auditor's identification of risk of material misstatement due to fraud.

231
 Business Assurance

Appropriate individuals within the internal audit function with whom inquiries are made are those
who, in the auditor's judgment, have the appropriate:
 Knowledge
 Experience
 Authority
This will normally include the chief internal audit executive or, depending on the circumstances,
other personnel within the function. The auditor may also consider it appropriate to have periodic
meetings with these individuals.
Considerations specific to public sector entities
Auditors of public sector entities often have additional responsibilities with regard to internal
control and compliance with applicable laws and regulations. Inquiries of appropriate individuals in
the internal audit function can assist the auditors in identifying the risk of material non-compliance
with applicable laws and regulations and the risk of deficiencies in internal control over financial
reporting.
Audit evidence for elements of the control environment
The auditor may also consider how management has responded to the findings and
recommendations of the internal audit function regarding identified deficiencies in internal
control relevant to the audit, including whether and how such responses have been implemented,
and whether they have been subsequently evaluated by the internal audit function.

HKSA 315.A109 2.2.2 The entity's internal audit function

- A116
 If the entity has an internal audit function, obtaining an understanding of that function
contributes to the auditor's understanding of the entity and its environment, including internal
control, in particular the role that the function plays in the entity's monitoring of internal
control over financial reporting. This understanding, together with information obtained from
inquiries of management can assist the auditor in identification and assessment of the risks
of material misstatement.
 The responsibilities of an internal audit function may include performing procedures and
evaluating the results to provide assurance to management and those charged with
governance regarding the design and effectiveness of risk management, internal
control and governance processes. If so, the internal audit function may play an important
role in the entity's monitoring of internal control over financial reporting.
 The auditor's inquiries of appropriate individuals within the internal audit function may help
the auditor obtain an understanding of the nature of the internal audit function's
responsibilities. If the auditor determines that the function's responsibilities are related to
the entity's financial reporting, the auditor may obtain further understanding of the activities
performed, or to be performed, by the internal audit function by reviewing the internal audit
function's audit plan for the period, if any, and discussing that plan with the appropriate
individuals within the function.
 If the nature of the internal audit function's responsibilities and assurance activities are
related to the entity's financial reporting, the auditor may also be able to use the work of
the internal audit function to modify the nature or timing, or reduce the extent, of audit
procedures to be performed directly by the auditor in obtaining audit evidence. Auditors may
be more likely to be able to use the work of an entity's internal audit function when it appears,
for example, based on experience in previous audits or the auditor's risk assessment
procedures, that the entity has an internal audit function that is adequately and appropriately
resourced relative to the size of the entity and the nature of its operations, and has a direct
reporting relationship to those charged with governance.
 If, based on the auditor's preliminary understanding of the internal audit function, the auditor
expects to use the work of the internal audit function to modify the nature or timing, or reduce
the extent, of audit procedures to be performed, HKSA 610 (Revised 2013) applies.

232
 8: Planning, materiality and risk assessment | Part D Assurance engagements

 As is further discussed in HKSA 610 (Revised 2013), the activities of an internal audit
function are distinct from other monitoring controls that may be relevant to financial
reporting, such as reviews of management accounting information that are designed to
contribute to how the entity prevents or detects misstatements.
 HKSA 200 discusses the importance of the auditor planning and performing the audit with
professional scepticism, including being alert to information that brings into question the
reliability of documents and responses to inquiries to be used as audit evidence. Accordingly,
communication with the internal audit function throughout the engagement may provide
opportunities for internal auditors to bring such information to the auditor's attention. The
auditor is then able to take such information into account in the auditor's identification and
assessment of risks of material misstatement.

Self-test question 1
In performing an audit of financial statements, auditors should have or obtain knowledge of the
business sufficient to enable them to identify and understand the events, transactions and practices
that, in the auditors' judgment, may have a significant effect on the financial statements or on the
audit or the auditor's report.
Required
(a) State how obtaining an understanding of the entity can assist the auditor in the planning of
an audit engagement.
(b) Assume that you have been recently appointed as an auditor of a large electronic
manufacturing company in Hong Kong with subsidiary operations in Guangzhou. Discuss
some of the matters you would consider in obtaining knowledge of the business under the
following headings:
(i) General economic factors
(ii) The industry
(iii) The entity
(The answer is at the end of the chapter)

3 Materiality

Topic highlights
Materiality should be calculated at the planning stages of all audits. The calculation or
estimation of materiality should be based on experience and judgment.
Materiality should be reviewed throughout the audit and revised if necessary. An item might be
material due to its nature, value or impact on the readers of the financial statements.
Assessing whether an omission or misstatement may influence the decision-making by users,
requires consideration of the characteristics of those users and how the information may be used.

3.1 Applying materiality in the context of financial reporting and

auditing
The objective of the auditor is to obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatement. Therefore, the auditor is required to
identify and assess the risks of material misstatements in the audit process.

233
 Business Assurance

The consideration of materiality is divided into:

 HKSA 320 Materiality in Planning and Performing an Audit – materiality in planning and
performing an audit of financial statements; and
 HKSA 450 Evaluation of Misstatements Identified during the Audit – materiality in evaluating
the effect of identified misstatements on the audit and of uncorrected misstatements on the
financial statements.
The auditor has to satisfy both HKSAs.

3.1.1 Materiality in the context of an audit

The objective of the auditor is to apply the concept of materiality in planning and performing the
audit and to evaluate the effect of identified and uncorrected misstatements, if any, on the financial
statements. The auditor must consider the risk of material misstatement in disclosures in addition
to account balances and classes of transactions. The auditor's determination of materiality is a
matter of professional judgment.

3.1.2 Materiality in the context of financial reporting

A financial reporting framework such as the HKFRS, discusses the concept of materiality in the
context of the preparation and presentation of financial statements. The concept of materiality is
discussed differently in different financial reporting frameworks.
For example, in HKSA 1 (Revised), materiality is defined as follows:

'Omissions or misstatements of items are material if they could, individually or collectively,

influence the economic decisions that users make on the basis of the financial statements.
Materiality depends on the size and nature of the omission or misstatement judged in the
surrounding circumstances. The size or nature of the item, or a combination of both, could be the
determining factor'.

3.2 Purposes for setting materiality levels in the context of an

audit of financial statements

Key term
Materiality is an expression of the relative significance or importance of a particular matter in the
context of financial statements as a whole.

HKSA 320.2, In the context of the audit:

5-6
 Misstatements, including omissions, are considered to be material if they, individually or in
the aggregate, could reasonably be expected to influence the economic decisions of users
taken on the basis of the financial statements
 Judgments about materiality are made in the light of surrounding circumstances and are
affected by the size and/or nature of a misstatement
 Judgments about matters that are material to users of the financial statements are based on
a consideration of the common financial information needs of users (not the effect on specific
individual users)
Auditors need to use professional judgment in determining materiality. The level of materiality is
affected by the auditor's perception of the financial information needs of the users of the financial
statements.

234
 8: Planning, materiality and risk assessment | Part D Assurance engagements

The concept of materiality is applied by the auditor in:

(a) Planning and performing the audit
(b) Evaluating the effect of identified misstatements on the audit
(c) Evaluating the effect of uncorrected misstatements on the financial statements ie the nature
of the uncorrected misstatements
(d) Forming the opinion in the auditor's report

3.2.1 Materiality in audit planning

Materiality considerations during audit planning are extremely important. The assessment of
materiality at this stage should be based on the most recent and reliable financial information and
will help to determine an effective and efficient audit approach.
Materiality assessment will help the auditors to decide:
(a) The cut off point on how much information should be obtained (quantity) and what type of
information is relevant (nature).
(b) Whether to use sampling techniques.
(c) What level of error is likely to lead to a qualified audit opinion. It serves the objective of
audit – ie express an opinion whether the financial statements are prepared, in all material
respects, in accordance with an applicable financial reporting framework.
The resulting combination of audit procedures should help to reduce audit risk to an appropriately
low level.
HKSA 320 requires an auditor to determine at least two types of materiality in planning an audit:
(a) Materiality for the financial statements as a whole
(b) Performance materiality

3.2.2 Materiality and its relationship with audit risk

Auditors should consider materiality and its relationship with audit risk in conducting the audit.
Auditors should plan and perform the audits so as to provide them with sufficient (quantity)
evidence to give reasonable assurance that the financial statements are free from material
misstatement and give a true and fair view.
Auditors should consider materiality when determining the nature, extent and timeliness (NET) of
audit procedures. Auditors need to consider both materiality levels for quantity and quality factors,
therefore it is necessary to set an acceptable materiality level as the benchmark.
There is an inverse relationship between materiality and the level of audit risk – the higher the
materiality level, the lower the audit risk and vice versa.

3.2.3 Materiality in misstatements identified

Auditors should assess whether the aggregate of uncorrected misstatements that have been
identified during the audit is material in all aspects when evaluating whether the financial
statements have been prepared within an applicable financial reporting framework. We will
discuss this further when studying HKSA 265 (Clarified) in Chapter 15.
If the auditor has identified a material misstatement resulting from error, the auditor should
communicate the misstatements to the appropriate level of management and consider the need to
report it to those charged with governance in accordance with HKSA 260 (Revised).

235
 Business Assurance

3.3 Materiality for the financial statements as a whole

HKSA 320.10
HKSA 320 states that the auditor, using professional judgment, shall determine materiality for the
financial statements as a whole, when establishing the overall audit strategy. Materiality at the
overall statement level may be different from the assertion level depending on the specific risks
identified. A chosen benchmark such as profit before tax, gross profit or net asset value could be
taken as a starting point to determine the materiality for the financial statements as a whole.

HKSA
320.A10
3.4 Materiality for the particular classes of transactions, account
balances or disclosures
Auditors shall determine the materiality level or levels to be applied to those particular classes of
transactions, account balances or disclosures that are expected to be influential to the users of
financial statements. Where misstatements of lesser amounts than materiality for the financial
statements as a whole could affect the economic decisions of users, materiality levels for those
particular balances must be set. In deciding whether this is necessary auditors should consider:
 Whether law, regulations or the applicable financial framework affect users' expectations
 The key disclosures in relation to the industry in which the entity operates
 Whether separate disclosure in the financial statements is required

3.5 Performance materiality

Key term
Performance materiality means the amount set by the auditor at less than materiality for the
HKSA 320.9 financial statements as a whole to reduce to an appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements exceeds materiality for the financial
statements as a whole. If applicable, performance materiality also refers to the amount or amounts
set by the auditor at less than the materiality level or levels for particular classes of transactions,
account balances or disclosures.

Planning the audit solely to detect individually material misstatements fails to take into account the
aggregated effect of individually immaterial misstatements on the overall financial statements.
The auditor is therefore required to determine performance materiality for purposes of:
(a) Assessing the risks of material misstatement
(b) Determining the nature, timing and extent of further audit procedures
It may relate to a particular class of transactions, account balance or disclosure.
As for the determination of materiality at the financial statement level, there is no single formula for
performance materiality.
The determination of performance materiality involves the exercise of professional judgment and is
affected by:
(a) The auditor's understanding of the entity, updated during the performance of the risk
assessment procedures
(b) The nature and extent of misstatements identified in previous audits and the auditor's
expectations in relation to misstatements in the current period.
If the auditor concludes that a lower materiality than that initially determined is appropriate for the
financial statements as a whole, the auditor must determine:
 Whether it is necessary to revise performance materiality
 Whether the nature, extent and timing of the further audit procedures remain appropriate

236
 8: Planning, materiality and risk assessment | Part D Assurance engagements

3.6 Factors considered in setting materiality

The auditor should consider the following factors regarding the entity when setting the materiality
level:
 The elements of the financial statements (eg assets, liabilities, equity, revenue, expenses).
 Whether there are items on which the attention of the users of the entity's financial
statements tends to be focused (eg for the purpose of evaluating financial performance
users may tend to focus on profit, revenue or net assets).
 The nature of the entity and the industry and economic environment in which the entity
operates.
 The entity's ownership structure and the way it is financed (eg if an entity is financed solely
by debt rather than equity, users may put more emphasis on assets, and claims on them,
than on the entity's earnings).
 The relative volatility of the benchmark chosen for materiality.
The determination of materiality is not a mechanical exercise without the appropriate consideration
of the facts and circumstances surrounding the audit engagement. An exercise of professional
judgment is involved.

Self-test question 2
Mary Limited is a company listed on the Main Board of The Hong Kong Stock Exchange and is
engaged in the manufacturing and trading of garments.
You are the auditor of Mary Limited and are performing audit planning for the year ending 30 June
20X3. The following financial information has been extracted from the latest management accounts
prepared by the management of Mary Limited:

For the nine months For the year For the year
ended 31 March 20X3 ended 30 June 20X2 ended 30 June 20X1
(HK$'000) (HK$'000) (HK$'000)
Revenue 1,000,000 2,000,000 1,500,000
Profit before tax from 500 10,000 7,000
continuing operations
Net current (200) 2,000 2,500
assets/(liabilities)
Shareholders' equity 3,000 5,000 8,000
Required
(a) What is materiality? In setting the planning materiality for Mary Limited's financial statements
as a whole, what factors (including client information and your understanding about the
client) you should consider? (5 marks)
(b) Auditors often select a benchmark item from the financial statements and apply a percentage
when setting materiality. Propose a possible range of benchmarks and the source
documents containing them in the case of Mary Limited. What are your considerations when
you decide a benchmark and the percentage? What documentation you would suggest for
such work? (6 marks)
(c) Based on the information provided by Mary Limited, the profit before tax from continuing
operations for the nine months ended 31 March 20X3 includes the following items:
(i) Impairment of property, plant and equipment of HK$3 million; and
(ii) Share-based payment expenses on granting one-off share options to a director of
Mary Limited of HK$2 million.

237
 Business Assurance

Required
How would you consider the impact of the above unusual items when determining materiality
for Mary Limited?
What is your response to these unusual items in concluding a benchmark and its amount or
magnitude? (4 marks)
(Total = 15 marks)
HKICPA June 2013
(The answer is at the end of the chapter)

4 Risk
4.1 Audit risk

Topic highlights
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated. It is a function of the risk of material misstatement (inherent
risk and control risk) and the risk that the auditor will not detect such misstatement (detection
risk).

Key term
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated.

HKSA Audit risk has two major components. One is dependent on the entity, and is the risk of material
200.13c misstatement arising in the financial statements (inherent risk and control risk). The other is
dependent on the auditor, and is the risk that the auditor will not detect material misstatements in
the financial statements (detection risk).

238
 8: Planning, materiality and risk assessment | Part D Assurance engagements

Audit risk can be represented by the audit risk model:

Audit risks

Risks of material misstatement Detection risks

At financial At assertion level

statement level

Inherent risks Control risks

Auditors perform risk assessment procedures to Perform procedures in

understand the entity and its environment and response to assessed
then assess the risks (Chapter 10). risks to reduce audit
risks to an acceptably
low level (See Chapters
11, 12, 13, 14, and 15)

4.1.1 Inherent risk

Key term
Inherent risk (IR) is the susceptibility of an assertion about a class of transactions, account
HKSA balance or disclosure to a misstatement that could be material either individually or when
200.13n
aggregated with other misstatements, before consideration of any related controls.

Inherent risks exist on two levels: at the entity level and for single items or balances, where there is
a significant risk of misstatement (assertion level). The risk of misstatement may be through error
particularly in the cases of very complex transactions, an inexperienced management team or lax
internal controls. Examples include the temptation to overstate sales in order to increase revenue,
or wrongful timing of revenue recognition and so forth.
The level of inherent risk is affected by the nature of the entity; the experience and ethos of its
management; the industry within which it operates; the degree to which that industry is regulated;
and also the strategies it chooses to pursue.
The degree of inherent risk is a matter for the auditors' professional judgment which must be based
on their understanding of the entity, its management, the nature of its transactions and the
reliability of the accounting systems. Where knowledge is limited then the inherent risk is deemed
to be high.

239
 Business Assurance

Factors affecting the entity

Integrity and risk profile of Domination by a powerful individual may cause problems
senior management
Management quality and Changes in management and quality of financial management
experience
Aggressive targets put Examples include tight reporting deadlines, or market or financing
pressure on management expectations
Profile of product or service Potential problems include technological obsolescence or over-
offering dependence on single product
Industry environmental Competitive conditions, regulatory requirements, technological
factors developments, sudden drop or rise in customer demand
Information and Problems include lack of supporting documentation, concentration
communications technology of expertise in key people, or unauthorised access

Factors affecting individual account balances or transactions (assertion level)

Financial statement accounts The risk is particularly high for complex transactions or balances
prone to misstatement that require a high degree of estimation or where internal control
and systems are unreliable
Complex accounts Accounts which require expert valuations or are subjects of
current professional discussion may be considered complex
Assets at risk of being lost or Cash, inventory, portable non-current assets (such as notebook
pilfered computers)
Quality of accounting This depends on the controls over and competence and efficiency
systems of individual departments (sales, purchases, cash etc)
High volume transactions The accounting system may have problems coping with sudden
peaks in demand
Unusual transactions Transactions for large amounts, with unusual names, or which are
not settled promptly (recognition problems particularly likely if they
occur at the end of the reporting period)
Transactions processed outside of the system, which may relate
to specific entities or which are processed by particular individuals
and therefore are not subject to usual internal process controls
Staff Structural or technological changes, key people leaving, changes
to working terms or conditions may all lead to low morale and a
higher risk of fraudulent or careless behaviour

4.1.2 Control risk

The second element of the risk of material misstatement in the financial statements is control risk.

Key term
Control risk (CR) is the risk that a misstatement that could occur in an assertion about a class of
HKSA transaction, account balance or disclosure and that could be material, either individually or when
200.13n
aggregated with other misstatements, will not be prevented or detected and corrected on a timely
basis by the entity's internal control.

240
 8: Planning, materiality and risk assessment | Part D Assurance engagements

A preliminary assessment of control risk at the planning stage of the audit is required to
determine the level of controls and substantive testing to be carried out. The Canadian Institute of
Chartered Accountants' ('CICA') Research Study 'Extent of Audit Testing' identified four major
factors affecting the level of control risk and they are as follows:
(a) Evaluation of internal control. In general, the stronger the internal controls, the lower the
risk. After the assessment of control risk, auditors should carry out tests of control to obtain
reasonable assurance that the internal controls on which they intend to rely are operating
effectively during the reporting period. Controls testing will be examined in more detail in
Chapter 11.
(b) Work performed by internal and other auditors. If the audit client has an internal audit
function and the auditors decided to rely on the work performed by the internal auditors after
the assessment, the control risk can be adjusted to lower. In addition, if the auditor can rely
on the work performed by another independent auditor in the case of subsidiaries or
branches, the control risk can also be lowered. Use of the work of others will be discussed
further in Chapter 14.
(c) The nature of audit trail. As defined by CICA, audit trail refers to the documentary evidence
either of compliance with internal control procedures or of the transfer of accounting
information from its point of origin through intermediate records to its final inclusion in the
general ledger. Lack of audit trail suggests high control risk.
(d) Computerised accounting system. The existence of such a system and the use of the
computer as an audit tool will affect the assessment of control risk made by the auditor. We
will discuss this further in Chapter 20.

4.1.3 Detection risk

Key term
Detection risk (DR) is the risk that the procedures performed by the auditor to reduce audit risk to
HKSA an acceptably low level will not detect a misstatement that exists and that could be material, either
200.13e
individually or when aggregated with other misstatements.

The third element of audit risk is detection risk. This is the component of audit risk over which the
auditors have a degree of control, because, if risk is too high to be tolerated, the auditors can carry
out more work to reduce this aspect of audit risk. Sampling risk and non-sampling risk are
relevant and will be examined later.
Detection risk relates to the inability of the auditors to examine all evidence. Audit evidence is
usually persuasive rather than conclusive so some detection risk is usually present, allowing the
auditors only to seek 'reasonable assurance' not absolute assurance. Detection risk relates to the
nature, timing and extent of the auditor's procedures that are determined by the auditor to reduce
audit risk to an acceptably low level. It is therefore a function of the effectiveness of an audit
procedure and of its application by the auditor.
There is an inverse relationship between IR and CR versus DR.

HIGH

Assessed risks of material Therefore

misstatement at more audit DR
the assertion level work
IR × CR

241
 Business Assurance

4.2 Business risk

Topic highlights
Business risk is the risk arising to the entity through being in operation.

Key terms
Business risk is the risk resulting from significant conditions, events, circumstances, actions or
HKSA 315.4b inactions that could adversely affect an entity's ability to achieve its objectives and execute its
strategies, or from the setting of inappropriate objectives and strategies. It is split into three
categories:
Financial risks are the risks arising from the financial activities or financial consequences of an
operation, for example, cash flow issues or overtrading.
Operational risks are the risks arising with regard to operations, for example, the risk that a major
supplier will be lost and the entity will be unable to operate.
Compliance risk is the risk that arises from non-compliance with the laws and regulations that
surround the business.

Business risk includes all risks facing the business. In other words, inherent audit risk may include
business risks.
In response to business risk, the directors institute a system of controls. These will include controls
to mitigate against the financial aspect of the business risk. These are the controls some of which
control risk incorporates.
Therefore, although audit risk is very financial statements focused, business risk does form part of
the inherent risk associated with the financial statements, not least, because if the risks materialise,
the going concern basis of the financial statements could be affected.

5 Risk assessment
Topic highlights
When the auditor has obtained an understanding of the entity, he shall identify significant risks and
assess the risks of material misstatement in the financial statements.

HKSA 315.25 5.1 Identifying and assessing the risks of material misstatement
HKSA 315 (Revised 2016) says that the auditor shall identify and assess the risks of material
misstatement at the financial statement level and at the assertion level for classes of
transactions, account balances and disclosures.
It requires the auditor to take the following steps:
Step 1 Identify risks throughout the process of obtaining an understanding of the entity and its
environment.
Step 2 Assess the identified risks, and evaluate whether they relate more pervasively to the
financial statements as a whole.
Step 3 Relate the risks to what can go wrong at the assertion level.
Step 4 Consider the likelihood of the risks causing a material misstatement.

242
 8: Planning, materiality and risk assessment | Part D Assurance engagements

Key term
Assertions are representations by management, explicit or otherwise, that are embodied in the
HKSA 315.4a financial statements, as used by the auditors to consider the different types of potential
misstatements that may occur. We look at these in detail in Chapter 9.

Auditors should determine risks that require special audit consideration ('significant risks') and
consider whether controls are implemented to mitigate these risks.
Auditors should evaluate the design of the entity's controls and should determine the
implementation of the entity's controls. If it is not possible or impracticable to reduce the risks of
material misstatement at the assertion level to an acceptably low level with audit evidence obtained
by substantive testing, then the auditor should evaluate the design and implementation of the
entity's controls.

5.2 Risks of material misstatement at financial statement level or

assertion level
As said in the previous section, under HKSA 315 (Revised 2016), auditors should identify and
assess the risks of material misstatement at the financial statement level and at the assertion
level for classes of transactions, account balances and disclosures.
So what is the difference between the two levels? The two can be contrasted in the following table:

Differences between financial statement level and assertion level

At the financial statement level At the assertion level

 Applying to the financial statements as a  Not able to reduce the risks of material
whole misstatement to an acceptably low level with
audit evidence obtained only from
 Able to reduce audit risk to an
substantive procedures
acceptably low level
 Refer to specific classes of transactions,
 More pervasive to the financial
accounts balances
statements as a whole
 Risks arise from the particular characteristics
 Affect many assertions
of a class of transaction
 Risks from a deficient control
 Identify controls that are likely to prevent,
environment which includes
detect or correct material misstatements
management's attitudes towards good
internal control practice  Comprises of inherent risk and control risk
 Deficiencies in controls, in particular of  Combined assessment of the risk of material
management's lack of competence misstatement
 Aggressive business strategies  Auditor would perform tests of controls to
support the risk assessment
 Significant business risk: such as fraud
 Complexity of business operation
 High pressure on performance
measures and reviews
 Cannot focus on a specific risk
 Concern about the entity as a going
concern

243
 Business Assurance

Differences between financial statement level and assertion level

Factors to consider Factors to consider

 Management integrity  Accounts likely to be susceptible to
misstatements (ie required many
 Management experience and knowledge
adjustments in previous year's audit or
 Unusual pressures on management (ie accounts that include estimated amounts)
plan to go public, bonuses tied to sales
 Complexity of underlying transactions (eg
or profits)
financial instruments)
 Nature of entity's business
 Degree of judgment involved in determining
 Industry factors ie special regulations account balances (eg provision for
and reporting changes contingent liabilities and warranty expenses)
 Susceptibility of assets to loss or
misappropriation
 Completion of unusual transactions
particularly near the year end
 Transactions not subject to ordinary
processing ie special treatment of
transaction (significant risk)

5.3 Significant risks

Topic highlights
Significant risks are complex or unusual transactions that may indicate fraud, or other risks or are
unusual in their characteristics. Routine and non-complex transactions are less likely to give rise to
significant risk than unusual transactions.

Key term
Significant risks are those that require special audit consideration.
HKSA 315.4e
Significant risks are often related to:
HKSA
315.27-29  Non-routine transactions
 Judgmental matters

5.3.1 Significant risks relating to non-routine transactions

Non-routine transactions are transactions which occur occasionally due to either their size or
nature. They are deemed to be of significant risk because there is more:
 Management intervention or overriding in accounting treatment
 Complex accounting principles or calculations
 Manual intervention for data collection and processing
 Opportunity for control procedures not to be followed

244
 8: Planning, materiality and risk assessment | Part D Assurance engagements

5.3.2 Significant risks relating to judgmental matters

Risks of material misstatement may be greater for matters that require the use of accounting
estimates which involve a degree of uncertainty. Auditors must consider:
 Whether accounting principles for accounting estimates have been followed
 Possible interpretations of revenue recognition, and how management may have construed
the transaction
 That the judgment used may be subjective or complex (or unduly optimistic as to the
outcome!)
 The basis for any assumptions about the effects of future events such as fair value
Where there is a significant risk the auditor must thoroughly investigate the entity's controls
pertaining to that risk

5.4 Automation risk

Many companies have taken advantage of the huge strides in information and communications
technology to automate the processing of routine transactions, resulting in little or no manual
intervention, with the result that there is no longer a physical audit trail. Where audit evidence
exists only in electronic form, the auditors should concentrate on tests of controls rather than
substantive procedures.

Self-test question 3
'Zoooom.com' is a retailer of cameras and specialist camera equipment. The company makes all
sales via its website, and has built a strong reputation for selling branded cameras at discounted
prices. All customers are offered 28 days to return any ordered goods to Zoooom.com for a full
refund with no questions asked.
Customers are required to register with Zoooom.com before making a purchase. All customer
details including names, email addresses, credit card details and purchase history are stored in a
data warehouse. This data is used together with cookies in the Zoooom.com website to target
marketing offers to individual customers.
Zoooom.com makes additional revenue by selling advertising space on its website to other related
business, for example, to companies offering photograph printing services or photograph
magazines.
Until 20X3, Zoooom.com only made sales within Hong Kong. However, in August 20X3 the
company launched a new international website allowing sales to be made to customers in
Singapore and Malaysia. Zoooom.com spent HK$150k developing its website for overseas use
and an additional HK$250k advertising in those countries.
Unfortunately, there were some teething issues with the company's deliveries in Singapore. In
November and December 20X3, Zoooom.com received a large number of complaints from
Singaporean customers that goods ordered and paid for never arrived. After an investigation into
the practices of the third party delivery company, Zoooom.com decided to use a new, more reliable
company for delivery in Singapore. The contract with the original company was terminated on 29
December 20X3.
Required
Identify the key risks of material misstatement for the audit of the financial statements of
Zoooom.com for the period ending 31 December 20X3

(The answer is at the end of the chapter)

245
 Business Assurance

6 Overall responses to assessed risk of material

misstatement

Topic highlights
The overall audit strategy and detailed audit plan may need to be revised to address the assessed
risk of material misstatement.

6.1 Overall responses to risks of material misstatement at

financial statement level
HKSA 330.A1 Under HKSA 330 The Auditor's Responses to Assessed Risks, overall responses include issues
such as emphasising to the team the importance of professional scepticism, allocating more staff,
using experts or providing more supervision.
Overall responses to address the risks of material misstatement at the financial statement level will
be changes to the general audit strategy or re-affirmations to staff of the general audit strategy in
order to reduce the audit risk to an acceptably low level. Documentation is required.
For example:
 Emphasising to audit staff the need to maintain professional scepticism
 Assigning additional or more experienced staff to the engagement team
 Providing more training to audit staff
 Providing more supervision on the audit
 Incorporating more unpredictability into the audit procedures
 Making general changes to the nature, timing or extent of audit procedures
 Consider the use of expert
 Collect more pervasive evidence
The evaluation of the control environment that will have taken place as part of the assessment of
the entity's internal control will help the auditor determine what type of audit approach to take.

Some general guidelines

Risk at financial  No specific additional response

statement level is  Maintain professional scepticism
low
Risk at financial  Remind the engagement team to maintain professional scepticism
statement level is  Assign more experienced staff
normal to medium  Budget in more review and supervision
 Consider resigning from the engagement
Risk at financial  Remind the engagement team to maintain professional scepticism
statement level is  Assign more experienced staff
high  Budget more review and supervision
 Assign an expert if required, for example if computer fraud is
suspected
 Do not rely on entity's internal controls and use substantive procedures
only
 Perform audit procedures in unexpected manner
 Consider resignation from engagement

246
 8: Planning, materiality and risk assessment | Part D Assurance engagements

6.2 Overall responses to risks of material misstatements at

assertion level
HKSA 330.6- HKSA 330 says that the auditor shall design and perform further audit procedures whose nature,
7, 10, 18-19 extent and timing are based on and are responsive to the assessed risks of material misstatement
at the assertion level.

AUDIT PROCEDURES

NATURE EXTENT TIMING

 Determine whether to  Quantity of a specific  Perform further audit
perform tests of controls or audit procedures to be procedures at an
substantive testing or both performed interim stage or at
period end
 Substantive approach –  Required judgment on
perform only substantive materiality  Perform audit
testing (No effective procedures before the
 Higher risk = increase
controls); or period end – to identify
extent
significant matters at
Combined approach – use
 Use sampling approach early stage of audit
both tests of controls and
substantive testing  Higher risk = perform
substantive tests nearer
to or at period end
rather than earlier dates
or perform at
unpredictable times

6.2.1 Tests of controls

Key term
Tests of controls are audit procedures designed to evaluate the operating effectiveness of
HKSA 330.4b controls in preventing, or detecting and correcting, material misstatements at the assertion level.

When the auditor's risk assessment includes an expectation that controls are operating effectively,
the auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence
that the controls are operating in a satisfactory manner.
The auditor shall also undertake tests of controls when it will not be possible to obtain sufficient
appropriate audit evidence simply from substantive procedures alone. This might be the case if the
entity conducts its business using IT systems which do not produce documentation of the
transactions.
In carrying out tests of controls, auditors shall use inquiry, among other procedures, such as re-
performance and inspection.
When considering timing in relation to tests of controls, the purpose of the tests will be important.
For example, if the entity carries out a year-end inventory count, controls over the inventory count
can only be tested at the year-end. Other controls will operate all year round, and the auditor may
need to test that those controls have been effective throughout the period.

247
 Business Assurance

Some controls may have been tested in prior audits and the auditor may choose to rely on previous
evidence that they are effective. If this is the case, the auditor shall obtain evidence about any
changes since the controls were last tested and shall test the controls if they have changed. In any
case, controls shall be tested for effectiveness at least once in every three audits.
If the related risk has been designated a significant risk, the auditor shall not rely on testing done in
prior years, but shall perform testing in the current year.

6.2.2 Substantive procedures

Key term
Substantive procedures are audit procedures designed to detect material misstatements at the
HKSA 330.4a assertion level. They consist of tests of details of classes of transactions, account balances and
disclosures, and substantive analytical procedures.

The auditor shall always carry out substantive procedures on material items. HKSA 330 says
that irrespective of the assessed risks of material misstatement, the auditor shall design and
perform substantive procedures for each material class of transactions, account balance and
disclosures.
In addition, the auditor shall carry out the following substantive procedures:
 Agreeing or reconciling the financial statements to the underlying accounting records
 Examining material journal entries
 Examining other adjustments made in preparing the financial statements
Substantive procedures fall into two categories: substantive analytical procedures and tests of
details. The auditor must determine when it is appropriate to use which type of substantive
procedure.
Substantive analytical procedures as substantive procedures tend to be appropriate for large
volumes of predictable transactions (for example, wages and salaries). Tests of details may be
appropriate to gain information about account balances for example, inventory or trade receivables.
Tests of details rather than substantive analytical procedures are likely to be more appropriate with
regard to matters which have been identified as significant risks, but the auditor must develop
procedures that are specifically responsive to that risk, which may include substantive analytical
procedures. Significant risks are likely to be the most difficult to obtain sufficient appropriate audit
evidence about.

Self-test question 4
(a) In a recent global internal audit summit conference, one of the speakers, who is the Chief
Internal Auditor of a global Fortune 500 company, said 'Internal controls can only provide
reasonable assurance but not absolute assurance. Fraud can always exist even when a
company has perfect internal controls.'
Required
Do you agree with this statement? Explain your view. (4 marks)
(b) Situation 1
You are the auditor of the trading branch of a multinational company which has only five
employees working in its Hong Kong office. The multinational company sets a good tone at
the top. All books and records of the branch are prepared and maintained by one accounting
staff member using the spreadsheet software, Microsoft Excel. The annual turnover and
profit of the Hong Kong branch for the year are approximately HK$20,000,000 and
HK$300,000 respectively.

248
 8: Planning, materiality and risk assessment | Part D Assurance engagements

Situation 2
You are engaged to audit a principal subsidiary of a listed company. The prior year's audited
results indicated that all key controls in place at the subsidiary were operating effectively.
During the interim audit, the management confirmed that there had been no change of
processes and key personnel who operate the key processes. The annual turnover of the
subsidiary is approximately HK$500,000,000.
Situation 3
The same facts as in situation (ii), except that during the interim audit, the management
confirmed that there were changes in the purchase processes during the year. In addition,
the potential understatement of accounts payable is considered as a significant risk by the
engagement team.
Required
Suggest and explain your audit approach for each of the above situations. Would you
recommend a test of details, a test of controls, or a combination of both in your suggested
audit approach? (9 marks)
(Total = 13 marks)
HKICPA December 2014
(The answer is at the end of the chapter)

249
 Business Assurance

Topic recap

Must be
AUDIT PLANNING documented

UNDERSTANDING THE Inquiries

ENTITY Analytical procedures
Observation and inspection

Must identify RISK ASSESSMENT Materiality

significant risks

Financial Performance
statements as materiality
a whole

Responding to
Business risk Audit risk
assessed risk

Financial risk Risk of material

Audit strategy Detection risk
Operating risk misstatement
Compliance risk

Audit plan: At financial At assertion

detailed statement level level
procedures

Nature Inherent risk Control risk

(Tests of controls /
substantive
procedures)
Extent
Timing

250
 8: Planning, materiality and risk assessment | Part D Assurance engagements

Answers to self-test questions

Answer 1
(a) Understanding the entity can help the auditor in:
(i) Fully understanding the client's industry, business and organisation
(ii) Assessing the engagement risks
(iii) Communicating with client's staff
(iv) Assessing the reliability of written representations from management
(v) Determining the appropriateness of accounting policies and disclosures
(b) (i) General economic factors include:
- General level of economic activity (e.g. recession, growth etc.)
- Inflation
- Interest rates and availability of financing
- Government policies
- Foreign currency rates
- Commodity prices
(ii) Industry factors include:
Market competition
Changes in product technology
Business risk because of high technology
Environmental regulation and problems
(iii) The entity factors include:
Beneficial owners and related parties
Capital structure including any recent or planned changes
Acquisitions, mergers or disposal of business
Sources and methods of financing
Independence of board of directors

Answer 2
(a) Materiality is an expression of the relative significance or importance of a particular matter in
the context of financial statements as a whole.
The consideration of materiality is divided into:
 HKSA 320 Materiality in Planning and Performing an Audit
 HKSA 450 Evaluation of Misstatements Identified during the Audit
The following factors or the understanding of client may be considered:
 The elements of the financial statements (e.g., assets, liabilities, equity, revenue,
expenses).
 Whether there are items on which the attention of the users of Mary Limited's financial
statements tends to be focused (e.g., for the purpose of evaluating financial
performance users may tend to focus on profit, revenue or net assets).

251
 Business Assurance

 The nature of the entity and the industry and economic environment in which the entity
operates.
 The entity's ownership structure and the way it is financed (e.g., if an entity is financed
solely by debt rather than equity, users may put more emphasis on assets, and claims
on them, than on the entity's earnings).
The relative volatility of the benchmark chosen for materiality.
The determination of materiality is not a mechanical exercise without the appropriate
consideration of the facts and circumstances surrounding the audit engagement. The
exercise of professional judgment is involved.
(b) Examples of benchmarks that may be appropriate for the materiality setting, include the
following:
 Categories of reported income such as profit before tax
 Total revenue, gross profit and total expenses
 Total equity or net asset value.
 In relation to the chosen benchmark, relevant financial data ordinarily include:
 Prior periods' financial results and financial positions
 The period-to-date financial results and financial position
 Budgets or forecasts for the current period, adjusted for significant changes in the
circumstances of the entity (e.g., a significant business acquisition)
 Relevant changes of conditions in the industry or economic environment in which the
entity operates.
Mary Limited is a listed entity, and profit before tax from continuing operations is often used
as the benchmark of the financial statements because that is typically what users of the
financial statements primarily focus on. When profit before tax from continuing operations is
volatile, other benchmarks may be more appropriate, such as gross profit or total revenues.
Determining a percentage to be applied to a chosen benchmark involves the exercise of
professional judgment. There is a relationship between the percentage and the chosen
benchmark, such that a percentage applied to profit before tax from continuing operations
will normally be higher than a percentage applied to total revenue.
A technique that is often used to determine materiality involves estimating profit before tax
from continuing operations for the current period and then applying a percentage in the
range of 5-10% to that amount. Other percentages may be used based on the professional
judgment of the auditor.
The auditor shall include in the audit documentation the amounts and the factors considered
in determination of materiality for the financial statements as a whole.
(c) Materiality for the financial statements as a whole is determined for Mary Limited based on a
percentage of profit before tax from continuing operations, circumstances that give rise to an
exceptional decrease or increase in such profit may lead us to conclude that materiality for
the financial statements as a whole is more appropriately determined using a normalised
profit before tax from a continuing operations figure based on past results.
When we decide to normalize the benchmark amount, it may be appropriate to:
 Remove the unusual circumstance from the current period results;
 Use a simple average of the current period and two or more preceding periods; or
 Use another method to estimate the amount for the current period.
In considering whether it is appropriate to normalise the benchmark, we need to consider the
trend in the benchmark.

252
 8: Planning, materiality and risk assessment | Part D Assurance engagements

Answer 3
Risks of material misstatement
Revenue recognition is a key financial statement risk area. The following risks apply:
 Risk that revenue from sales is overstated due to customers being able to return goods up to
28 days after the period end (insufficient provision made for post-year end returns as returns
tend to be higher for an e-commerce business than sales carried out face-to-face)
 Risk of advertising revenue being recognised in the incorrect period, or being misstated due
to potentially complex online advertising arrangements. Recognition of advertising revenue
can be complex and the engagement team will need to understand the terms and conditions
for recognition.
 This is Zoooom.com's first period of trading in two new foreign markets, increasing the risk
that foreign currencies have been translated incorrectly resulting in a misstatement of
revenue or costs.
 Risk of overstated revenue, as Zoooom.com may still need to provide refunds to customers
in Singapore after the period end for goods ordered but not yet delivered by the period end.
Other financial statement risk areas include the following:
 Risk that the costs of developing the overseas website have been capitalised incorrectly,
resulting in an overstatement of assets and understatement of expenses.
 Increased risk that taxation relating to sales in Singapore and Malaysia may not have been
calculated correctly as this is Zoooom.com's first year of trading in those countries.
 Risk that Zoooom.com may not have disclosed a contingent liability in the financial
statements if the original delivery company legally contests the termination of its contract.
 There is an increased risk of overstatement of inventory at Zoooom.com due to the rapid
development of camera equipment meaning it quickly becomes obsolete.

Answer 4
(a) Internal controls can only provide reasonable assurance but not absolute assurance as there
are inherent limitations such as:
(a) The cost of control not outweighing the benefits
(b) The potential for human error
(c) Collusion between employees
(d) Possibility of controls being by-passed or over-ridden by management
(e) Controls being designed to cope with routine but not unusual transactions
Human error and potential for fraud are the most serious challenges to internal control, as
any control system is only operating effectively as long as the people operate it.
If employees decide to commit fraud by collusion, or management commit fraud by
overriding systems, they probably do so in the knowledge that they can manipulate the
accounting system to conceal their fraudulent activity.
(b) Situation 1
A test of details audit approach is suggested.
Though the branch seems to have a good control environment that is subject to a good tone
at the top, the branch's lack of segregation of duties due to a limited number of staff could be
a problem.
There is no accounting control that can be relied on, as all books and records are kept by the
same accounting staff which indicates that there is no process for review and approval.

253
 Business Assurance

Situation 2
An audit approach which combines tests of controls with tests of details is suggested.
The principal subsidiary seems to have effective controls in place. The engagement team
may be able to rely on the accounting controls.
The auditor should perform procedures to verify management's representation to validate
any change of process and key personnel during the year.
Test of details are also required for areas that are designated as significant risk.
There is a rebuttable presumption that management override of controls and fraud risk in
revenue recognition are significant risks, so that tests of details should be performed.
Situation 3
An audit approach which combines tests of controls with tests of details is suggested.
The engagement team should perform a walkthrough test to confirm its understanding of the
changes in the purchase and payable cycle, identify and evaluate the key controls.
The engagement team should also perform a validation test to ensure the key controls are
effective during the year.
Test of details should be performed to address the significant risk in account payables, eg
send account payable confirmation, perform purchase cut-off test.

254
 8: Planning, materiality and risk assessment | Part D Assurance engagements

Exam practice

ABC Industrial Limited 18 minutes

You are the audit manager of a Hong Kong CPA firm, Ng, Tung & Co ('NTC'), and are currently in
charge of the audit of ABC Industrial Limited ('ABC') for the year ended 31 December 20X5. Your
firm has been the auditor of ABC since its incorporation in Hong Kong. In the audits of the financial
statements of ABC during the last five years, your firm was satisfied with the internal controls of
ABC and did not issue any modified opinion on the financial statements.
ABC is a company incorporated in Hong Kong and manufactures a wide range of medium-end
cosmetic products. Sales are mainly made to major chain stores and drug retailers in Europe and
the USA. ABC is wholly owned by the Cheung family and has a simple management structure.
Managers of the respective departments report directly to the Managing Director, Mr Paul Cheung.
During the course of the audit, the following information has come to your attention:
(1) Due to the rebound of the economy, ABC has seen a significant turnover of accounting staff
during the year under review. After six years of service with the company, the manager of
the accounts department, Ms Hung, left the company in late November 20X5 and moved to a
listed company as a financial controller.
(2) ABC has adopted a perpetual inventory system. The warehouse staff conduct an interim
physical count at the end of every month for 15% of the stock items on a rotation basis.
Except for those which can be properly reconciled, all differences between the book and the
physical taking results are adjusted to the results of the physical taking.
(3) A full physical inventory taking was conducted at the end of the reporting period. Inventory
with a book value of approximately HK$900,000 was written off as a result of this exercise.
Members of your engagement team observed the full physical inventory taking at the end of
the reporting period and reported that it was properly conducted. However, upon further
inquiry, you discovered that all the members of ABC's 'counting team', which was
responsible for the inventory count, were drawn from the warehouse staff. In addition, Mr
Wong, the staff member in charge of ABC's 'checking team', which was supposed to
supervise the counting team, was the husband of ABC's shipping and warehouse manager,
Mrs Helen Wong.
(4) During a meeting with ABC's financial controller, Ms Guo, you were informed that Mr Wong,
a nephew of Mr Paul Cheung, had been working with ABC for more than ten years and was
considered to be trust-worthy by ABC's management. Mr Wong was originally the manager
of ABC's personnel and administration department, and had no involvement in either the
sales or purchases of the company previously. Mr Wong was only temporarily assigned to
the accounts department upon Ms Hung's resignation to take over the supervision work of
that department until a suitable candidate was found, and thus inevitably became head of the
'checking team' during the physical inventory taking. The company has been diligently
looking for a replacement for Ms Hung but without any success. Based on Ms Guo's
assessment of the current labour market, it was unlikely that ABC could recruit a suitable
accounting manager before the financial statements for the year ended 31 December 20X5
are finalised.

255
 Business Assurance

(5) Your audit assistant was unable to perform certain usual sales and purchases cut-off tests
as the books and records of ABC after the year-end had not been written up-to-date due to a
shortage of manpower in the accounts department. Your assistant was unable to examine
the documentary controls of inventory movements after the period end. As an alternative test,
your audit assistant circularised trade receivables and trade payables that showed significant
balances in the ledger at the period end, and reviewed the board minutes after the year-end.
The response rates for both the trade receivables and the trade payables circularisation tests
were considered to be satisfactory, and your assistant reported that no material discrepancy
was found from the confirmation procedures.
(6) Since March 20X5, ABC has been exploring the Mainland market by dispatching goods to a
number of drug stores in Guangdong Province on a consignment basis. Revenue from these
consignment arrangements is recognised on a monthly basis upon revenue information
supplied by the respective drug stores, confirming the amount of goods eventually sold to the
ultimate customers. Invoices are then issued by ABC to the drug stores. The drug stores are
allowed the standard credit period of 60 days, from the invoice issuance date. According to
the records, goods with a cost of HK$5,000,000 have been sent to various drug stores on
this basis during the year. In the draft financial statements, ABC recognised revenue of
HK$6,000,000 from these consignment arrangements. This represents about 10% of the
revenue for the year. Consignment goods of HK$2,000,000 were included as the year-end
inventory, representing about 10% of the total inventory.
Required
Assess the risk of material misstatements at the financial statement level. You should write down
the specific circumstances of ABC that you have considered and your judgment about the risk level.
(10 marks)
HKICPA May 2006 (amended)

256
chapter 9

Audit evidence, procedures,

audit methodologies and
audit sampling
Topic list

1 Audit evidence 4 Audit sampling

1.1 The need for audit evidence 4.1 Introduction to audit sampling
1.2 Sufficient appropriate audit evidence 4.2 Design of the sample
2 Financial statement assertions 4.3 Sample size and risk
2.1 Audit procedures to obtain audit 4.4 Performing audit procedures on items
evidence selected
3 Audit methodologies 4.5 Deviation or misstatements
3.1 Overview 4.6 Projecting misstatements
3.2 Risk-based audit 4.7 Evaluation of sample results
3.3 'Top-down' approach 5 Audit documentation
3.4 Systems audit versus system-based 5.1 Requirement of audit documentation
audit 5.2 Reasons for audit documentation
3.5 Balance sheet approach 5.3 Audit files
3.6 Transaction cycle approach 5.4 Standardised and automated working
3.7 Directional testing papers
3.8 Cost and performance efficiency of 5.5 Safe custody and retention of working
different audit methodologies papers
3.9 Summary of approaches 5.6 Significant matters
5.7 Assembly of the final audit file
5.8 Changes to audit documentation in
exceptional circumstances after the date
of the auditor's report

Learning focus

In this chapter you will study the different types of audit tests used to obtain audit evidence.
The tests used and evidence required will depend on the specific balances or transactions
being tested and also the areas where a higher risk of misstatement has been identified.

257
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.04 Audit methodologies 3
2.04.01 Describe the key features of the following audit methodologies:
2.04.01.01 Risk-based auditing
2.04.01.02 Top-down auditing
2.04.01.03 System-based auditing
2.04.01.04 Systems audit
2.04.01.05 Balance sheet approach
2.04.01.06 Transaction cycle approach
2.04.01.07 Directional testing
2.04.02 Understand the cost and performance efficiency of different audit 2
methodologies
2.07 Documentation 3
2.07.02 Explain the need for and the importance of audit documentation
2.09 Audit procedures 3
2.09.01 Define audit sampling
2.09.02 Explain the need for sampling
2.09.03 Apply the basic principles of sampling
2.09.04 Assess and explain the results of sampling
2.10 Audit evidence 3
2.10.01 Explain the procedures by which audit evidence may be
obtained
2.10.02 Assess the appropriate and sufficiency (relevance and reliability)
of different sources of audit evidence
2.10.03 Explain the assertions contained in the financial statements and
their use in obtaining evidence

258
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

1 Audit evidence

Topic highlights
Auditors must obtain sufficient appropriate audit evidence. Audit evidence can be in the form of
tests of controls or substantive procedures.

1.1 The need for audit evidence

HKSA 500.5 Audit evidence is the proof the auditor uses to substantiate an opinion as a result of all the
procedures performed. There must be sufficient evidence of suitable quality in order for the auditor
to reach a reasonable conclusion on which to base an opinion.

Key term
Audit evidence is information used by the auditor in arriving at the conclusions on which the
HKSA 500.5c auditor's opinion is based. Audit evidence includes both information contained in the accounting
records underlying the financial statements and information obtained from other sources.

What constitutes audit evidence? Evidence includes the accounting data on which the balances in
the financial statements are based, and any other information sought by the auditors, such as
confirmations from third parties or management assertions. Audit evidence is cumulative in nature
and is obtained from procedures carried out during the course of the audit. It is not expected, or
realistic, that auditors might look at all the information that exists.
Under HKSA 500 Audit Evidence, the auditor is required to:
(a) Obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on
which to base the audit opinion
(b) Ascertain the accuracy and completeness of the evidence
(c) Use assertions for classes of transactions, account balances and presentation and
disclosures in sufficient detail to form a basis for the assessment of risks of material
misstatements
It is management's responsibility to prepare financial statements based upon the accounting
records.

1.2 Sufficient appropriate audit evidence

HKSA 500.6, HKSA 500 requires that the auditor shall design and perform audit procedures that are appropriate
A4-5, A7 in the circumstances for the purpose of obtaining sufficient appropriate audit evidence. 'Sufficiency'
and 'appropriateness' are closely linked and apply to both tests of controls and substantive
procedures.

Key terms
Sufficiency is the measure of the quantity of audit evidence.
HKSA 500.5
Appropriateness is the measure of the quality or relevance and reliability of the audit evidence.

How much audit evidence is required depends on the level of risk in the area being audited, and
the quality of evidence which may be obtained. If the evidence is both highly relevant and reliable
then it may suffice. The quality of evidence can be measured by various criteria which we cover in
the paragraphs below.

259
 Business Assurance

1.2.1 Relevance and reliability of audit evidence

Relevance of audit evidence may be affected by the direction of testing and deals with the logical
connection with the purpose of the audit procedures or the assertion under consideration.
Reliability of audit evidence is influenced by the source and its nature, and the circumstances
under which the audit evidence is obtained. Controls over preparation of the information and the
maintenance of the information are relevant.
To be able to form an opinion the auditor must form an opinion as to whether information provided
by the entity is sufficiently reliable for the auditor's purposes (HKSA 500). This entails:
 Obtaining audit evidence about the accuracy and completeness of the information
 Evaluating whether the information is sufficiently accurate and detailed for the auditor's
purposes
The following checklist may help in assessing the reliability of audit evidence:

Source Quality of evidence

External Audit evidence from external sources is more reliable than that obtained from
the entity's records because it is from an independent source outside the
entity
Auditor Evidence obtained directly by auditors is more reliable than that obtained
indirectly or by inference
Entity Evidence obtained from the entity's records is more reliable when the related
control system operates effectively
Written Evidence in the form of documents (paper or electronic) or written
representations are more reliable than oral representations, since oral
representations can be retracted
Originals Original documents are more reliable than photocopies or facsimiles, which
can easily be altered by the entity

Auditors must use professional judgment and exercise professional scepticism when
evaluating the sufficiency and appropriateness of audit evidence to support the audit opinion.

1.2.2 Assessing the appropriateness and sufficiency of different sources of

audit evidence
Sources of audit evidence
The auditor can only provide reasonable assurance that the financial statements contain no
material misstatements. The auditor can use different sources and methods to obtain audit
evidence, including sampling and analytical procedures to form audit opinion.
A particular audit procedure may provide audit evidence that is relevant to a particular assertion.
Audit evidence can be collected from internal or external sources, for example:
(a) Internal sources of audit evidence include: accounting records, management reports and
documents, internal control, assets, management and other employees.
(b) External sources of audit evidence include: documents from suppliers, customers, bankers,
professionals eg lawyers, surveyors and lenders to the entity.
Performing some audit procedures such as analysing, reviewing, reperforming or reconciling can
collect audit evidence and through the performance of such audit procedures, the auditor may
determine whether the accounting records are consistent and agree to the financial statements.
Consistent audit evidence, that is obtained from different sources or a different nature, can give
more assurance than from items of audit evidence considered individually.

260
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

In determining the sufficiency and sources of evidence required to support the audit opinion, the
auditor normally considers the following:
(i) Relevance and reliability of information obtained
(ii) Materiality of the items being audited
(iii) The cost of collection of audit evidence
(iv) The consistency of audit evidence obtained from different sources
Sources of information
The auditor is required to consider whether the collected information from the following sources is
also relevant to identifying risks of material misstatement:
(i) Client acceptance or continuous process
(ii) Information obtained from other engagements the engagement partner has performed for the
entity
(iii) The auditor's previous experience with the entity
(iv) Audit procedures conducted in previous audits
Auditors should determine whether changes have occurred since the previous audit that may affect
its relevance to the current audit.

2 Financial statement assertions

Topic highlights
Audit procedures are designed to obtain evidence about the financial statement assertions.
Assertions relate to classes of transactions and events, account balances at the period-end,
and presentation and disclosure.

Key term
Assertions are representations by management, explicit or otherwise, that are embodied in the
HKSA 315.4 financial statements, as used by the auditor to consider the different types of potential
misstatement that may occur.

HKSA 315. The auditor will carry out procedures that are designed to test the assertions made by
A111
management. HKSA 315 (Revised 2016) identifies these as follows:
HKSA 315.
A124 Assertions used by the auditor
Assertions about Occurrence: transactions and events that have been recorded or
classes of disclosed, have occurred, and such transactions and events pertain to the
transactions and entity
events and Completeness: all transactions and events that should have been
related recorded have been recorded, and all related disclosures that should
disclosures for have been included in the financial statements have been included
the period under
audit Accuracy: amounts and other data relating to recorded transactions and
events have been recorded appropriately and related disclosures have
been appropriately measured and described
Cut-off: transactions and events have been recorded in the correct
accounting period
Classification: transactions and events have been recorded in the proper
accounts

261
 Business Assurance

HKSA 315.
A124 Assertions used by the auditor

Presentation: transactions and events are appropriately aggregated or

disaggregated and clearly described, and related disclosures are relevant
and understandable in the context of the requirements of the applicable
financial reporting framework
Assertions about Existence: assets, liabilities, and equity interests exist
account Rights and obligations: the entity holds or controls the rights to assets,
balances and and liabilities are the obligations of the entity
related
disclosures at Completeness: all assets, liabilities and equity interests that should have
the period-end been recorded have been recorded, and all related disclosures that
should have been included in the financial statements have been included
Accuracy, valuation and allocation: assets, liabilities, and equity
interests have been included in the financial statements at appropriate
amounts and any resulting valuation or allocation adjustments have been
appropriately recorded, and related disclosures have been appropriately
measured and described
Classification: assets, liabilities and equity interests have been recorded
in the proper accounts
Presentation: assets, liabilities and equity interests are appropriately
aggregated or disaggregated and clearly described, and related
disclosures are relevant and understandable in the context of the
requirements of the applicable financial reporting framework
Assertions about The assertions above (adapted as appropriate) may be used when
other considering the potential misstatements that may occur in disclosures not
disclosures directly related to recorded classes of transactions, events, or account
balances, for example risks arising from financial instruments.

2.1 Audit procedures to obtain audit evidence

Topic highlights
Audit evidence can be obtained by inspection, observation, inquiry and confirmation, recalculation,
re-performance and analytical procedures.

HKSA The auditor obtains audit evidence by undertaking audit procedures to do the following:
500.A10-25
(a) Obtain an understanding of the entity and its environment to assess the risks of material
misstatement, whether due to fraud or misstatement, at the financial statement and assertion
levels (risk assessment procedures)
(b) Test the operating effectiveness of controls in preventing, or detecting and correcting,
material misstatements at the assertion level (tests of controls)
(c) Detect material misstatements at the assertion level (substantive procedures)
The auditor must always perform risk assessment procedures to provide a satisfactory
assessment of risks.
Tests of controls are necessary to test the controls to support the risk assessment, and are used
when there is expectation of the operating effectiveness of controls and also when substantive
procedures alone do not provide sufficient appropriate audit evidence.

262
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

Substantive procedures must always be carried out for material classes of transactions, account
balances and disclosures.
The audit procedures described in the table below can be used as risk assessment procedures,
tests of controls and substantive procedures.

Key terms
Tests of controls are designed to evaluate the operating effectiveness of controls preventing, or
HKSA 330.4 detecting and correcting, material misstatements at the assertion level.
Substantive procedures are audit procedures designed to detect material misstatements at the
assertion level.
They are generally of two types:
 Substantive analytical procedures
 Tests of details of classes of transactions, account balances and disclosures

Auditors obtain evidence by one or more of the following procedures.

Procedures

Inspection of Inspection of tangible assets that are recorded in the accounting records confirms
tangible assets existence, but does not necessarily confirm rights and obligations or valuation.
Confirmation that assets seen are recorded in accounting records gives
evidence of completeness.
Inspection of This is the examination of documents and records, both internal and external, in
documentation paper, electronic or other forms. This procedure provides evidence of varying
or records reliability, depending on the nature, source and effectiveness of controls over
production (if internal).
Inspection can provide evidence of existence (eg a document constituting a
financial instrument), but not necessarily about ownership or value. In addition,
inspecting an executed contract may provide audit evidence to the entity's
application of accounting policies, such as revenue recognition.
Observation This involves watching a procedure or process being performed (for example,
post opening). It is of limited use, as it only confirms the procedure took place
when the auditor was watching, and because the act of being observed could
affect how the procedure or process was performed.
Inquiry This involves seeking information from entity staff or external sources.
Strength of evidence depends on the knowledge and integrity of source of
information. Inquiry alone does not provide sufficient audit evidence to detect a
material misstatement at assertion level nor is it sufficient to test the operating
effectiveness of controls.
Confirmation This is the process of obtaining a representation of information or of an existing
condition directly from a third party eg confirmation from bank of bank balances.
Confirmations are used to obtain audit evidence about the absence of certain
conditions.
Recalculation This consists of checking the mathematical accuracy of documents or records
and can be performed through the use of IT.
Reperformance This is the auditor's independent execution of procedures or controls that were
originally performed as part of the entity's internal control.
Analytical Evaluating and comparing financial and/or non-financial data for plausible
procedures relationships. Also include the investigation of identified fluctuations and
relationships that are inconsistent with other relevant information or deviate
significantly from predicted amounts.

263
 Business Assurance

Self-test question 1
In auditing various accounts, there may be a choice of the types or amounts of evidence available
to evaluate management's assertions. For the following three accounts, describe some high quality
forms of evidence that the auditor should obtain.
(a) The net balance in accounts receivable
(b) The additions to non-current assets
(c) The accounts payable
(The answer is at the end of the chapter)

3 Audit methodologies
3.1 Overview
Relies on analysis Efficient as limits
of audit risk substantive testing

Controls testing focused on control

environment
Directs resources to areas where Normally undertaken with risk-
there is risk of misstatement based approach

Reliance on analytical
procedures

Top-down approach Risk-based audit Balance sheet

approach
Reduced level of
detailed testing

Most common approach to

substantive audit
Considers business risk which may
lead to material misstatement AUDIT METHODOLOGIES

Systems audit Directional testing Transaction cycle

approach

Auditor predominantly tests Method of undertaking substantive Substantiates the transactions which
controls and systems testing based on double entry principle appear in the financial statements

Management Segregation of Security

policy duties

264
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

3.2 Risk-based audit

Topic highlights
Risk-based auditing refers to the development of an audit strategy in response to identified risk
factors in an entity's business environment. Auditors use judgment to determine what level of risk
pertains to different areas of an entity's systems and devise appropriate audit tests which target the
most high-risk areas.

Under the risk-based approach audit resources are directed most heavily towards those areas that
have been identified as those where a misstatement is most likely to occur. This increases the
opportunities for detecting misstatements and avoids excessive time being spent testing areas
where the risk is relatively low.
The use of risk-based auditing has grown in response to two main factors:
(a) Increased complexity in the business environment augmenting the danger of fraud or
misstatement. Computerised systems where access and intervention by unauthorised
personnel are harder to detect, growing internationalisation of business and higher levels of
cross-border transactions add to the complexity.
(b) Auditors are under increased pressure to deliver an improved level of service while keeping
fee levels down.

3.3 'Top-down' approach

Topic highlights
With a 'top-down' approach (sometimes known as the business risk approach) controls testing is
targeted at high level controls and the amount of substantive testing is reduced.

HKSA 315 (Revised 2016) (which you studied in Chapter 8) requires that, as part of obtaining an
understanding of the entity and its environment, auditors consider the entity's own process for
assessing its business and environmental risks, and the potential impact that these might have on
the risk of material misstatements in the financial statements.
This 'business risk' approach was developed because sometimes the risk of the financial
statements being misstated arises predominantly from the business risks of the entity, as
discussed in Chapter 8.
Auditors must consider:
 Which factors lead to the problems which may cause material misstatements
 How the audit may contribute to the business pursuing its goals
The business risk audit works by repeating the risk management steps used by the directors in
running the business. The auditors will check that the financial statement objectives have been
met, through a wider investigation as to whether the entity has successfully attained its other
business objectives and through using the process of analysis as a way of furthering their own
understanding about the entity, its management and the environment in which it operates.
This approach has been called a 'top-down' approach, because it starts with a high level view of
the business and its objectives and works back down to the financial statements. It is more
traditional to start with the balances themselves and work up.

265
 Business Assurance

The procedures used have to be modified accordingly:

Audit procedure Effect of 'top-down' approach

Tests of Controls testing is focused on the control environment and corporate

controls governance rather than the detailed procedural controls tested under
traditional approaches
Analytical Analytical procedures are used more heavily in a business risk approach
procedures as they are consistent with the auditor's desire to understand the entity's
business rather than to prove the figures in the financial statements
Detailed testing The combination of the above two factors, particularly the higher use of
analytical procedures will result in a lower requirement for detailed testing,
although substantive testing will not be eliminated completely

The other advantage of a business risk approach is there is greater opportunity for the auditor to
add value to the entity's business and to enhance risk management strategies for the business in
the future.

3.3.1 Advantages of top-down approach

There are a number of reasons why firms who use the (top-down) approach prefer it to historic
approaches:
(a) Adds more value as the approach focuses on the business as a whole
(b) Audit attention focused on high level controls and extensive use of analytical procedures
increases audit efficiency and therefore reduces cost
(c) Does not focus on routine processes, which technological developments have rendered less
prone to misstatement than has historically been the case
(d) Responds to the importance that regulators and the government have placed on corporate
governance in recent years
(e) Lower engagement risk (risk of auditor being sued) through broader understanding of the
entity's business and practices

3.4 Systems audit versus system-based audit

3.4.1 Systems audit

Topic highlights
An auditor may predominantly test controls and systems, but substantive testing can never be
eliminated entirely.

As part of any audit, auditors assess the quality and effectiveness of the accounting system.
An auditor will focus especially on the system of controls put in place by the directors and ascertain
whether they believe it is effective enough for them to be able to rely on it for the purposes of their
audit. If they believe that the system is effective, auditors will carry out tests of controls to ensure
that the control system operates and, at the same time, auditors will reduce the amount of
substantive testing.
Increasingly, auditors must take consideration of computer systems. Auditors may accept an
assurance engagement to undertake this task outside of the main audit and to report on their
findings.

266
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

The following are the key areas on which they are likely to concentrate in order to establish how
reliable the systems are:

Factors Questions asked

Management  Does management have a written statement of policy with regard to
policy computer systems?
 Is it compatible with management policy in other areas?
 Is it adhered to?
 Are the policies sufficient and effective?
 Is it updated when the systems are updated?
 Does it relate to the current system?
Segregation  Is there adequate segregation with regard to data input?
of duties
 Are there adequate system controls (eg passwords) to enforce
segregation of duties?
Security  Is there a security policy in place? This may include physical security
such as locked doors, access security such as passwords and data
security such as anti-virus software
 Is it adhered to?
 Is it sufficient and effective?

The system audit file usually contains the auditor's notes and procedures of the internal control and
accounting system on an entity. The documentation and the tests of controls performed may be
separately filed in a system audit file which is often assembled in the interim visit and updated in
the final visit.

3.4.2 System-based audit

System-based auditing is an audit methodology designed to check upon the adequacy and
effectiveness of internal controls in both financial and non-financial systems. This audit approach
employs a systematic method to identify core problems by examining the system in question to
identify the causes of problems and to come up with a fundamental remedy.
For example, a system-based audit would examine the overall financial system without stopping to
point out the known problems in order to reach the root cause and recommend how to address the
problems. System-based auditing focuses on the most strategic and high risk areas.

3.5 Balance sheet approach

Topic highlights
An auditor may choose predominantly to carry out substantive tests on year end balances.

3.5.1 Balance testing

The balance sheet approach is the most common approach to the substantive part of the
audit, after controls have been tested.
The statement of financial position (balance sheet) shows a 'snapshot' of the financial position of
the business at a point in time. It follows that if it is fairly stated and the previous snapshot was
fairly stated then it is reasonable to undertake lower level testing on the transactions which connect
the two, for example, analytical procedures (examined in Chapter 8).

267
 Business Assurance

Therefore under this approach, the auditors seek to concentrate efforts on substantiating the
closing position in the year, shown in the statement of financial position, having determined that the
closing position from the previous year (also substantiated) has been correctly transferred to be the
opening position in the current year.

3.5.2 Relationship with business risk approach

It is stated above that the substantive element of an audit undertaken under a business risk
approach is restricted due to the high use of analytical procedures. However, the element of
substantive testing which remains in a business risk approach can be undertaken under the
balance sheet approach.
In some cases, particularly small entities, the business risks may be strongly connected to the fact
that management is concentrated in one person. Another feature of small entities may be that their
statement of financial position is uncomplicated and contains one or two material items, for
example, receivables or inventory.
When this is the case, it is often more cost-effective to undertake a highly substantive
approach than to undertake a business risk assessment, as it is relatively simple to obtain the
assurance required about the financial statements from taking that approach.

3.5.3 Limitations of the balance sheet approach

When not undertaken in conjunction with a risk-based approach or systems testing, the level of
detailed testing can be high, rendering it costly.

3.6 Transaction cycle approach

Cycles testing is in some ways closely linked to systems testing, because it is based on the same
systems.
When auditors take a cycles approach, they test the transactions which have occurred, resulting in
the entries in the statement of profit or loss and other comprehensive income or statement of
financial position (for example, sales transactions, inventory purchases, asset purchases, wages
payments, and other expenses).
They would select a sample of transactions and test that each transaction was complete and
processed correctly throughout the cycle. In other words, they substantiate the transactions which
appear in the financial statements.

3.7 Directional testing

Topic highlights
Directional testing is a method of discovering misstatements and omissions in financial statements.

Directional testing is a method of undertaking detailed substantive testing. Substantive testing

seeks to discover misstatements and omissions, and the discovery of these will depend on the
direction of the test.
Broadly speaking, substantive procedures can be said to fall into two categories:
 Tests to discover misstatements (resulting in over or understatement)
 Tests to discover omissions (resulting in understatement)

268
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

3.7.1 Tests designed to discover misstatements

These tests will start with the financial statement records in which the transactions are recorded
and check from the entries to supporting documents or other evidence. Such tests should detect
any overstatement and also any understatement through causes other than omission.

3.7.2 Tests designed to discover omissions

These tests must start from outside the accounting records and then check back to those records.
Understatements through omission will never be revealed by starting with the financial statement itself
as there is clearly no chance of selecting items that have been omitted from the financial statement.

3.7.3 Directional testing and double entry

The concept of directional testing derives from the principle of double entry bookkeeping, in that for
every debit there is a corresponding credit, (assuming that the double entry is complete and that
the financial statement records balance). Therefore, any misstatement of a debit entry will result
in either a corresponding misstatement of a credit entry or a misstatement in the opposite
direction, of another debit entry.
By designing audit tests carefully the auditors are able to use this principle in drawing audit
conclusions, not only about the debit or credit entries that they have directly tested, but also about
the corresponding credit or debit entries that are necessary to balance the books.
So, by performing the primary tests the auditors obtain audit assurance in other audit areas.
Successful completion of the primary tests will therefore result in them having tested all financial
statement areas both for overstatement and understatement.
The major advantage of the directional audit approach is its cost-effectiveness:
(a) Assets and expenses are tested for overstatement only, and liabilities and income for
understatement only, that is, items are not tested for both overstatement and understatement.
(b) It audits directly the more likely types of transactional misstatement, ie unrecorded income
and improper expense (arising intentionally or unintentionally).

3.8 Cost and performance efficiency of different audit

methodologies
As part of the planning process for any audit, the auditor must select the appropriate audit
methodology to apply in the audit, in order to deliver the objectives of the audit in the most efficient
manner possible. Possible methodologies are:
 Risk-based audit
 Top-down approach
 Systems audit
 Balance sheet approach
 Transaction cycle approach
Each methodology will incur costs and will offer different levels of efficiency in terms of the hours of
work necessary to deliver the audit objectives. Remember that the auditor must decide on the
appropriate blend of system testing and substantive procedures, as in the diagram below.

269
 Business Assurance

Although an audit can be carried out with 100% substantive procedures, it is not possible to carry
out a 100% systems audit. There must always be some substantive testing before an audit opinion
can be delivered.
We shall look at each of the methodologies in turn.

3.8.1 Risk-based audit

Risk-based audit relies on analysing audit risk into its component parts (inherent risk, control risk
and detection risk) and then choosing the appropriate volume of audit procedures to reduce
detection risk to the level necessary that audit risk is at the acceptable level.
The analysis of risk must be carried out before detailed audit work commences and will require
some hours of the time of an experienced auditor which may be expensive. But, once this analysis
has been performed, only a limited number of hours of substantive auditing is required, so this
methodology can be efficient.

3.8.2 Top-down approach

The top-down approach operates by looking at the business and its objectives and working back
down to the financial statements. This needs a detailed understanding of the business and its
strategy, requiring highly skilled analysis combined with a minimum of substantive procedures.
It will not be efficient to audit a small company using the top-down approach. Sufficient audit
evidence can be gathered more economically using a highly substantive approach. However a top-
down approach is likely to be an efficient way of auditing a large entity.

3.8.3 Systems audit

A system audit concentrates on testing the controls in operation in a business, but as mentioned
above there must always be some substantive testing. A systems audit on its own will never
produce sufficient evidence to support an audit opinion.

3.8.4 Balance sheet approach

The balance sheet approach to auditing concentrates on vouching the carrying amounts of each
of the assets and liabilities recognised in the statement of financial position by gathering evidence
to support each of the financial statement assertions embodied therein. If the closing net assets are
proved to be fairly stated and it is known that the opening net assets are fairly stated, then the
transactions linking the two (for example, sales and cost of sales) need only be tested using
analytical procedures.

270
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

For a small entity, the cost of auditing using the balance sheet approach will be low, since junior
auditors can be employed to carry out the work, and there will only be a moderate volume of work
to be done. Therefore this is the most efficient methodology for auditing a small entity.
For a large entity, the cost of the balance sheet approach will be prohibitive since the number of
individual assets and liability balances to be vouched will be large. Therefore, this is not an efficient
methodology for auditing a large entity.

3.8.5 Transaction cycle approach

The transaction cycle approach tests a sample of transactions to make sure that they are
processed correctly throughout each cycle of the business. For example, in the sales cycle
transactions can be tested from the first receipt of an order all the way through to despatching the
goods and receiving payment.
Once again, this would be prohibitively expensive as an audit approach in a large entity, although it
could be used as part of an efficient audit of a small entity.
In every case the auditor must use their professional judgment to decide on a methodology that will
generate sufficient audit evidence and offer value for money to the client at the same time.

3.9 Summary of approaches

Approach Key feature
Risk-based audit Directs resources most heavily towards areas where misstatements
are most likely to occur.
Top-down approach Targets controls testing at high level controls and reduces
substantive testing.
Systems audit Focuses on systems of controls and establishing the reliability of the
system.
Balance sheet approach Concentrates efforts on substantiating the closing position at the
period end.
Transaction cycle Tests that transactions are complete and correctly processed
approach throughout the specific cycle.
Directional testing Derives from the principle of double entry bookkeeping that for every
debit there is a corresponding credit.

Note: In many cases the audit approach will involve aspects of more than one of the methods
referred to above.

4 Audit sampling
Topic highlights
Auditors usually seek evidence from less than 100% of items of the balance or transaction being
tested by using sampling techniques.

HKSA 500.10 HKSA 500 Audit Evidence requires that when designing tests of controls and tests of details, the
auditor shall determine means of selecting items for testing that are most effective in meeting the
purpose of the audit procedures.

271
 Business Assurance

Some testing procedures do not involve sampling, such as:

(a) Testing 100% of items in a population
In some circumstances, auditors may decide that it will be appropriate to test the entire
population of items. Auditors are unlikely to test 100% of items when carrying out tests of
controls, but 100 % testing may be appropriate for certain substantive procedures. 100%
examination may be appropriate in the following circumstances:
(i) If the population is made up of a small number of high value items;
(ii) There is a significant high risk of material misstatement and other means do not
provide sufficient appropriate audit evidence, then 100% examination may be
appropriate; or
(iii) The repetitive nature of a calculation or other process performed automatically by
an information system makes a 100% examination more effective.
(b) Testing specific items
The auditor may alternatively select certain items from a population because of specific
characteristics they possess. The selection is based on auditor's judgment. The results of
items selected in this way cannot be projected onto the whole population but may be used in
conjunction with other audit evidence concerning the rest of the population. Specific items
tested may include the following:
(i) High value or key items: The auditor may select high value items or items that are
suspicious, unusual or prone to misstatement.
(ii) All items over a certain amount: Selecting items this way may mean a large
proportion of the population can be verified by testing a few items.
(iii) Items to obtain information about the entity's business, the nature of transactions, or
the entity's accounting and control systems.
(iv) Items to test procedures, to see whether particular procedures are being performed.
Testing specific items does not provide audit evidence concerning the remainder of the
population.

4.1 Introduction to audit sampling

HKSA Auditors are required to carry out audits efficiently, cost effectively and within time constraints.
530.4-5 Audit sampling offers innumerable benefits in achieving this and is common practice on most
audits. HKSA 530 (Clarified) Audit Sampling states that 'the objective of the auditor, when using
audit sampling is to provide a reasonable basis for the auditor to draw conclusions about the
population from which the sample is selected.'

Key terms
Audit sampling involves the application of audit procedures to less than 100% of the items within
HKSA a population of audit relevance such that all sampling units have a chance of selection in order to
530.5a, b, g
provide the auditor with a reasonable basis on which to draw conclusions about the entire
population.
Population is the entire set of data from which a sample is selected and about which an auditor
wishes to draw conclusions.
Statistical sampling is any approach to sampling that involves random selection of a sample, and
the use of probability theory to evaluate sample results, including measurement of sampling risk.
Non-statistical sampling is the approach to sampling where the auditor does not use statistical
methods and draws a judgmental opinion about the population.

272
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

4.2 Design of the sample

4.2.1 Suitable for the purpose
HKSA 530.6 HKSA 530 (Clarified) requires an auditor to consider the following when designing an audit sample:
(a) Consider the purpose of the audit procedure
Auditors must consider:
(i) The specific audit objectives and the audit procedures which are most likely to
achieve them
(ii) The nature and characteristics of the audit evidence sought, possible deviation or
misstatement conditions and the rate of expected deviation or misstatements
This will help them to define what constitutes a misstatement or deviation and what
population to use for sampling.
(b) Consider the characteristics of the population from which the sample will be drawn:
(i) For tests of controls, the auditor should make an estimate of the expected rate of
deviation based on expectation through investigation of the relevant controls or on the
examination of a small number of items from the population. If the expected rate of
deviation is above a certain level, the auditor will normally reject further tests of
controls.
(ii) For tests of details, the auditor may decide to test a large sample size or test 100%
if the expected misstatement is high.
4.2.2 Drawn from a well defined population
To be representative the population from which the sample is drawn must be defined suitably for
the specific audit objectives. The auditor needs to define the characteristic that he wishes to test in
order to limit the total population. How he defines them may depend on whether he is seeking to
test for overstatement or understatement and what he is believes he may detect.
The population may be divided into sampling units in many different ways. For example, for
receivables it may be an individual receivables balance or, in monetary unit sampling, $1 of the
total receivables balance. Auditors must define the sampling unit in order to obtain an efficient and
effective sample to achieve the particular audit objectives.

Key term
Sampling units are the individual items constituting a population.

HKSA 530.5f HKSA 530 (Clarified) requires that the auditor 'shall select items for the sample in such a way that
each sampling unit in the population has a chance of selection'. This requires that all items in the
population have an opportunity of being selected.

273
 Business Assurance

There are five selection methods available:

Random selection Ensures that all items in the population have an equal chance of selection,
eg by use of random number tables or computerised generator.
Systematic The number of sampling units in the population is divided by the sample
selection size to give a sampling interval. The auditor will need to determine the
sampling units within the population are not structured in such a way that
the sampling interval corresponds with a particular pattern in the population.
Haphazard The auditors selects the sample without following a structured technique,
selection avoiding any conscious bias or predictability and thus attempting to
ensure that all items in the population have a chance of selection. This
method is not appropriate when using statistical sampling.
Sequence or This involves selection of blocks of items from within the population. Block
block selection selection cannot ordinarily be used in audit sampling as most populations
are structured. The technique is rarely an appropriate sample selection
technique when the auditor intends to draw valid inferences about the
entire population based on the sample.
Monetary Unit The sample size, selection and evaluation results are in conclusion in
Sampling (MUS) monetary amounts. The auditor would direct his effort to the larger value
(Value-weighted items because they have a greater chance of selection as compared to
sampling) smaller sample sizes.

Key terms
Stratification is the process of dividing a population into subpopulations, each of which is a group
of sampling units, which have similar characteristics (often in monetary value).

Each sampling unit can only belong to one, specifically designed stratum, therefore reducing the
variability within each stratum. This enables the auditors to direct audit effort towards items which,
for example, contain the greatest potential monetary misstatement. Ways of dividing items into
strata include by age or by amount.

4.3 Sample size and risk

HKSA 530.7, HKSA 530 (Clarified) requires that the auditor 'must determine a sample size sufficient to reduce
A10-11 sampling risk to an acceptably low level'. While inevitable and beneficial in many ways, the use of
sampling introduces an element of sampling risk. This is the risk is that the auditor's conclusion is
skewed by the particular data selected and that a different outcome may have been reached had
the whole population been subject to the audit procedure. Ultimately, this could lead to an
assessment that a particular system of control is effective, when in fact it is not; or conversely, that
a system is not effective, when in fact, it is. The auditor must use professional judgment to assess
this risk and apply procedures to ensure it is reduced to an acceptably low level.

Key terms

HKSA 530.5c Sampling risk arises from the possibility that the auditor's conclusion, based on a sample may be
different from the conclusion if the entire population were subjected to the same audit procedure.
HKSA 530.5d Non-sampling risk is the risk that the auditor reaches an erroneous conclusion for any reason not
related to sampling risk.

274
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

Sampling risk can lead to two types of erroneous conclusions:

Tests of controls  Controls are more effective than they actually are (1)
 Controls are less effective that they actually are (2)
Tests of details  Material misstatement does not exist when in fact it does (1)
 Material misstatement exists when in fact it does not (2)

(1) Auditors are most concerned with this type of erroneous conclusion as it affects audit
effectiveness and is more likely to lead to an inappropriate audit opinion.
(2) These types of erroneous conclusion affect audit efficiency as it would lead to additional
work.
Sampling risk may be reduced by increasing the sample size for both tests of control and
substantive procedures while non-sampling risk, may be reduced by effective engagement
planning, supervision and review.
How much sampling risk an auditor will tolerate depends on the degree of reliance on the results of
the procedure in question. Larger sample sizes generate lower risks and a higher degree of
tolerance.
When designing a sample, the auditor also determines tolerable rate of deviation and tolerable
misstatement for the subsequent evaluation of the results.
Non-sampling risk arises from factors that cause the auditor to reach an erroneous conclusion for
any reason not related to the size of the sample. For example, most audit evidence is persuasive
rather than conclusive, the auditor might use inappropriate procedures or the auditor might
misinterpret evidence or fail to recognise a misstatement or deviation.

4.4 Performing audit procedures on items selected

HKSA 530.9- HKSA 530 (Clarified) requires that the auditor shall perform audit procedures, appropriate to the
11 purpose, on each item selected. If the audit procedure is not applicable to the selected item, the
auditor is required to perform the procedure on a replacement item.

4.4.1 Unable to apply the designed audit procedures

If the auditor is unable to apply the designed audit procedures, or suitable alternative procedures to
a selected item, the auditor is required to treat that item as a deviation from the prescribed control
in the case of tests of controls; or misstatement in the case of tests of details.

4.5 Deviation or misstatements

HKSA 530.12 Based on the sampling results, HKSA 530 (Clarified) requires the auditor to:
(a) Investigate the nature and cause of any deviation or misstatements identified; and
(b) Evaluate their possible effect on the purpose of the audit procedure and on other areas of
audit.

4.5.1 Possibility of fraud

In analysing the deviations and misstatements identified, the auditor may observe that many have
a common feature ie type of transactions, location, period of time.
The auditor may decide to identify all items in the population that possess the common feature in
such circumstances, and extend audit procedures to those items.
Such deviations or misstatements may be intentional and may indicate the possibility of fraud.

275
 Business Assurance

4.5.2 Anomaly

Key term
Anomaly is defined as a misstatement or deviation that is demonstrably not representative of
HKSA 530.5e misstatements or deviations in a population.

In the extremely rare circumstances, when the auditor considers a misstatement or deviation
discovered in a sample to be an anomaly, the auditor shall obtain a high degree of certainty that
such misstatement or deviation is not representative of the population. The auditor shall perform
additional procedures to obtain sufficient appropriate audit evidence that the misstatement or
deviation does not affect the remainder of the population. However, for anomalies, projecting
misstatements to the population is not required.

HKSA 530.14 4.6 Projecting misstatements

(a) For tests of details HKSA 530 (Clarified) requires the auditor to project misstatements found
in the sample to the population in order to obtain a broad view of the scale of misstatement
and its effect.
Any unexpectedly high misstatement amount in a sample may cause the auditor to believe
material misstatements exist in a class of transactions or account balance; and
(b) For tests of controls, no projection of deviations is necessary since the sample deviation rate
is also the projected deviation rate for the population as a whole.
However if deviations in the way the controls are applied by the entity are identified, the
auditor should consider the direct effect of the identified deviations, what they reveal about
the effectiveness of internal controls and their effect on the audit approach, as significant
deviations will affect the amount of substantive procedures needed. An unexpectedly high
sample deviation rate may lead to an increase in the assessed risk of material misstatement.

4.7 Evaluation of sample results

4.7.1 Analysis of misstatements in the sample
HKSA 530.15 HKSA 530 (Clarified) requires the auditor to evaluate:
(a) The results of the sample; and
(b) Whether the use of audit sampling has provided a reasonable basis for conclusions about
the population that has been tested.
The tolerable rate of deviation and tolerable misstatement determined during the design of the
audit sampling can be used in the evaluation of the sample results.

Key terms

HKSA 530.5j Tolerable rate of deviation is the rate of deviation from prescribed internal control procedures set
by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance that
the rate of deviation set by the auditor is not exceeded by the actual rate of deviation in the
population.

HKSA 530.5i Tolerable misstatement is a monetary amount set by the auditor in respect of which the auditor
seeks to obtain an appropriate level of assurance that the monetary amount set by the auditor is
not exceeded by the actual misstatement in the population.

276
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

The auditor may perform the following procedures when he concludes that audit sampling has not
provided a reasonable basis for conclusions about the population tested:
(a) Request management to investigate identified misstatements, potential misstatements and
to make necessary adjustments
(b) Modify nature, extent and timing of further audit procedures to achieve desired assurance
When determining whether the sample provides a reasonable basis for the conclusions about the
population as a whole, the auditor should first set a level of tolerable misstatement. If when the
results of the test sample are projected for the population as a whole, and any anomalous results
taken into account, this level is exceeded, then the sample must be considered as not providing a
reasonable basis for conclusions about the population as a whole.

4.7.2 Projection of misstatements

For tests of details, the auditor should project monetary misstatements found in the sample to the
population, and should consider the effect of the projected misstatements on the audit objective
being tested and on other areas of the audit. The projected misstatements should be compared to
the tolerable misstatement.

Self-test question 2
Consider each of the following independent situations:
(a) The auditor used non-statistical (judgmental) sampling techniques to determine an
appropriate sample size of 20 in testing the proper authorisation of purchases. After
randomly selecting 20 purchase transactions, the auditor performed appropriate testing and
found that three of the 20 transactions were not properly authorised.
(b) The auditor used attribute sampling techniques to test a key authorisation control. For a 5%
risk of over reliance, a tolerable deviation rate of 10% and an expected population deviation
rate of zero, the auditor determined the minimum sample size to be 29. The auditor selected
29 items using a systematic sampling technique, and found that one transaction was not
properly authorised.
Required
For each of the scenarios, (a) and (b), discuss the relevant issues in determining whether the
auditor can place reliance on the key control.
(The answer is at the end of the chapter)

5 Audit documentation

Topic highlights
It is important to document audit work performed in working papers to:
 Enable reporting partner to ensure all planned work has been completed adequately
 Provide details of work done for future reference;
 Assist in planning and control of future audits
 Encourage a methodical approach

277
 Business Assurance

5.1 Requirement of audit documentation

Key term
Audit documentation is the record of audit procedures performed, relevant audit evidence
HKSA 230.6a obtained and conclusions reached. The terms 'working papers' or 'work papers' are also sometimes
used.

HKSA 230.5, In accordance with HKSA 230 Audit Documentation, the auditor prepares, on a timely basis, audit
7, 8 documentation that provides:
(a) A sufficient and appropriate record of the basis for the auditor's report
(b) Evidence that the audit was planned and performed in accordance with HKSAs and
applicable legal and regulatory requirements
HKSA 230 requires that the auditor shall prepare audit documentation on a timely basis in order to
enhance the quality of the audit and to improve the review and evaluation process of the audit
evidence obtained and conclusions reached before the auditor's report is finalised.

5.1.1 Nature, form, content and extent of audit procedures performed

HKSA 230 requires working papers to be sufficiently complete and detailed to provide an overall
understanding of the audit to an independent third party who had not been involved. Auditors are
not expected to record everything they consider. Therefore, judgment must be used as to the
extent of working papers, based on the following general rules.

Key term
An experienced auditor refers to an individual who has practical audit experience and a
HKSA 230.6c reasonable understanding of the audit processes, HKSAs and applicable legal and regulatory
requirements, the business environment in which the entity operates and the auditing and financial
reporting issues relevant to the entity's industry.

The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor
having no previous connection with the audit, to understand:
(a) The nature, extent and timing of the audit procedures
(b) The results of the audit procedures performed
(c) Significant matters arising during the audit ie significant risks or difficulties in applying audit
procedures (See Section 5.6)
The form and content of working papers are affected by matters such as:
(a) The size and complexity of the entity
(b) The nature of the audit procedures to be performed
(c) The identified risks of material misstatement
(d) The significance of the audit evidence obtained
(e) The nature and extent of exceptions identified
(f) The need to document a conclusion or the basis for a conclusion not readily determinable
from the documentation of the work performed or audit evidence obtained
(g) The audit methodology and tools used

278
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

5.1.2 Examples of working papers

Work at different
stages in audit Information to be put in working file
Audit planning  Evidence of the planning process including audit programmes and
any changes thereto
Understanding the Information obtained in understanding the entity and its environment,
entity and its including its internal control, such as the following:
environment  Information concerning the legal documents, agreements and
minutes
 Extracts or copies of important legal documents, agreements and
minutes
 Information concerning the industry, economic environment and
legislative environment within which the entity operates
 Extracts from the entity's internal control manual
Evidence gathering  Analyses of transactions and balances
 Analyses of significant ratios and trends
 Identified and assessed risks of material misstatements
 A record of the nature, timing, extent and results of audit
procedures
 Evidence that the work performed was supervised and reviewed
 An indication as to who performed the audit procedures and when
they were performed
Communication  Evidence of the auditor's consideration of the work of the internal
with internal and audit function and conclusions reached
external parties
 Copies of communications with other auditors, experts and other
third parties
 Copies of letters or notes concerning audit matters communicated
or discussed with management or those charged with
governance, including the terms of the engagement and material
weaknesses in internal control
 Details of audit procedures applied regarding components whose
financial statements are audited by another auditor
 Letters of representation received from the entity
 Notes of discussions about significant matters with management
and others
Final stage of audit  Conclusions reached by the auditor concerning significant aspects
of the audit, including how exceptions and unusual matters, if any,
disclosed by the auditor's procedures were resolved or treated
 Copies of the financial statements and audit reports
 In exceptional circumstances, the reasons for departing from a
basic principle or essential procedure of an HKSA and how the
alternative procedures performed achieve the audit objective.

279
 Business Assurance

5.2 Reasons for audit documentation

Audit documentation is necessary for the following reasons:
(a) It provides evidence of the auditor's basis for a conclusion including the assumptions behind
any judgments used.
(b) It demonstrates that the audit was conducted in accordance with HKSAs, HKFRSs and any
other legal and regulatory requirements.
(c) It records the plan and performance of the audit.
(d) It acts as a tool to team members responsible for supervision to direct, supervise and review
audit work as it is carried out.
(e) It enables the team to be accountable for its work.
(f) It allows a record of matters of continuing significance to be retained.
(g) It enables the conduct of quality control reviews and inspections (whether internal or
external).

5.3 Audit files

Working paper files may be classified into the following categories depending on whether their
contents are of ongoing importance or whether they relate to the current reporting period only.

Key term
An audit file is one or more folders or other storage media in physical or electronic form,
HKSA 230.6b containing the records that comprise the audit documentation for a specific engagement.

Audit files: working papers

Permanent audit files (containing  Engagement letters
information of continuing
 New client questionnaire
importance to the audit)
 The memorandum and articles of association
 Other legal documents such as prospectuses, leases,
sales agreements
 Details of the history of the entity's business
 Board minutes of continuing relevance
 Previous years' signed financial statements, analytical
review and management letters
 Accounting systems notes, previous years' control
questionnaires
Current audit files (containing  Financial statements
information of relevance to the
 Financial statements checklists
current year's audit).
 Management accounts details
These should be compiled on a
timely basis after the completion of  Reconciliations of management accounts and financial
the audit and should contain: statements
 A summary of unadjusted misstatements
 Report to partner including details of significant events
and misstatements

280
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

Audit files: working papers

 Review notes (retain until archive)
 Audit planning memorandum
 Time budgets and summaries
 Representation letter
 Management letter
 Notes of board minutes
 Communications with third parties such as experts or
other auditors

The working paper files should also contain information covering each audit area. These should
include the following:
 A lead schedule including details of the figures to be included in the financial statements
 Problems encountered and conclusions drawn
 Audit programmes
 Risk assessments
 Sampling plans
 Analytical procedures
 Details of substantive tests and tests of controls
If it later becomes necessary to add to or modify the documentation after it has been assembled,
then the following should be noted:
 Who made the changes, when they were made, and by whom they were reviewed
 The reasons behind the change
 Whether there was any effect on the auditors' conclusions
Changes are made to an audit file after the audit report has been signed, only in exceptional
circumstances. The following should be recorded:
 The circumstances
 The audit procedures performed, evidence obtained, conclusions drawn
 When and by whom changes to audit documents were made and reviewed

5.4 Standardised and automated working papers

The use of standardised working papers, for example, checklists and specimen letters, may
improve the efficiency of audit work but they can be dangerous because they may lead to auditors
mechanically following an approach without using audit judgment.
Automated working paper packages have been developed which can make the documenting of
audit work much easier. Such programs aid preparation of working papers, lead schedules, the trial
balance and the financial statements themselves. These are automatically cross-referenced,
adjusted and balanced by the computer.
The advantages of automated working papers are as follows:
(a) The risk of misstatements is reduced
(b) The working papers will be neater and easier to review
(c) The time saved will be substantial as adjustments can be made easily to all working papers,
including those summarising the key analytical information
(d) Standard forms do not have to be carried to audit locations
(e) Audit working papers can be transmitted for review via email or fax facilities

281
 Business Assurance

5.5 Safe custody and retention of working papers

Judgment may have to be used in deciding the length of holding working papers, and further
consideration should be given to the matter before their destruction. Working papers are the
property of the auditors. They are not a substitute for, nor part of, the entity's accounting records.
Auditors must follow ethical guidance on the confidentiality of audit working papers. They may, at
their discretion, release parts of or whole working papers to the entity, as long as disclosure does
not undermine 'the independence or validity of the audit process'. Information should not be made
available to third parties without the permission of the entity.
After assembling the papers, the auditor should not delete or discard audit documentation of any
nature before the end of its retention period, which is no shorter than five years from the date of the
auditor's report, in accordance with HKSQC1 (Clarified).
In exceptional cases, where the auditor finds it necessary to modify existing audit documentation or
add new audit documentation after the assembly of the final audit file has been completed, the
auditor is required to document:
 The specific reasons for making them
 When and by whom they were made and reviewed

5.6 Significant matters

HKSA 230.A8 The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor,
having no previous connection with the audit, to understand significant matters arising during the
audit. Examples of significant matters include the following:
(a) Matters that give rise to significant risks
(b) Results of audit procedures relating to the revision of auditor's assessment of the risks of
material misstatement and the auditor's responses to those risks
(c) Results of audit procedures indicating the financial statements could be material misstated;
(d) Difficulties auditor faced in applying necessary audit procedures
(e) Findings causing modification to the audit opinion or the addition of an emphasis of matter
paragraph
(f) Discussion of significant matters to any party
(g) How the auditor addressed the inconsistency when information is inconsistent with auditor's
conclusion of the significant matter

5.7 Assembly of the final audit file

HKSA HKSQC1 (Clarified) requires firms to establish policies and procedures for engagement teams to
230.14-16 complete the assembly of final engagement files on a timely basis after the engagement reports
have been finalised. For audit engagements, a time limit would ordinarily not be more than 60 days
after the date of the auditor's report.
The auditor should maintain confidentiality, safe custody, integrity, accessibility and retrievability of
the audit documentation.

282
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

5.8 Changes to audit documentation in exceptional

circumstances after the date of the auditor's report
HKSA 230.13 If, in exceptional circumstances, the auditor performs new or additional audit procedures or draws
new conclusions after the date of the auditor's report, the auditor shall document:
 The circumstances encountered
 The new or additional audit procedures performed
 When and by whom the resulting changes to audit documentation were made and reviewed
 The specific reasons for making them

283
 Business Assurance

Topic recap

Relate to
Financial statement – classes of
assertions transactions
– account balances
– presentation and
disclosure

Must be AUDIT EVIDENCE

documented

Relevant Direction

Sufficient Appropriate

Reliable Source

Audit
Risk-based
methodology

Risk
Top-down assessment
Audit
procedure procedures

Systems-based/ Test of
systems audit Ÿ Inspection controls
Ÿ Observation
Ÿ Inquiry
Ÿ Confirmation Substantive Can never be
Balance sheet Ÿ Recalculation procedures eliminated entirely
approach Ÿ Reperfomance
Ÿ Analytical procedure

Statistical
Transaction
cycle approach Sampling

Non-statistical

Directional
testing – Sample design
– Sample size
– Projecting
misstatements
– Evaluating results

284
 9: Audit evidence, procedures, audit methodologies and audit sampling | Part D Assurance engagements

Answers to self-test questions

Answer 1
(a) The balance of gross accounts receivable can best be assessed by the use of a receivables
circularisation. The allowance for doubtful accounts would be assessed by reviewing
management's credit policies, ageing the accounts receivable, examining credit reports or
financial statements for major companies, and verifying subsequent remittances. Analytical
procedures would also be used.
(b) The additions to the non-current asset account can best be verified by an examination of the
client's capitalisation policies and an examination of both the schedule of additions to non-
current assets, and a review of the repairs and maintenance expense account to ensure that
no items that should be capitalised are included as expenses. Any rental or lease agreement
should also be reviewed to ensure that nothing that should be capitalised has been
expensed.
(c) The accounts payable can be examined by the use of confirmation to test balances, or by a
reconciliation with suppliers' statements.

Answer 2
(a) In determining reliance on this key control, the auditor has used non-statistical sampling.
Therefore, the decision as to whether or not the auditor would place reliance on this key
control without the undertaking of any further work depends on the auditor's expectations.
Such a high deviation rate would be unusual for accepting the control as operating
effectively, unless further audit evidence substantiating the initial assessment is obtained.
(b) The auditor has sampled the minimum size for zero expected deviations from the control
condition. As soon as one deviation is identified, as has occurred in this case, the auditor
cannot rely on the key control.

285
 Business Assurance

Exam practice

DEF Ltd 10 minutes

DEF Ltd has a head office and sells footwear accessories through twenty retail outlets in Hong
Kong. All cash receipts in the form of cash and credit cards are recorded in the cash till of each
outlet. A cash float in the range of $8,000 to $15,000 is maintained at each outlet to provide change
for the till and cover various routine expenses. All cash takings for the previous day are banked at
the beginning of each working day. Cash till reconciliation is performed by a sales assistant and is
further reviewed by the shop supervisor at the end of each working day. The reconciliation and the
relevant supporting documents are sent to the accounts department daily for further processing.
A & B have been the auditors of DEF Ltd for a number of years. During the current year's audit of
DEF Ltd, A & B have reviewed the internal controls on cash in hand and performed all tests of
controls they considered necessary.
In addition, DEF Ltd has received a bank loan ($10,000,000 repayable over four years) in order to
expand the business during the year. A & B have reviewed the internal controls on the bank loan
and have found that it would be more efficient to rely solely on substantive audit procedures.
Required
In the context of A & B's audit of DEF Ltd,
(a) Explain the difference between sampling risks and non-sampling risks. (3 marks)
(b) Explain how stratification may help to increase the effectiveness of substantive audit
procedures. (3 marks)
(Total = 6 marks)
HKICPA September 2006 (amended)

286
chapter 10

Fraud and irregularities

Topic list

1 Fraud 2 Laws and regulations

1.1 What is fraud? 2.1 Legal requirements relating to an entity
1.2 Characteristics of fraud 2.2 Responsibility of management and those
1.3 Fraud and the auditor charged with governance
1.4 Risk assessment 2.3 Responsibility of the auditor
1.5 Overall responses to assessed risks 2.4 Indications of non-compliance with laws
of material misstatement due to fraud and regulations
at the financial statement level 2.5 Audit procedures when non-compliance
1.6 Fraud risk factors is identified or suspected
1.7 Misstatements indicating suspected 2.6 Communicating/reporting identified or
fraud suspected non-compliance
1.8 Overall responses to assessed risks
of material misstatement due to fraud 3 Following up illegal acts or fraud during the
at the assertion level audit
1.9 Analytical procedures performed near 3.1 Ethical Requirements
the end of the audit 3.2 HKSA 240
1.10 Unable to continue the engagement 3.3 HKSA 250 (Clarified)
1.11 Written representations 3.4 Money laundering
1.12 Communication to management and
those charged with governance
1.13 Documentation

Learning focus

The extent of auditors' responsibilities in relation to fraud and error is a critical element of the
public's perception of the auditor's role. The requirements of HKSA 240 in this regard are core
knowledge for this chapter and may have to be applied in practical scenarios.

287
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.05 Planning and risk assessment 3
2.05.08 Explain the effect of fraud and misstatements on audit planning and
work
2.05.09 Explain the effect of laws and regulations, and non-compliance
therewith, on audit planning and procedures
2.12 Completion procedures
2.12.04 Explain the follow up on illegal act or fraud found while performing 3
an audit especially in the case of money laundering or corruption

288
 10: Fraud and irregularities | Part D Assurance engagements

1 Fraud

Topic highlights
When carrying out risk assessment procedures, the auditor shall also consider the risk of fraud or
non-compliance with laws and regulations causing a misstatement in financial statements.

1.1 What is fraud?

Key term
Fraud is an intentional act by one or more individuals among management, those charged with
HKSA governance, employees or third parties involving the use of deception to obtain an unjust or illegal
240.11a
advantage.

HKSA 240.3 Fraud may be perpetrated by an individual, or colluded in, with people internal or external to the
business. When management or those charged with governance are involved in fraud, it is called
management fraud. When employees are involved it is called employee fraud.
Specifically, there are two types of fraud causing material misstatements in financial statements:
 Fraudulent financial reporting
 Misappropriation of assets

1.1.1 Fraudulent financial reporting

Key term
Fraudulent financial reporting involves intentional misstatements, including omissions of
HKSA 240. amounts or disclosures in financial statements, to deceive financial statement users.
A2

Management may intend to influence financial statement users' perceptions as to the entity's
performance and profitability.
This may include the following:
 Omission of amounts or disclosures in the financial statements
 Improper disclosure eg deception such as manipulation, falsification, alteration of accounting
records
 Intentional misapplication of accounting principles eg delay in recognition
 Concealing important information
 Engaging in complex transactions, leading to inability to collect audit trail
 Recording fictitious journal entries
 Improper use of assumptions or estimates in financial reporting
 Intentionally to reduce earnings for tax planning
 Manipulation, falsification or alteration of accounting records or other documentations
Such fraud may be due to pressure and incentives and may arise due to management overriding
controls and by aggressive earnings management in order to maximise bonuses. Companies

289
 Business Assurance

about to list may contain higher risk in this area due to pressure to meet market expectations or a
desire to maximise compensation based on performance. The auditor should be aware if there are
matters like unsuitable revenue recognition, inappropriate accruals, liabilities, provisions and
reserves accounting or large number of immaterial breaches of financial reporting requirements.
Material misstatements due to fraudulent financial reporting are often due to revenue recognition
and this is significant risk.

1.1.2 Misappropriation of assets

Key term
Misappropriation of assets involves the theft of an entity's assets and is often perpetrated by
HKSA 240.A5 employees in relatively small and immaterial amounts.

Misappropriation of assets is often perpetrated by single employees in relatively small amounts,

although aggregated this amount may become material. However, misappropriation may also
involve collusion among a group of employees or management which often makes it more difficult
to detect. Collusion or management involvement often makes it easier to create false records to
conceal the fraudulent activity.
Misappropriation of assets is a serious threat to an entity. Even when it involves minor pilfering of
stock or cash by employees. It indicates an environment of weak internal control and possibly poor
relationships between senior management and employees. However, management may be equally
guilty and often have a greater opportunity for exploiting weaknesses in the control systems to
conceal their fraudulent activities. These activities can take the following forms:
(a) Embezzling receipts (for example, diverting them to private bank accounts)
(b) Wrongfully taking possession of physical non-current assets or intellectual property either for
personal use or to sell on (for example, stealing stock, or selling data)
(c) Creating false ledger or payroll entries to cause an entity to pay for goods which have not
been ordered or received (payments to fictitious suppliers or employees)
(d) Using an entity's assets as collateral for a personal loan or loan to a related party

1.2 Characteristics of fraud

HKSA 240A1 Fraud involves:
(a) Incentive or pressure to commit fraud – this may mean management is under pressure to
achieve unfeasible earnings or may indicate personal financial difficulties
(b) An opportunity – this may be the presence of large amounts of cash or inventory and the
ability to override an internal control without detection
(c) Rationalisation of committing a fraudulent act – individuals may possess an attitude or
character that allow them knowingly and intentionally to commit a dishonest act. Poor
management-employee relations may create an attitude of disregard for internal controls.

1.3 Fraud and the auditor

HKSA 240 The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements
provides guidance to auditors in this area.

HKSA 240.4
1.3.1 Responsibilities of management
The primary responsibility for the prevention and detection of fraud is with both those charged with
governance and the management of an entity. It is important that management and those charged
with governance place a strong emphasis on fraud prevention and fraud deterrence.

290
 10: Fraud and irregularities | Part D Assurance engagements

This is effected by a commitment to a culture of honesty, ethical behaviour and active

oversight by those charged with governance.
Management can:
(a) Implement and operate an adequate accounting and internal control system to reduce the
possibility of fraud and error
(b) Acts in stewardship with regard to the property entrusted to them by shareholders
(contractual duty of care)
(c) Develop a code of conduct
(d) Establish an internal audit function
(e) Set up an audit committee

HKSA 240.5-8 1.3.2 Responsibilities of auditors

An auditor conducting an audit is responsible for obtaining reasonable assurance that the financial
statements taken as a whole are free from material misstatement, whether caused by fraud or error.
When planning or performing audit procedures or evaluating and reporting on results, in order to
reduce the audit risks to an acceptably low level, the auditor should consider the risks of material
misstatements in the financial statements due to fraud and error. (This is mandatory!) The
risk of not detecting material misstatements from fraud is higher than the risk of not detecting a
material misstatement due to error.
Auditors should:
 Obtain sufficient appropriate audit evidence regarding the assessed risks of material
misstatement due to fraud.
 Respond appropriately to fraud or suspected fraud identified during the audit.
 Maintain an attitude of professional scepticism throughout the audit, recognising the
possibility that material misstatements due to fraud could exist, considering the honesty and
integrity of management and those charged with governance.
 Evaluate the design of the entity's related controls, including relevant control activities and
determine whether they have been implemented.
The auditor cannot be held responsible for the prevention of fraud and error and the risk of not
detecting a material misstatement. The risk is greater for frauds that are due to sophisticated and
organised schemes designed to conceal it such as intentional misrepresentations made to the
auditors or deliberate failure to record transactions.
Although the auditor may suspect or identify the occurrence of fraud, the auditor does not make
legal determinations of whether fraud has actually occurred.

HKSA
240.15-18,
1.4 Risk assessment
25-26, 31 HKSA 240 requires a discussion among the team members that places particular emphasis on
how and where the financial statements may be susceptible to fraud.

291
 Business Assurance

1.4.1 Risk assessment procedures

Risk assessment procedures to obtain information in identifying the risks of material
misstatement due to fraud shall include the following:
(a) Inquiries of management regarding:
(i) Management's assessment of the risk that the financial statements may be
materially misstated due to fraud
(ii) Management's process for identifying and responding to the risks of fraud
(iii) Management's communication to those charged with governance in respect of its
process for identifying and responding to the risk of fraud
(iv) Management's communication to employees regarding its views on business
practices and ethical behaviour
(v) Knowledge of any actual, suspected or alleged fraud.
(b) Inquiries of appropriate individuals within the internal audit function for knowledge of
any actual, suspected or alleged fraud, and its views on the risks of fraud.
(c) Obtaining an understanding of how those charged with governance oversee
management's processes for identifying and responding to the risk of fraud and the internal
control established to mitigate these risks.
(d) Inquiries of those charged with governance for knowledge of any actual, suspected or
alleged fraud and seek views on the adequacy of accounting system, management's process
for identifying risks of fraud and internal control.
(e) Evaluating whether any unusual or unexpected relationships have been identified in
performing analytical procedures that may indicate risk of material misstatement due to
fraud.
(f) Considering whether any other information may indicate risk of material misstatement due
to fraud such as information obtained from the auditor's entity acceptance and retention
processes, and experience gained on other engagements performed for the entity.
(g) Evaluating whether any fraud risk factors are present.

1.4.2 Identification and assessment of the risk of material misstatement due

to fraud
As required by HKSA 240, and in accordance with HKSA 315 (Revised 2016), the auditor shall
identify and assess the risks of material misstatement due to fraud:
 At the financial statement level
 At the assertion level for classes of transactions, account balances and disclosures
These risks shall be treated as significant risks.
The auditor shall obtain an understanding of the entity's related controls, including control activities,
relevant to such risks.

1.4.3 Presumed risk of fraud in revenue recognition

Material misstatement due to fraudulent financial reporting relating to revenue recognition may
result in both overstatement or understatement of revenue, for example:
 Recording fictitious revenue
 Using aggressive revenue recognition
 Improperly delaying recognition of revenue
Therefore, HKSA 240 requires the auditor, based on a presumption that there are risks of fraud in
revenue recognition, to evaluate which types of revenue, revenue transactions or assertions give
rise to such risks.

292
 10: Fraud and irregularities | Part D Assurance engagements

Those entities such as listed entities that may have pressures or incentives on management to
commit fraudulent financial reporting, may face greater risks of fraud in revenue recognition.
The auditor shall document the reasons for concluding that there is no presumption that there are
risks of fraud in revenue recognition.

1.4.4 Presumed risk of control override

Management is in a unique position to perpetrate fraud because of its ability to override controls.
Because this risk is present in all entities and is therefore presumed HKSA 240 requires that,
irrespective of the auditor's assessment of the risks of management override of controls, the auditor
must design and perform audit procedures to respond to this risk.
The following are examples of audit procedures:
(a) Test the appropriateness of journal entries recorded in the general ledger and other
adjustments made in the preparation of the financial statements by:
(i) Inquiring of individuals responsible for financial reporting process
(ii) Testing collected journal entries and other adjustments made at the end of the period.
(b) Review accounting estimates for bias and evaluate whether the circumstances producing the
bias represents a risk of material misstatement due to fraud.
(i) If there is an indication of a possible management bias the auditor shall re-evaluate
the accounting estimate taken as a whole
(ii) Perform a retrospective review of management judgments and assumptions relating to
significant accounting estimates reflected in the financial statements of the prior year.
(c) For significant transactions that are outside the normal course of business for the entity, the
auditor shall evaluate whether the business rationale of the transactions suggests fraud.
The auditor should consider:
(i) Whether the transactions are complex
(ii) Whether management has discussed the accounting treatment with those charged
with governance
(iii) Management placing more emphasis on the need for a particular accounting treatment
(iv) Non-consolidated related parties that are not properly authorised
(v) Unidentified related parties and the related transactions.

1.5 Overall responses to assessed risks of material misstatement

due to fraud at the financial statement level
HKSA In accordance with HKSA 330 The Auditor's Responses to Assessed Risks, the auditor must
240.28-29, 32 determine overall responses to address the assessed risks of material misstatement due to fraud
at the financial statement level. In this regard, the auditor must:
(a) Assign and supervise staff responsible taking into account their knowledge, skill and ability
i.e. individuals with specialised skill and knowledge
(b) Increase professional scepticism ie increase sensitivity in the selection of nature and
extent of documentation for material transactions and increase recognition of the need for
management explanations or representations for material matters
(c) Evaluate whether the accounting policies may be indicative of fraudulent financial reporting
(d) Incorporate unpredictability in the selection of the nature, timing and extent of audit
procedures to be performed ie adjusting the timing of audit procedures or using different
sampling methods

293
 Business Assurance

As we mentioned above, management fraud is more difficult to detect than employee fraud
because of management's ability to override controls and therefore manipulate accounting records.
HKSA 240 states that when auditor has to respond to the risk of management override of controls,
it is mandatory to perform procedures to:
(a) Test the appropriateness of journal entries and other adjustments
(b) Review accounting estimates for bias
(c) For significant transactions outside the normal course of business, evaluate whether they
have been entered into to engage in fraudulent financial reporting or to conceal
misappropriation of assets

1.6 Fraud risk factors

Key term
Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud
HKSA or provide an opportunity to commit fraud.
240.11b

HKSA 240 HKSA 315 (Revised 2016) states that the auditor shall evaluate whether fraud risk factors exist
Appendix 1 when collecting information from risk assessment procedures or when performing related activities.
When obtaining an understanding of the entity and its environment and the internal control, an
auditor should consider whether the information obtained indicates any fraud risk factors. However,
remember that fraud risk factors may not necessarily indicate the existence of fraud.
Auditors should exercise professional judgment in determining whether actual fraud is present.
When the following fraud risk factors appear there is a chance for fraudulent reporting to occur:

Fraud risk factors relating to fraudulent financial reporting

Operating  Missing vouchers
 Falsified documents and unsatisfactory explanations
 Evidence of dispute
 Unexplained reconciliations or incomplete accounting records
 Computer files failure – lack of records
 Significant related party transactions occurred not in the ordinary
course of business
 Dominant position in the market that may result in inappropriate or non-
arm's length transactions
 Many estimates involved in the financial statements
 Significant bank accounts or subsidiaries or branches operations in tax-
haven countries
Financial  Financial and profitability levels being threatened due to high degree of
competition, rapid changes in business environment
 Major decline in customer demand and increasing business failure
 Negative cash flow and operating losses
 New accounting/statutory/regulatory requirement
 Threat of bankruptcy/foreclosure/takeover

294
 10: Fraud and irregularities | Part D Assurance engagements

Fraud risk factors relating to fraudulent financial reporting

Pressure on  Management required to meet profitability or trend levels
management
 Entity needs to obtain additional funds by debt or equity financing
 Entity about to list, therefore required to meet exchange listing
requirement
 Meet financial targets established by those charged with governance or
listing rules
Nature of  Significant related party transactions not in the course of ordinary
entity's business
business
 Complex corporate structure
environment
 Multi-location businesses
Management  Dominance by management
style
 Non-operating internal controls – ie cut off or failure to correct
 Reluctance of management to communicate with third party
 High staff turnover
 Ineffective accounting and information systems
 Ineffective implementation of ethical standards
 Investigation by Government/Police
 Consistent failure to correct known material weaknesses in internal
controls
 Low morale among senior management
 Frequent disputes between management and auditors
 Limit of audit scope imposed by management
Analytical Auditor should consider any unusual or unexpected relationships that may
procedures indicate risks of material misstatement due to fraud.

When the following fraud risk factors appear there is a good chance for misappropriation of assets
to occur:

Fraud risk factors relating to misappropriation of assets

Employees/  Personal financial positions and ease to access to cash or other assets
management  Adverse relationships between entity and employees give motive for the
misappropriation of assets
Nature of  Circumstances occur where employees have large amount of cash on
entity's hand
business  Inventory items are small in size but are of high value
environment
 Easily convertible assets
 Non-current assets are of small size and marketable

295
 Business Assurance

Fraud risk factors relating to misappropriation of assets

Internal  Inadequate internal controls over assets
controls  Inadequate segregation of duties
 Inadequate oversight of senior management and employees responsible
for assets
 Inadequate recordkeeping, authorisation and approval and physical
safeguards over cash investments
 Lack of documentation of transactions
 Lack of security in automated records
 Lack of complete and timely reconciliation of assets
 Inadequate management understanding of information technology
Management  Management disregarding the need for monitoring or reducing risks of
style misappropriation of assets
 Non-financial management's excessive participation
 Continuous disputes between management and shareholders

The size, complexity and ownership characteristics of the entity have a significant influence on the
consideration of relevant fraud risk factors. For example, a larger entity may have better internal
controls to prevent fraud.

1.7 Misstatements indicating suspected fraud

HKSA HKSA 240 requires the auditor to evaluate whether the misstatement identified is indicative of fraud
240.35-36 and evaluate the implications of the misstatement in relation to other aspects of the audit,
particularly the reliability of management representations.
If the auditor believes the misstatements identified are the result of fraud which involved
management (ie by management collusion), the auditor shall re-evaluate the assessment of the
risks of material misstatement due to fraud and the impact on nature, extent and timing of audit
procedures.
When numerous immaterial misstatements are identified at a specific location, it may indicate there
is a risk of material misstatement due to fraud. The auditor should consider whether the fraud
involves senior management as this would affect the reliability of written representations. This may
indicate employees, management or third party's collusion.

1.7.1 Discussion among the engagement team

According to HKSA 240, discussion among the engagement team shall place particular emphasis
on how and where the entity's financial statements may be susceptible to material misstatement
due to fraud, including how fraud might occur.

1.8 Overall responses to assessed risks of material misstatement

due to fraud at the assertion level
According to HKSA 240, the auditors shall design and perform further audit procedures by
changing the nature, extent and timing of audit procedures that are responsive to the assessed
risks of material misstatement due to fraud at the assertion level.

296
 10: Fraud and irregularities | Part D Assurance engagements

The following illustrates the change in nature, extent and timing of audit procedures:

Changing the nature of  Obtain more reliable and relevant audit evidence
audit procedures  Obtain additional corroborative evidence
 Use more physical inspection or observation
 Consider the source of audit evidence, ie more external
evidence rather internal audit evidence, ie use more external
confirmations
Changing the extent of  Increasing sample sizes
audit procedures  Performing analytical procedures at a more detailed level
 Using CAATs for more extensive testing of electronic
transactions and account files
Changing the timing of  Modifying the timing of substantive procedures
audit procedures  Performing substantive testing at or near the period end
 Electing to apply substantive procedures to transactions
occurring earlier in or throughout the reporting period

1.9 Analytical procedures performed near the end of the audit

HKSA 240.34 HKSA 240 requires the auditor when forming the overall conclusion to evaluate whether analytical
procedures that are performed near the end of the audit indicate a previously recognised risk of
material misstatement due to fraud. Auditors should consider any unusual relationships involving
year-end revenue and income. Overall, this requires professional judgment.

1.10 Unable to continue the engagement

HKSA 240.38 When the auditor encounters exceptional circumstances that affect the auditor's ability to
continue performing the audit, HKSA 240 requires the auditor to:
(a) Determine the professional and legal responsibilities applicable in the circumstances ie
obligatory disclosure; or
(b) Consider the appropriateness to withdraw from the engagement.
Examples of exceptional circumstances include the following:
(a) No appropriate action regarding fraud is undertaken by the entity, where auditor considers
necessary;
(b) The auditor considers there is significant risk of material and pervasive fraud; or
(c) The auditor has significant concern about the competence or integrity of management or
those charged with governance.
If the auditor decides to withdraw from the engagement, he shall:
(a) Discuss with the appropriate level of management and those charged with governance about
the withdrawal; or
(b) Determine whether there is obligatory reporting to regulatory authorities.

1.11 Written representations

HKSA 240.39 HKSA 240 requires the auditor to obtain written representations from management and those
charged with governance that they:
(a) Acknowledge their responsibility for the design, implementation and maintenance of
internal control to prevent and detect fraud;

297
 Business Assurance

(b) Have disclosed to the auditor management's assessment of the risk of fraud in the financial
statements;
(c) Have disclosed to the auditor their knowledge of fraud/suspected fraud involving
management, employees with significant roles in internal control, and others where fraud
could have a material effect on the financial statements;
(d) Have disclosed to the auditor their knowledge of any allegations of fraud/suspected
fraud communicated by employees, former employees, analysts, regulators or others; or
(e) Acknowledge the effects of those uncorrected financial misstatements aggregated as a
whole that are immaterial to the financial statements.

1.12 Communication to management and those charged with

governance
HKSA If the auditor identifies fraud or receives information that a fraud may exist, the auditor shall report
240.40-43 this on a timely basis to the appropriate level of management.
If the auditor identifies or suspects fraud involving management, employees with significant roles in
internal control, and others where fraud could have a material effect on the financial statements, he
shall communicate this on a timely basis to those charged with governance.
The auditor also needs to consider whether there is a responsibility to report to the regulatory or
enforcement authorities – the auditor's professional duty of confidentiality may be overridden
by laws and statutes in certain jurisdictions.
For material deficiencies in internal controls, the auditor should communicate with management.

1.13 Documentation
HKSA 240.44 The auditor must document:
 The significant decisions as a result of the team's discussion of fraud;
 The identified and assessed risks of material misstatement due to fraud;
 The overall responses to assessed risks;
 Results of specific audit tests;
 Any communications with management; or
 Reasons for concluding that the presumption that there is a risk of fraud related to revenue
recognition is not applicable.

Self-test question 1
Tom is the Human Resources Manager of XXXX Limited in Hong Kong. XXXX Limited has a
number of production and management contracts with the public sector. Tom has created ten
fictitious employees in the company's factory payroll. A number of pay cheques were issued to
these ten fictitious employees from October to December 20X6.
TUV & Co have been the auditors of XXXX Limited for the last two years, and the audit for the year
ended 31 December 20X6 is currently in progress. Before the discovery of Tom's activities, TUV &
Co had assessed the risk of material misstatement due to fraud at the financial statement level as
low after performing the specific risk assessment procedures as required by auditing standards.
Required
(a) Explain the possible impacts of Tom's activities on XXXX Limited's financial statements.
(6 marks)

298
 10: Fraud and irregularities | Part D Assurance engagements

(b) Explain how Tom's activities may affect the risk assessment and the audit work responsive
to the assessed risk of material misstatement due to fraud. (9 marks)
(Total = 15 marks)
HKICPA May 2007
(The answer is at the end of the chapter)

Self-test question 2
(a) What are the three key characteristics of fraud? (3 marks)
(b) A low profile Hong Kong listed company has over 70% of its issued shares held by the Chief
Executive ('CE') and an executive director ('ED'). Both the CE and the ED are from very
wealthy backgrounds. They are heavily involved in the daily operations of the listed company.
All sales and purchase transactions have to be approved by the CE and the ED. The CE and
the ED review the financial results with the respective department heads on a weekly basis.
The company's board of directors emphasizes ethical behaviour. The board usually sets an
achievable budget. Meeting the financial budget is also not the only criterion in assessing
employees' performance. The company has maintained a healthy and stable performance in
the past five years and a relatively high dividend pay-out ratio compared with similar
companies in the industry.
Required
Assume you are the audit engagement manager assessing the risk of fraud at this listed
company. Discuss and explain your risk assessment based on the three key characteristics
of fraud. (6 marks)
(Total = 9 marks)
HKICPA December 2014
(The answer is at the end of the chapter)

2 Laws and regulations

Topic highlights
Auditors must be aware of laws and regulations as part of their planning and must be aware of any
statutory duty to report non-compliance by the entity.

2.1 Legal requirements relating to an entity

Entities are increasingly subject to laws and regulations with which they must comply.
HKSA 250 (Clarified) Consideration of Laws and Regulations in an Audit of Financial Statements
provides guidance on the auditor's responsibility to consider laws and regulations in an audit of
financial statements. Note that in June 2017, HKICPA issued HKSA 250 (Revised) Considerations
of Laws and Regulations in an Audit of Financial Statements, Including Related Conforming
Amendments to Other Hong Kong Standards in response to new requirements in the HKICPA
Code of Ethics for Professional Accountants addressing non-compliance with laws and regulations.
This revised standard is effective from 15 July 2017 but is not examinable at the December 2017
and June 2018 examination sessions.

299
 Business Assurance

The provisions of those laws or regulations have a direct effect on the entity's financial statements
in that they determine the reported amounts and disclosures in the financial statements.
Other laws or regulations are to be complied with by management but these laws and regulations
do not have a direct effect on an entity's financial statements.

Key term
Non-compliance refers to acts of omission or commission by the entity, either intentional or
unintentional, which are contrary to the prevailing laws or regulations.

HKSA 250.11 Such acts include transactions entered into by the entity, or on its behalf by its management or
employees. It does not include personal misconduct. Non-compliances may result in financial
consequences, like fines and litigation and non-financial consequences, such as loss of reputation.

2.2 Responsibility of management and those charged with

governance
HKSA 250.3 It is management's responsibility, with the oversight of those charged with governance, to ensure
that the entity complies with the relevant laws and regulations.
The following policies and procedures, among others, may be implemented by management to
assist in the prevention and detection of non-compliance with laws and regulations.
(a) Monitor legal requirements and ensure that operating procedures are designed to meet
these requirements;
(b) Institute and operate appropriate systems of internal control including internal audit and
an audit committee;
(c) Develop, publicise and follow a code of conduct;
(d) Ensure employees are properly trained and understand the code of conduct;
(e) Monitor compliance with the code of conduct and act appropriately to discipline
employees who fail to comply with it;
(f) Engage legal advisers to assist in monitoring legal requirements; or
(g) Maintain a register of significant laws with which the entity has to comply within its
particular industry and a record of complaints.

HKSA 250.4- 2.3 Responsibility of the auditor

8, 10
As with fraud, the auditor is not, and cannot be held responsible for preventing and detecting non-
compliance. There is an unavoidable risk that some material misstatements in the financial
statements go undetected, even though the audit is properly planned and performed.

2.3.1 Categories of laws and regulations

HKSA 250 (Clarified) distinguishes the auditor's responsibilities in relation to compliance with two
different categories of law and regulation as follows:
(a) The provisions of those laws and regulations generally recognised to have a direct effect on
the determination of material amounts and disclosures in the financial statements
(b) Other laws and regulations that do not have a direct effect on the determination of the
amounts and disclosures in the financial statements, but compliance may be fundamental to
the business operations ie causing going concern problems or material penalties
For those which have a direct effect the auditor is required to obtain sufficient appropriate audit
evidence regarding compliance. For other laws and regulations the auditor is required to perform
procedures to help identify non-compliance (see section 2.3.4).

300
 10: Fraud and irregularities | Part D Assurance engagements

2.3.2 Obtaining an understanding of the entity and its environment

HKSA 250 (Clarified) requires the auditor to obtain a general understanding of:
(a) The legal and regulatory framework applicable to the entity, industry or the business
segment the entity operates
(b) How the entity is complying with that framework

2.3.3 Ways to obtain a general understanding of the legal and regulatory

framework
Auditors may use the following ways to obtain general understanding of the legal and regulatory
framework:
(a) Use the auditor's existing understanding of the entity's industry, regulatory and other
external factors
(b) Update the understanding of those laws and regulations that directly determine the
reported amounts and disclosures in the financial statements
(c) Inquire of management as to other laws or regulations that may be expected to have a
fundamental effect on the operations of the entity
(d) Inquire of management concerning the entity's policies and procedures regarding
compliance with laws and regulations
(e) Inquire of management the policies or procedures adopted for identifying, evaluating and
accounting for litigation claims

2.3.4 Objective of the auditors

Under HKSA 250 (Clarified), the objectives of the auditor are to:
(a) Obtain sufficient appropriate audit evidence regarding compliance with the provisions of
those laws and regulations generally recognised to have a direct effect on the determination
of material amounts and disclosures in the financial statements
(b) Perform specified audit procedures to help identify instances of non-compliance with other
laws and regulations that may have a material effect on the financial statements
(c) Respond appropriately to non-compliance or suspected non-compliance with laws and
regulations identified during the audit

2.3.5 Risks of material misstatement due to non-compliance with laws and

regulations
Certain factors will increase the risks of material misstatement due to non-compliance with laws
and regulations not being detected by the auditor.
(a) There are many laws and regulations, relating principally to the operating aspects of an
entity, that typically do not affect the financial statements and are not captured by the
entity's information systems relevant to financial reporting;
(b) Non-compliance may involve conduct designed to conceal it, such as collusion, forgery,
deliberate failure to record transactions, management override of controls or intentional
misrepresentations being made to the auditor; or
(c) Whether an act constitutes non-compliance is ultimately a matter for legal determination by a
court of law.
Laws and regulations governing a business entity can vary enormously. Whether an act constitutes
non-compliance is a legal matter that may be beyond the auditor's professional competence,
although the auditor may have a fair idea in many cases through his knowledge and training.
Ultimately such matters can only be decided by a court of law.

301
 Business Assurance

The further removed non-compliance is from the events and transactions normally reflected in the
financial statements, the less likely the auditor is to become aware of it or recognise non-
compliance.

2.3.6 Other laws and regulations

The auditor should recognise that certain other laws and regulations may have a fundamental
effect on the operations of the entity, ie they may cause the entity to cease operations or call into
question the entity's continuation as a going concern. For example, non-compliance with the
requirements of the entity's licence or other title to perform its operations could have such an
impact (for example, for a bank, non-compliance with capital or investment requirements).
The auditor must perform the following audit procedures to help identify instances of non-
compliance with other laws and regulations that may have a material effect on the financial
statements:
(a) Inquiring of management and, where appropriate, those charged with governance, as to
whether the entity is in compliance with such laws and regulations; and
(b) Inspecting correspondence, if any, with the relevant licensing or regulatory authorities.
The auditor must request written representations from management that all known instances of
non-compliance or suspected non-compliance with laws and regulations whose effects should be
considered when preparing the financial statements have been disclosed to the auditor.

2.4 Indications of non-compliance with laws and regulations

The auditor must remain alert throughout the audit to the possibility that other audit procedures
may bring instances of non-compliance or suspected non-compliance to the auditor's attention.
These audit procedures could include:
(a) Reading minutes;
(b) Making inquiries of management and in-house/external legal advisers regarding litigation,
claims and assessments; or
(c) Performing substantive tests of details of classes of transactions, account balances or
disclosures.
The following factors may indicate non-compliance with laws and regulations:
(a) Investigations by regulatory authorities and government departments;
(b) Payment of fines or penalties;
(c) Payments for unspecified services or loans to consultants, related parties, employees or
government employees;
(d) Sales commissions or agents' fees that appear excessive;
(e) Purchasing at prices significantly above/below market price;
(f) Unusual payments in cash;
(g) Unusual transactions with companies registered in tax havens;
(h) Payment for goods and services made to a country different to the one in which the goods
and services originated;
(i) Payments without proper exchange control documentation;
(j) Existence of an information system that fails to provide an adequate audit trail or sufficient
evidence;
(k) Unauthorised transactions or improperly recorded transactions; or
(l) Adverse media comment.

302
 10: Fraud and irregularities | Part D Assurance engagements

2.5 Audit procedures when non-compliance is identified or

suspected
HKSA If the auditor becomes aware of information concerning an instance of non-compliance or
250.18-21 suspected non-compliance with laws and regulations, the auditor shall obtain:
(a) An understanding of the nature of the act and the circumstances in which it has occurred
(b) Further information to evaluate the possible effect on the financial statements

2.5.1 Evaluation of the possible effect on the financial statements

Auditors should evaluate:
(a) The potential financial consequences of non-compliance with laws and regulations on the
financial statements whether fines, penalties or litigation claims
(b) Whether the potential financial consequences require disclosure
(c) Whether the seriousness of the potential financial consequences would affect the
presentation of the financial statements
The implications of non-compliance in relation to other aspects of the audit have to be evaluated.
The auditor should consider risk assessment, reliability of written representations, performance of
control activities and level of management or employees involved, especially when involving
highest authority within an entity.
When no remedial actions are taken by management and those charged with governance on the
non-compliances, auditors should consider withdrawal from the engagement and should consider
seeking legal advice first.

2.5.2 Insufficient information about suspected non-compliances

If the auditor suspects there may be non-compliance, the auditor must discuss the matter and the
findings with management and, where appropriate, those charged with governance.
The auditor must consider the need to obtain legal advice from entity's in-house legal counsel or
external legal counsel if sufficient information is not provided and the matter is material.
If it is not considered appropriate to consult with the entity's legal counsel or the auditor is not
satisfied with the opinion from the entity's legal counsel, the auditor may consider it appropriate to
consult the auditor's legal counsel.
Finally, if the auditor cannot obtain sufficient information about suspected non-compliances, the
auditor must evaluate the impact of the lack of sufficient appropriate audit evidence on the auditor's
opinion.

2.6 Communicating/reporting identified or suspected non-

compliance
HKSA The auditor shall communicate with those charged with governance, but if the auditor suspects that
250.25-28 those charged with governance are involved, the auditor shall communicate with the next higher
level of authority such as the audit committee or supervisory board. If this does not exist, the
auditor shall consider the need to obtain legal advice.
The auditor shall consider the impact on the auditor's report if he concludes that the non-
compliance has a material effect on the financial statements and has not been adequately reflected
or is prevented by management and those charged with governance from obtaining sufficient
appropriate audit evidence to evaluate whether non-compliance is material to the financial
statements. The auditor shall express a qualified opinion or disclaim an opinion on the financial
statements on the basis of a limitation on the scope of the audit under HKSA 705 (Revised).

303
 Business Assurance

The auditor shall determine whether identified or suspected non-compliance has to be reported to
the regulatory and enforcement authorities. Although the auditor must maintain the fundamental
principle of confidentiality, in some jurisdictions the duty of confidentiality may be overridden by
law or statute.

3 Following up illegal acts or fraud during the audit

Topic highlights
A firm of Certified Public Accountants must establish policies and procedures in order to meet its
responsibilities in relation to money laundering.

3.1 Ethical requirements

In December 2016, an appendix containing amendments to the Code of Ethics for Professional
Accountants was published which will become effective on 15 July 2017, although early adoption is
permitted. The Appendix describes the ethical requirements that must be met by a professional
accountant in public practice or business when responding to non-compliance with laws and
regulations (known as NOCLAR). NOCLAR was covered in detail in Chapter 4 of this Learning
Pack.

3.2 HKSA 240

HKSA Where the auditor becomes aware of a suspected or actual instance of fraud which could have a
240.40-43 material effect on the financial statements, he would:
(a) Consider whether the matter may be one that ought to be reported to a proper authority in
the public interest; and where this is the case
(b) Except when he is prohibited by law from informing any party other than the proper authority
or when the matter casts doubt on the integrity of those charged with governance, discuss
the matter with those charged with governance, including any audit committee

3.2.1 Duty to notify those charged with governance in writing

In respect of an identified suspected or actual instance of fraud which could have a material effect
on the financial statements, the auditor would make a report direct to a proper authority in the
public interest without delay and without informing those charged with governance in advance in
situations where:
(a) The auditor concludes that the matter ought to be reported to a proper authority in the
public interest
(b) The auditor is prohibited by law from informing any party other than the proper authority or
the matter casts doubt on the integrity of those charged with governance
An auditor who can demonstrate that he has acted reasonably and in good faith in informing an
authority of an instance of fraud which he thinks has been committed would not be held by the
court to be in breach of duty to the client even if, an investigation or prosecution having occurred,
it were found that there has been no offence.
An auditor may need to take legal advice before making a decision on whether the matter should
be reported to a proper authority in the public interest.
The implications of identified fraud depend on the circumstances. For example, an otherwise
insignificant fraud may be significant if it involves senior management. In such circumstances, the
reliability of evidence previously obtained may be called into question, since there may be doubts
about the completeness and truthfulness of representations made and about the genuineness of

304
 10: Fraud and irregularities | Part D Assurance engagements

accounting records and documentation. There may also be a possibility of collusion involving
employees, management or third parties.

3.3 HKSA 250 (Clarified)

HKSA The auditor shall obtain:
250.25-28
(a) An understanding of the nature of the act and the circumstances in which it has occurred
(b) Further information to evaluate the possible effect on the financial statements
The auditor shall evaluate the implications of non-compliance in relation to other aspects of the
audit, including the auditor's risk assessment and the reliability of written representations, and take
appropriate action.
The auditor may discuss the findings with those charged with governance where they may be able
to provide additional audit evidence.
The auditor may consider it appropriate to consult with the entity's in-house legal counsel or
external legal counsel about the application of the laws and regulations.
The auditor evaluates the implications of non-compliance in relation to other aspects of the audit,
including the auditor's risk assessment and the reliability of written representations.
The auditor may consider withdrawal from the engagement, where withdrawal is possible under
applicable law or regulation.
In some jurisdictions, the auditor of a financial institution has a statutory duty to report the
occurrence, or suspected occurrence, of non-compliance with laws and regulations to the
supervisory authorities.

3.4 Money laundering

In recent years accountants and auditors have become subject to anti-money laundering (AML)
regulations. This is largely due to the work of the inter-governmental body, the Financial Action
Task Force on Money-Laundering (FATF).
A firm of Certified Public Accountants must establish sound policies and procedures to ensure that the
firm meets its responsibilities under the relevant regulation in which the firm is operating. It is important
that everyone who is a member of an audit engagement team is aware of the regulations, the firm's
policies and procedures, and their own responsibilities regarding money laundering activities.

Key terms
Money laundering is a process by which criminals attempt to conceal the true origin and
ownership of the proceeds of criminal activities. It is a way in which money earned from criminal
activities ('dirty money') is transferred and transformed so it appears to have come from a
legitimate source ('clean money'). Money laundering includes a wide range of potential crimes
including possessing, dealing with, or concealing the proceeds of crime.

3.4.1 Money laundering activities and process

Money laundering activities could include the following:
 Acquiring, using or possessing the proceeds of criminal activities such as drug trafficking and
terrorist activities, or retaining control over the proceeds of tax evasion.
 Benefits obtained through bribery or corruption.
 Inciting, aiding, counselling or concealing such activities.

305
 Business Assurance

The three stages of the money laundering process are placement, layering and integration:
 Placement is putting money into financial products or instruments, including life policies,
pension arrangements, unit trusts, travellers cheques, and bank deposits.
 Layering is creating a series of transactions so that the original source of funds is
obscured and difficult to trace.
 Integration is converting the proceeds of money laundering into a legitimate form.

3.4.2 Accountants' actions related to money laundering

For accountants there are specific ways that they could commit offences relating to money
laundering. These could include the following:
 Handling the proceeds of criminal activity, or advising on the use of such proceeds.
 Failure to report knowledge or suspicion of money laundering activities to the appropriate
authority.
 Making a disclosure which is likely to prejudice an investigation into money laundering
(known as 'tipping off').
 Failure to comply with the specific regulatory requirements in relation to money laundering in
the jurisdiction in which the accountant is operating.

3.4.3 Policies and procedures related to money laundering

The policies and procedures that a firm of Certified Public Accountants should establish in order to
meet its responsibilities in relation to money laundering are described below:
(a) Appointment of a Money Laundering Reporting Officer (MLRO)
The MLRO is a nominated officer who is responsible for receiving and evaluating reports of
suspected money laundering from colleagues within the firm, and making a decision as to
whether further inquiry is required and if necessary making reports to the appropriate
external body. The MLRO should have an appropriate level of seniority and experience and
would usually be a senior partner.
(b) Customer identification procedures
This is often referred to as customer due diligence (CDD), or 'know your client' (KYC)
procedures.
The point of these procedures is to ensure that the firm has verified the identity of clients
(whether the client is an individual or an entity), and has obtained evidence of that identity.
For an individual, typical evidence of identity would be a passport, driving licence, and
evidence of address such as a utility bill. For an entity evidence may include a certificate of
incorporation. The identification process for an entity would also involve identification of key
management personnel and those people in control of the entity, and an assessment as to
whether any connected individuals are politically exposed persons (PEP).
(c) Enhanced record keeping
Records must be kept of clients' identity, the firm's business relationship with them, and
details of transactions with the client. All records should be kept for five years after the end of
the business relationship or completion of the transactions. Internal and external reports
made in connection to money laundering should also be securely kept for five years.
(d) Communication and training
All relevant employees should receive training so that they are aware of the main provisions
of money laundering regulations, and so that they know how to recognise and deal with
activities which may be money laundering. The training programme should be offered to all
members of the firm with an involvement in audit engagements. Training should also be
provided on the firm's internal policies and procedures with relation to money laundering.
In particular, all staff should be aware of appropriate lines of communication, and who they

306
 10: Fraud and irregularities | Part D Assurance engagements

should report suspicions of money laundering activities to. Training should be considered for
all staff, including support staff who do not carry out an advisory role.
(e) Internal controls, risk assessment, management and monitoring
The firm should establish systems and controls to effectively manage the risk that the firm is
exposed to in terms of money laundering activities. This could include:
 Client screening procedures to minimise the risk of taking on a new client with a high
risk of money laundering activities.
 Systems and controls to ensure that training is taken/attended and understood by all
relevant employees.
 Systems that allow periodic testing that the firms' policies and procedures comply with
legislative and regulatory requirements.
All of the above contribute to the acceptance and following of firm-wide practices by all relevant
individuals and can be seen as quality control measures.
3.4.4 Money laundering in Hong Kong
The Financial Action Task Force (FATF), the international AML standard-setter, completed an
evaluation on Hong Kong's AML regime in 2008 and concluded inter alia that we should provide
statutory backing and appropriate sanctions for customer due diligence (CDD) and record-keeping
requirements for financial institutions, and put into place an AML regulatory framework for
remittance agents and money changers.
At present, the requirements on CDD and record keeping by financial institutions are implemented
mainly through guidelines issued by the Monetary Authority (MA), the Securities and Futures
Commission (SFC) and the Insurance Authority (IA) respectively. Hong Kong is required by FATF
to implement improvement measures to address these deficiencies. Failure to do so will result in
enhanced scrutiny by FATF and could subject Hong Kong to counter measures by other FATF
members, which would hinder our development as an international financial centre.
In October 2012, the FATF recognised that Hong Kong had made significant progress in
addressing the deficiencies identified in the 2008 Mutual Evaluation Report. The FATF agreed that
Hong Kong should now report on any further improvements to its Anti-Money
Laundering/Combating the Financing of Terrorism (AML/CFT) system on a biennial update basis.

3.4.5 The Anti-Money Laundering and Counter-Terrorist Financing (Financial

Institutions) Ordinance
The Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance ('the
Ordinance') was gazetted on 8 July 2011. The Ordinance came into effect on
1 April 2012. The Ordinance provides for the imposition of requirements relating to customer due
diligence and record-keeping on specified financial institutions, and provides for the powers of the
relevant authorities.
The Ordinance seeks to improve Hong Kong's anti-money laundering regime by better alignment of
the financial sector with prevailing international standards.
The major proposals adopted by the Ordinance include the following:
(a) Codifying the customer due diligence requirements, which refer to the measures enabling
financial institutions to establish the identity of each customer, and record-keeping
requirements in line with the prevailing international standards as promulgated by the FATF
(b) Subjecting specified financial institutions, namely banks and deposit-taking companies
(collectively referred to as authorised institutions), licensed corporations in the securities
sector, authorised insurers, appointed insurance agents, authorised insurance brokers,
money service operators and the Postmaster General to the statutory requirements provided
in the new legislation

307
 Business Assurance

(c) Empowering the Monetary Authority (MA), the Securities and Futures Commission (SFC),
the Insurance Authority (IA) and the Customs and Excise Department (C&ED) as the
respective relevant authorities to supervise compliance with the statutory requirements by
the specified financial institutions
(d) Providing for supervisory and criminal sanctions for contravention of the statutory customer
due diligence and record-keeping requirements
(e) Putting in place a licensing regime for money service operators to be administered by C&ED
(f) Establishing an independent review tribunal to review decisions made by the relevant
authorities to impose supervisory sanctions and decisions related to money service operator
licensing matters
The statutory customer due diligence and record-keeping requirements largely reflect the existing
requirements set out in the administrative guidelines issued by MA, SFC and IA.
Provision of criminal sanctions in addition to supervisory sanctions will ensure that Hong Kong has
an effective AML regime. Many jurisdictions, including the UK, the US, Singapore, Italy and Norway,
have provided for criminal offences under their AML legislation in dealing with breaches of CDD
and record-keeping requirements.

308
 10: Fraud and irregularities | Part D Assurance engagements

Topic recap

Attitude of RISK ASSESSMENT

professional PROCEDURES
scepticism

RISK OF RISK OF MONEY

RISK OF FRAUD
NON-COMPLIANCE LAUNDERING
WITH LAWS
AND REGULATIONS

Auditor's • Client screening

Intentional Sufficient Appropriate Theft
understanding • Appoint MLRO
misstatements
and responsibility • Risk indicators
• Types of offence
• Tipping off

Search for
indication of
Management Auditor Risk Responses Reporting non-compliance
responsibilities responsibilities assessment
procedures

Action on
discovery of
Presumed risk non-compliance
of fraud in
revenue recognition

309
 Business Assurance

Answer to self-test question

Answer 1
(a) The possible impacts of Tom's activities on the financial statements of XXXX Ltd for the year
ended 31 December 20X6 are as follows:
 XXXX Ltd's bank and cash were misappropriated via the payments to ten fictitious
employees.
 Staff costs are overstated, and, therefore, XXXX Ltd's overall expenditure. XXXX Ltd's
profit is understated.
 Staff benefits or staff-related costs/deductions are overstated, eg employees'
insurance and severance payment provisions.
 If staff costs are capitalised in inventories or other forms of assets (eg development
expenditure), the reported amount of those assets is overstated.
 In cases where XXXX Ltd has cost-plus contracts with its customers (ie cost-
reimbursement plus margin arrangement), an overstatement of staff costs may
overstate the amount of revenue (reimbursement from customers).
 A contingent liability may arise due to a possible breach of contract if one of the
purposes of overstating the headcount is to fulfil contract requirements (eg headcount
requirements as set out in contracts with the Government).
 There may be a going concern issue due to the violation of contractual requirements
and other regulations for XXXX Ltd to carry on operating (and winning contracts) in the
public sector outsourcing market.
 TUV & Co's risk assessment at the financial statement level (as low) may not be
appropriate as the internal controls of XXXX Ltd on its payroll may be weak or subject
to management manipulation. This could cause material misstatements in other
aspects of XXXX Ltd's financial statements to exist.
(b) Before the discovery of Tom's activities, TUV & Co had assessed the risk of material
misstatement due to fraud at the financial statement level as low after performing the specific
risk assessment procedures as required by HKSA 240.
Tom's activities indicate there are weaknesses in how those charged with governance
exercise oversight of management processes for identifying and responding to the risks of
fraud in the entity and also weaknesses in the overall control environment.
As the HR Manager of XXXX Ltd, Tom holds a senior position. Management override of
controls exists.
TUV & Co should also consider whether or not there is any evidence suggesting the
susceptibility of XXXX Ltd to management fraud and the competence and integrity of
management.
The insertion of fictitious employees into the payroll indicates a lack of controls in XXXX Ltd's
payroll and cheque payment procedures. The internal controls that management has
established to mitigate these risks are proved to be ineffective.
Depending on the pervasiveness of the audit evidence, TUV & Co may need to revise its
assessment of the risk of material misstatement at the financial statement level to medium or
high.

310
 10: Fraud and irregularities | Part D Assurance engagements

If TUV & Co obtains evidence indicating that the misappropriation of assets (pay cheques) is
restricted to Tom for the last three months of the year ended 31 December 20X6 and if the
amount of cash misappropriated is material to XXXX Ltd, TUV & Co may need to revise its
assessment of the risk of material misstatement of the occurrence of staff costs and the
existence of bank and cash to medium or high.
TUV & Co may also need to assess the risk of material misstatement of the completeness
assertion of staff costs and bank & cash (due to possible misappropriation of cheques or
cash by Tom to genuine employees) as medium or high. [Some candidates may argue that
the payment to fictitious employees is based on payroll records which are false. Therefore,
the controls in bank & cash may well be effective, but the controls in payroll records had
broken down so that Tom could create fictitious employees and working/attendance records.]
According to HKSA 330, TUV & Co's responses to address the assessed risks of material
misstatement due to fraud at the assertion level should include changing the nature, timing,
and extent of audit procedures.
Changing the nature of audit procedures
As the key risks include the existence of employees, the occurrence of staff costs and the
existence and completeness of bank and cash, substantive procedures may become more
important, eg physical verification meetings with individual employees, physical observation
of pay cheque distribution, matching the payroll to personnel files and vouching clock cards
or time sheets.
Without Tom's activities, TUV & Co may rely on the internal controls of XXXX Ltd and carry
out more tests of controls in the payroll and pay cheque procedures.
Changing the timing of audit procedures
In some cases, audit work at an interim date can make the year end audit more effective.
However, Tom's activities took place during the last three months of the year ended
31 December 20X6, and any audit conclusions reached based on audit procedures
completed at an interim date may not be extended to the year end.
Therefore, it is not effective to carry out any substantial amount of audit work at an interim
date.
Changing the extent of audit procedures
TUV & Co may increase sample sizes when performing tests of details eg physical
verification meetings with individual employees, physical observation of pay cheque
distribution, matching payroll to personnel files and vouching clock cards or time sheets.
TUV & Co may perform analytical procedures at a more detailed level, eg comparison of
wages and salaries, MPF, staff-related costs/deductions of different periods, and among
different shifts, product lines and factories. Without Tom's activities, TUV & Co may perform
these analytical procedures at the company level only.

Answer 2
(a) The three key characteristics of fraud are:
(i) Incentive or pressure to commit fraud – management is under pressure to achieve
unfeasible earnings or aggressive budget
(ii) Opportunity to commit fraud – management has the ability to override an internal
control without detection
(iii) Rationalisation of committing a fraudulent act – individual may possess an attitude or
character that allows them knowingly and intentionally to commit a dishonest act

311
 Business Assurance

(b) The risk of both management fraud and employee fraud is low. This is because:
 Low incentive or pressure for management to commit fraud as the key management
are also the owners of the company.
 Management is less focused on share price appreciation and publicity but more on the
profitability of the company.
 The board usually sets achievable budget; the incentive and pressure for employees
to commit fraud greatly depends on the linkage of meeting the budget and employees'
remunerations.
 Since meeting the financial budget is not the only criterion in assessing employees'
performance because other key performance indicators ("KPIs") count, there is less
risk for employees to manipulate the financial results.
 Low opportunity for employees to commit fraud as the CE and the executive director
are heavily involved in the daily operation.
 They exercise strong controls in the day-to-day operations, including monitoring
controls eg business performance review on a weekly basis, and transaction level
controls eg reviewing and approving all sales and purchase transactions.
 Management set strong tone at the top and emphasizes ethical behaviour which helps
cultivate employee a positive attitude to honest act and give less rationalization for
employees to commit any fraudulent act.

312
 10: Fraud and irregularities | Part D Assurance engagements

Exam practice

ABC Limited 36 minutes

ABC Limited ('ABC') is a company incorporated in Hong Kong. ABC's business was very
successful during the period 20X5-X8, and most of its customers are financial institutions based in
the US. Mr Kwok is a CPA (Practising) and has just started planning the audit of ABC's financial
statements for the year ended 30 June 20X9. Ms. Chan, the Chief Executive of ABC, has
discussed the following matters with Mr. Kwok:
(1) Notwithstanding the recent US sub-prime mortgage crisis, Ms. Chan does not think
customers in the US will have any difficulties in settling trade debts. However, a general
allowance at 1% of the outstanding balances has been maintained as a contingency reserve
against losses from irrecoverable and doubtful receivables.
(2) Ms. Chan provides certain figures from ABC's accounting records to Mr. Kwok as follows:
Unaudited Audited
Year ended 30 Jun 20X9 Year ended 30 Jun 20X8
$'million $'million
Trade receivables from customers in the US 27 20
Trade receivables from other customers 6 5
Total trade receivables 33 25

$'million $'million
Sales to customers in the US 110 100
Sales to other customers 55 50
Total sales 165 150
(3) Ms. Chan expects ABC to be ready for listing on the Hong Kong Stock Exchange in the near
future in order to stay competitive.
(4) Ms. Chan explains that ABC has recently changed the remuneration package for senior
managerial staff linking it more directly to ABC's sales.
(5) Ms. Chan explains that ABC has recently established an affiliated entity in the US to provide
certain support services for ABC's main products.
Required
(a) Define the auditor's responsibility towards the risks of fraud in financial statements.
(3 marks)
(b) Define fraud risk factors and describe the three conditions that are generally present when
fraud exists. (3 marks)
(c) Explain four main fraud risk factors identified from the audit of ABC's financial statements for
the year ended 30 June 20X9. (8 marks)
(d) Explain how, as part of the audit of ABC's financial statements, Mr. Kwok may identify any
unusual or unexpected relationships amongst the figures provided by Ms. Chan (point (2)
above) that may indicate risks of material misstatement due to fraud. (6 marks)

(Total = 20 marks)
HKICPA May 2009

313
 Business Assurance

T&F Limited 29 minutes

Trading & Factory Limited ('T&F') has been producing and selling outdoor furniture and garden
ornaments to North America for about ten years. T&F's founder, Mr. Lee, has occupied the roles of
Chairman and Chief Executive for three years, and has largely dominated its board of directors.
T&F struggled financially during 20X8-X9, but it has managed to survive through the recession and
has recently presented the unaudited management accounts for the year ended 31 December
20Y0 to its auditor. Extracted below are certain key financials for the years 20X9 and 20Y0.
Extracts from Extracts from
unaudited management accounts audited financial statements
for the year ended for the year ended
31 December 20Y0 31 December 20X9
HK$'000 HK$'000
Sales 482,100 254,300
Gross margin 30% 29%
Net profit before tax 98,100 16,200
Current ratio 0.9 1.2
Following the recent revival in performance, Mr. Lee has expressed T&F's desire to go for a listing
within a year or two.
Due to the lack of financial expertise on the board and without a separate audit committee, T&F's
board has been relying on the management letter from its auditor to monitor the operating
effectiveness of its internal controls.
Required
(a) Explain the auditor's responsibilities for the prevention and detection of fraud in financial
statements and describe the three pre-requisites generally present when a fraud takes place.
(6 marks)
(b) Identify and explain three fraud risk factors (other than any weaknesses in T&F's corporate
governance) from the perspective of T&F's auditor. (10 marks)
(Total = 16 marks)
HKICPA June 2011

314
chapter 11

Internal control and tests of

controls
Topic list

1 Internal control systems 4 Internal controls in a computerised

1.1 Control environment environment
1.2 Entity's risk assessment process 4.1 General controls
1.3 Information system relevant to financial 4.2 Application controls
reporting 4.3 Documentation
1.4 Control activities 4.4 Testing of automated controls
1.5 Monitoring of controls 5 Communicating deficiencies in internal
1.6 Controls for significant risks control
1.7 Limitations of accounting and control 5.1 Meaning of deficiencies
systems 5.2 Requirement of auditor
2 The use of internal control systems by 5.3 Action taken by management and those
auditors charged with governance
2.1 Recording accounting and control
systems
3 Tests of controls
3.1 Confirming understanding
3.2 When to perform tests of controls
3.3 Reliance on evidence obtained in prior
periods
3.4 Increase the extent of tests of controls
3.5 Evaluating the operating effectiveness of
controls

Learning focus

Auditors should evaluate the internal control system in order to determine whether to rely on
the entity's internal controls in order to reduce the level of substantive testing.

315
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.09 Audit procedures 3
2.09.05 Explain the importance of internal control to auditors and the
execution of tests of control
2.09.06 Explain how auditors identify weaknesses in internal control
systems and how those weaknesses limit the extent of auditors'
reliance on those systems
2.10 Audit evidence 3
2.10.04 Explain the need to modify the audit strategy and audit plan
following the results of tests of control
2.13 Reporting 3
2.13.01 Discuss and provide examples of how the reporting of internal
control weaknesses and recommendations to overcome those
weaknesses are provided to management
4.02 Categories and types of controls 3
4.02.01 State examples of controls in a computerised system
4.02.02 Define and give examples of general and application controls

316
 11: Internal control and tests of controls | Part D Assurance engagements

1 Internal control systems

Topic highlights
The auditors must understand the accounting system and control environment in order to
determine their audit approach.

Key term
Internal control is the process designed, implemented and maintained by those charged with
governance, management, and other personnel to provide reasonable assurance about the
HKSA 315.4c
achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness
and efficiency of operations and compliance with applicable laws and regulations.

HKSA 315 (Revised 2016) Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and its Environment deals with the whole area of controls.
Internal control has five elements:
 The control environment
 The entity's risk assessment process
 The information system relevant to financial reporting
 Control activities
 Monitoring of controls
HKSA 315 (Revised 2016) requires that the auditor shall obtain an understanding of internal
controls relevant to the audit. Most controls relevant to the audit are likely to relate to financial
reporting but there might be controls relevant to operations and compliances objectives. It is a
matter of the auditor's professional judgment whether a control, individually or in combination with
others, is relevant to the audit.
In obtaining an understanding of internal control, the auditor must understand and evaluate the
design of the internal control (ie is it capable of preventing, detecting and correcting material
misstatements?) and the implementation of that control (ie has it been operated correctly in that
year?) by performing procedures in addition to inquiry of the entity's personnel. In the following sub-
sections, we look at each of the elements of internal control in turn.

1.1 Control environment

Key term
The control environment is the framework within which operational controls operate. Its
effectiveness is very much determined by management's attitudes, awareness of risk and actions
and the importance placed on internal control within the entity.

1.1.1 Effect of control environment on auditor's risk assessment

HKSA 315.14 The control environment sets the tone for an organisation. It provides discipline and structure and
strongly influences the control consciousness of the people within the organisation. A strong control
environment, supported by a clear and effectively communicated commitment from senior
management influences the auditor's assessment of the effectiveness of other controls.

317
 Business Assurance

It does not, on its own, guarantee the effectiveness of the overall control system, but reduces the
risks of material misstatement. A weak control environment can undermine the effectiveness of
specific operational controls.
Controls are more likely to operate well in an environment where they are regarded as being of
importance, that is, in entities where the ethos is set at the most senior levels of the company that
honest and transparent behaviour is paramount and deviations from ethical practice will not be
accepted. The responsibility for individual areas is then cascaded down through tiers of
management in the form of operational controls. The auditors, will perform procedures to ascertain
whether certain controls exist and are routinely adhered to. For example, the auditor may check
that a particular payment has been made to a supplier on an approved list.
HKSA 315 (Revised 2016) states that auditors must understand an entity's control environment.
The types of check described above are relatively easy to perform as walk-through tests but
auditors must also use observation and inquiry to assess whether:
 Management, with the oversight of those charged with governance, has created and
maintains a culture of honesty and ethical behaviour
 The strengths in the control environment provide an adequate foundation for the other
elements of internal control and whether those elements are weakened by deficiencies in the
control environment
The following table illustrates this:

Control environment
Management's integrity  Essential elements which influence the effectiveness of the
and ethical values design, administration and monitoring of controls; and
 Overall attitude, awareness and actions of management on
the internal control system
Commitment to  Management's assessment of the competency levels for
competence particular roles and how those levels translate into requisite
skills and knowledge
Participation by those  Independence from management
charged with  Experience and stature
governance
 Extent of involvement and scrutiny of activities
 Type of difficult questions resolved in between internal and
external auditors
 Whether they understand the entity's business transactions
Management's  Approach to taking and managing business risks
philosophy and  Attitudes and actions towards financial reporting
operating style
 Attitudes towards information processing and accounting
functions and personnel
Organisational The framework within which an entity's activities for achieving its
structure objectives are planned, executed, controlled and reviewed
(including segregation of duties, job rotation and so on)
Assignment of authority How authority and responsibility for business activities are
and responsibility allocated and how reporting lines and authorisation controls are
organised
Human resource How recruitment, induction, training, performance monitoring and
policies and practices career progression plans, work place counselling, remuneration,
and grievance and discipline matters are conducted

Finally, the auditor should form a conclusion as to whether the control environment is strong or
weak.

318
 11: Internal control and tests of controls | Part D Assurance engagements

1.2 Entity's risk assessment process

HKSA 315.15 HKSA 315 (Revised 2016) says that the auditor must understand and evaluate the internal
processes of an entity for the following:
 Identification of the business risks which may affect financial reporting objectives
 Estimating their significance
 Assessing their likelihood
 Responding effectively to the issues identified.
The entity's risk assessment process assists the auditor in identifying risks of material
misstatement. If the auditor believes the process fails to reflect the risk position of the entity, the
auditor then evaluates whether this is because of any serious weakness in internal control.
If there is no process for risk identification in place at all, the auditor should discuss with
management whether the business risks relevant to the financial reporting objectives have been
assessed and addressed appropriately. The auditor shall evaluate whether the absence of a
documented risk assessment process is appropriate in the circumstances, or determine whether it
represents a significant deficiency in overall internal control.

1.3 Information system relevant to financial reporting

Key term
The information system relevant to financial reporting is a component of internal control that
includes the financial reporting system, and consists of the procedures and records established to
initiate, record, process and report entity transactions (as well as events and conditions) and to
maintain accountability for the related assets, liabilities and equity.

HKSA The auditor must obtain an understanding of the information system relevant to financial reporting
315.18-19 objectives, and the following in particular:
(a) The classes of transactions in the entity's operations that are of most significance to the
financial statements
(b) The procedures, within both computerised and manual systems, by which those transactions
are initiated, recorded, processed, corrected, and transferred to the general ledger and
reported in the financial statements
(c) The underlying accounting records, supporting information, and specific accounts in the
financial statements, in respect of initiating, recording, processing and reporting transactions
(d) How the information system records events and conditions, other than transactions, that are
significant to the financial statements
(e) The financial reporting process used to prepare the entity's financial statements, including
significant accounting estimates and disclosures
(f) Controls surrounding journal entries, including non-standard journal entries used to record
unusual one-off transactions or adjustments
The auditor should also obtain an understanding of how the entity communicates financial
reporting roles and responsibilities and significant matters relating to financial reporting to
management and those charged with governance or regulatory authorities.

319
 Business Assurance

1.4 Control activities

Key term
Control activities are the policies and procedures that help ensure that management directives
are carried out.

HKSA HKSA 315 (Revised 2016) states that the auditor shall obtain an understanding of control activities
315.20-21 relevant to the audit. This includes an understanding of how the entity has responded to risks
arising from IT. By relevant the standard means those the auditor deems it necessary to
understand in order to assess the risks of material misstatement at the assertion level, and which
are necessary to design further audit procedures responsive to the assessed risks.
Control activities that are relevant to the audit are:
(a) Control activities that relate to significant risks or relate to risks for which substantive
procedures alone do not provide sufficient appropriate audit evidence; or
(b) Those that are considered to be relevant in the judgment of the auditor.
Examples include activities relating to authorisation, information processing, performance reviews,
physical controls and segregation of duties.

Examples of control activities

Authorisation  Transactions should be approved by an appropriate person. For
example, overtime should be approved by departmental managers
Information  General IT controls – policies and procedures that relate to many
processing applications such as program change controls
 Application controls – applying to the processing of individual
applications
Performance  Reviews and analyses of actual performance versus budgets,
review forecasts
 Comparing different sets of data by analysing of the relationships
and investigate the difference
 Comparing internal data with external sources of information
 Review of functional or activity performance
Physical  Physical security of assets for prevention of theft of assets
controls
 Authorisation for access to computer programs and data files
 Periodic counting and comparison with amounts shown on control
records

320
 11: Internal control and tests of controls | Part D Assurance engagements

Examples of control activities

Segregation  Segregation implies a number of people being involved in the
of duties accounting process
 Segregation of function. The key functions that should be
segregated are the carrying out of a transaction, recording that
transaction in the accounting records and maintaining custody of
assets that arise from the transaction
 The various steps in carrying out the transaction should also be
segregated

1.5 Monitoring of controls

Key term
Monitoring of controls is a process to assess the effectiveness of internal control performance
over time. It involves assessing the effectiveness of controls on a timely basis and taking
necessary remedial actions.

HKSA HKSA 315 (Revised 2016) requires that the auditor shall obtain an understanding of the major
315.22-24 activities that the entity uses to monitor internal control over financial reporting, including those
related to the control activities relevant to the audit, and how the entity initiates corrective actions to
deficiencies in its controls. The entity will use ongoing monitoring activities that are often built
into the entity's routine operations, including regular management and supervisory activities or
separate evaluations or a combination of the two.
Monitoring control is also used to ensure that controls continue to operate effectively over time.
If the entity has an internal audit function, the auditor shall assess whether the internal audit
function is relevant to the audit through obtaining an understanding of the nature of its
responsibilities and how the internal audit function fits in the organisational structure, and the
activities performed/to be performed.
The auditor shall also obtain an understanding of the sources of the information used in the
monitoring activities and the basis on which management considers it reliable.
Some of the monitoring controls are:
 Supervision of others – checking by others
 Comparison of actual performance to budgets and analysis of the variances
 Relationship of financial or operational data – sensitivity analysis
 Ratio analysis
 Review reconciliations
 Internal audit function's evaluation

1.6 Controls for significant risks

HKSA 315.29 HKSA 315 (Revised 2016) requires that if the auditor has determined that a significant risk exists,
the auditor shall obtain an understanding of the entity's controls relevant to these significant risks.
Auditors should consider whether management has specifically responded to these significant risks
by:
 Implementing control activities such as a review of assumptions by experts or senior
management
 Documenting the processes for estimation
 Approval by those charged with governance

321
 Business Assurance

Be aware, any failure by management to implement controls to significant risk is an indicator of a

significant deficiency in internal control.

1.7 Limitations of accounting and control systems

An internal control system can provide reasonable assurance but not absolute assurance that the
objectives are reached, because there are inherent limitations.
(a) The costs of control not outweighing their benefits
(b) The potential for human error
(c) Collusion between employees
(d) The possibility of controls being by-passed or overridden by management
(e) Controls being designed to cope with routine but not unusual transactions
These limitations indicate why auditors are unable to obtain all their audit evidence from tests of the
systems of internal control. Human error and potential for fraud are the most serious challenges
to any internal control system, as any system is only as reliable as the people who operate it. An
entity may be sensitive to the warning signs and can encourage good working practices such as
segregation of duties and rotation of staff, ensuring all holiday is taken and so on. However, if
employees decide to commit frauds by collusion, or management commit frauds by overriding
systems, they probably do so in the knowledge that they can manipulate the accounting system to
conceal their fraudulent activity.

Self-test question 1
Peace Limited discovered that some bank balances of its factory in the Mainland was unaccounted
for and a finance manager was suspected to have been involved. The loss has been reported to
the local police. The police were trying to locate the finance manager. Initial findings of the
investigation indicated that the loss amount was approximately HK$20 million.
Peace Limited's management investigated the cause and nature of the loss of funds in the factory
and identified that the finance manager stole the company chop and issued a few cheques to
withdraw money from Peace Limited's bank account to his personal bank account. Then, the
finance manager removed these transactions from the bank statements downloaded from the
internet banking facility before sending them to the head office in Hong Kong.
Required
(a) Identify the possible internal control deficiencies relating to the misappropriation of funds by
the finance manager. (4 marks)
(b) Suggest the relevant control activities management should have implemented to address the
deficiencies identified. (7 marks)
(Total = 11 marks)
HKICPA June 2013 (amended)
(The answer is at the end of the chapter)

322
 11: Internal control and tests of controls | Part D Assurance engagements

2 The use of internal control systems by auditors

Topic highlights
The auditors shall assess the adequacy of the systems as a basis for the financial statements and
shall identify risks of material misstatements to provide a basis for designing and performing
further audit procedures.

Auditors are only concerned with assessing policies and procedures which are relevant to the
financial statements. Auditors shall:
 Assess the adequacy of the accounting system as a basis for preparing the financial
statements
 Identify the types of potential misstatements that could occur in the financial statements
 Consider factors that affect the risk of misstatements
 Design appropriate audit procedures
The assessment of the controls of an entity will have an impact on that risk assessment.
Risks arising from poor control environments are unlikely to be confined to particular assertions
in the financial statements, and, if severe, may even raise questions about whether the financial
statements are capable of being audited, that is, if control risk is so high that audit risk cannot be
reduced to an acceptable level.
On the other hand, some control procedures may be closely connected to an assertion in the
financial statements, for example, controls over the inventory count are closely connected with the
existence and completeness of inventory in the financial statements.
There may be occasions where substantive procedures alone are not sufficient to address the risks
arising. Where such risks exist, auditors shall evaluate the design and determine the
implementation of the controls, that is by controls testing. This is most likely to be the case in a
system which is highly computerised and which does not require much manual intervention.

2.1 Recording accounting and control systems

Topic highlights
The auditors must keep a record of the entity's systems which must be updated each year. This
can be done through the use of narrative notes, flowcharts, questionnaires or checklists.

There are several techniques for recording the assessment of control risk, that is, the system. One
or more of the following may be used depending on the complexity of the system:
 Narrative notes
 Flowcharts
 Questionnaires
 Checklists
Whatever method of recording is used, the record will usually be retained on the permanent file and
updated each year. We will look at the use of questionnaires in a little more detail here. There are
two types, each with a different purpose:

323
 Business Assurance

 Internal Control Questionnaires (ICQs) are used to ask whether controls exist which meet
specific control objectives. Although there are many different forms of ICQ in practice, they
all conform to the following basic principles:
(a) They comprise of a list of questions designed to determine whether desirable controls
are present
(b) They are formulated so that there is one to cover each of the major transaction cycles
Since it is the primary purpose of an ICQ to evaluate the system rather than to describe it,
one of the most effective ways of designing the questionnaire is to phrase the question so
that all the answers can be given as 'YES' or 'NO' with a 'NO' answer indicating a deficiency
in the system.

Example
Are purchase invoices checked to goods received notes before being passed for payment?
YES/NO/COMMENT
A 'NO' answer to the question clearly indicates a deficiency in the company's payment procedures.
 Internal Control Evaluation Questionnaires (ICEQs) are used to determine whether there
are controls which prevent or detect specified errors or omissions. This is achieved by
reducing the control criteria for each transaction stream down to a handful of key questions
(or control questions). The characteristic of these questions is that they concentrate on the
significant errors or omissions that could occur at each phase of the appropriate cycle if
controls are deficient.

Example
Is there reasonable assurance that:
Receipt of goods or services is required in order to establish a liability?
Each key control question is supported by detailed points to be considered.

Example
Is segregation of duties satisfactory?
Are controls over relevant master files satisfactory?
Is there a record that all goods received have been checked for weight or number and quality and
damage?

324
 11: Internal control and tests of controls | Part D Assurance engagements

3 Tests of controls

Topic highlights
If the auditors believe the system of controls is strong, they may choose to test controls to assess
whether they can rely on the controls having operated effectively.

Key term
Tests of controls are the audit procedures designed to evaluate the operating effectiveness of
HKSA 330.4b controls in preventing, or detecting and correcting, material misstatements at the assertion level.

3.1 Confirming understanding

In order to confirm their understanding of the control systems, auditors will often carry out walk-
through tests. This is where they pick up a transaction and follow it through the system to see
whether all the key controls identified during inquiry of relevant parties were in operation with
regard to that transaction.
For any material deficiencies in the internal control system, the auditor must communicate to:
 Those charged with governance
 Management of an appropriate level of responsibility

3.2 When to perform tests of controls

HKSA 330.10 Under HKSA 330 The Auditor's Responses to Assessed Risks, tests of controls are tests
performed to obtain audit evidence about the effectiveness of the:
 Design of the accounting and internal control systems as documented during the risk
assessment process, ie whether they are suitably designed to prevent, or detect and correct,
material misstatement at the assertion level
 Operation of the internal controls identified throughout the period of intended reliance
Auditors should consider the following to obtain audit evidence about the operating effectiveness of
the controls:
 How controls were applied
 The consistency with which they were applied during the period
 By whom and by what means they were applied

325
 Business Assurance

When should auditors perform tests of controls?

When auditor's risk assessment When substantive procedures alone do

includes an expectation of the not provide sufficient appropriate audit
operating effectiveness of control, the evidence, the auditor is required to
auditor is required to test those controls perform tests of controls to obtain audit
to support the risk assessment. evidence about their operating
effectiveness.

3.2.1 Auditor's responsibility for tests of controls

The auditor should identify and assess the risks of material misstatements at the financial
statement level and at the assertion level for classes of transactions, account balances and
disclosures.
The auditor should determine risks that require special audit consideration and consider whether
the controls are implemented.
If it is not possible or practicable to reduce the risks of material misstatement at the financial
statement level to an acceptably low level with audit evidence obtained by substantive testing, then
the auditor should evaluate the design and implementation of the entity's controls.
For some circumstances, it may be necessary to obtain audit evidence supporting the effective
operation of indirect controls ie reviewing exception reports or reviewing controls over the
accuracy of the information in the reports.

3.2.2 Methods to perform tests of controls

HKSA 330 requires that, in designing and performing tests of controls, the auditor shall perform
other audit procedures such as the following to obtain audit evidence about the operating
effectiveness of the controls.
Other audit procedures may include:
(a) Inspection of documents supporting controls or events to gain audit evidence that internal
controls have operated properly, e.g. verifying that a transaction has been authorised

(b) Inquiries about internal controls which leave no audit trail, eg determining who actually
performs each function not merely who is supposed to perform it

(c) Reperformance of control procedures, eg reconciliation of bank accounts, to ensure they

were correctly performed by the entity

(d) Examination of evidence of management views, eg minutes of management meetings

(e) Testing of internal controls operating on computerised systems or over the overall IT
function, e.g. access controls

(f) Observation of controls to consider the manner in which the control is being operated
Deviations in the operation of controls (caused by change of staff or similar) may increase control
risk and tests of controls may need to be modified to confirm effective operation during and after
any change.
The use of computer-assisted audit techniques (CAATs) may be appropriate and these are
discussed in detail in Chapter 20.

326
 11: Internal control and tests of controls | Part D Assurance engagements

In a continuing engagement, the auditor will be aware of the accounting and internal control
systems through work carried out previously but will need to update the knowledge gained and
consider the need to obtain further audit evidence of any changes in control.

3.3 Reliance on evidence obtained in prior periods

HKSA The auditor performs audit procedures to establish the continuing relevance of audit evidence
330.13-15 obtained in prior periods when the auditor plans to use the audit evidence in the current period.
In determining whether it is appropriate to use audit evidence about the operating effectiveness of
controls obtained in previous audits, the auditor shall consider the following:
(a) The effectiveness of other elements of internal control, including the control environment, the
entity's monitoring of controls, and the entity's risk assessment process

(b) The risks arising from the characteristics of the control, including whether it is manual or
automated
(c) The effectiveness of general IT controls
(d) The effectiveness of the control and its application by the entity, including the nature and
extent of deviations in the application of the control noted in previous audits, and whether
there have been personnel changes that significantly affect the application of the control
(e) Whether the lack of a change in a particular control poses a risk due to changing
circumstances
(f) The risks of material misstatement and the extent of reliance on the control
For example, in performing the prior audit, the auditor may have determined that an automated
control was functioning as intended. The auditor obtains audit evidence to determine whether
changes to the automated control have been made that affect its continued effective functioning,
for example, through inquiries of management and the inspection of logs to indicate what controls
have been changed.
Consideration of audit evidence about these changes may support either increasing or
decreasing the expected audit evidence to be obtained in the current period about the operating
effectiveness of the controls.

3.3.1 Audit evidence from tests of controls

When the auditor intends to use audit evidence about the operating effectiveness of controls
obtained in prior audits, the auditor should obtain audit evidence about whether changes in those
specific controls have occurred subsequent to the previous audit. To do so, the auditor should
make enquiries in combination with observation or inspection procedures.
If the auditor plans to rely on controls that have changed since they were last tested, the auditor
should test the operating effectiveness of such controls in the current audit. Changes may affect
the relevance of the audit evidence obtained in prior periods such that there may no longer be a
basis for continued reliance.
The auditor considers testing the controls, if any, over the entity's preparation of information used
by the auditor in applying analytical procedures. When such controls are effective, the auditor has
greater confidence in the reliability of the information and, therefore, in the results of analytical
procedures. Alternatively, the auditor may consider whether the information was subjected to audit
testing in the current or prior period.

3.3.2 Significant risks

For any controls intended to mitigate any significant risk related to the assessed risk of material
misstatement at the assertion levels, auditor must obtain audit evidence about the operating
effectiveness of those controls from tests of controls performed in the current period. The auditor
cannot rely on evidence obtained from prior period.

327
 Business Assurance

3.3.3 Tests on controls for an interim period

When auditor has performed tests of controls during an interim period, the auditor should obtain
audit evidence about significant changes to those controls subsequent to the interim period and
determine what additional audit evidence should be obtained for the remaining period.

3.3.4 Audit evidence from substantive testing

The use of audit evidence from the performance of substantive procedures in a prior audit is not
sufficient to address a risk of material misstatement in the current period. In most cases, audit
evidence from the performance of substantive procedures in a prior audit provides little or no audit
evidence for the current period. In order for audit evidence obtained in a prior audit to be used in
the current period as substantive audit evidence, the audit evidence and the related subject matter
must not fundamentally change.
As required by HKSA 500, if the auditor plans to use audit evidence obtained from the performance
of substantive procedures in a prior audit, the auditor performs audit procedures during the current
period to establish the continuing relevance of the audit evidence.
When relevant to the audit, the auditor also considers other information such as:
 Information obtained from the auditor's client acceptance or continuance process
 Experience gained on other engagements performed for the entity, for example,
engagements to review interim financial information

3.3.5 Communication of deficiencies in internal control

Significant deficiencies in internal controls shall be communicated in writing to those charged with
governance in a report to management in accordance with HKSA 260 (Revised) and HKSA 265
(Clarified).
Such a report would be issued at the conclusion of the interim audit or at the conclusion of the final
audit if no interim audit is undertaken.

3.4 Increase the extent of tests of controls

HKSA 330.9 HKSA 330 requires that, in designing and performing tests of controls, the auditor shall obtain more
persuasive audit evidence, the greater the reliance the auditor places on the effectiveness of a
control.
The auditor shall consider the following factors when determining the extent of tests of controls:
(a) Frequency of the performance of the control
(b) Length of time during the audit period that the auditor is relying on the operating
effectiveness of internal controls
(c) The expected rate of deviation in internal controls
(d) Relevance and reliability of the audit evidence regarding the operating effectiveness of the
control at assertion level
(e) Extent of audit evidence from tests of other controls
The auditor may use sampling techniques when performing tests of controls and the sample size
for tests of controls may be affected by:
 Auditor's risk assessment
 Tolerable rate of deviation
 Expected rate of deviation of the tested population
 Auditor's desired level of assurance

328
 11: Internal control and tests of controls | Part D Assurance engagements

The auditor's assessed risk of material misstatement would increase when there is an
unexpectedly high sample deviation rate of tests of controls.

3.5 Evaluating the operating effectiveness of controls

HKSA 330.17 HKSA 330 requires that if deviations from controls upon which the auditor intends to rely are
detected, the auditor shall determine whether:
 Any additional tests of controls are necessary;
 Substantive testing is needed to be performed to address the potential risks of misstatement
 Consider whether the tests of controls performed provide an appropriate basis for auditors to
rely on the controls.
The auditor shall evaluate whether misstatements that have been detected by substantive
procedures indicate existence of a significant deficiency in internal control.

Self-test question 2
Assume you are Daniel Lai, an audit partner of ABC CPA Co. ('ABC'). Recently you accept a new
audit engagement of a listed company in Hong Kong, Big Bang Limited ('Big Bang').
Big Bang is principally engaged in apparel manufacturing with annual turnover exceeding US$500
million. Its organisation structure is simple with only one manufacturing plant in China and a
trading company in Hong Kong.
After understanding the processes and controls in place in the sales rebates cycle, Daniel
considered a control reliance testing approach for sales rebates is preferable in view of efficiency
and effectiveness. However, after completing the test of control, the audit team reported to Daniel
that one sample of the sales rebates was not properly supported by the approved documents.
Required
Discuss whether Daniel should continue a control reliance testing approach for sales rebates and
what additional audit procedures are required. (6 marks)
HKICPA December 2013 (amended)
(The answer is at the end of the chapter)

4 Internal controls in a computerised environment

Topic highlights
There are special considerations for auditors when a system is computerised. IT controls comprise
general and application controls.

The overall objective and scope of an audit do not change in a computer environment. However, as
the means of processing of transactions and the media of storage of data are different from those
of a manual system.
The internal controls in a computerised environment include both manual procedures and
procedures designed into computer programs. Such control procedures comprise two types of
control, general controls and application controls. (The impact of IT on the audit process is
covered in more detail in Chapter 20.)

329
 Business Assurance

Key terms
General controls are policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation of
information systems. General controls commonly include controls over data centre and network
operations; system software acquisition, change and maintenance; access security; and application
system acquisition, development and maintenance. Examples include IT policies, standards, and
guidelines pertaining to IT security and information protection, application software development
and change controls, segregation of duties, service continuity planning, IT project management,
etc.
Application controls are manual or automated procedures that typically operate at a business
level. Application controls can be preventative or detective in nature and are designed to ensure
the integrity of the accounting records. Accordingly, application controls relate to procedures used
to initiate, record, process and report transactions or other financial data. Examples include system
edit checks of the format of entered data to help prevent possible invalid input, system enforced
transaction controls that prevent users from performing transactions that are not part of their
normal duties, and the creation of detailed reports and transaction control totals that can be
balanced by various units to the source data to ensure all transactions have been posted
completely and accurately.

4.1 General controls

The overall audit objective in reviewing the general controls is to ensure that the controls and
procedures are adequate to provide secure, effective and efficient day-to-day operation of the
computer facilities. Examples of controls and procedures which together form the general controls
are shown in the following table.

General controls Examples

Development of computer Standards over systems design, programming and
applications documentation
Full testing procedures using test data
Approval by computer users and management
Segregation of duties so that those responsible for design
are not responsible for testing
Installation procedures so that data is not corrupted in
transition
Training of staff in new procedures and availability of
adequate documentation

330
 11: Internal control and tests of controls | Part D Assurance engagements

General controls Examples

Prevention or detection of Segregation of duties
unauthorised changes to
Full records of program changes
programs
Password protection of programs so that access is limited to
computer operations staff
Restricted access to central computer by locked doors,
keypads
Maintenance of programs logs
Virus checks on software: use of anti-virus software and
policy prohibiting use of non-authorised programs or files
Back-up copies of programs being taken and stored in other
locations
Control copies of programs being preserved and regularly
compared with actual programs
Stricter controls over certain programs (utility programs) by
use of read-only memory
Testing and documentation Complete testing procedures
of program changes
Documentation standards
Approval of changes by computer users and management
Training of staff using programs
Controls to prevent wrong Operation controls over programs
programs or files being
Libraries of programs
used
Proper job scheduling
Controls to prevent Password protection
unauthorised amendments
Restricted access to authorised users only
to data files
Authorisation of jobs prior to processing (eg authorised data
input forms)
Controls to ensure Storing extra copies of programs and data files off-site
continuity of operation
Protection of equipment against fire and other hazards
Back-up power sources
Disaster recovery procedures, eg availability of back-up
computer facilities
Maintenance agreements and insurance

The auditors will wish to test some or all of the above general controls, having considered how they
affect the computer applications significant to the audit.
General controls that relate to some or all applications are usually interdependent controls, ie their
operation is often essential to the effectiveness of application controls. As application controls may
be useless when general controls are ineffective, it will be more efficient to review the design of
general controls first, before reviewing the application controls.

331
 Business Assurance

Case study
In June 2012, the Royal Bank of Scotland updated the software which processed bank payments.
The update was corrupted and for over a week the bank was unable to process customers'
payments (such as wages and payments to suppliers) and customers were unable to use ATM
machines for cash withdrawals or to access their accounts. Compensating their many million
customers for the computer failure is reported as costing the bank around £100 million
(approximately $210 million).

4.2 Application controls

The purpose of application controls is to establish specific control procedures over the
accounting applications in order to provide reasonable assurance that all transactions are
authorised and recorded, and are processed completely, accurately and on a timely basis.
Before evaluating the application controls, it will be necessary for an auditor to obtain a reasonable
understanding of the system. The auditor will obtain an understanding of the following:
(i) Indicating the major transactions
(ii) Describing the transaction flow and main output
(iii) Indicating the major files maintained
(iv) Providing approximate figures for transaction volumes
Application control requirements may be divided into:
(i) Input control
(ii) Processing control
(iii) Master/ Standing Data File control
(iv) Output control
Application controls include the following:

Application Examples
controls
Controls over input: Manual or programmed agreement of control totals
completeness
Document counts
Edit checks of input data
Numerical sequence checks with manual follow-up of exception
reports
One-for-one checking of processed output to source documents
Programmed matching of input to an expected input control file
Procedures over resubmission of rejected controls
Controls over input: Programs to check data fields (for example, value, reference
accuracy number, date) on input transactions for plausibility:
 Digit verification (reference numbers are as expected)
 Reasonableness test (sales tax to total value)
 Existence checks (customer name)
 Character checks (no unexpected characters used in reference)
 Necessary information (no transaction passed with gaps)
 Permitted range (no transaction processed over a certain value)
Manual scrutiny of output and reconciliation to source
Agreement of control totals (manual/programmed)

332
 11: Internal control and tests of controls | Part D Assurance engagements

Application Examples
controls
Controls over input: Manual checks to ensure information input was:
authorisation
 Authorised
 Input by authorised personnel
Controls over Similar controls to input must be in place when input is completed, for
processing example, batch reconciliations
Screen warnings can prevent people logging out before processing is
complete
Controls over One-to-one checking
master files and
Cyclical reviews of all master files and standing data
standing data
Record counts (number of documents processed) and hash totals
(for example, the total of all the payroll numbers) used when master
files are used to ensure no deletions
Controls over the deletion of accounts that have no current balance

Controls may be carried out by IT personnel, users of the system, a separate control group and
may be programmed into application software. The auditors may wish to test the following
application controls:

Testing of application controls

Manual controls If manual controls exercised by the user of the application system are
exercised by the capable of providing reasonable assurance that the system's output is
user complete, accurate and authorised, the auditors may decide to limit
tests of controls to these manual controls.
Controls over If, in addition to manual controls exercised by the user, the controls to
system output be tested use information produced by the computer or are contained
within computer programs, such controls may be tested by examining
the system's output using either manual procedures or computers.
Such output may be in the form of magnetic media, microfilm or
printouts. Alternatively, the auditor may test the control by performing it
with the use of computers.
Programmed In the case of certain computer systems, the auditor may find that it is
control procedures not possible or, in some cases, not practical to test controls by
examining only user controls or the system's output. The auditor may
consider performing tests of controls by using computers, reprocessing
transaction data or, in unusual situations, examining the coding of the
application program.

As we have already noted, general controls may have a pervasive effect on the processing of
transactions in application systems. If these general controls are not effective, there may be a risk
that misstatements occur and go undetected in the application systems. Although weaknesses in
general controls may preclude testing certain application controls, it is possible that manual
procedures exercised by users may provide effective control at the application level.

333
 Business Assurance

4.3 Documentation
Adequate documentation of both general and application controls is crucial. Proper documentation
by the entity ensures that adequate and up-to-date system documentation is maintained. The entity
should have procedures to ensure that:
(i) System documentation is sufficiently comprehensive
(ii) Documentation is updated to reflect system amendments
(iii) A back-up copy of the documentation is held
Without good documentation, it will be difficult to ensure that controls operate on a continuous
basis and there will also be greater likelihood of error. Good documentation procedures reduce the
risk of users making mistakes or exceeding their authority. A review of comprehensive, up to date
documentation should aid the auditor in gaining an understanding and may help to identify
particular audit risks.

Self-test question 3
You are the audit senior on the XYZ Limited ('XYZ') audit. XYZ is a distributor of hair care products
including shampoos, conditioners and mousses. XYZ uses an online computer system. No goods
are manufactured in-house. XYZ maintains an inventory of raw materials and subcontracts the
manufacture of its products to third parties. Approximately 50 suppliers and ten sub-contractors are
used and all have proven themselves to be reliable. All finished goods are sent to customers
directly from the sub-contractors, who send a weekly statement to XYZ. Your assistant has
prepared the following notes about the inventory system.
Purchase orders are automatically generated by the computer when inventories of any raw material
fall below 70% of the prior month's usage. The purchase orders contain the following details:
 Date
 Supplier name and address
 Raw materials needed
Three copies of the purchase order are produced and distributed as follows:
Copy 1 – to warehouse to enable follow up of late orders
Copy 2 – filed by accounts clerk in date order
Copy 3 – sent to supplier
When raw material inventories are received, the bar code attached to the delivery boxes by the
supplier is scanned into the system. A two-part Goods Received Note ('GRN') is then produced:
Copy 1 – matched to warehouse copy of purchase order by stores staff
Copy 2 – filed by accounts clerk in date order
The scanning process is aborted if the codes do not match those on the master file. Production
orders are generated on receipt of a firm order from customers.
The inventory master file contains details of existing inventory items including code and warehouse
location; and approved suppliers and sub contractors.
Orders will only be generated to suppliers and sub-contractors recorded on the master file.
Required
(a) Identify any deficiencies in the internal controls of XYZ. Discuss the implications of each of
the deficiencies you have identified.
(b) Assume that your Computer Information System 'CIS' audit division is to perform tests of
controls for the inventory systems described. Make a list for the CIS audit manager of the
key tests that you recommend him to perform.
(The answer is at the end of the chapter)

334
 11: Internal control and tests of controls | Part D Assurance engagements

4.4 Testing of automated controls

An automated control can be expected to function consistently unless the program is changed. In
order to determine the automated control continues to function effectively, the auditor could test:
 Changes in program controls
 Effectiveness of general IT controls
 The record of IT security
The auditor may obtain audit evidence by inquiry or inspection to determine whether changes to
the automated control have been made that affect its continued effective functioning.

5 Communicating deficiencies in internal control

Topic highlights
Auditors have responsibility to communicate appropriately to those charged with governance and
management deficiencies in internal control that the auditor has identified in an audit of financial
statements.

HKSA 265 (Clarified) Communicating Deficiencies in Internal Control to those Charged with
Governance and Management deals with the auditor's responsibility to communicate
appropriately to those charged with governance and management deficiencies in internal
control that the auditor has identified in an audit of financial statements. The HKSA states that
significant deficiencies in internal control must be communicated to those charged with
governance.
The auditor may identify and discuss the deficiencies in internal control not only during this risk
assessment process but also at any other stage of the audit. This HKSA specifies which identified
deficiencies the auditor is required to communicate to those charged with governance and
management.
For significant deficiencies, the appropriate level is likely to be the chief executive or chief
financial officer (or equivalent) as these matters are also required to be communicated to those
charged with governance.
For other deficiencies in internal control, the appropriate level may be operational management
with more direct involvement in the control areas affected and with the authority to take appropriate
remedial action.

5.1 Meaning of deficiencies

Key terms
Deficiency in internal control – This exists when a control is designed, implemented or operated
HKSA 265.6 in such a way that it is unable to prevent, or detect and correct, misstatements in the financial
statements on a timely basis; or a control necessary to prevent, or detect and correct,
misstatements in the financial statements on a timely basis is missing.
Significant deficiency in internal control – A deficiency or combination of deficiencies in internal
control that, in the auditor's professional judgment, is of sufficient importance to merit the attention
of those charged with governance.

335
 Business Assurance

Significant deficiencies or not

HKSA
315. A6 Significance of the deficiencies depends on whether a misstatement has actually occurred, the
likelihood that a misstatement could occur and the potential magnitude of the misstatement.
Indicators of significant deficiencies in internal control
Evidence of ineffective aspects of the control environment include:
(a) Significant transactions that management is financially interested in but not being
appropriately scrutinised by those charged with governance
(b) Management fraud not prevented by the entity's internal control
(c) Management's failure to implement appropriate remedial action on significant deficiencies
previously communicated
(d) Absence of an expected risk assessment process within the entity
(e) Evidence of failure of entity risk assessment process
(f) Evidence of an ineffective response to identified significant risks
(g) Misstatements detected by audit procedures but not prevented, detected or corrected by
entity's internal control
(h) Restatement of previous financial statements due to misstatements or fraud
(i) Management's inability to review the preparation of the financial statements
A deficiency in internal control on its own may not be sufficiently important to constitute a significant
deficiency. However, a combination of deficiencies affecting the same account balance or
disclosure, relevant assertion, or component of internal control may increase the risks of
misstatement to such an extent as to give rise to a significant deficiency.
In some jurisdictions, the auditor may have responsibility to report directly to regulators in regulated
industries. In addition, for listed entities in certain jurisdictions, those charged with governance may
need to receive the auditor's written communication before the date of approval of the financial
statements in order to discharge specific responsibilities in relation to internal control for regulatory
or other purposes.

5.2 Requirement of auditor

HKSA 265.7, HKSA 265 (Clarified) requires the auditor to determine whether, on the basis of the audit work
8, 9, 10 performed, the auditor has identified one or more deficiencies in internal control and if so, on the
basis of the audit work performed, auditors should consider whether, individually or in combination,
they constitute significant deficiencies.

5.2.1 Discussion with management and those charged with governance

The auditor shall discuss the relevant facts and circumstances of his findings on deficiencies in
internal control with the appropriate level of management and those charged with governance as
this would provide an opportunity for the auditor to alert management on a timely basis to the
existence of deficiencies.
The level of management with whom it is appropriate to discuss the findings is one that is familiar
with the internal control area concerned and that has the authority to take remedial action on any
identified deficiencies in internal control.

5.2.2 Communication in writing

HKSA 265 (Clarified) requires that the auditor shall communicate in writing significant
deficiencies and other deficiencies in internal control identified during the audit to those charged
with governance and management at an appropriate level of responsibility on a timely basis.

336
 11: Internal control and tests of controls | Part D Assurance engagements

The content of the written communication of significant deficiencies in internal control includes:
(a) The description of the deficiencies and explanation of their potential effects (no quantification
of those effects are needed)
(b) The written communication of significant deficiencies in internal control should explain:
(i) The purpose of the audit was for the auditor to express an opinion on the financial
statements
(ii) The consideration of internal control by auditor is not for the purpose of expressing an
opinion on the effectiveness of internal control
(iii) The reported deficiencies that the auditor has identified during the audit and that the
auditor has concluded are of sufficient importance to merit being reported to those
charged with governance
(c) Suggestions for remedial action on the deficiencies
(d) Management's actual or proposed responses to these deficiencies
(e) Verifications whether management's responses have been implemented
(f) Regulatory authorities that require the auditor or management to furnish a copy of the
auditor's written communication on significant deficiencies
(g) The possibility of identifying more deficiencies if more extensive procedures on internal
control have been performed
(h) Communication for those charged with governance
(i) The relevant industry knowledge and practice in respect of the deficiencies
The level of detail at which to communicate significant deficiencies is a matter of the auditor's
professional judgment in the circumstances. The communication of other deficiencies in internal
control that merit management's attention need not be in writing, but may be oral.

5.3 Action taken by management and those charged with

governance
HKSA Management and those charged with governance may already be aware of significant deficiencies
265.A16 that the auditor has identified during the audit and may have chosen not to remedy them because
of cost or other considerations. The responsibility for evaluating the costs and benefits of
implementing remedial action rests with management and those charged with governance.
If a previously communicated significant deficiency remains, the current year's communication may
repeat the description from the previous communication, or simply reference the previous
communication. Auditors may have to inquire why the significant deficiency has not yet been
remedied.
Certain identified significant deficiencies in internal control may call into question the integrity or
competence of management. Without remedying the deficiencies, auditors may have further doubt
on management's integrity.
Nevertheless, the failure of management to remedy other deficiencies in internal control that have
been previously communicated may become a significant deficiency requiring communication with
those charged with governance.

Self-test question 4
Lewis (Clothing) Limited ('Lewis') is a retailer of clothing and accessories. It operates in many Asian
countries and has expanded steadily from its base in Hong Kong. The company has a year end of
31 December 20X0.

337
 Business Assurance

In the past, the company has ordered its clothing and accessories in bulk twice a year. From
experience, slow-moving goods and obsolete goods would be written off if these goods failed to
meet the key fashion trends.
The company has recently adopted a just in time ordering system. The fashion purchasers make
an assessment one year in advance as to what the key trends are likely to be.
The following describes the purchasing cycle of Lewis:
Ordering process
The purchasing manager from each country decides on the initial inventory levels for each store,
without consulting the sales manager or store managers. All the orders are communicated to the
central buying department at the head office in Hong Kong. An ordering clerk consolidates all the
orders and passes them to the purchasing director to review and authorise.
When the inventories are required to be re-ordered, it is the store manager's responsibility to re-
order the goods through the purchasing manager; they are prompted weekly to review inventory
levels as although the goods are just in time, it can still take up to at least five weeks for goods to
be received in store. All orders must be made through the purchasing manager. The store
managers cannot place orders independently. There is no centralised inventory system enabling
individual stores to check the availability of an item at other locations. Customers who require a
specific item of clothing which is not available in a particular store, have to contact other branches
themselves or search through the Lewis's main website.
Goods received and Invoicing
Goods received are delivered directly from the suppliers to the individual stores. Upon receiving the
goods, the quantities are checked by the shop's sales assistant against the supplier's delivery note,
and then the assistant produces a goods received note (GRN).
The checked GRNs are sent to head office for matching with purchase invoices.
The current system is very time-consuming as purchase invoices are manually checked with the
GRNs from the stores. Once the invoice has been agreed then it is sent to the purchasing director
for authorisation. It is at this stage that the invoice is entered onto the purchase ledger.
Required
As the external auditors of Lewis, identify and explain the deficiencies in the purchasing system
and describe the possible implication of each deficiency. Recommendations should be made to
address each deficiency identified. (16 marks)
(The answer is at the end of the chapter)

338
 11: Internal control and tests of controls | Part D Assurance engagements

Topic recap

INTERNAL CONTROL

· Control environment Auditor required to

· Risk assessment record the system:
process · Narrative notes
· Information system · Flowcharts
· Control activities · Questionnaires
· Monitoring · Checklists

Auditor to assess May include

adequacy of IT controls:
Testing of
system and · General automated
identity risk of controls
controls
material · Application
misstatement controls

System assessed System assessed

as weak as strong

Substantive
Test of controls
approach

Significant
deficiencies: Results Result
communicate to unsatisfactory satisfactory
those charged
with governance

Other
deficiencies Extend tests of Substantive Auditor places
in internal controls testing reliance on controls
control

339
 Business Assurance

Answers to self-test questions

Answer 1
(a) Possible internal control deficiencies
 Lack of physical security or control over financial assets including company chop and
cheque books.
 Inadequate authorisation control when an individual could sign singly to effect cheque
payment.
 Inadequate segregation of incompatible duties.
 Lack of timely bank reconciliation and improper bank reconciliation procedure where
informal bank statements downloaded from internet website were used in
reconciliation.
 Lack of timely and proper management control and review of banking activities
(b) Relevant control activities
Physical security
 The company chop and the bank account cheque books should be safe-kept by
accounts department staff who are not staff holding authorisation functions.
Authorisation
 Cheque signing requirement should be dual signatories based and include tiered
signing limit to involve senior personnel for larger cheque amounts.
Segregation of duties
 Incompatible accounting functions involved in cheque preparation and clearance
procedures should be assigned to different personnel.
 Incompatible functions include the following:
– Cheque signing or authorisation
– Custody of company chop and cheque books
– Preparation of cheques for signature
– Checker of cheque preparation accuracy
– Reconciliation of cheque payments to general ledger
Reconciliation
 The bank account general ledger should be reconciled to bank statements received
from bank by staff not involved in cheque issuance on a regular or daily basis, with
unusual entries explained and signed off by level-up reviewers.
Management monitoring
 The management should monitor the performance of cheque preparation and bank
reconciliation activities and sign off at regular intervals.
 The management may arrange surprise check on cheque preparation and cheque
book/company chop custody or re-perform bank reconciliation.

340
 11: Internal control and tests of controls | Part D Assurance engagements

Answer 2
Daniel and the audit team should hold a meeting with management in order to understand if the
exception found is an isolated case.
The audit team should exercise professional judgment in assessing management's response and
extend the test of control sample size.
A control reliance testing approach will only be considered as effective if management is able to
demonstrate that the exception found is an isolated case. Under the circumstances that no further
exception is found in the extended sample, the control reliance approach can be continued.
If a control reliance testing approach is considered to be ineffective, the audit team should consider
performing a combination of substantive tests and extending the testing samples for a vouching
test.
For example:
 Perform substantive analytical review, including reasonableness test
 Review the sales contracts and relevant terms and conditions
 Re-compute the sales rebates based on sales contracts
 Circulate confirmation to key customers to confirm the sales rebates
 Test the subsequent settlement of committed sales rebates

Answer 3
(a)
Internal control deficiencies Implications

Order of raw materials is based on prior Purchase orders could have been sent for raw
month's usage and computer generated materials not required or insufficient for
purchase orders are not reviewed prior production in the current or coming months or
to being sent. raw materials could have been ordered in times
of tight cash flows when insufficient funds are
available to pay for them. However, this
weakness rebounds more on the efficient
operation of the entity. It does not have much
direct bearing on financial statement
assertions, but would in remote cases that the
purchase of raw materials is so excessive that it
may materially affect the valuation assertions of
inventories.
Neither Goods Received Notes ('GRNs') It will be difficult to follow up unfulfilled orders
nor purchase orders are numbered. or account for missing/spoilt documents without
numbering. Liability for raw materials orders
may have not been recorded in a timely
manner.
No checking of goods received Records of inventory may not accurately reflect
inside of boxes to ensure that the the actual status of inventory on hand.
product type, quality and quantities are
correct.

341
 Business Assurance

Internal control deficiencies Implications

Lack of procedures if scanning process There may be unrecorded items/untimely

aborted. recording of items.
No records of raw materials held by sub- Raw materials may have to be reclassified as
contractor and no system to follow up work-in-progress. Valuation of any long
any long outstanding raw materials held outstanding raw materials held by
by sub-contractors. subcontractors may need to be adjusted.

(b) Key tests that CIS auditors should perform are on controls which are difficult to test using
manual methods. This will be the most efficient use of their limited time. Given the high level
of reliance placed on computer-generated data, controls tested may include those designed
to ensure that:
 Suppliers and sub-contractors used are selected only from the list of approved
suppliers and sub-contractors maintained on the master file
 Codes scanned on goods received match those on the master file
 Password access is functioning as expected and staff only have access to the
functions they need

Answer 4
Deficiency 1
The purchasing manager decides on the inventory levels for each store without consulting with
store or sales managers. The purchasing manager may not have the appropriate knowledge of the
local market and the inventories level for a particular store. This may result is inventory lines being
purchased which are unpopular with customers and therefore do not sell. In appropriate amounts of
inventory may be purchased resulting in stock-outs or high levels of unsold inventory.
The purchasing manager should initially communicate with the local store managers to understand
the market needs and sales volumes before placing the orders.
Deficiency 2
The purchasing director reviews and approves the purchase orders in a wholly aggregated manner.
Without the details of the orders, it will be difficult for the purchasing director to assess whether
overall the correct buying decisions are being made.
A purchasing senior manager should review the information prepared for each country and discuss
with local purchasing managers the specifics of their orders. These should then be authorised and
passed to the purchasing director for final review and sign off.
Deficiency 3
The re-ordering process is reliant on the store managers placing an order with the purchasing
manager.
As the re-ordering process can take up to five weeks, any delay by the store managers in placing
the orders could result in stock-outs, causing loss of income and reputation.
Automatic re-order levels should be set up in the inventory management systems.
Deficiency 4
There is no centralised inventory system connecting all the stores, therefore it is not possible for a
store to order goods from other local stores to serve the customers promptly. Instead customers
are told to contact the stores themselves, or use the company website.
Customers are less likely to make an effort to contact individual stores themselves and this could
result in the company losing out on valuable sales.

342
 11: Internal control and tests of controls | Part D Assurance engagements

A centralised inventory system should be maintained which allows inter-branch transfers between
stores.
Deficiency 5
The sales assistants are only instructed to check the suppliers' delivery notes to the actual
quantities delivered, without checking the quality. In addition there is no checking procedure for
goods received against purchase orders.
The stores are receiving goods without checking that the quantity matches the amount ordered and
that the quality is adequate. Inaccurate quantity of goods and poor quality of goods may be
accepted. Lewis may receive and pay for goods not ordered.
Deliveries from suppliers should only be accepted when the goods have been checked on arrival
for quantity and quality prior to acceptance from the supplier. A responsible official at each store
should produce the GRN from the supplier's delivery information.
A copy of the authorised order form should be sent to the store. This should then be checked to the
GRN. Once checked the order should be sent to head office and logged as completed. On a
regular basis the purchasing clerk should review the order file for any outstanding items.
(Any further deficiency can be suggested)

343
 Business Assurance

Exam practice

Control activities 9 minutes

In a recent dialogue with the internal audit function, you understand that the internal audit function
has issued an unsatisfactory report on the bank reconciliation process of your client. The report
from the internal audit function indicated that there was significant control deficiency over the cash
management process, and that the management processes and controls were not properly
exercised by the operation team.
Required

Explain the meaning of control activities and the required procedures relating to control
understanding in addressing significant risks. (5 marks)

HKICPA December 2012 (amended)

344
chapter 12

Substantive procedures,
including analytical
procedures
Topic list

1 Substantive procedures 2 Analytical procedures

1.1 Types of audit tests 2.1 Analytical procedures as risk
1.2 Substantive analytical procedures or assessment procedures
tests of details or both 2.2 Substantive analytical procedures
1.3 External confirmation as substantive 2.3 Analytical procedures at the overall
audit procedures review stage
1.4 Types of substantive testing 2.4 Practical techniques
1.5 Extent of substantive procedures
1.6 Timing of substantive procedures
1.7 Evaluate the audit evidence obtained

Learning focus

Substantive procedures are designed to ensure that the balances in the financial
statements are not materially misstated, that is, to detect whether there are any material
errors in the financial statements which have not been prevented by the entity's internal
controls. Auditors should consider whether they should use analytical procedures as
substantive testing or use only tests of details or even a combination of the two.

345
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.09 Audit procedures 3
2.09.07 Explain the types of substantive procedures and the issues in
evaluating the results obtained
2.09.08 Explain what is meant by analytical review and how analytical
review procedures are used in an audit

346
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

1 Substantive procedures

Topic highlights
Auditors need to obtain sufficient appropriate audit evidence to support the financial statement
assertions. Substantive procedures can be used to obtain that evidence.

HKSA 330 The Auditor's Responses to Assessed Risks requires that auditors shall design and
perform substantive procedures for each material class of transactions, account balance and
disclosure, irrespective of the assessed risks of material misstatement as the risk assessment is
judgmental and may not identify all risks of material misstatement and there are always inherent
limitations to internal control.
In relation to any assessed risk of material misstatement at the assertion level that is a significant
risk, the auditor must plan and perform substantive procedures that are specifically responsive
to that risk in addition to tests of controls. When the approach to a significant risk consists of
only substantive procedures, those procedures shall include tests of details.

1.1 Types of audit tests

HKSA 330.4 Substantive procedures are tests to obtain audit evidence to detect material misstatements in the
financial statements at the assertion level. They are generally of two types:
 Substantive analytical procedures
 Tests of details of transactions, account balances and disclosures
The auditor's substantive procedures should include:
 Agreeing the financial statements to the underlying accounting records
 Examining journal entries and other adjustments made during the course of preparing the
financial statements
The auditor should consider the nature, extent and timing of substantive procedures.

1.2 Substantive analytical procedures or tests of details or both

Topic highlights
Substantive tests are designed to discover errors or omissions.

The auditor may determine whether to:

 Perform only substantive analytical procedures and consider whether it will be sufficient to
reduce audit risk to an acceptably low level;
 Perform only tests of details; or
 Perform a combination of substantive analytical procedures and tests of details to be most
responsive to the assessed risks.
When should auditors use substantive analytical procedures or test of details or should both be
used?

347
 Business Assurance

The following table demonstrates the application of the two:

Substantive  More applicable to large volumes of transactions that tend to be

analytical predictable over time
procedures
 Auditors should investigate any unusual items deviated from
expectation
 Auditors should consider any expected relationships and obtain
adequate explanations and appropriate corroborative evidence
 Documentation is required
 Consider any relationships from known conditions
 To apply analytical procedures, information needs to be
sufficiently complete and accurate
 Should be applied when controls are reliable
Tests of details  For testing certain assertions of classes of transactions and
account balances ie existence and valuations
 Objective to obtain sufficient and appropriate audit evidence at
the assertion level

Substantive testing

Substantive analytical procedures Test of details

Use when: Use when:

 Less risky, predictable results  More risky and subject to more
 High turnover; lots of transactions verification

Substantive testing on statement of financial position's financial assertions

Account balances

Existence Completeness

Rights and Presentation and Accuracy, valuation

obligations classification and allocation

348
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

Substantive testing on statement of profit or loss and other comprehensive income's

assertions

Classes of transactions

Occurrence Completeness

Cut-off Accuracy Classification and

presentation

1.3 External confirmation as substantive audit procedures

HKSA HKSA 330 requires that the auditor shall consider whether external confirmation procedures are
330.19, A51 to be performed as substantive audit procedures.
External confirmations may provide relevant audit evidence to some of the assertions. For
example, a bank confirmation may request information relevant to other financial statement
assertions. However for some assertions, external confirmations provide less relevant audit
evidence.
The auditors shall consider the following factors to determine whether external confirmation
procedures are to be performed as substantive audit procedures:
 The confirming party's knowledge of the subject matter to be confirmed
 The ability or willingness of the intended confirming party to respond
 The independence of the intended confirming party
In addition, factors affecting the reliability of confirmations include the following:
 The control the auditors exercise over confirmation requests and responses
 The characteristics of the respondents
 Any restrictions included in the response or imposed by management

1.3.1 External confirmation for significant risks

External confirmations can provide high level of reliable audit evidence to respond to significant
risks of material misstatement, whether due to fraud or error as the external confirmations are
received directly by the auditor and are from appropriate confirming parties.
External confirmations may provide both financial and non-financial audit evidence and could be
performed in conjunction with inquiries.

349
 Business Assurance

1.4 Types of substantive testing

The types of substantive tests carried out to obtain evidence about various financial statement
assertions are outlined in the table below:

Audit assertion Type of assertion Typical audit tests

Completeness Classes of (a) Review subsequent events

transactions and (b) Cut-off testing
events and related (c) Analytical review
disclosures (d) Confirmations
(e) Reconciliations to control accounts
Account balances
and related
disclosures
Rights and Account balances (a) Reviewing invoices for proof that item
obligations and related belongs to the entity
disclosures
(b) Confirmations with third parties

Accuracy, valuation Account balances (a) Matching amounts to invoices

and allocation and related
(b) Recalculation
disclosures
(c) Confirming accounting policy consistent and
reasonable
(d) Review of post year-end payments and
invoices
(e) Expert valuation
Existence Account balances (a) Physical verification
and related (b) Third party confirmations
disclosures (c) Cut-off testing
Occurrence Classes of (a) Inspection of supporting documentation
transactions and
(b) Confirmation from directors that transactions
events and related
relate to business
disclosures
(c) Inspection of items purchased

Accuracy Classes of (a) Recalculation of correct amounts

transactions and (b) Third party confirmation
events and related (c) Analytical review
disclosures (d) Valuation by expert

Classification and Classes of (a) Confirming compliance with laws and

presentation transactions and accounting standards
events and related
(b) Reviewing notes for understandability
disclosures
Account balances
and related
disclosures

350
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

Audit assertion Type of assertion Typical audit tests

Cut-off Classes of (a) Cut-off testing

transactions and (b) Analytical review
events and related
disclosures

Use the following model for drawing up an audit plan:

 Agree opening balances with previous year's working papers
 Review general ledger for unusual records
 Agree entity schedules to/from accounting records to ensure completeness
 Carry out analytical procedures
 Test transactions in detail
 Test balances in detail
 Review presentation and disclosure in financial statement

1.5 Extent of substantive procedures

The basic concept is that the greater the risk of material misstatement, the greater the extent of
substantive procedures is required.
The extent of substantive procedures may depend on the results from tests of controls ie if tests
of controls are unsatisfactory, the extent may need to be increased. In designing tests of details,
the extent of testing is ordinarily related to sample size when using a sampling technique.
The factors that the auditor may consider when determining the sample size for tests of details:
(a) Auditor's assessment of the risk of material misstatement. The higher the inherent risk and
control risk, the more tests of details have to be performed to reduce the risk of non-
detection. Therefore, a larger sample is required.
(b) Auditor's desired level of assurance. The higher the level of assurance required, the greater
the sample size will be.
(c) The use of other substantive procedures to test the same assertion. An increase in the use
of other substantive procedures may reduce the sample size.
(d) Other factors such as the level of tolerable misstatement and the appropriate use of
stratification would affect the sample size.
HKSA 530 (Clarified) Audit Sampling requires the auditor when performing tests of details to
project misstatements found in the sample to the population as a whole to evaluate the results of
sampling. When a misstatement has been established as an anomaly, it may be excluded when
projecting misstatements to the population.
The most common methods of sample selection which will allow a sample representative of the
population are as follows:
(a) Random selection is a sample selection procedures whereby each sampling unit making up
the account balance or class transactions has a known chance of selection; often each item
has an equal chance of selection. The concept of random selection requires that the auditor
selecting the samples does not influence or bias the selection either consciously or
unconsciously.
(b) Systematic selection involves selecting every nth item in the population, the interval being
determined by dividing the number of items in the population by the sample size, and
selecting a random starting point.
(c) Haphazard sampling involves the auditor selecting sampling units without any conscious
bias, and in a manner that can be expected to be representative of the population.

351
 Business Assurance

1.6 Timing of substantive procedures

1.6.1 Substantive testing at interim date
HKSA 330.22 The auditor may choose to perform substantive procedures at an interim date and to compare and
reconcile information concerning the balance at the period end for any unusual amounts identified.
When the auditor has performed substantive testing at an interim date, the auditor must perform
further substantive procedures (possibly in combination with tests of controls) to cover the
remaining period to provide a reasonable basis for extending the audit conclusions after the
interim date. Auditors can use prior year substantive audit evidence only when there is no
fundamental change.
For any material misstatements detected at an interim date, HKSA 330 requires that the auditor
shall evaluate whether he needs to modify the risk assessment and the nature, extent and timing
of substantive procedures covering the remaining period.
Auditors can use prior year substantive audit evidence only when there is no fundamental change.
Generally, audit evidence obtained from the previous audit's substantive procedures provide little
or no audit evidence for the current period unless the related subject matter has not
fundamentally changed.

1.6.2 Substantive procedures related to the financial statement closing

process
HKSA HKSA 330 requires that the auditor shall perform the following procedures related to the financial
330.20 statement closing process:
(a) Agreeing or reconciling information in the financial statements with the underlying accounting
records, including agreeing or reconciling information in disclosures, whether such
information is obtained from within or outside of the general and subsidiary ledgers; and
(b) Examining material journal entries and other adjustments made during the course of
preparing the financial statements.

1.7 Evaluate the audit evidence obtained

HKSA HKSA 330 requires that the auditor shall evaluate the audit evidence obtained and consider
330.25-27 whether the assessment of risk of material misstatement at the assertion level remains appropriate.
The auditor should conclude whether sufficient appropriate audit evidence has been obtained to
reduce audit risk to an acceptable low level. Some of the factors that may influence the auditor's
judgment as to what constitutes sufficient and appropriate audit evidence, include the following:
 The significance of the potential misstatement in the assertion and the likelihood of its having
a material effect on the financial statements both individually or in aggregate
 Source and reliability of the available evidence
 Persuasiveness of the audit evidence
 Effectiveness of management's responses and internal controls to address the risks
 Results of audit procedures performed
 Understanding of the entity and its environment
Further audit evidence should be obtained if the auditor has not obtained sufficient appropriate
audit evidence. If still the auditor is unable to obtain sufficient appropriate audit evidence, the
auditor should qualify the auditor's report.

352
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

1.7.1 Evaluating sampling results for tests of details

Any unexpected high misstatements found in a sample may cause the auditor to believe that a
class of transactions or an account balance is materially misstated. The auditor should consider
whether the sample results provide a reasonable basis for conclusions about the population and
should further consider the likeliness of actual misstatement in the population.
The auditor should consider the results of other audit procedures in order to assess the risk of
actual misstatements in the population. The auditor may further request management to investigate
the identified misstatements and consider whether management shall make any necessary
adjustments. In addition, the auditor shall reconsider the nature, extent and timeliness of further
audit procedures.

1.7.2 Evaluation of overall presentation

The auditor shall perform audit procedures to evaluate whether the overall presentation of the
financial statements, including disclosures, is in accordance with the applicable financial reporting
framework an appropriate classification and description of financial information.
The flow chart on the following page illustrates the relationship between tests of control and
substantive testing.
You should bear in mind that the chart attempts to generalise and show a simplified depiction of the
flow and decision-making points in an audit approach. Audit approaches are bound to differ from
client to client in practice, depending on the nature of the business and the nature and level of risk
and so on. So the chart below should not be regarded as prescriptive.

353
 Business Assurance

HKSA 315 (REVISED) IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENTS
THROUGH UNDERSTAND THE ENTITY AND ITS DEVELOPMENT
[1. Accounting system 2. Control system 3. Control procedures]
Procedures: Walk-through test, inquiries, review documents, observation, inspection
DEVELOP OVERALL AUDIT PLAN

WALK-THROUGH TESTS TO CONFIRM UNDERSTANDING OF INTERNAL CONTROL

DOCUMENT UNDERSTANDING ON INTERNAL CONTROL SYSTEM

HKSA 315 (REVISED) PRELIMINARY ASSESSMENT OF CONTROL RISK

(Assessment of control risk should always be high) unless auditors are able to identify
internal controls likely to prevent and correct a material misstatement + HKSA 330
THE AUDITOR'S RESPONSE TO ASSESSED RISK for planning to perform tests of
control to support assessment

HIGH RISK MEDIUM RISK LOW RISK

NO TESTS OF CONTROL Extend understanding of internal

(ONLY SUBSTANTIVE controls, ie monitor controls, computer
TESTING) or applications controls–confirming
which controls are effective

TEST OF CONTROL

INTERNAL CONTROLS OPERATING

EFFECTIVELY

Perform minimum substantive

Perform appropriate substantive testing – testing – ie confirm preliminary
consider (NET) – nature, extent and timing assessment and perform only
analytical procedures

354
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

2 Analytical procedures

Topic highlights
Analytical procedures are used at all stages of the audit, including as substantive procedures.
When using analytical procedures as substantive tests, auditors should consider the information
available, assessing its availability, relevance and comparability.

Key term
Analytical procedures means evaluations of financial information through analysis of plausible
HKSA 520.4 relations among both financial and non-financial data. Analytical procedures also encompass such
investigation as is necessary of identified fluctuations or relationships that are inconsistent with
other relevant information or that differ from expected values by a significant amount.

HKSA 520.3 The objectives of the auditors as specified in HKSA 520 (Clarified) Analytical Procedures are:
(a) To obtain relevant and reliable audit evidence when using substantive analytical procedures;
and
(b) To design and perform analytical procedures near the end of the audit that assist the auditor
when forming an overall conclusion as to whether the financial statements are consistent
with the auditor's understanding of the entity.
According to HKSA 520 (Clarified) analytical procedures include the following:
(a) Comparisons of data such as:
(i) Comparable information from previous reporting periods
(ii) Forecast results using budgets or estimates
(iii) Predictions extrapolated from current data and their understanding of the entity
prepared by the auditors
(iv) Data derived from wider industry information, secondary research and so on.
(b) Ratio analysis to test the relationship of those elements of financial information that are
expected to conform to a predicted pattern because of past behaviour. This may be the
relationship of gross profit to sales, for example.
(c) Comparing financial information and relevant non-financial information where there should
be an obvious link, such as the relationship of payroll expenses to number of employees.
(d) Sensitivity analysis.
Analytical procedures can be used throughout the audit but their use in some circumstances is
stated in HKSA 315 (Revised 2016) and HKSA 520 (Clarified) as essential:
(a) As risk assessment procedures to obtain an understanding of the entity and its
environment
(b) Towards the end of the audit to help inform the overall conclusion as to the
reasonableness of the financial statements assertions
They may also be used as substantive procedures, either alone or in combination with tests of
details.

355
 Business Assurance

2.1 Analytical procedures as risk assessment procedures

HKSA 315.6b HKSA 315 (Revised 2016) requires that the risk assessment procedures shall include analytical
procedures as well as inquiries of management and individuals within the internal audit function,
observation and inspection. Analytical procedures performed as risk assessment procedures may
include both financial and non-financial information and may identify aspects of the entity of which
the auditor was unaware. The auditor should focus on areas where problems have occurred in
past audits and assess the results of developments in the entity's business. The auditor should
then design and implement responses to the assessed risks.
However, analytical procedures only provide a broad initial indication about whether a material
misstatement may exist.
Analytical procedures may help to identify the existence of unusual transactions or events, and
amounts, ratios, and trends that might indicate matters that have audit implications. This may assist
the auditor in identifying risks of material misstatement, especially risks of material misstatement
due to fraud.
The auditor can gain understanding and evaluate the analytical procedures by considering other
information gathered and results of such analytical procedures.
The auditor should obtain from entity the possible sources of information for analytical
procedures such as:
 Entity's interim financial information
 Entity's management accounts
 Updated budgets
 Industry information that is related to entity's business
 Relevant information related to current industry conditions
 Board minutes
 Any external correspondence
 Non-financial information

2.2 Substantive analytical procedures

HKSA 520.5 HKSA 520 (Clarified) states that auditors must decide whether using available analytical
procedures as substantive procedures in conjunction with tests of details, will be effective and
efficient in reducing detection risk for specific financial statement assertions. Auditors may
efficiently use analytical data produced by the entity itself, provided they are satisfied that it has
been properly prepared. It is based on the auditor's judgment to whether to use analytical
procedures or not.
The auditor will ordinarily inquire of management about the availability and reliability of
information needed to apply substantive analytical procedures and the results derived. It may be
efficient to use analytical data prepared by the entity, provided the auditor is satisfied that such
data is properly prepared.

2.2.1 Factors to consider before performing substantive analytical

procedures
When designing and performing substantive analytical procedures, the auditor is required to
consider the following factors:
(a) Determine the suitability of particular substantive analytical procedures of certain assertions,
i.e.
(i) Auditors will also consider the plausibility and predictability of the relationships
being tested. Some relationships are strong, for example between selling expenses
and sales in business where the salesforce is mainly paid by commission.

356
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

(ii) In general, substantive analytical procedures are more applicable to large volumes of
transactions that tend to be predictable over time and where an expectation of
relationship among data exists.
(b) Develop an expectation of recorded amounts or ratios and evaluate whether the
expectation is sufficiently precise by considering:
(i) The accuracy with which the expected results of substantive analytical procedures can
be predicted.
(ii) The degree to which information can be disaggregated.
(iii) The availability of financial and non-financial information.
(c) Evaluate the reliability of data from which the auditor's expectation of recorded amounts or
ratios is developed. For example:
(i) When controls are effective, auditors have greater confidence in the reliability of the
information and therefore, in results of analytical procedures.
(ii) The controls over non-financial information can often be tested in conjunction with
tests of accounting-related controls. For example, in establishing controls over the
processing of sales invoices, a business may include controls over unit sales
recording. The auditors could therefore test the controls over the recording of unit
sales in conjunction with tests of controls over the processing of sales invoices.
(d) Determine the amount of any difference of recorded amounts from expected values that is
acceptable without further investigation. This is influenced by:
(i) Materiality and consistency with the desired level of assurance.
(ii) The possibility a misstatement may cause the financial statement to be materially
misstated.
(iii) The persuasiveness of audit evidence.
According to HKSA 330 when information produced by the entity is used by the auditor in audit
procedures, the auditor should obtain audit evidence about the accuracy and completeness of the
information.

2.2.2 Drawing conclusions from substantive analytical procedures

Before drawing any conclusions from substantive analytical procedures, auditors should consider
the following factors:
(a) Materiality levels: auditors cannot solely rely on analytical procedures to draw audit
conclusions.
(b) Other audit procedures: auditors should perform other audit procedures in conjunction with
analytical procedures such as performing tests of details – vouching to supporting invoices
or tracing to ledger
(c) Accuracy of expected results of analytical procedures
(d) Frequency of a relationship – ie consider if there is a monthly pattern or an annual pattern
Analytical procedures are generally less detailed and less costly than substantive procedures.
However, where internal controls are weak and control risk is high, the auditor may have to rely
more on tests of details in order to obtain sufficient, appropriate evidence.

2.2.3 Relationship between assessment of inherent and control risks

Both inherent risk and control risk fall into the category of risk of material misstatement at
assertion level. HKSA 200 considers both inherent and control risk. No matter how well the
internal control system is designed and operated, it can only reduce but not eliminate risks of
material misstatements due to inherent limitations.

357
 Business Assurance

HKSAs often refer to a combined assessment of the 'risks of material misstatement' rather than
referring to inherent risk and control risk separately. However, the auditor may make separate or
combined assessments of inherent and control risk depending on preferred audit techniques or
methodologies and practical considerations.

2.3 Analytical procedures at the overall review stage

HKSA HKSA 520 (Clarified) requires that the auditor shall design and perform analytical procedures near
520.6, 7 the end of the audit that assist the auditor when forming an overall conclusion as to whether the
financial statements are consistent with the auditor's understanding of the entity.
The auditor shall compare the results of analytical procedures with other corroborate conclusions
drawn from other audit procedures. This is intended to assist the auditor in drawing reasonable
conclusions for the audit opinion. The results of analytical procedures may lead the auditor to
revise his assessment of the risks of material misstatement and modify his audit procedures.

2.3.1 Investigating significant fluctuations or unexpected relationships

According to HKSA 520 (Clarified), when analytical procedures identify significant fluctuations or
relationships that are inconsistent with other relevant information or that deviate from predicted
patterns, the auditor should investigate and obtain adequate explanations and appropriate
corroborative evidence.
Investigations will start with inquiries of management and then corroboration of management's
responses:
(a) By comparing them with the auditors' knowledge of the entity's business and with other
evidence obtained during the course of the audit; or
(b) If the analytical procedures are being carried out as substantive procedures, by undertaking
additional audit procedures, where appropriate, to confirm the explanations received.
If explanations cannot be given by management, or if they are insufficient, the auditors must
determine which further audit procedures to undertake to explain the fluctuation or relationship.

2.4 Practical techniques

Ratio analysis can be a useful technique. However, ratios mean very little when used in isolation.
They should be calculated for previous periods and for comparable entities. This may involve a
certain amount of initial research, but subsequently it is just a matter of adding new statistics to the
existing information each year. The permanent file should contain a section with summarised
financial statements and the chosen ratios for prior years.
In addition to looking at the more usual ratios the auditors should consider examining other ratios
that may be relevant to the particular entity's business.
Other analytical techniques include the following:
(a) Examining related accounts in conjunction with each other. Often revenue and expense
accounts are related to accounts in the statement of financial position and comparisons
should be made to ensure relationships are reasonable
(b) Trend analysis. Sophisticated statistical techniques can be used to compare this period with
previous periods
(c) Reasonableness test. This involves calculating the expected value of an item and
comparing it with its actual value, for example, for straight-line depreciation:
(Cost + Additions – Disposals)  Depreciation % = Charge in statement of profit or loss and
other comprehensive income

358
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

Some comparisons and ratios, measuring liquidity and longer-term capital structure, will assist in
evaluating whether the entity is a going concern, in addition to contributing to the overall view of the
financial statements. Declining ratios may indicate going concern problems.
The working papers must contain the completed results of analytical procedures. They should
include:
 The outline programme of the work
 The summary of significant figures and relationships for the period
 A summary of comparisons made with budgets and with previous years
 Details of all significant fluctuations or unexpected relationships considered
 Details of the results of investigations into such fluctuations/relationships

Self-test question
Green Life Limited ('Green') sells garden furniture from five retail stores. All sales are made either
in cash or by credit cards, mainly from customers living in New Territories who have properties with
gardens.
All items purchased are delivered to the customer using Green's own delivery trucks as most
customers could not transport these goods in their own motor vehicles. The directors of Green
indicate that the company has had a difficult year, but are optimistic to present some acceptable
results to the shareholders.
The statements of profit or loss for the last two financial years are shown below:
STATEMENT OF PROFIT OR LOSS
31 March 20Y0 31 March 20X9
HK$'000 HK$'000
Revenue 7,482 6,364
Cost of sales (3,520) (4,253)
Gross profit 3,962 2,111

Operating expenses
Administration (1,235) (1,320)
Selling and distribution (981) (689)
Interest payable (101) (105)
Investment income 145 –
Profit/(loss) before tax 1,790 (3)

Extract from Statement of Financial Position

Cash equivalents 253 (950)
Required
With reference to HKSA 520 (Clarified) Analytical Procedures explain the different types of
analytical procedures available to the auditor. (3 marks)
Using analytical procedures as part of risk assessment procedures for Green, identify and provide
a possible explanation for unusual changes in the statement of profit or loss. (10 marks)
(Total = 13 marks)
(The answer is at the end of the chapter)

359
 Business Assurance

Topic recap

AUDIT PROCEDURES

Substantive
Test of controls procedures at the Includes external
assertion level confirmation

See Chapter II

Must be used as risk Analytical Test of details Sampling

assessment procedures
procedures and
at end of audit

Extent depends on
results of tests of
Normally combined
controls and
with test of details
analytical procedures

360
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

Answer to self-test question

Answer
Types of analytical procedures
Under HKSA 520 (Clarified), analytical procedures can be used as:
 Comparison of comparable information to prior periods to identify unusual changes or
fluctuations in amounts.
 Comparison of actual or anticipated results of the entity with budgets and/or forecasts, or the
expectations of the auditor in order to determine the potential accuracy of those results.
 Comparison to industry information either for the industry as a whole or by comparison to
entities of similar size to the client to determine whether receivable days, for example, are
reasonable.
Net profit
Overall, Green's result has changed from a net loss to a net profit. Given that sales have only
increased by 17% and that expenses, and in particular administration expenses, appear low, then
there is the possibility that expenditure may be understated.
Revenue – increase 17%
According to the directors, Green has had a 'difficult year'. Reasons for the increase in sales
income must be ascertained as the change does not appear to agree with the directors' comments.
It is possible that the industry as a whole has been growing allowing Green to produce this good
result.
Cost of sales – fall 17%
A fall in cost of sales is unusual given that sales have increased significantly. This may have been
caused by an incorrect inventory valuation and the use of different (cheaper) suppliers. If quality
has been compromised this may cause problems with poor customer satisfaction or faulty goods in
the next year.
Gross profit (GP) – increase 88%
This is a significant increase with the GP% changing from 33% last year to 53% in 20Y0.
Identifying reasons for this change will need to focus on the change in sales and cost of sales.
Administration – fall 6%
A fall is unusual given that sales are increasing and so an increase in administration to support
those sales would be expected.
Expenditure may be understated, or there may have been a decrease in the number of
administration staff.
Selling and distribution – increase 42%
This increase does not appear to be in line with the increase in sales – selling and distribution
would be expected to increase in line with sales. There may be a mis-allocation of expenses from
administration. Alternatively if the age of Green's delivery trucks is increasing this may have
resulted in additional service costs.

361
 Business Assurance

Interest payable – small fall

Given that Green has a considerable cash surplus this year, continuing to pay interest is surprising.
Reasons why this might be the case include the timing of when the surplus cash was generated.
Also there may be loans which cannot be repaid early. The amount may be overstated – reasons
for lack of fall in interest payments must be determined.
Investment income – new this year
This is expected given the cash surplus at the year end. The amount of investment income does
appear high indicating possible errors. Alternatively, there may be other income generating assets
not disclosed in the extract of the statement of financial position.

362
 12: Substantive procedures, including analytical procedures | Part D Assurance engagements

Exam practice

Sources of evidence 22 minutes

In each of the four following situations, the auditors face two sources of evidence resulting from
their audit procedures.

Source A Source B

Situation 1 Observation of the client's physical Confirmation of the client's inventories

counting of inventories at the year- held at an independent warehouse by
end. requesting a confirmation from the
warehouse management.
Situation 2 Observation of the client's Observation of the client's inventories
inventories composed primarily of composed primarily of metal sheets.
sophisticated electronic equipments.
Situation 3 Review of all payments made to Request for suppliers' confirmations at
suppliers after the year-end to the year-end for all significant suppliers
determine if they were properly from which the client made purchases
recorded as trade payables at the during the year.
year-end.
Situation 4 Confirmation of the client's bank Checking the balance of the client's
balance at the year-end direct with bank accounts with bank statements
the bank. kept by the client.

Required
(a) For each of the four situations, state the most important financial statement assertion(s)
which are being tested by the described audit procedures. (4 marks)
(b) For each of the four situations, identify which of the two sources gives more persuasive
evidence, and briefly explain your reasoning. (8 marks)
(Total = 12 marks)
HKICPA February 2006 (amended)

363
 Business Assurance

364
 chapter 13

Specific audit procedures

Topic list

1 Tangible non-current assets 5 Bank and cash

1.1 Audit objectives for tangible non-current 5.1 Bank confirmation procedures
assets 5.2 Confirmation requests
1.2 Internal control considerations 5.3 Common audit procedures
1.3 Audit procedures for tangible non-current 5.4 Auditing cash
assets 6 Trade payables and accruals
1.4 Long-term investments 6.1 Audit procedures
2 Intangible non-current assets 6.2 Confirmation of trade payables
2.1 Audit risks in auditing intangible non- 7 Non-current liabilities
current assets 8 Litigation and claims
2.2 Auditing intangible assets 8.1 Audit of litigation and claims
2.3 Auditing goodwill 8.2 Provisions for litigation and claims
3 Inventory 9 Audit of provisions
3.1 Audit objectives for inventory 10 Capital and other issues
3.2 Audit procedures for inventory 11 Segment information
3.3 Physical inventory count 11.1 Segment information
3.4 Additional procedures for physical 12 Revenue
inventory counting conducted other than 12.1 Bill and hold arrangements
at the date of the financial statements 12.2 Consignment arrangements
3.5 Physical inventory count not possible – 13 Purchases
alternative procedures 13.1 Internal controls
3.6 Valuation of inventory 13.2 Substantive procedures
3.7 Inventory held by third party 14 Wages and salaries
4 Receivables 14.1 Internal controls
4.1 The receivables' confirmation 14.2 Substantive procedures
4.2 Positive v negative confirmation 15 Financial instruments
4.3 Sample selection 15.1 Purposes of HKAPG 1000
4.4 Other uses of external confirmations 15.2 Controls relating to financial instruments
4.5 Follow-up procedures 15.3 Audit considerations relating to financial
4.6 Evaluation and conclusions instruments
4.7 Impairment loss for irrecoverable debt 15.4 Other relevant audit considerations

Learning focus

In this chapter you will study the audit procedures you would perform to confirm specific
assertions in an entity's financial statements. You should understand why a specific procedure
is performed. We will examine the substantive audit of trade payables and accruals, long-term
liabilities and provisions and end with a brief look at capital. Revenue is considered in
conjunction with trade receivables and purchases are considered in conjunction with the audit
of trade payables.

365
 Business Assurance

Learning outcomes

In this chapter you will cover the following learning outcomes:

Competency
level
2.09 Audit procedures 3
2.09.09 Explain the appropriate audit tests for:
2.09.09.01 Tangible non-current assets
2.09.09.02 Intangible non-current assets
2.09.09.03 Inventory
2.09.09.04 Receivables
2.09.09.05 Bank and cash
2.09.09.06 Trade payables and accruals
2.09.09.07 Non-current liabilities
2.09.09.08 Provisions and contingencies
2.09.09.09 Capital and other issues
2.09.09.10 Long-term investments
2.09.09.11 Segment information
2.09.09.12 Revenue
2.09.09.13 Purchases
2.09.09.14 Wages and salaries
2.09.09.15 Financial instruments

366
 13: Specific audit procedures | Part D Assurance engagements

1 Tangible non-current assets

Topic highlights
These are key areas when testing tangible non-current assets:
 Confirmation of ownership
 Inspection of non-current assets
 Valuation by third parties
 Adequacy of depreciation rates

1.1 Audit objectives for tangible non-current assets

Financial statement assertion Audit objective
Existence and occurrence  Additions represent assets acquired in the year
and disposals represent assets sold or scrapped
in the year
 Recorded assets represent those in use at the
year-end
Completeness  All additions and disposals that occurred in the
year have been recorded
 Balances represent assets in use at the year-end
Rights and obligations  The entity has rights to the assets purchased and
those recorded at the year-end
Accuracy, valuation and allocation  Non-current assets are correctly stated at cost
less accumulated depreciation
 Additions and disposals are correctly recorded
Presentation and classification  Disclosures relating to cost, additions and
disposals, depreciation policies, useful lives and
assets held under finance leases are adequate
and in accordance with accounting standards

1.2 Internal control considerations

The non-current asset register is a very important aspect of the internal control system. It
enables assets to be identified, and comparisons between the general ledger, non-current asset
register and the assets themselves provide evidence that the assets are completely recorded.
Another significant control is procedures over acquisitions and disposals, that acquisitions and
disposals are properly authorised, and proceeds are accounted for.
Other significant aspects are whether:
 Security arrangements over non-current assets are sufficient
 Non-current assets are maintained properly
 Depreciation is reviewed every year
 All income is collected from income-yielding assets

367
 Business Assurance

1.3 Audit procedures for tangible non-current assets

Audit plan: Tangible non-current assets
Completeness  Obtain or prepare a summary of tangible non-current assets showing
how:
– Gross book value
– Accumulated depreciation
– Net book value
reconcile with the opening position.
 Compare non-current assets in the general ledger with the non-
current assets register and obtain explanations for differences.
 For a sample of assets which physically exist agree that they are
recorded in the non-current asset register.
 If a non-current asset register is not kept, obtain a schedule showing
the original costs and present depreciated value of major non-current
assets.
 Reconcile the schedule of non-current assets with the general ledger.
Existence  Confirm that the entity physically inspects all items in the non-current
asset register each year.
 Inspect assets, concentrating on high value items and additions in-
year. Confirm that items inspected:
– Exist
– Are in use
– Are in good condition
– Have correct serial numbers
 Review records of income-yielding assets.

 Reconcile opening and closing assets by numbers as well as amounts.

Valuation  Verify valuation to valuation certificate.

 Consider the source of valuation, reviewing:

– Experience of valuer
– Scope of work
– Methods and assumptions used
– Valuation bases are in line with accounting standards
 Reperform calculation of revaluation surplus.

 Confirm whether valuations of all assets that have been revalued have
been updated regularly by inquiries of the Chief Financial Officer and
inspection of previous financial statements.
 Inspect draft financial statements to check that entity has recognised
in the statement of profit or loss and other comprehensive income
revaluation losses unless there is a credit balance in respect of that
asset in equity, in which case it should be debited to equity to cancel the
credit. All revaluation gains should be credited to equity.

368
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Tangible non-current assets

 Review depreciation rates applied in relation to:

– Asset lives
– Residual values
– Replacement policy
– Past experience of gains and losses on disposal
– Consistency with prior years and accounting policy
– Possible obsolescence
 Review non-current assets register to ensure that depreciation has
been charged on all assets with a limited useful life.
 Examine depreciation policies and ensure they are correctly and
consistently applied in accordance with HKASs.
 Verify that the revaluation of assets is recorded properly.

 For revalued assets, ensure that the charge for depreciation is based
on the revalued amount by recalculating it for a sample of revalued
assets.
 Reperform calculation of depreciation rates to ensure it is correct.

 Compare ratios of depreciation to non-current assets (by category)

with:
– Previous years
– Depreciation policy rates
 Scrutinise draft financial statements to ensure that depreciation
policies and rates are disclosed in the financial statements.
 Review insurance policies in force for all categories of tangible non-
current assets and consider the adequacy of their insured values and
check expiry dates.
Rights and  Verify title to land and buildings by inspection of:
obligations
– Title deeds
– Land registry certificates
– Leases
 Obtain a certificate from lawyers/bankers:
– Stating purpose for which the deeds are being held (custody only)
– Stating deeds are free from mortgage or lien
 Inspect registration documents for vehicles held, confirming that they
are in entity's name.
 Confirm all vehicles are used for the entity's business.

 Examine documents of title for other assets (including purchase

invoices, architects' certificates, contracts, hire purchase or lease
agreements).
 Review for evidence of charges in statutory books and by company
search.

369
 Business Assurance

Audit plan: Tangible non-current assets

 Review leases of leasehold properties to ensure that entity has fulfilled

covenants therein.
 Examine invoices received after year-end, orders and minutes for
evidence of capital commitments.
Additions These tests are to confirm rights and obligations, valuation and
completeness.
 Verify additions by inspection of architects' certificates, solicitors'
completion statements, suppliers' invoices etc.
 Review capitalisation of expenditure by examining for non-current
assets additions and items in relevant expense categories (repairs,
motor expenses, sundry expenses) to ensure that:
– Capital/revenue distinction is correctly drawn
– Capitalisation is in line with consistently applied entity's policy
 Inspect non-current asset accounts for a sample of purchases to
ensure they have been properly allocated.
 Check purchases have been authorised by directors/senior
management by reviewing board minutes.
 Ensure that appropriate claims have been made for grants, and grants
received and receivable have been received, by inspecting claims
documentations and bank statements.
 Check additions have been recorded by scrutinising the non-current
asset register and general ledger.
Disposals These tests are to confirm rights and obligations, completeness,
occurrence and accuracy.
 Verify disposals with supporting documentation, checking transfer of
title, sales price and dates of completion and payment.
 Recalculate profit or loss on disposal.

 Check that disposals have been authorised by reviewing board

minutes.
 Consider whether proceeds are reasonable.

 If the asset was used as security, ensure release from security has
been correctly made.
Classification and  Agree opening balances with prior years.
presentation
 Review non-current asset disclosures in the financial statements to
ensure they meet HKAS 16 Property, Plant and Equipment criteria.
 For a sample of fully depreciated assets, inspect the register to
ensure no further depreciation is charged.
 Inspect draft financial statements to ensure that depreciation policies
and rates are correctly disclosed.

370
 13: Specific audit procedures | Part D Assurance engagements

Self-test question 1
You are the external auditor of Convenient Motor Limited ('CML'), a Hong Kong listed entity which
has a year end 31 March. You have been the auditor since CML's listing. CML has purchased over
70 trucks for hiring to CML's customers for transporting goods. Normally, the hiring time ranges
from one week to three months.
In the main, all the vehicles are running anywhere in Hong Kong except when some of them have
broken down the vehicles will be returned to CML's car park for repairs. Full details of all vehicles
are maintained in a non-current assets register.
CML will receive telephone orders or e-mail orders where the booked truck would be ready for
collection the next day. Standard hiring amounts are allocated to each booking depending on the
amount of time for which the vehicle is being hired.
The net book value of the trucks is $37.5 million as at the year end and it represents 35% of CML's
total assets.
Required
Describe the audit procedures the auditor should perform on the net book value of CML's trucks at
the year end.
(The answer is at the end of the chapter)

Note that inspection of a building's title deeds does not give audit evidence about existence and if
there is doubt that a building actually exists, the auditors should physically inspect it.

1.4 Long-term investments

When long-term investments are material to the financial statements, the auditor should obtain
sufficient and appropriate audit evidence regarding their valuation and disclosure.
The key audit issues to consider are:
(a) Whether the entity has the ability to continue to hold the investments on a long-term
basis
Audit procedure: Discuss with management and obtain written representations
(b) Whether to write down the investments to market values
Audit procedure: Obtain market quotations and compare with the carrying amounts of the
investment

2 Intangible non-current assets

Topic highlights
Key assertions for intangible non-current assets are existence and accuracy, valuation and
allocation.

The key assertions relating to intangibles are existence (not so much 'do they exist?', but 'are they
genuinely assets?') and accuracy, valuation and allocation. They will therefore be audited with
reference to criteria laid down in the financial reporting standards. As only purchased goodwill or
intangibles with a readily ascertainable market value can be capitalised, audit evidence should be
available (purchase invoices or specialist valuations). The audit of amortisation will be similar to
the audit of depreciation.

371
 Business Assurance

2.1 Audit risks in auditing intangible non-current assets

It is difficult to audit intangible non-current assets such as intellectual property products.
The reasons are as follows:
(a) It is difficult to identify whether and when there is an identifiable asset that will generate
expected future economic benefits.
(b) It is difficult to determine the cost of the asset reliably as the cost of generating the intangible
asset internally may not be distinguishable from the cost of maintaining or enhancing the
entity or of running day-to-day operations.
(c) There is difficulty in auditing the estimates used in determining the amount of expected
future economic benefits.

2.2 Auditing intangible assets

Substantive procedures should be performed including substantive analytical procedures and tests
of details. However, it is difficult to design any meaningful analytical procedures on intangible
assets. Therefore, it is more efficient to carry out substantive work mainly consisting of tests of
details as detailed in the table below:

Existence and accuracy, valuation and allocation of intangibles

Existence  Obtain an understanding of the entity's systems and the related
assertion intangible assets by reviewing internal documentation prepared by
the entity to ensure that the intangible assets exists
 Involve experts in ensuring the technical feasibility of the intangible
assets
 Confirm feasibility and viability by inspection of budgets
 Review past history for the existing intangible assets to ensure that
a market exists for the intangible assets
 Review subsequent sale and use of the intangible assets
 Review the entity's application process of relevant accreditation and
review the status of accreditation of all its intangible assets
 Agree purchased intangibles (for example patents, licences or
copyright) to purchase documentation agreement by inspection
 Inspect invoices to verify expenditure incurred on research and
development projects
Accuracy,  Confirm that capitalised development costs conform to HKAS 38
valuation and criteria by inspecting details of projects and discussions with
allocation technical managers
assertion
 Vouch to source documents to ensure that they are directly
attributable to the creation, production and preparation of the
intangible assets
 Inspect specialist valuation of intangibles and ensure it is reasonable
 Obtain entity's estimates of future economic benefits
 Review and test the process used by the entity to develop the
estimates

372
 13: Specific audit procedures | Part D Assurance engagements

 Evaluate data and consider the assumptions on which the estimate

is based. For example, by comparing estimates made for prior
periods with actual results of those periods
 Review entity's approval process for activities, capitalisation of
expenses and development of estimates for the intangible assets
 Review the appropriateness of entity's estimates in establishing its
impairment policy
 Review impairment testing and assess the reasonableness of the
calculation of a recoverable amount
 Review any amortisation calculations and ensure they are correct by
recalculation

2.3 Auditing goodwill

HKFRS 3 (Revised) Business Combinations defines goodwill as an asset representing the future
economic benefits arising from other assets acquired in a business combination that are not
individually identified and separately recognised. Unlike research and development costs and the
other intangibles mentioned in the paragraphs above, goodwill is not an identifiable asset.

Audit plan: Goodwill

Goodwill  Agree the consideration to sales agreement by inspection
 Consider whether asset valuation (including assumptions) is reasonable
 Agree that the calculation is correct by recalculation
 Review the impairment test and discuss with management
 Ensure valuation of goodwill is reasonable/there has been no
impairment not adjusted through discussion with management
 Check purchased goodwill is calculated correctly (it should reflect the
difference between the fair value of the consideration given and the
aggregate of the fair values of the separable net assets acquired)
 Check that only purchased goodwill has been capitalised

Self-test question 2
You are the auditor of CC Limited ('CC'). CC acquired DD Limited during the year and recorded
goodwill of HK$300 million and intangible assets such as trade mark, patent and customer
relationships of HK$500 million. Management of CC engaged X Limited to value the intangible
assets and advise on the business valuation of the transaction. Based on the business valuation
performed by X Limited, CC developed its goodwill impairment assessment and concluded that no
goodwill impairment is necessary.

373
 Business Assurance

Required

(a) Evaluate and explain the risk of material misstatement relating to the accuracy, valuation
and allocation assertion of CC Limited's goodwill and intangible assets.

(b) Suggest and discuss the audit procedures you would perform on goodwill and intangible
assets respectively in response to the assessed risk of material misstatement in part (a).
(The answer is at the end of the chapter)

3 Inventory

Topic highlights
There are five key assertions relating to inventory:
 Existence
 Completeness
 Rights and obligations
 Accuracy, valuation and allocation
 Cut-off

Inventory is often a major area of importance for the auditor and, historically, has been the
component of the statement of financial position that creates more problems than any other. There
are a number of reasons for this including the reasons stated below:
 Inventory is usually a significant balance in the calculation of profit and a material component
of the statement of financial position
 The determination of year-end quantities can be problematic
 There are different approaches to its valuation and estimation and subjective assessment is
usually required
 There is an increased risk of manipulation and fraud by management and relevant parties

3.1 Audit objectives for inventory

The following table demonstrates the audit objectives for inventory and the related financial
statement assertions. The audit procedures described in the remainder of this section are
undertaken to provide audit evidence to support these assertions.

Financial statement assertion Audit objective

Existence and occurrence  Recorded purchases and sales represent inventories
bought and sold
 Inventory on the statement of financial position
physically exists
Completeness  All purchases and sales are recorded
 All inventory at year-end is included on the statement of
financial position
Rights and obligations  The entity has rights to inventory recorded in the period
and at the year-end

374
 13: Specific audit procedures | Part D Assurance engagements

Financial statement assertion Audit objective

Accuracy, valuation and  Costs are accurately determined in accordance with
allocation accounting standards
 Inventory is recorded at year-end at the lower of cost
and net realisable value
Cut-off  All purchases and sales of inventories are recorded in
the correct period
Presentation and classification  Inventory is properly classified in the financial
statements
 Disclosures relating to classification and valuation are
adequate and in accordance with accounting standards

3.2 Audit procedures for inventory

The following table sets out audit procedures to test year-end inventory:

Audit plan: Inventory

Existence  Observe the physical inventory count (see section 3.3 for details)
Completeness  Complete the disclosure checklist to ensure that all the
disclosures relevant to inventory have been made
 Trace test counts to the detailed inventory listing
 Where inventory is held in third party locations, physically
inspect this inventory or review confirmations received from the
third party and match to the general ledger
 Compare the gross profit percentage to the previous year or
industry data
Rights and obligations  Verify that any inventory held for third parties is not included in
the year-end inventory figure by being appropriately segregated
during the inventory count
 For any 'bill-and-hold' inventory (ie where the inventory has been
sold but is being held by the entity until the customer requires it),
identify such inventory and ensure that it is segregated during the
inventory count so that it is not included in the year-end inventory
figure
 Confirm that any inventory held at third party locations is
included in the year-end inventory figure by reviewing the inventory
listing
 Inquire of management and review any loan agreements and
board minutes for evidence that inventory has been pledged or
assigned
 Inquire of management about warranty obligation issues

375
 Business Assurance

Audit plan: Inventory

Accuracy, valuation  Obtain a copy of the inventory listing and cast it, and test the
and allocation mathematical extensions of quantity multiplied by price
 Trace test counts back to the inventory listing
 If the entity has adjusted the general ledger to agree with the
physical inventory count amounts, agree the two amounts
 Where a continuous (perpetual) inventory system is
maintained, agree the total on the inventory listing to the
continuous inventory records, using computer-assisted auditing
techniques (CAATs)
 Vouch a sample of inventory items to suppliers' invoices to ensure
it is correctly valued
 Where standard costing is used, test a sample of inventory to
ensure it is correctly valued
 For materials, agree the valuation of raw materials to invoices and
price lists
 Confirm that an appropriate basis of valuation (eg FIFO) is being
used by discussing with management
 For labour costs, agree costs to wage records
 Review standard labour costs in the light of actual costs and
production
 Reconcile labour hours to time summaries
 Make inquiries of management to ascertain any slow-moving or
obsolete inventory that should be written down
 Examine prices at which finished goods have been sold after the
year-end to ascertain whether any finished goods need to be
written down
 If significant levels of finished goods remain unsold for an unusual
period of time, discuss with management and consider the need to
make allowance
 Compare the gross profit percentage to the previous year or
industry data
 Compare raw material, finished goods and total inventory turnover
to the previous year and industry averages
 Compare inventory days to the previous year and industry average
 Compare the current year standard costs to the previous year after
considering current conditions
 Compare actual manufacturing overhead costs with budgeted or
standard manufacturing overhead costs

376
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Inventory

Cut-off  Note the numbers of the last Goods Despatched Notes (GDNs)
and Goods Received Notes (GRNs) before the year-end and the
first GDN and GRN after the year-end and check that these have
been included in the correct financial year
Classification  Review the inventory listing to ensure that inventory has been
properly classified between raw materials, work-in-progress and
finished goods
Presentation  Review the financial statements to confirm whether the cost
method used to value inventory is accurately disclosed
 Read the notes to the financial statements to ensure that the
information is accurate and properly presented at the appropriate
amounts

3.3 Physical inventory count

Topic highlights
Physical inventory count procedures are vital as they provide evidence which cannot be obtained
elsewhere or at any other time about the quantities and conditions of inventories and work-in-
progress.

HKSA 501.4 HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected items provides
guidance to auditors on attending the physical inventory count. It states that where inventory is
material, auditors must obtain sufficient appropriate audit evidence regarding its existence and
condition by attending the physical inventory count, unless this is impracticable and perform audit
procedures over the entity's final inventory records to determine whether they accurately reflect
actual inventory count results.
Procedures performed during attendance at physical inventory counting may serve as tests of
control or substantive procedures depending on the auditor's risk assessment, audit approach
and the specific procedures carried out.
It is always management's responsibility to ensure inventory figures in the accounts both
represent inventory that exists and that is actually owned by the entity.

3.3.1 The inventory count

A business may count inventory by one or a combination of the following methods:
(a) Physical inventory counts at the year-end
From the viewpoint of the auditor this is often the best method.
(b) Physical inventory counts before or after the year-end
This will provide audit evidence of varying reliability depending on:
(i) The length of time between the physical inventory count and the year-end (the
greater the time period, the less the value of audit evidence)
(ii) The business's system of internal controls
(iii) The quality of records of inventory movements in the period between the physical
inventory count and the year-end.

377
 Business Assurance

(c) Continuous (or perpetual) inventory where management has a programme of inventory-
counting throughout the year (see next sub-section).

3.3.2 Continuous (or perpetual) inventory

If continuous inventory counting is used, auditors will verify that management does the following:
(a) Ensures that all inventory lines are counted at least once a year.
(b) Maintains adequate inventory records that are kept up-to-date. Auditors may compare
sales and purchase transactions with inventory movements, and carry out other tests on the
inventory records, for example, checking casts and classification of inventory.
(c) Has satisfactory procedures for inventory counts and test-counting. Auditors should
confirm the inventory count arrangements and instructions are as rigorous as those for a
year-end inventory count by reviewing instructions and observing counts.
Auditors will be particularly concerned with cut-off, that there are no inventory movements
while the count is taking place, and inventory records are updated up until the time of the
inventory count.
(d) Investigates and corrects all material differences. Reasons for differences should be
recorded and any necessary corrective action taken. All corrections to inventory movements
should be authorised by a manager who has not been involved in the detailed work. These
procedures are necessary to guard against the possibility that inventory records may be
adjusted to conceal shortages. Auditors should check that the procedures are being
operated.
The audit work when continuous inventory counting is used focuses on tests of controls rather
than substantive audit work. Nevertheless, the auditor will also need to do some further substantive
audit work on completeness and existence at the year-end.
Attendance at an inventory count gives evidence of the existence (though not necessarily
ownership) of inventory and in identifying obsolete, damaged or ageing inventory. It also gives
evidence of the completeness of inventory, as do the follow-up tests to ensure all inventory sheets
were included in the final count.

3.3.3 Planning attendance at inventory count

Before the physical inventory count the auditors should ensure audit coverage of the count is
appropriate, and that the entity's count instructions have been reviewed.

Audit plan: Planning inventory count

 Review of previous year's arrangements.

 Discussion with management regarding inventory count arrangements and significant
changes.
 The nature and volume of the inventory.
 Risks relating to inventory.
 Identification of high value items.
 Method of accounting for inventory.
 Location of inventory and how it affects inventory control and recording.
 Internal control and accounting systems to identify potential areas of difficulty.
 How to ensure a representative selection of locations, inventory and procedures are
covered.
 How to ensure sufficient attention is given to high value items.
 Arrangements to obtain from any third parties' confirmation of inventory they hold.

378
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Planning inventory count

 Consideration of the need for expert help.

 Supervision by senior staff including senior staff not normally involved with inventory.
 Tidying and marking inventory to help counting.
 Restriction and control of the production process and inventory movements during the count.
 Identification of damaged, obsolete, slow-moving, third party and returnable inventory.
 Systematic counting to ensure all inventory is counted.
 Teams of two counters, with one counting and the other checking or two independent
counts.
 Serial numbering, control and return of all inventory sheets.
 Inventory sheets being completed in ink and signed.
 Information to be recorded on the count records (location and identity, count units, quantity
counted, conditions of items, stage reached in production process).
 Recording of quantity, conditions and stage of production of work-in-progress.
 Recording of last numbers of goods inwards and outwards records and of internal transfer
records.
 Reconciliation with inventory records and investigation and correction of any differences.

3.3.4 Attendance at inventory count

During the count the auditors should check the count is being carried out according to
instructions, carry out test counts, and watch for third party and slow moving inventory and
cut-off problems.

Audit plan: Attendance at inventory count

 Observe whether the entity's staff are following instructions as this will help to ensure the
count is complete and accurate.
 Perform test counts to ensure procedures and internal controls are working properly, ie the
application of appropriate control activities.
 Ensure that the procedures for identifying damaged, obsolete and slow-moving inventory
operate properly; the auditors should obtain information about the inventory's condition, age,
usage and in the case of work-in-progress, its stage of completion to ensure that it is later
valued appropriately.
 Confirm that inventory held on behalf of third parties is separately identified and accounted
for so that inventory is not overstated.
 Conclude whether the count has been properly carried out and is sufficiently reliable as a
basis for determining the existence of inventories.
 Consider whether any amendment is necessary to subsequent audit procedures.
 Gain an overall impression of the levels and values of inventories held so that the auditors
may, in due course, judge whether the figure for inventory appearing in the financial statements
is reasonable.

When carrying out test counts the auditors should select items from the management's count
records and from the physical inventory and check one to the other, to confirm the accuracy of the
count records. These two-way tests provide evidence for completeness and existence. The

379
 Business Assurance

auditors should concentrate on high value inventory. If the results of the test counts are not
satisfactory, the auditors may request that inventory is recounted.
The auditors' working papers should include:
 Details of their observations and tests
 The manner in which points that are relevant and material to the inventory being counted
or measured have been dealt with by the entity
 Instances where the entity's procedures have not been satisfactorily carried out
 Items for subsequent testing, such as photocopies of (or extracts from) rough inventory
sheets
 Details of the sequence of inventory sheets
 The auditors' conclusions

3.3.5 After the inventory count

There are a number of follow up procedures once the inventory count has taken place. Among
these are the preparation of a memorandum for the working papers and a summary of the results
of the observations, test counts and so on, giving an overall conclusion on the effectiveness of the
entity's physical inventory activities and the auditor's satisfaction with them. The table goes into
more detail:

Audit plan: Following up the inventory count

 Trace items that were test counted to final inventory sheets.

 Observe whether all count records, including consignment inventories if they are held, have
been included in final inventory sheets.
 Inspect the final inventory sheets to ensure they are consistent with count records.
 Ensure that continuous inventory records have been adjusted to the amounts physically
counted or measured, and that the reasons for the differences have been identified.
 Confirm there is a consistent cut-off by checking sales invoices and supplier invoices are
recorded in the proper period.
 Review replies from third parties about inventory held by or for them and check all
consignment inventory is included in the final valuation and against the detailed records held by
the entity.
 Confirm the entity's final valuation of inventory has been calculated correctly.
 Follow up queries and notify any problems to management.

3.3.6 Risk factors – existence and accuracy, valuation and allocation

When some of these risk factors appear, they will cause higher risk of material misstatements and
the following table shows the risks in relation to the most relevant assertions – existence and
accuracy, valuation and allocation.

Existence
 Inventories at multi-locations
 Inventories of small size but high value
 Manufactured goods require identification of raw materials, work-in-progress
 Inventories with similar appearance
 Inventories requiring special storage

380
 13: Specific audit procedures | Part D Assurance engagements

 Inventories are highly desirable and movable, ie the susceptibility of assets to loss or
misappropriation is high. For example, fraudulent schemes may be used to disguise the
unaccounted for portion of inventories
Accuracy, valuation and allocation
 Inventories with similar appearance
 Inventories requiring special knowledge to value
 Inventories purchased in bulk – difficult to allocate costs
 Inventories of high value – wrong identification is material error
 Inventories requiring special storage – increased chance of obsolescence
 Inventories with fluctuating net realisable value
 Manufactured goods – allocation of costs

3.4 Additional procedures for physical inventory counting

conducted other than at the date of the financial statements
HKSA 501.5 Irrespective of whether management determines inventory quantities by an annual physical
inventory counting or maintains a perpetual inventory system, the physical inventory counting may
be conducted at a date or dates other than the date of the financial statements.
HKSA 501 (Clarified) requires the auditor shall additionally perform audit procedures to obtain audit
evidence about whether changes in inventory between the count date and the date of the
financial statements are properly recorded. The auditor could consider the effectiveness of the
design, implementation and maintenance of controls over changes in inventory.

3.5 Physical inventory count not possible – alternative

procedures
3.5.1 Rollback exercise
If physical inventory count on planned date is not possible, the auditor should take or observe
some physical counts on an alternative date and perform, if necessary, other audit procedures on
intervening transactions (ie rollback). For the rollback, it is necessary to ascertain that entity's
records of inventory movements in the intervening period can be readily examined and
substantiated. A physical inventory count carried out after the year end could only be possible if
such records are available and found to be reliable.
The greater the interval between the financial statement date and the physical count date, the more
difficult the inventory rollback exercise will be. A rollback exercise will be highly dependent on the
soundness of the internal control system, in particular on inventories, and satisfactory maintenance
of inventory records.
Note details of the movement of inventory just prior to, during and after the count so that the
accounting for such movements can be checked at a later date. Auditors should assess the overall
results of the inventory rollback exercise and conclude whether they provide satisfactory evidence
as to the physical existence and conditions of entity's inventories as at the date of the financial
statements.

3.5.2 Other alternative procedures

When a physical inventory count (ie due to nature and location of the inventory) is impracticable
and a rollback exercise is also not possible, the auditors should perform other alternative
procedures to obtain sufficient appropriate audit evidence regarding the existence and
condition of inventory before considering modifying the auditor's report under HKSA 705
(Revised) Modifications to the Opinion in the Independent Auditor's Report as a result of the scope
limitation.

381
 Business Assurance

If the nature of work in progress is such that its existence cannot be verified by a physical count
then alternative procedures may include: examining supporting costing records, work tickets,
evidence of purchases and sales and testing the internal controls, as well as physical inspection.
Auditors can also compare the current activity between the physical count date and the date of
financial statement to activity of the equivalent period in the preceding year and investigate unusual
fluctuations. In addition, auditors can review the sales records and investigate the authenticity of
any unusually large sales made in the period prior to the inventory count date.
Auditors can determine whether any inventory is pledged as collateral or subject to any liens and
inspect the open purchase order file at the end of the reporting period for significant commitments
that should be considered for disclosure.

3.6 Valuation of inventory

Topic highlights
The valuation and disclosure rules for inventory are laid down in HKAS 2 Inventories. Inventory
should be valued at the lower of cost and net realisable value.

The auditor needs to consider the valuation of inventories by reviewing whether:

 The entity has followed HKAS 2 when accounting the value for inventories (i.e. lower of cost
or net realisable value)
 The entity has allocated the overheads appropriately
 The entity has applied the method of accounting for inventories consistently

3.6.1 Valuation of manufacturing inventories

(a) Raw materials
The auditor should check the value of raw materials by vouching to suppliers' invoices.
Standard costs can be used and auditor should check the basis of standards, compare
standard costs with actual costs and confirm proper treatment of variances.
(b) Work-in-progress and finished goods
The auditor should check on the method used by the entity to value work-in-progress and
finished goods, the system of internal control and the reasonableness of the valuation of
finished goods and work-in-progress.
The auditor should use analytical procedures.

3.6.2 Identification of slow-moving inventories or obsolete items

Audit procedures should determine whether slow moving or obsolete items have been included
in inventory. This may be done by the following methods:
(a) Review the perpetual records (or inventory cards) for slow-moving items.
(b) Discuss the quality of the inventory (in terms of turnover rate, sales prospect, demand of the
market etc) with management.
(c) Ask questions of production personnel during physical inventory observation about the extent of
the use or non-use of inventory items.
(d) Make observations during the physical inventory of rust, damaged inventory, inventory in
unusual locations, and unusual amounts of dust on the inventory.
(e) Be aware of inventory that is tagged obsolete, spoiled, or damaged, or is set aside because it is
obsolete or damaged.

382
 13: Specific audit procedures | Part D Assurance engagements

(f) Examine obsolescence reports, scrap sales, and other records in subsequent periods that may
indicate the existence of inventory that should have been excluded from the physical inventory
or included at a reduced cost.
(g) Calculate inventory ratios, by type of inventory if possible, and compare them with previous
years or industry standards.

3.7 Inventory held by third party

HKSA 501.8 HKSA 501 (Clarified) requires that if the entity has inventory that is held by third parties or in public
warehouses and is material to the financial statements, the auditor shall obtain sufficient
appropriate audit evidence regarding the existence and condition of that inventory by performing
the following procedures:
(a) Obtaining direct confirmation (HKSA 505 (Clarified) External Confirmations) relating to
quantities and ownership by writing directly to the custodian
(b) Perform inspection or other audit appropriate procedures such as:
(i) Observing physical counts of the inventory or arranging for the third party's
auditors to do so, if practicable
(ii) Obtaining a report on the adequacy of the third party's internal control
(iii) Inspecting documentation regarding inventory held by third parties
(iv) Requesting confirmation from other parties when inventory has been pledged as
collateral

Summary of audit procedures for auditing existence and accuracy, valuation and allocation
of inventories
Existence
 Consider whether inventories are material in the statement of financial position.
 Perform physical count.
 Assess the independence and competence of the counting team, eg whether entity's staff
other than from the warehouse have been sufficiently involved and whether the inventory
taking is supervised by an appropriately experienced and qualified staff member.
 Trace items selected from the records to the physical inventory and items selected from the
physical inventory to the count records.
 Check from the entity's inventory records to auditor's test data for the location and items to be
traced at later stage.
 Perform cut-off procedures on the details of the movement of inventory just prior to, during and
after the count.
 Obtain expert confirmation about the identification of specialist inventory.
 For inventories situated at different locations, consider at which locations attendance is
appropriate, taking into account the materiality of inventory and the risk of material
misstatement at different locations.
 Consider the procedures of recording the inventory count results onto the financial statements.
Accuracy, valuation and allocation
 Obtain a full list of inventory. Recalculate the total gross amount and match the recalculated
result to the amount in the statement of financial position.
 Use sampling to sample some expensive inventories and confirm with experienced staff of
entity that the actual type or class of these samples agree with the records.

383
 Business Assurance

 Obtain an independent expert's confirmation about the type or class of the inventories in the
sample and their valuation.
 Investigate entity's inventory accounting policy, particularly that relating to overhead allocation,
to consider whether the policy complies with relevant accounting standards. Reperform some
overhead cost allocations. Ask entity's management about any deviations from the policy.
 Trace some inventory items in the inventory sheets back to original purchase invoices to agree
the cost.
 Ask entity's management about the process for identification of obsolete and slow moving
inventories.
 Perform analytical procedures, eg compare finished goods to turnover ratios of current and
prior years, to consider whether the inventory holdings are reasonable.
 Obtain or prepare an inventory ageing analysis.
 Review subsequent sales and purchases.
 Trace inventory items to post-year end sales to determine the realisable value of inventory.
 Reconcile test counts recorded during the physical inventory observation to the inventory
listing.
 Review an analysis of inventory turnover, variances and overheads.

Self-test question 3
Assume you are Daniel Lai, an audit partner of ABC CPA Co. ('ABC'). Recently you accept a new
audit engagement of a listed company in Hong Kong, Big Bang Limited ('Big Bang').
For the purposes of improving production efficiency and better management of work in progress
and inventory, Big Bang has implemented a new enterprise resources planning ('ERP') system,
TIME system, during the year which allows real time recording of inventory in and out and
automates the weighted average inventory costing calculation. Daniel learnt this information from
his interview with the IT head and is considering this change in the audit plan.
Required
What audit procedures should Daniel plan to perform? (7 marks)
HKICPA December 2013 (amended)
(The answer is at the end of the chapter)

4 Receivables

Topic highlights
Existence, completeness and accuracy, valuation and allocation are key assertions relating to
the audit of receivables.

Audit procedures for receivables are set out in the table below. This covers the audit of sales and
prepayments as well as trade receivables. Receivables are often tested in conjunction with sales.
The key assertions for sales are occurrence, completeness and accuracy, valuation and
allocation.

384
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Receivables

Completeness  Agree the balance from the individual sales ledger accounts to the aged
receivables' listing and vice versa.
 Match the total of the aged receivables' listing to the sales ledger control
account.
 Cast and cross-cast the aged trial balance before selecting any samples
to test.
 Trace a sample of shipping documentation to sales invoices and into the
sales and receivables' ledger.
 Complete the disclosure checklist to ensure that all the disclosures
relevant to receivables have been made.
 Compare the gross profit percentage by product line with the previous
year and industry data.
 Compare the level of prepayments to the previous year to ensure the
figure is materially correct and complete.
Existence  Perform a receivables' circularisation on a sample of year-end trade
receivables (see section 4.1 for details of how to undertake the
receivables' circularisation).
 Follow up all balance disagreements and non-replies to the receivables'
confirmation.
 Perform alternative procedures for any exceptions and non-replies to the
receivables' confirmation.
 Review after-date cash receipts by inspecting bank statements and cash
receipts documentation.
 Examine the customer's account and customer correspondence to
assess whether the balance outstanding represents specific invoices
and confirm their validity.
 Examine the underlying documentation (purchase order, despatch
documentation, duplicate sales invoice etc.).
 Inquire from management explanations for invoices remaining unpaid
after subsequent ones have been paid.
 Observe whether the balance on the account is growing and if so, find
out why by discussing with management.
Rights and  Review bank confirmation for any liens on receivables.
obligations
 Make inquiries of management, review loan agreements and review
board minutes for any evidence of receivables being sold (e.g. to
factors).

385
 Business Assurance

Audit plan: Receivables

Accuracy,  Compare receivables' turnover and receivables' days to the previous
valuation and year and/or to industry data.
allocation
 Compare the aged analysis of receivables from the aged trial balance to
the previous year.
 Review the adequacy of the allowance for uncollectable accounts
through discussion with management.
 Compare the bad debt expense as a percentage of sales to the previous
year and/or to industry data.
 Compare the allowance for uncollectable accounts as a percentage of
receivables or credit sales to the previous year and/or to industry data.
 Examine large customer accounts individually and compare to the
previous year's balances.
 For a sample of old debts on the aged trial balance, obtain further
information regarding their recoverability by discussions with
management and review of customer correspondence.
 For a sample of prepayments from the prepayments' listing, recalculate
the amount prepaid to ensure that it has been accurately calculated.
 For a sample of sales invoices, compare the prices and terms to the
authorised price list and terms of trade documentation.
 Test whether discounts have been properly applied by recalculating
them for a sample of invoices.
 Test the correct calculation of tax on a sample of invoices.
Cut-off  For a sample of sales invoices around the year-end, inspect the dates
and compare with the dates of despatch and the dates recorded in the
ledger for application of correct cut-off.
 For sales returns, select a sample of returns documentation around the
year-end and trace to the related credit entries.
 Perform analytical procedures on sales returns, comparing the ratio of
sales returns to sales.
 Review material after-date invoices, credit notes and adjustments and
ensure that they are recorded correctly in the relevant financial period.
Occurrence  For a sample of sales transactions recorded in the ledger, vouch the
sales invoice back to customer orders and despatch documentation.
Classification  Take a sample of sales invoices and examine for proper classification
into revenue accounts.
 Review the aged analysis of receivables for any large credits, non-trade
receivables and long-term receivables and consider whether such items
require separate disclosure.
Presentation  Determine, through discussion with management, whether any
receivables have been pledged, assigned or discounted and whether
such items require disclosure in the financial statements.
 Read the disclosure notes to ensure the information is accurate and
properly presented at the appropriate amounts.

386
 13: Specific audit procedures | Part D Assurance engagements

4.1 The receivables' confirmation

Topic highlights
A confirmation of receivables is a major procedure, usually achieved by direct contact with
customers. There are two methods of confirmation: positive and negative.

4.1.1 Objectives of confirmation

HKSA External confirmation is a major substantive test used in the audit of accounts receivable balances.
505.7, 8
The external confirmation is a direct written response to the auditor from a third party. The
auditor designs and performs such procedures to obtain relevant and reliable audit evidence.
External confirmations can satisfy the financial assertions of existence, completeness and
rights and obligations and in addition can provide audit evidence about the absence of certain
conditions. External confirmation will produce audit evidence from each respondent whether the
amount owed by them to the entity at the date of confirmation is correct.
From an independent source (external parties), it is reliable audit evidence. It would satisfy the
criteria of 'appropriate' for evidence. Therefore, when it is reasonable to expect customers to
respond, the auditors should ordinarily plan to obtain direct confirmation of receivables to individual
entries in an account balance.
The confirmation of receivables on a test basis should not be regarded as replacing other audit
procedures, such as the testing in-depth of sales transactions, but the results may influence the
scope of such tests.

4.1.2 External confirmation procedures

HKSA 505 (Clarified) External Confirmations requires that the auditor shall maintain control over
external confirmation requests when using external confirmation procedures such as:
 Determining the information to be confirmed or requested
 Selecting the appropriate confirming party
 Designing the confirmation requests
 Sending the requests including follow-up procedures

4.1.3 Timing of confirmation

Ideally the confirmation should take place immediately after the year-end and hence cover the
year-end balances to be included in the statement of financial position. However, time constraints
may make it impossible to achieve this ideal.
In these circumstances it may be acceptable to carry out the confirmation prior to the year-end
provided that confirmation is no more than three months before the year-end and internal
controls are strong.

4.1.4 Management's refusal to allow the auditor to send a confirmation

request
Confirmation is essentially an act of the entity, who alone can authorise third parties to divulge
information to the auditors.
HKSA 505 (Clarified) outlines what the auditors' response should be when management refuses
permission for the auditors to contact third parties for evidence. Note that this applies to all such
external confirmations, not just trade receivables' confirmations.
If management asks the auditor not to seek the confirmation, the auditor should inquire of
management the reasons for the refusal and consider if there are valid reasons for the request and
obtain evidence to support this.

387
 Business Assurance

If the auditor agrees not to seek external confirmations, other alternative procedures should be
carried out to obtain sufficient appropriate audit evidence. The auditor should consider the integrity
of management and possible reasons for any concealment.
In addition, the auditor should evaluate the implications of management's refusal especially
whether it is related to fraud and the implication on nature, extent and timing of audit procedures. If
management's request is unreasonable, this may indicate a fraud risk factor that requires
evaluation in accordance with HKSA 240 The Auditor's Responsibilities Relating to Fraud in an
Audit of Financial Statements.
If the auditor does not accept the validity of management's request and is prevented from
undertaking the confirmations, the auditor shall communicate this with those charged with
governance under HKSA 260 (Revised) Communication with Those Charged with Governance.
The auditor also shall determine the implications for the audit and the auditor's opinion in
accordance with HKSA 705 (Revised) Modification to the Opinion in the Independent Auditor's
Report.

4.2 Positive v negative confirmation

When confirmation is undertaken, the method of requesting information from the customer may be
either positive or negative.

4.2.1 Positive confirmation

A positive external confirmation request asks the confirming party to reply to the auditor by either:
 Indicating the confirming party's agreement with the given information; or
 By asking the confirming party to provide information.
Though a positive confirmation request is expected to provide reliable evidence, there is a risk that
a confirming party may reply to the confirmation request without verifying whether the information is
correct. The auditor may ask the responding party to fill in the amount or furnish further information.
The positive method is generally preferable as it is designed to encourage definite replies from
those contacted. It is normally used when there is a small number of material accounts. However,
positive confirmation is more time-consuming and generally results in a lower response rate.

4.2.2 Negative confirmation

Negative confirmation request is a request that the confirming party responds directly to the auditor
only if the confirming party disagrees with the information provided in the request.
Negative confirmations provide less persuasive audit evidence than positive confirmations and the
auditor shall not use negative confirmation requests as the sole substantive audit procedure unless
all the following factors are present:
 The auditor has assessed the risk of material misstatement as low
 The entity has effective internal controls
 The population of items comprises a large number of small accounts
 A very low exception rate is expected
 The auditor is not aware of circumstances or conditions that would cause recipients of
negative confirmation requests to disregard the requests
Alternatively, in some circumstances, say where there is a small number of large accounts and a
large number of small accounts, a combination of both methods may be appropriate.
The statements will normally be prepared by the entity's staff, from which point the auditors, as a
safeguard against the possibility of fraudulent manipulation, must maintain strict control over the
preparation and despatch of the statements.

388
 13: Specific audit procedures | Part D Assurance engagements

Precautions must also be taken to ensure that undelivered items are returned, not to the entity, but
to the auditors' own office for follow-up by them.

4.3 Sample selection

Auditors will normally only contact a sample of accounts receivable. If this sample is to yield a
meaningful result it must be based upon a complete list of all accounts receivable. In addition,
when constructing the sample, the following classes of account should receive special attention:
 Long outstanding accounts
 Accounts written-off during the period under review
 Accounts with credit balances
 Accounts settled by round sum payments
 Accounts with nil balances
 Accounts which have been paid by the date of the examination

4.4 Other uses of external confirmations

External confirmations can be used in the following situations:
 Confirm bank balances and other information relevant to banking relationships
 Accounts receivable/payable and terms
 Consignment inventories
 Property title deeds held by lawyers or financiers for safe custody or as security
 Investment purchased but not delivered
 Loan balances including terms of repayment and restrictive covenants

HKSA
505.10, 12, 14
4.5 Follow-up procedures
4.5.1 Doubts about the reliability of responses to confirmation requests
There is always some risk regardless of the form of the response. Factors that indicate doubts
about the reliability of a response include that it:
 Was received by the auditor indirectly
 Appeared not to come from the originally intended confirming party ie responses received
electronically as it is difficult to identify the sender of information
If the auditor identifies factors that give rise to doubts about the reliability of the response to a
confirmation request, the auditor shall obtain further audit evidence to resolve those doubts. The
auditor may request to contact the confirming party and in addition, the auditor shall evaluate the
implications on the assessment of the relevant risks of material misstatement, including the risk of
fraud.

4.5.2 Non-responses

Topic highlights
Non-response is a:
 Failure of the confirming party to respond or fully respond, to a positive confirmation request
 Confirmation request returned undelivered

389
 Business Assurance

HKSA 505 (Clarified) requires the auditor shall perform alternative audit procedures to obtain
relevant and reliable audit evidence. Though oral response to a confirmation request does not meet
the definition of external confirmation, the auditor may request the confirming party to respond in
writing directly to the auditor. If the auditor is unable to obtain sufficient and appropriate audit
evidence, the auditor shall determine the implications for the audit and consider qualification of
auditor's opinion.
In certain situations, the auditor may consider a positive confirmation request is necessary to obtain
sufficient appropriate audit evidence especially when:
 The information available to corroborate is only available outside the entity
 Specific fraud risk factors prevent the auditor from relying on evidence from the entity
A non-response to a confirmation request may indicate a previously unidentified risk of material
misstatement.
The auditor may need to revise the assessed risk of material misstatement at the assertion level,
and modify planned audit procedures.

4.5.3 Exceptions

Key term
Exceptions are responses that indicate a difference between information requested to be
HKSA 505.6e confirmed, or contained in the entity's records, and information provided by the confirming party.

The auditor shall investigate exceptions to determine whether or not they are indicative of
misstatement or indicative of fraud. Finally, exceptions also may indicate a deficiency or
deficiencies in the entity's internal control over financial reporting.
Auditors may use the following table to consider the reasons for exceptions:

Reasons for exceptions

There is a dispute between the entity and the customer. The reasons for the dispute would have to
be identified, and impairment losses made, if appropriate, against the debt.
Cut-off problems exist, because the entity records the following year's sales in the current year or
because goods returned by the customer in the current year are not recorded in the current year.
Cut-off testing may have to be extended (see below).
The customer may have sent the monies before the year-end, but the monies were not recorded
by the entity as receipts until after the year-end. Detailed cut-off work may be required on receipts.
Monies received may have been posted to the wrong account or a cash-in-transit account.
Auditors should check if there is evidence of other mis-posting. If the monies have been posted to a
cash-in-transit account, auditors should ensure this account has been cleared promptly.
Customers who are also suppliers may net-off balances owed and owing. Auditors should check
that this is allowed.
Teeming and lading, stealing monies and incorrectly posting other receipts so that no
particular customer is seriously in debt is a fraud that can arise in this area. If auditors suspect
teeming and lading has occurred, detailed testing will be required on cash receipts, particularly on
prompt posting of cash receipts.

4.5.4 Unreliable responses

When an auditor concludes that the response of the confirmation is unreliable, the auditor may
need to revise the risk of material misstatement at the assertion level and modify planned audit
procedures accordingly, in accordance with HKSA 315 (Revised 2016). For instance, an unreliable
response might indicate a fraud risk factor that requires evaluation in accordance with HKSA 240.

390
 13: Specific audit procedures | Part D Assurance engagements

4.6 Evaluation and conclusions

HKSA 505 (Clarified) requires that the auditor shall evaluate whether the results of the external
confirmation procedures provide relevant and reliable audit evidence, or whether further audit
evidence is necessary.
The auditor may categorise such results as follows:
 A non-response
 A response indicating agreement with the information provided in the confirmation request
 A response indicating an exception
 A response deemed unreliable

4.7 Impairment loss for irrecoverable debt

The amount shown in the trade receivables in the statement of financial position should be
'Outstanding amount on trade receivable less impairment loss for irrecoverable debt'. It is related to
the accuracy, valuation and allocation assertion. Remember the impairment loss is management's
estimate so auditors need to refer to HKSA 540 Auditing Accounting Estimates, including Fair
Value Accounting Estimates and Related Disclosures.
Specific procedures for auditing the accuracy, valuation and allocation of trade receivables:
(a) The auditors should understand, ascertain and evaluate the effectiveness of the internal
controls over credit policy and control.
(b) The auditors should understand and ascertain the ageing of the trade receivable balances.
(c) Based on the aged analysis of trade receivables as at the reporting date, the auditors could
perform analytical procedures, such as comparing the trade receivable turnover with
previous years', similar entities, or the industry average.
(d) The auditors should investigate outstanding trade receivable balances, especially for
unusual and/or material amounts, and obtain satisfactory explanation from the entity.
Account balances involving related party transactions require special attention.
(e) The auditors should identify and investigate any account balance exceeding the maximum
credit limit and obtain satisfactory explanation from the entity.

Self-test question 4
DEF Trading Limited ('DEF') is principally engaged in purchasing different types of goods from
overseas manufacturers and reselling them to retailers in Hong Kong. Since trade receivables is a
material item in the statement of financial position of DEF, Wong & Co. (Wong), DEF's auditor, is
planning to use external confirmation to verify the account balance of trade receivables as at
31 March 20X0.
Wong sent out trade receivables confirmation requests to all its major debtors and has received the
following replies from four major debtors:
(i) Debtor A replied, 'Sorry, we can't answer your request for confirmation of our account unless
you provide details of all outstanding invoices'.
(ii) Debtor B replied, 'Yes, the outstanding balance of HK$488,000 agreed to our accounting
record'. However, Debtor B did not sign the response.
(iii) Debtor C replied, 'The balance of HK$580,000 was paid on 15 March 20X0.'
(iv) Debtor D replied, 'The amount should be HK$400,000 because the remaining HK$300,000
was for goods we received after 31 March 20X0.'

391
 Business Assurance

Required
(a) Evaluate the effectiveness of using external confirmation to obtain relevant and reliable audit
evidence at the existence, completeness, accuracy, valuation and allocation assertion level
of trade receivables.
(5 marks)
(b) Design additional audit procedures Wong should perform based on the replies from the
following four debtors:
(i) Debtor A (2 marks)
(ii) Debtor B (2 marks)
(iii) Debtor C (5 marks)
(iv) Debtor D (3 marks)
(Total = 17 marks)
HKICPA December 2010 (amended)
(The answer is at the end of the chapter)

5 Bank and cash

Topic highlights
Bank balances are usually confirmed directly with the bank in question.

5.1 Bank confirmation procedures

The audit of bank balances will need to cover completeness, existence, rights and obligations
and accuracy, valuation and allocation. All of these assertions can be audited directly by
obtaining third party confirmations from the entity's banks and reconciling these with the accounting
records, having regard to cut-off.
This type of audit evidence is valuable because it comes directly from an independent source
and, therefore, provides greater assurance of reliability than that obtained solely from the entity's
own records. The bank confirmation is mentioned as a source of external third party evidence in
HKSA 505 (Clarified).

5.2 Confirmation requests

Topic highlights
The bank confirmation letter can be used to ask a variety of questions, including queries about
outstanding interests, contingent liabilities and guarantees.

The auditors should decide from which bank or banks to request confirmation, having regard to
such matters as size of balance, volume of activity, degree of reliance on internal controls,
and materiality within the context of the financial statements.

392
 13: Specific audit procedures | Part D Assurance engagements

The auditors should determine which of the following approaches is the most appropriate in
seeking confirmation of balances or other information from the bank:
 Listing balances and other information, and requesting confirmation of their completeness,
accuracy, valuation and allocation
 Requesting details of balances and other information, which can then be compared with
the entity's records
In determining which of the above approaches is the most appropriate, the auditors should weigh
the quality of audit evidence they require in the particular circumstances against the practicality
of obtaining a reply from the confirming bank.
Difficulty may be encountered in obtaining a satisfactory response even where the entity submits
information for confirmation to the confirming bank. It is important that a response is sought for all
confirmation requests. Auditors should not usually request a response only if the information
submitted is incorrect or incomplete.

5.2.1 Preparation and despatch of requests and receipt of replies

Control over the content and despatch of confirmation requests is the responsibility of the auditors.
However, it is necessary for the request to be authorised by the entity. Replies should be returned
directly to the auditors and to facilitate such a reply, a pre-addressed envelope should be enclosed
with the request.

5.2.2 Content of confirmation requests

The form and content of a confirmation request letter will depend on the purpose for which it is
required and on local practices.
The most commonly requested information is in respect of balances due to or from the entity on
current, deposit, loan and other accounts. The request letter should provide the account
description number and the type of currency for the account.
It may also be advisable to request information about nil balances, and accounts which were
closed in the twelve months prior to the chosen confirmation date. The entity may ask for
confirmation not only of the balances on accounts but also, where it may be helpful, other
information, such as the maturity and interest terms on loans and overdrafts, unused facilities, lines
of credit/standby facilities, any offset or other rights or encumbrances, and details of any collateral
given or received.
The entity and its auditors are likely to request confirmation of contingent liabilities, such as those
arising on guarantees, comfort letter, bills and so on.
Banks often hold securities and other items in safe custody on behalf of customers. A request
letter may therefore ask for confirmation of such items held by the bank.
Auditor should state clearly the year end date on the confirmation. The auditors should check that
the bank has answered all the questions on the confirmation. If there is no reply, auditor should
follow up. Confirmation should be set in a standard form and any additional questions should be
attached with the confirmation.

5.2.3 Additional local guidance on bank confirmation requests

Additional local guidance is provided in HKSA 505 (Clarified) Appendix 1, which deals with
communication with banks but also applies to confirmations requested of other financial institutions,
for example, deposit-taking companies.
The auditor should send bank confirmation requests when the entity's banking activities, including
treasury operations, are significant to the audit.
The use of a standard bank request form is considered to be of benefit to both the banks and the
auditor for the confirmation or provision of information which is customarily held by banks.
When the auditor requires information of matters not covered by the standard request form, a
separate letter would be sent to cover the particular matter.

393
 Business Assurance

The auditor will review the bank's reply. The auditor may need to carry out additional tests on
matters relating to the entity's banking relationship.

5.2.4 Bank cut-off

Care must be taken to ensure that there is no window dressing, by auditing cut-off carefully.
Window dressing in this context is usually manifested as an attempt to overstate the liquidity of the
entity by:
(a) Keeping the cash book open to take credit for remittances actually received after the year-
end, therefore enhancing the balance at bank and reducing receivables
(b) Recording cheques paid in the period under review which are not actually despatched until
after the year-end, thus decreasing the balance at bank and reducing liabilities

5.3 Common audit procedures

Audit plan: Bank
 Obtain standard bank confirmations from each bank with which the entity conducted
business during the audit period.
 Reperform arithmetic of bank reconciliation.
 Trace cheques shown as outstanding from the bank reconciliation to the cash book prior to
the year-end and to the after-date bank statements and obtain explanations for any large or
unusual items not cleared at the time of the audit.
 Compare cash book(s) and bank statements in detail for the last month of the year, and
check items outstanding at the reconciliation date to bank statements.
 Review bank reconciliation previous to the year-end bank reconciliation and check that all
items are cleared in the last period or taken forward to the year-end bank reconciliation.
 Obtain satisfactory explanations for all items in the cash book for which there are no
corresponding entries in the bank statement and vice versa by discussion with finance
staff.
 Verify contra items appearing in the cash books or bank statements with original entry.
 Verify by inspecting paying-in slips that uncleared bankings are paid in prior to the year-end.
 Examine all lodgements in respect of which payment has been refused by the bank; ensure
that they are cleared on representation or that other appropriate steps have been taken to effect
recovery of the amount due.
 Verify balances per the cash book according to the bank reconciliation by inspecting cash
book, bank statements and general ledger.
 Verify the bank balances with reply to standard bank confirmation and with the bank
statements.
 Inspect the cash book and bank statements before and after the year-end for exceptional
entries or transfers which have a material effect on the balance shown to be in-hand.
 Identify whether any accounts are secured on the assets of the entity by discussion with
management.
 Consider whether there is a legal right of set-off of overdrafts against positive bank balances.
 Determine whether the bank accounts are subject to any restrictions by inquiries with
management.
 Review draft financial statements to ensure that disclosures for bank are complete and
accurate and in accordance with accounting standards.

394
 13: Specific audit procedures | Part D Assurance engagements

5.4 Auditing cash

Topic highlights
Cash balances should be verified if they are material or irregularities are suspected.

Auditors will be concerned that the cash exists, is complete, and belongs to the entity (rights and
obligations) and is stated at the correct value.
Where the auditors determine that cash balances are potentially material they may conduct a cash
count, ideally at the period-end. Rather like attendance at an inventory count, the conduct of the
count falls into three phases: planning, the count itself, and follow-up procedures.
Some of the common procedures are as follows:
 Count cash balances held and agree to petty cash book or other record:
– Count all balances simultaneously
– All counting to be done in the presence of the individuals responsible
– Inquire into any IOUs or cashed cheques outstanding for a long period of time
 Obtain certificates of cash-in-hand from responsible officials
 Confirm that bank and cash balances as reconciled above are correctly stated in the
financial statements

6 Trade payables and accruals

Topic highlights
The largest figure in current liabilities is usually trade accounts payable which are generally
tested by the comparison of suppliers' statements with purchase ledger accounts.

6.1 Audit procedures

As with accounts receivable, accounts payable are likely to be a material figure in the statement of
financial position of most entities. The tests of controls on the purchases cycle will have also
provided the auditors with some assurance as to the completeness of liabilities.
However, when conducting their work on the statement of financial position, auditors should be
particularly aware of the risk that an entity may wish to understate its liabilities in order to improve
its liquidity ratios and enhance profits (by understating the corresponding purchases). The auditors
will want reasonable assurance therefore that liabilities existing at the period end have been
completely and accurately recorded.
For trade payables, auditors will seek assurance on the two following points:
 Is there an effective cut-off between goods received and invoices received, so that
purchases and trade payables are recognised in the correct period?
 Do trade payables represent the actual amounts owed by the entity?
Generally, the inherent risks of material misstatement in completeness of accounts payable would
be deemed to be normal/medium. If the auditor is satisfied by the entity's internal controls he may
reduce the combined risks, (inherent risk and control risk) of material misstatement to low.
Before you look at how the auditors may design and conduct their tests with regards to accounts
payable, you need to appreciate why the list of balances is important and how this information is
used.

395
 Business Assurance

The following table sets out audit procedures to test trade payables and accruals:

Audit plan: Trade payables and accruals

Completeness  From a listing of trade payables reconcile the total to the

general ledger by casting and cross-casting.
 Consider whether there could be significant unrecorded
liabilities by inquiries of management; examine post year-end
transactions.
 Select a sample of suppliers' statements and trace these back
to the supplier's accounts.
 Examine files of unmatched purchase orders and supplier
invoices for any unrecorded liabilities.
 Perform a confirmation of trade payables for a sample (see
Section 6.2 for details of the trade payables' confirmation).
 Complete the disclosure checklist to ensure that all the
disclosures relevant to liabilities have been made.
 Perform comparisons of the following data to check for
reasonableness:
– Current year balances for trade payables and accruals to the
previous year.
– The amounts owed to a sample of individual suppliers in the
trade payables listing to amounts owed to these suppliers in
the previous year.
– The payables' turnover and payables' days to the previous
year and industry data.
Existence  Vouch selected amounts from the trade payables listing and
accruals schedule to supporting documentation (purchase
orders and suppliers' invoices and so on).
 Reconcile a selection of suppliers' statements to the relevant
suppliers' accounts.
 Perform a confirmation of trade payables for a sample.
 Perform analytical procedures which compare current period
balances to the previous period to test reasonableness. Use
ratios to calculate payables' turnover and compare the results to
the previous year.
Rights and obligations  Vouch a sample of balances to supporting documentation to
obtain audit evidence on rights and obligations.

396
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Trade payables and accruals

Accuracy, valuation and  Recalculate the sample of suppliers' invoices to confirm the
allocation amounts due are correct.
 Vouch selected samples from the trade payables listing and
accruals listing to the supporting documentation (purchase orders,
minutes authorising expenditure and suppliers' invoices etc.).
 Select suppliers' statements and reconcile these to the relevant
suppliers' accounts.
 For accruals, recalculate the amount of the certain accrual to
ensure the calculation is correct.
Perform the following comparisons:
 The current period balances for trade payables and accruals to
the previous period.
 The amounts owed to a sample of individual suppliers in the
trade payables listing to amounts owed to these suppliers in the
previous year.
 The payables' turnover and payables' days to the previous year
and industry data.
Cut-off  For a sample, compare the actual dates with the dates they
were recorded in the ledger to check cut-off has been applied
correctly.
 Test transactions either side of the period end to determine
whether amounts have been correctly recognised.
 Perform analytical procedures on purchase returns, by
comparing the purchase returns as a percentage of sales or
cost of sales to the previous year.
Occurrence  For a sample of vouchers, inspect supporting documentation
such as authorised purchase orders.
Classification  Review the trade payables listing to identify any large debits
(which should be reclassified as receivables or deposits) or
long-term liabilities which should be disclosed separately.
Presentation  Read the disclosure notes to ensure the information is accurate
and properly presented at the appropriate amounts.

6.2 Confirmation of trade payables

Confirmation of trade payables is not often used in practice because the auditor can test trade
payables by examining reliable, independent evidence in the form of suppliers' invoices and
suppliers' statements. However, it may be used where an entity's internal controls are weak, and
suppliers' statements are available where other internal documentation is not. Confirmation of trade
payables provides evidence primarily for the completeness assertion.
What confirmations will take place will depend on the auditor's assessment of internal control:
(a) Where the entity has strong internal controls and the auditor has reasonable assurance
that all liabilities are recorded, the confirmation will focus primarily, if not entirely, on large
balances.
(b) Where the auditor suspects there may be unrecorded liabilities, regular suppliers who
have small or zero balances on their accounts and a sample of other accounts will be
confirmed in addition to any large balances.

397
 Business Assurance

Auditors use a positive confirmation (referred to as a blank or zero-balance confirmation). This

means the confirmation does not state the amount owed but requires the supplier to provide a
detailed statement of the account, including the balance owed at the period end. When the
confirmation is received back, the amount must be reconciled with the entity's records.

Self-test question 5
You are a practising CPA and are engaged as the auditor of Amy Limited, a garment
manufacturing company. In the course of audit planning for the year ending 30 June 20X3, you
noted that the balance of the accounts payable, which is a material item on the financial statements,
is 50% lower than the corresponding amount of 30 June 20X2 and there is no significant change in
the business scale of Amy Limited.
Required:
(a) Assess and explain the level of risk of material misstatements relating to the completeness
assertion of the accounts payable of Amy Limited as at 30 June 20X3. (5 marks)
(b) Audit confirmation is a common audit tool. Suggest the audit confirmation procedures you
would perform for Amy Limited's accounts payable in the following:
 Selecting the accounts payable balances on which to perform the confirmation
 Controlling the accuracy and validity of the confirmation letters
 Controlling proper response to the confirmation request (7 marks)
(c) What are the appropriate follow up procedures if you do not receive the confirmation reply
after a reasonable period of time? (4 marks)
(Total = 16 marks)
HKICPA June 2013 (amended)
(The answer is at the end of the chapter)

7 Non-current liabilities

Topic highlight
Non-current liabilities are usually authorised by the board and should be clearly documented.

In this section we focus on non-current liabilities such as debentures, loan stock and other loans
repayable at a date more than one year after the year-end.
Auditors will primarily try to determine the following:
(a) Completeness: whether all non-current liabilities have been adequately recognised
(b) Accuracy: whether interest payable has been calculated correctly and included in the
correct accounting period
(c) Classification and presentation: whether long-term loans and interest have been correctly
disclosed in the financial statements. The risk of material misstatement in classification of
bank loans is usually low, since the terms of bank loans are clearly set out in the loan
agreements.
The main issue for the auditors is that debenture and loan agreements often stipulate conditions
with which the entity must comply, which may mean restrictions on the entity's total borrowings or
adherence to specific borrowing ratios.

398
 13: Specific audit procedures | Part D Assurance engagements

A minimal level of substantive procedures usually suffices unless there are new loans raised during
the reporting period, and tests will consist of substantive analytical procedures and obtaining
confirmation from the banks.

Audit plan: Non-current liabilities

 Either obtain or prepare a schedule of loans outstanding at the reporting date. For each
loan information should be given about the name of the lender, the date of the loan, the
maturity date, the interest date, the interest rate, the balance at the end of the period and
what the terms are regarding security.
 Compare opening balances to previous year's records.
 Test the clerical accuracy of the analysis.
 Compare balances to the general ledger.
 Agree name of lender etc, to register of debenture holders or equivalent (if kept).
 Trace additions and repayments to entries in the cash book.
 Confirm repayments are in accordance with loan agreement.
 Examine cancelled cheques and memoranda of satisfaction for loans repaid.
 Ascertain that borrowing restrictions imposed by agreements are not exceeded.
 Read signed board minutes relating to new borrowings/repayments.

 Obtain direct confirmation from lenders of the amounts outstanding, accrued interest
and what security they hold.
 Verify interest charged for the period and the adequacy of accrued interest.
 Confirm assets charged have been entered in the register of charges and notified to
the Registrar.
 Review any restrictive covenants in loan agreements and impairment losses relating to
default:
– Review any correspondence relating to the loan
– Review confirmation replies for non-compliance
– In the event of a default, determine its effect, and record findings
 Review minutes and cash book to confirm that all loans have been recorded.
 Review draft financial statements to ensure that disclosures for non-current liabilities
are correct and in accordance with relevant accounting standards. Elements repayable
within one year should be classified under current liabilities.

8 Litigation and claims

Topic highlight
The accounting treatments for litigation and claims is complex and involves judgment and this can
make them difficult to audit.

399
 Business Assurance

8.1 Audit of litigation and claims

HKSA Part of HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected items covers
501.10, 11, 12 contingencies relating to litigation and legal claims, which represent the major part of audit work on
contingencies. Litigation and claims involving the entity may have a material effect on the financial
statements, and so are required to be disclosed or accounted for in the financial statements.
The auditor should carry out procedures in order to become aware of any litigation and claims
involving the entity which may have a material effect on the financial statements. Such procedures
would include the following:
(a) Make appropriate inquiries of management and others within the entity including in-
house legal counsel
(b) Review minutes of meetings of those charged with governance and correspondence with
the entity's lawyers
(c) Examine legal expense accounts
(d) Use any information obtained regarding the entity's business including information obtained
from discussions with any in-house legal department

8.1.1 Litigation and claims identified

When litigation or claims have been identified or when the auditor believes they may exist, the
auditor should seek direct communication with the entity's external legal counsel. This will help to
obtain sufficient appropriate audit evidence as to whether potential material litigation and claims are
known and management's estimates of the financial implications, including costs, are reliable.
When the auditor determines that the risk of material misstatement is a significant risk in which
this case relates to litigation and claims, the auditor shall evaluate the design of the entity's related
controls and determines whether they have been implemented. The communication may be in
writing and should be consented by management due to confidentiality.

8.1.2 Letter to the entity's external legal counsel

HKSA 501 (Clarified) discusses the form of the direct communication: communication should be
'through a letter of inquiry, prepared by management and sent by the auditor, requesting the
entity's external legal counsel to communicate directly with the auditor'.
A letter of general inquiry requests the entity's external legal counsel to inform the auditor of:
 Any litigation and claims of which counsel is aware
 Assessment of the outcome of the litigation and claims
 Estimate of the financial implications, including costs
If it is thought unlikely that the entity's external legal counsel will respond appropriately to a general
inquiry, the letter of specific inquiry should specify the following:
(a) A list of litigation and claims
(b) Management's assessment of the outcome of the litigation or claim and its estimate of the
financial implications, including costs involved
(c) A request that the entity's external legal counsel confirm the reasonableness of
management's assessments and provides the auditor with further information if the list is
considered by counsel to be incomplete or incorrect
The auditors must consider these matters up to the date of their report and so a further, updating
letter may be necessary.

400
 13: Specific audit procedures | Part D Assurance engagements

8.1.3 Disagreement between management and the entity's external legal

counsel
A meeting between the auditors and the entity's external legal counsel may be required, for
example where a complex matter arises, or where there is a disagreement between management
and the entity's external legal counsel. Such meetings should take place only with the permission of
management, and preferably with a management representative present.

8.1.4 Management refuses permission to communicate

HKSA 501 (Clarified) states the auditor shall perform alternative audit procedures when law,
regulation or any professional body prohibits the entity's external legal counsel from communicating
directly with the auditor.
The auditor shall modify the auditor's report in accordance with HKSA 705 (Revised) by giving
limitation on scope or a disclaimer of report in the event of either of the following:
(a) Management refuses to give the auditor permission to communicate or meet with the entity's
external legal counsel or the entity's external legal counsel refuses to respond appropriately
to the letter of inquiry or is prohibited from responding
(b) Auditor is unable to perform alternative audit procedures in order to obtain sufficient
appropriate audit evidence

8.1.5 Written representations

HKSA 501 (Clarified) requires that the auditor shall request management or those charged with
governance to provide written representations that all known actual or possible litigation and
claims whose effects should be considered when preparing the financial statements have been
disclosed to the auditor have been:
 Accounted for
 Disclosed in accordance with the applicable financial reporting framework

8.2 Provisions for litigation and claims

The auditor should consider whether management has recognised any provisions in the financial
statements for litigation and claims. If not, the auditor should consider whether it is necessary to do
so. The auditor should perform audit procedures such as those described in the table below.

Audit plan: Provisions/contingencies for litigation and claims

 Obtain details of all provisions which have been included in the financial statements and
all contingencies that have been disclosed.
 Obtain a detailed analysis of all provisions showing opening balances, movements and
closing balances.
 Determine for each material provision whether the entity has a present obligation as a
result of past events by:
– Review of correspondence relating to the item.
– Discussion with the directors. Have they created a valid expectation in other parties
that they will discharge the obligation?
 Determine for each material provision whether it is probable that a transfer of economic
benefits will be required to settle the obligation through the following procedures:
– Checking whether any payments have been made in the post year-end period in
respect of the item by reviewing after-date cash.

401
 Business Assurance

Audit plan: Provisions/contingencies for litigation and claims

– Review of correspondence with solicitors, banks, customers, insurance company
and suppliers both pre- and post year-end.
– Sending a letter to the legal counsel to obtain their views (where relevant).
– Discussing the position of similar past provisions with the directors. Were these
provisions eventually settled?
– Considering the likelihood of reimbursement.
 Recalculate all provisions made.
 Compare the amount provided with any post year-end payments and with any amount paid
in the past for similar items.
 In the event that it is not possible to estimate the amount of the provision, check that a
contingent liability is disclosed in the financial statements.
 Consider the nature of the entity's business. Would you expect to see any other
provisions, such as warranties?
 Consider the adequacy of disclosure of provisions and contingent liabilities in accordance
with HKAS 37 Provisions, Contingent Liabilities and Contingent Assets.

9 Audit of provisions

Topic highlight
The key issues in the audit of provisions are existence and accuracy, valuation and allocation.

The approach to auditing provisions is similar to that for the audit of contingencies.

Audit plan: Provisions/contingencies

 Obtain details of all provisions which have been included in the financial statements.
 Obtain a detailed analysis of all provisions showing opening balances, movements
and closing balances.
 Determine for each material provision whether the company has a present obligation
as a result of past events by:
– Review of correspondence relating to the item.
– Discussion with the directors. Have they created a valid expectation in other
parties that they will discharge the obligation?
 Determine for each material provision whether it is probable that a transfer of
economic benefits will be required to settle the obligation by:
– Checking whether any payments have been made in after the date of the
financial statements in respect of the item.
– Review of correspondence with solicitors, banks, customers, insurance
company and suppliers both pre and post year end.
– Sending a letter to the solicitor to obtain their views (where relevant).

402
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Provisions/contingencies

– Discussing the position of similar past provisions with the directors. Were
these provisions eventually settled?
– Considering the likelihood of reimbursement.
 Recalculate all provisions made.
 Compare the amount provided with any post year end payments and with any amount
paid in the past for similar items.
 In the event that it is not possible to estimate the amount of the provision, check that
this contingent liability is disclosed in the accounts.
 Consider the nature of the client's business. Would you expect to see any other
provisions eg warranties?
 Consider adequacy of disclosure of provisions.

10 Capital and other issues

Topic highlights
The audit of share capital and reserves is mainly concerned with the entity's compliance with
legal and regulatory requirements.

The auditor must agree the issued share capital as stated in the financial statements to the total
recorded in the share register.
Where an entity handles its own registration work an examination of share transfers on a test basis
should be performed. Where independent registrars carry out the work on behalf of an entity, the
auditors will normally examine the reports submitted by them to the entity, and obtain from them a
certificate of the share capital in issue at the period end.
Auditors should carry out careful checks as to whether entities have complied with local legislation
regarding the issue or purchase of their own shares. Auditors should take particular care if there
are any movements in reserves that cannot be distributed, and should confirm that these
movements are valid.

403
 Business Assurance

Audit plan: Capital and related issues

Issue of shares  Verify any issue of share capital or other changes during the year with
general and board minutes.
 Ensure issue or change is within the terms of the constitution, and
directors possess appropriate authority to issue shares.
 Confirm that cash or other consideration has been received or
receivable(s) is included as called-up share capital not paid.
Transfer of  Verify transfers of shares by reference to:
shares – Correspondence
– Completed and stamped transfer forms
– Cancelled share certificates
– Minutes of directors' meetings.
 Review the balances on shareholders' accounts in the register of
members and the total list with the amount of issued share capital in the
general ledger.
Dividends  Agree dividends paid and proposed to authority in minute books and
check calculation with total share capital issued to ascertain whether
there are any outstanding or unclaimed dividends.
 Agree dividend payments with documentary evidence such as the
returned dividend warrants.
 Check that dividends do not breach the distribution legislation.
 Check that imputed tax has been accounted for to the taxation authorities
and correctly treated in the financial statements.
Reserves  Agree movements on reserves to supporting authority.
 Ensure that movements on reserves do not contravene the legislation
and the entity's constitution.
 Confirm that the entity can distinguish distributable reserves from those
that are non-distributable.
 Ensure appropriate disclosures of movements on reserves are made in
the entity's financial statements by inspection of the financial statements.

11 Segment information

Topic highlights
The entity may be required or permitted to disclose segment information in the financial statements
according to the applicable financial reporting framework.

HKSA 501.13 The auditor is not required to perform audit procedures that would be necessary to express an
opinion on the segment information presented on a stand alone basis but rather the auditor has
responsibility regarding the presentation and disclosure of segment information in relation to the
financial statements taken as whole.
According to HKSA 501 (Clarified) Audit Evidence – Specific Considerations for Selected items,
when segment information is material to the financial statements, the auditor should obtain
sufficient appropriate audit evidence regarding its presentation and disclosure of segment
information in accordance with the applicable financial reporting framework (ie HKAS) by:
(a) Performing analytical procedures or other appropriate audit procedures appropriate in the
circumstances

404
 13: Specific audit procedures | Part D Assurance engagements

(b) Obtaining an understanding of the methods used by management in determining segment

information; such as:
(i) Evaluating whether such methods are likely to result in disclosure in accordance with
the applicable financial reporting framework
(ii) Where appropriate, testing the application of such methods
Requirement of disclosure of segment information
The entity may be required or permitted to disclose segment information in the financial
statements, depending on the applicable financial reporting framework.
The auditor's responsibility regarding the presentation and disclosure of segment information is in
relation to the financial statements taken as a whole.
Non-requirement of expression of opinion
Accordingly, the auditor is not required to perform audit procedures that would be necessary to
express an opinion on the segment information presented on a standalone basis.

11.1 Segment information

When obtaining an understanding of the methods used by management in determining segment
information and whether such methods are likely to result in disclosure in accordance with the
applicable financial reporting framework, auditors can perform or examine the following:
(a) Sales, transfers and charges between segments, and elimination of inter-segment amounts
(b) Comparisons with budgets and other expected results, for example, operating profits as a
percentage of sales
(c) The allocation of assets and costs among segments
(d) Consistency with prior periods, and the adequacy of the disclosures with respect to
inconsistencies.

12 Revenue
Topic highlights
For verification of revenue, auditors have to be aware of bill and hold arrangements and
consignment arrangements.

Revenue is a material figure in the financial statements where the auditor devotes special
attention. In most cases, an auditor would perform analytical review at the beginning in order to
predict the relationship of revenue to other figures in the financial statements.
The auditor wants to ensure revenue is completely and accurately recorded.
For financial statement assertions that are relevant to revenue, the auditor would concentrate on:
completeness, accuracy and cut-off.
The audit procedures are listed here:

Audit plan: Revenue

Completeness Analytical procedures
 Compare current year's revenue level with last year.
 Consider the effect on revenue value of changes in quantities sold or
products or prices.

405
 Business Assurance

Audit plan: Revenue

 Check the level of goods returned, sales allowances and discounts.
 Calculate the gross profit margin and record the reasons for changes.
 Perform a detailed analysis of the gross profit margin.
Vouching and tracing
 Trace from goods despatch notes or till rolls to revenue.
 Ensure sales invoices and despatch notes are all pre-numbered.
Cut-off  Obtain details of the last serial numbers of despatch notes issued
before the commencement of any inventory count.
 Ensure the entity has recorded all movement of inventory within the
period.
 Consider the last goods received notes and despatch notes prior to
and after the inventory count.
 Observe whether correct cut-off procedures are being followed in the
despatch and receiving areas.
 Check invoices and credit notes are dated in the correct period.
 Check invoices and credit notes are posted to the sales ledger and
general ledger in the correct period.
 Reconcile entries in sales ledger around the year end to daily batch
totals to ensure posting is correct and ensure the liability has been
recorded in the correct period.
 Review sales ledger control account around year end for unusual
items.
 Review material after-date invoices, credit notes and adjustments.
 Review shipment terms for goods in transit.
 Test inventory received and revenue after period-end and items in
transit.
 Examine sales transactions and supporting documentation for a
period before the physical inventory count and determine that goods
shipped before the physical inventory count have been included in
revenue and cost of sales, and that goods included in inventory are
not included in revenue and cost of sales.
 Determine that inventory received after period-end for which title had
passed as of the reporting date was reflected in goods in transit and
in accounts payable.
 Determine that recorded goods in transit were received after period-
end.
Accuracy  Cast the additions on invoices and check the pricing calculations.
 Check calculations of discounts.
 Check any purchase tax has been added appropriately.
 Trace any debits in the revenue account.
 Review reconciliations of sales ledger control account and investigate

406
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Revenue

on any unusual items.
 Review whether entity is following HKAS, new Companies Ordinance
(Cap. 622), and applies the accounting policies consistently
throughout the periods ie consistently following revenue recognition.
 Specific review on sales with higher discount or longer repayment
terms is required to ensure that the corresponding revenue and
receivables should be accounted for in accordance with HKFRS 15
Revenue from Contracts with Customers and HKFRS 9 Financial
Instruments.
 Ensure compliance with HKFRS 15 Revenue from Contracts with
Customers when recording revenue in respect of goods and services.
HKFRS 15 requires a five-step model to be applied in determining
when and at what amount revenue should be recognised (especially
in the first year of application).
 Review disclosures to ensure the numerous disclosure requirements
of HKFRS 15 are met (especially in the first year of application).
 Direct confirmation (positive or negative confirmation) meaning
verification of the accuracy from independent third party.
 Check to ensure that the sales have been properly authorised and
reviewed.
 Review revenue budget and forecast.

Self-test question 6
You are the auditor of Think Limited, a furniture manufacturer with a factory in Dongguan, China.
During the planning of the audit for the year ended 31 March 20X4, you obtained the following
financial information:
20X4 20X3
HK$'million HK$'million
Revenue 525 285
Cost of goods sold 350 242
Gross Profit 175 43

Property, plant and equipment 425 495

Accounts receivable 232 75
Accounts payable 155 105
Required
(a) Assess and explain the risk of material misstatement relating to the occurrence assertion of
revenue for the year ended 31 March 20X4. (4 marks)
(b) Discuss and propose the audit procedures for the occurrence assertion of revenue.
(6 marks)
(Total = 10 marks)

HKICPA June 2014 (amended)

(The answer is at the end of the chapter)

407
 Business Assurance

12.1 Bill and hold arrangements

HKFRS 15 defines a bill-and-hold arrangement as a contract under which an entity bills a
customer for a product but the entity retains physical possession of the product until it is transferred
to the customer at a point in time in the future. In order for the seller to recognise revenue in this
situation, control of the goods must have passed to the customer. Control may pass at the point of
delivery or when the product is shipped or at an earlier date ie the customer may obtain control
even though the seller has physical possession of the product.
In a bill and hold arrangement, in order for control to have passed, HKFRS 15 requires that the
following criteria must all have been met:
1 The reason for the bill and hold must be substantive (eg requested by the customer).
2 The product must be identified as belonging to the customer.
3 The product must be ready for physical transfer to the customer.
4 The entity cannot be able to use the product or transfer it to another customer.
To ensure these criteria are met, the auditor should perform the following additional procedures:
(a) Inquire of entity's management their reason for recognising bill and hold revenue and inspect
evidence of this
(b) Inspect the product to ensure it is ready for delivery, marked as belonging to the customer
and not being used by the entity
(c) Check that products recognised as bill and hold revenue are not included within inventory

12.2 Consignment arrangements

12.2.1 Risks related to consignment arrangements
When the entity has revenue from consignment arrangements in the financial statements, the risk
of material misstatement will be higher.
Recognition of revenue from consignment arrangements has the following risks:
Completeness
Consignees may not have a good accounting system to report in a timely way to the consignor
when the consignment goods are sold to third party customers. As it may take considerable time
for the consignees to prepare and provide the consignor with information on the consignment
goods that have been sold, a delay may result in the recognition of revenue from consignment
arrangements.
Occurrence
Revenue from consignment arrangements may not be properly identified and separated from
normal revenue. This may result in early recognition of revenue from consignment arrangements at
the time when goods are delivered to the consignee even before the performance obligation has
been satisfied.
Accuracy
The entity's accounting staff may not be familiar with HKFRS 15 and may not be able to apply the
requirements correctly to revenue from consignment arrangements.
Cut-off
Revenue may be recognised in the wrong accounting period. For example revenue may be
recognised too early where recognition is on delivery to the consignee, even though control has not
passed. Management may use consignment arrangements to manipulate revenue figures.

408
 13: Specific audit procedures | Part D Assurance engagements

12.2.2 Audit procedures on revenue from consignment arrangements

Audit plan: Revenue from consignment arrangements
 Discuss with local management the internal controls that are in place to:
– Identify the existence of revenue from consignment arrangements
– Ensure proper recognition of revenue from consignment arrangements
 Obtain an understanding of consignor's arrangements for revenue from consignment
arrangements by reviewing its consignment revenue agreements with major consignees.
 Perform walkthrough tests to confirm the auditors' understanding of the entity's system and
perform compliance tests on key internal controls.
 Perform cut-off tests on goods sold by the consignees before and after the year-end.
 Perform an analytical review of the consignees' payables balances and review subsequent
payment movement by vouching for relevant supporting documents to note any cut-off
errors.
 Review correspondence with consignees, particularly in relation to the consignment
arrangements and/or consignment sales returns and look for any delay in revenue
recognition.
 Review periodic consigned goods reports provided by the consignees to match the entity's
internal documentation. Ensure that any variance found was properly explained.
 Review and obtain explanations for any long outstanding receivables by the consignees,
which may indicate early recognition of revenue from consignment arrangements.
 Attend an inventory count to ensure the existence of consignment inventories if the amount
is material. Review the entity's consignment inventory reports and compare them to the
inventory count results to ensure the accuracy of the entity's consignment inventory
balances.
 Perform direct circularisation to selected consignees for sales transactions balances and
consignment inventories balances in any particular time frame to ensure the accuracy of
record-keeping between entity and consignees.

13 Purchases
Topic highlights
For verification of purchases, auditors may consider trade payables from the point of directional
testing.

The objectives for purchases and trade payables imply that:

(a) Goods and services should only be ordered in the correct quantity, quality and at the best
terms after appropriate requisition and approval
(b) All suppliers' invoices should be examined against proper authorised purchase orders
(c) All goods and services invoiced should be properly recorded in the accounting records on a
timely basis
(d) All purchases and trade payables should be properly classified in the financial statements

409
 Business Assurance

13.1 Internal controls

Auditors shall perform tests of controls by searching the following key internal controls:
(a) Requisition forms should be pre-numbered and should be approved by authorised persons.
Any blank forms should be controlled and recorded and the purchase department should not
be allowed to raise purchase requisitions
(b) Purchase orders should be pre-numbered and be created only based on approved items of
the requisition forms. Again blank form should be controlled and recorded
(c) Order procedures should involve tendering and receiving quotations from suppliers
(d) Sequence checks of purchase orders should be performed regularly
(e) Goods received notes and debit notes should be pre-numbered and should be sent
separately to different departments
(f) Proper controls should be placed on different types of documents such as suppliers'
invoices, vouchers and purchase ledgers
(g) Budgetary techniques should be used to control all goods and services purchased
(h) Proper cut-off procedures should be established

13.2 Substantive procedures

After obtaining understanding and ascertaining the effectiveness of the internal controls over
purchases and trade payables, the auditors shall determine the extent and timing of substantive
procedures.
Auditors should check the occurrence, completeness and cut-off assertions for all purchase
transactions. Valid reasons should be ascertained for the purchase transactions.
The following are the audit procedures to test the relevant financial statement assertions:

Audit plan: Purchases

Occurrence  Perform analytical procedures such as compare the level of purchases
and expenses of this year with previous year's level.
 Consider the ratio of trade payables to purchases and the ratio of
trade payables to inventory as compared with last year.
 Review the voucher register and purchase ledger for large or unusual
items.
 Check purchases and other expenses recorded in the purchase or
general ledger or cash to supporting documents such as approved
requisition forms, goods received notes or suppliers' invoices etc to
ensure all the purchases are valid and are allocated to the correct
purchase ledger.
 Perform external confirmations for a sample of trade payables'
balances.
 Consider any credit balances for purchases.

410
 13: Specific audit procedures | Part D Assurance engagements

Audit plan: Purchases

Completeness  Perform analytical procedures such as compare the level of purchases
and expenses of this year with previous year's level.
 Consider the ratio of trade payables to purchases and the ratio of
trade payables to inventory as compared with last year.
 Consider the effect on purchase value of changes in quantities
purchased or products or prices.
 Consider reasonableness of deductions and subsequent events.
 Consider any credit balances for purchases.
 Ensure payables are properly measured in accordance with HKFRS 9.
 Perform external confirmations for trade payables' balances.
 Perform procedures to search for unrecorded liabilities, such as
examining post year-end bank statements.
Cut-off  Check prenumbering of goods received notes before year end to
ensure invoices are posted to purchase ledger prior to year end or
included in accruals.
 Ensure last year accruals are not expenses again in the current year.
 Check goods returned notes prior to year end.
 Review large invoices credit notes after the year end.
 Review outstanding purchase orders for purchases completed but not
invoiced.
 Select goods received notes before and after year-end and check
against invoices entered in purchases, inventory and creditor accounts
for correct cut-off.
 Perform external confirmations for trade creditors' balances.
 Reconcile entries in sales ledger around the year end to daily batch
totals to ensure posting is correct and ensure the liability has been
recorded in the correct period.
 Review the control account around the year end for unusual items.

14 Wages and salaries

Topic highlights
Controls testing will normally be a key part of the audit of wages and salaries.
Payroll is an area where misappropriation through fraud is a risk.

14.1 Internal controls

Auditors shall perform tests of controls by searching the following key internal controls:
(a) Employee records or files should be maintained for each employee ie by the human
resources department.
(b) Employment procedures should be specified and documented ie employing and dismissing
an employee.

411
 Business Assurance

(c) Duty reporting records ie time-sheets or clock card records should be maintained.
(d) Output or piecework records for the employee salaried on their piecework performed should
be properly controlled and evidenced.
(e) A senior officer should be appointed to review independently the payroll records.
(f) Preparation of payroll should be performed by independent staff who are not involved in
employment duties.
(g) Proper control and documentation are required for check payment, cash payment and direct
debits.
(h) Deductions of Mandatory Provident Fund (MPF) or other pension contributions should be
properly reviewed and remitted.
(i) Independent review and comparison should be performed on a regular and on surprise basis.
(j) Comparison between the actual and budgeted payroll should be performed regularly.
Other tests of controls that could be done are:
(a) Review payroll costs ie checking authorisation
(b) Attend wages payoff and observe the procedures in operation
(c) Review records of employees

14.2 Substantive procedures

Analytical procedures are a good start to audit wages and salaries, that is, compare this year's
figures with last year, consider the wage rate changes and the sales/profits per employee.
For more specific procedures to test the financial statement assertions, please refer to the
following:

Audit plan: Wages and salaries

Occurrence  Examine personnel records, employment contracts to verify each
individual remuneration.
 Attend wage payout on an irregular basis.
 Investigate long outstanding payroll checks.
 Inspect tax records.
 Confirm with HR department.
 Conduct analytical procedures such as comparing payroll expenses
with prior years.
Accuracy  Check calculations of remuneration by re-computing.
 Check any deductions from salary such as pension or MPF.
Completeness  Cast check payroll records.
 Test commission expenses.
 Scrutinise payroll and investigate unusual items.
 Agree net pay to payroll ledger.

Self-test question 7
The following are independent situations. All items involved are material.
(a) The impairment loss for warranty account has a balance of HK$800,000 which is the same
as that of last year.
(b) A subsidiary engaged in importing has been audited by the Customs and Excise Department
which alleges that the entity has been avoiding customs duty on products it is importing.

412
 13: Specific audit procedures | Part D Assurance engagements

Management has indicated that it disagrees with this contention and will strenuously defend
the subsidiary's position. The entity has instructed its external legal counsel to handle the
dispute.
(c) You have sent confirmation requests to four major customers and the responses received
are as follows:
(i) 'Sorry, can't answer request unless you supply details of all invoices outstanding.'
(ii) 'Our balance of amount due to you at 31 December 20Y0 was HK$170,000. We have
paid your invoice dated 15 December 20Y0 of HK$160,000 last week on 23 February
20Y1. The remaining HK$10,000 is for your invoice dated 24 December 20Y0. We
don't know where your extra HK$20,000 came from'. (In your client's receivables
ledger, the balance at 31 December 20Y0 was HK$190,000.)
(iii) 'Balance agreed to our record' (However, the response was not signed).
(iv) 'Our balance due to you at 31 December 20Y0 was HK$310,000' (In your client's
receivables ledger, the balance at 31 December 20Y0 was HK$200,000.)
Your staff have not performed any other work in this area to date.
Required
In each of the above situations (a) to (c), describe the additional audit procedures you would
perform in order to obtain sufficient appropriate audit evidence.
(The answer is at the end of the chapter)

15 Financial Instruments

Topic highlights
'Hong Kong Auditing Practice Guidance' (HKAPG) - HKAPG 1000 conforms with IAPN 1000 and
it provides important practical assistance to auditors when addressing valuation and other
considerations pertaining to financial instruments.
Financial instruments may be used by financial and non-financial entities of all sizes for a variety of
purposes. Some entities have large holdings and transaction volumes while other entities may only
engage in a few financial instrument transactions. Some entities may take positions in financial
instruments to assume and benefit from risk while other entities may use financial instruments to
reduce certain risks by hedging or managing exposures. This Hong Kong Auditing Practice
Guidance (HKAPG) is relevant to all of these situations.

15.1 Purposes of HKAPG 1000

The purpose of the HKAPG1000 is to provide:
(a) Background information about financial instruments
(b) Discussion of audit considerations relating to financial instruments
HKAPGs provide practical assistance to auditors. This HKAPG is relevant to entities of all sizes,
as all entities may be subject to risks of material misstatement when using financial instruments.
The guidance on valuation in this HKAPG is likely to be more relevant for financial instruments
measured or disclosed at fair value, while the guidance on areas other than valuation applies
equally to financial instruments either measured at fair value or amortized cost. This HKAPG is also

413
 Business Assurance

applicable to both financial assets and financial liabilities. This HKAPG does not deal with
instruments such as:
(a) The simplest financial instruments such as cash, simple loans, trade accounts receivable
and trade accounts payable
(b) Investments in unlisted equity instruments
(c) Insurance contracts
This HKAPG has been written in the context of general purpose fair presentation financial reporting
frameworks, but may also be useful, as appropriate in the circumstance, in other financial reporting
frameworks such as special purpose financial reporting frameworks.
This HKAPG focuses on the assertions of valuation, and presentation and disclosure, but also
covers, in less detail, completeness, accuracy, existence, and rights and obligations.

15.2 Controls relating to financial instruments

Normally, it is the role of those charged with governance to set the tone regarding, and approve
and oversee the extent of use of, financial instruments while it is management's role to manage
and monitor the entity's exposures to those risks.
An entity's internal control over financial instruments is more likely to be effective when
management and those charged with governance have:
(a) Established an appropriate control environment, active participation by those charged
with governance in controlling the use of financial instruments
(b) Established a risk management process relative to the size of the entity and the complexity
of its financial instruments
(c) Established information systems that provide those charged with governance with an
understanding of the nature of the financial instrument activities and the associated risks,
including adequate documentation of transactions
(d) Designed, implemented and documented a system of internal control
(e) Established appropriate accounting policies, including valuation policies, in accordance
with the applicable financial reporting framework
An expectation that controls are operating effectively may be more common when dealing with a
financial institution with well-established controls, and therefore controls testing may be an effective
means of obtaining audit evidence.
Entities with a high volume of trading and use of financial instruments may have more sophisticated
controls, and an effective risk management function, and therefore the auditor may be more likely
to test controls in obtaining evidence.
When an entity has relatively few transactions involving financial instruments, it may be relatively
easy for the auditor to obtain an understanding of the entity's objectives for using the financial
instruments and the characteristics of the instruments.

15.3 Audit considerations relating to financial instruments

Certain factors may make auditing financial instruments particularly challenging:
It may be difficult for both management and the auditor to understand the nature of financial
instruments.
 Market sentiment and liquidity can change quickly.
 Evidence supporting valuation may be difficult to obtain.

414
 13: Specific audit procedures | Part D Assurance engagements

 Individual payments associated with certain financial instruments may be significant, which
may increase the risk of misappropriation of assets.
 The amounts recorded in the financial statements relating to financial instruments may not
be significant, but there may be significant risks and exposures associated with these
financial instruments.
A few employees may exert significant influence on the entity's financial instruments transactions.
These factors may cause risks and relevant facts to be obscured, which may affect the auditor's
assessment of the risks of material misstatement. Therefore the auditor needs to use professional
scepticism when assessing audit evidence and remain alert for possible indications of management
bias.
15.3.1 Planning consideration for auditing financial instruments
The auditor's focus in planning the audit is particularly on:
 Understanding the accounting and disclosure requirements
 Understanding the financial instruments to which the entity is exposed, and their purpose
and risks
 Determining whether specialised skills and knowledge are needed in the audit
 Understanding and evaluating the system of internal control in light of the entity's financial
instrument transactions and the information systems that fall within the scope of the audit
 Understanding the nature, role and activities of the internal audit function
 Understanding management's process for valuing financial instruments, including whether
management has used an expert or a service organisation
 Assessing and responding to the risk of material misstatement

15.3.2 Assessing and responding to the risks of material misstatement

The use of more complex financial instruments, such as those that have a high level of uncertainty
and variability of future cash flows, may lead to an increased risk of material misstatement,
particularly regarding valuation.
There would also be fraud risk factors related to financial instruments, for example:
 Incentives for fraudulent financial reporting by employees may exist where compensation
schemes are dependent on returns made from the use of financial instruments.
 Difficult financial market conditions may give rise to increased incentives for management or
employees to engage in fraudulent financial reporting: i.e. to protect personal bonuses.
 Misappropriation of assets and fraudulent financial reporting may often involve override of
controls.
The auditor's risk assessment process may lead the auditor to identify one or more significant
risks relating to the valuation of financial instruments, when there are:
 High measurement uncertainties related to the valuation of financial instruments
 Lack of sufficient evidence to support management's valuation of its financial instruments
 Lack of management understanding of its financial instruments or expertise necessary to
value such instruments properly
 Lack of management understanding of complex requirements in the applicable financial
reporting framework relating to measurement and disclosure of financial instruments
 The significance of valuation adjustments made to valuation technique outputs

415
 Business Assurance

15.3.3 Audit procedures on assertions of financial instruments

(a) Procedures that may provide audit evidence to support the completeness and
existence assertions include:
 External confirmation of bank accounts, trades, and custodian statements.
 Reviewing reconciliations of statements or data feeds from custodians with the entity's
own records.
 Reviewing journal entries and the controls over the recording of such entries.
 Reading individual contracts and reviewing supporting documentation of the entity's
financial instrument transactions, including accounting records.
 Testing controls, for example by reperforming controls.
 Reviewing the entity's complaints management systems.
 Reviewing master netting arrangements to identify unrecorded instruments.
(b) Procedures that may provide audit evidence to support the accuracy, valuation and
allocation assertion
The auditor should evaluate whether the valuation techniques used by an entity are
appropriate in the circumstances, and whether controls over valuation techniques are in
place,
In accordance with HKSA 540, the auditor considers the entity's valuation policies and
methodology for data and assumptions used in the valuation methodology.
In testing how management values the financial instrument and in responding to the
assessed risks of material misstatement in accordance with HKSA 540, the auditor should:
 Test how management made the accounting estimate and the data on which it is
based (including valuation techniques used by the entity in its valuations).
 Evaluate whether the assumptions used by management are reasonable.
 Test the operating effectiveness of the controls over how management made the
accounting estimate, together with appropriate substantive procedures.
 Develop a point estimate or a range to evaluate management's point estimate.
 Determine whether events occurring up to the date of the auditor's report provide audit
evidence regarding the accounting estimate.
 Evaluate the appropriateness of management's expert's work. This assists the auditor
in assessing whether the prices or valuations supplied by a management's expert
provide sufficient appropriate audit evidence to support the valuations.
(c) Procedures that may provide audit evidence to support the presentation and
classification assertions
The auditor's focus may need to be on the disclosures relating to risks and sensitivity
analysis. Information obtained during the auditor's risk assessment procedures and testing
of control activities may provide evidence in order for the auditor to conclude whether or not
the disclosures in the financial statements are in accordance with the requirements of the
applicable financial reporting framework.
Consideration of the appropriateness of presentation, for example on short-term and long-
term classification, in substantive testing of financial instruments is relevant to the auditor's
evaluation of the presentation and classification.

416
 13: Specific audit procedures | Part D Assurance engagements

15.4 Other relevant audit considerations

HKSA 580 Written representations
HKSA 540 requires the auditor to obtain written representations from management and, where
appropriate, those charged with governance whether they believe significant assumptions used in
making accounting estimates are reasonable.
HKSA 260 (Revised) Communication with those charged with governance
The auditor may communicate the nature and consequences of significant assumptions used in
fair value measurements, the degree of subjectivity involved in the development of the
assumptions, and the relative materiality of the items being measured at fair value to the financial
statements as a whole. In some cases, auditors may be required, or may consider it appropriate, to
communicate directly with regulators or prudential supervisors, in addition to those charged with
governance, regarding matters relating to financial instruments.

417
418
AUDIT PROCEDURES
Business Assurance

Topic recap

Non-current Inventory Receivables Cash Trade payables Provisions Sales and Wages and
assets purchases salaries

Completeness Existence Existence Completeness Completeness Existence Completeness Occurrence

Existence Completeness Completeness Existence Accuracy Completeness Accuracy Accuracy
Accuracy, Rights and Accuracy, Rights and Cut-off Accuracy, Cut-off Completeness
valuation and obligations valuation and obligations valuation and
allocation Accuracy, allocation Accuracy, allocation
Rights and valuation and valuation and
obligations allocation allocation
Cut-off

External Supplier statement • Discussion with Analytical • Controls testing

confirmation reconciliations management procedures • Analytical
• Physical Planning • Bank confirmation Review of legal procedures
•
inspection attendance and • Review of bank correspondence
• Recalculation review reconciliations
management
inventory count
procedures Positive Positive

Attendance at
inventory count

Test count
procedures
 13: Specific audit procedures | Part D Assurance engagements

Answers to self-test questions

Answer 1
Audit work on the trucks
Existence assertion
Agree to the physical asset to confirm existence of the trucks. For trucks out on hire during the
audit visit, obtain alternative evidence of existence such as payment from customer near year end
for hire or send confirmations.
Completeness assertion
For a sample of vehicle purchases during the year, trace details to the non-current assets register.
For a sample of sold/scrapped vehicles during the year, ensure asset has been removed from the
non-current assets register.
Accuracy, valuation and allocation assertion
Obtain non-current asset register from entity and cast the cost, depreciation and net book value
columns of the register and agree to final figures appearing on the statement of financial position.
Recalculate depreciation in the non-current asset register, ensuring that the rates used are those
disclosed in the financial statements.
Review profits and losses generated on sale of vehicles and ensure these are not excessive.
Check the accuracy of the depreciation rates used as this may indicate over or under charge of
depreciation.
Check the physical condition of the vehicle to assess any impairment of the trucks.
Rights and obligations assertion
Agree details to purchase invoice or similar document for evidence of ownership ie annual licence.
Occurrence assertion
Examine board minutes or similar documentation for evidence of authority to purchase vehicles.
Compare sales income to sale of similar vehicles with similar mileage and ensure comparable for a
sample of disposals during the year.
Check calculation of profit or loss on disposal of trucks.
Agree receipt on sale to the cash book.
Presentation and classification assertions
Agree totals in non-current asset register to the financial statements, ensuring vehicles are
disclosed separately in the non-current assets note (material item).
Ensure that the accounting policy for depreciation is clearly stated in the financial statements and is
the same as last year.

419
 Business Assurance

Answer 2
(a) The accuracy, valuation and allocation of goodwill and intangible assets may be materially
misstated if:
 improper business and intangible asset valuation prepared by X Limited due to wrong
assumptions, business data and valuation methodology used
 certain intangible assets are not identified from the acquisition
 useful lives of the intangible assets are over-estimated
 goodwill impairment assessment was not properly prepared by management with
reference to inappropriate business data and assumptions
(b) CC Limited's auditor should consider the below audit procedures on goodwill:
 Inspect the selling and purchase agreement and agree the consideration to the selling
and purchase agreement
 Assess the reasonableness of the business valuation performed by X Limited by
reviewing the valuation methodology, data and assumptions used
 Assess the competence, objectivity and independence of X Limited to ensure X
Limited has the expertise on advising the business valuation and intangible assets
 Recalculate the purchase price allocation among assets acquired and liabilities
assumed, intangible assets identified and goodwill allocated
 Check purchased goodwill is calculated correctly. It should reflect the difference
between the fair value of the consideration given and the aggregate of the fair values
of the separable net assets acquired
 Review the goodwill impairment assessment performed by CC Limited. Discuss with
management the reasonableness of assumptions and data used and appropriateness
of the assessment model
CC Limited's auditor should consider the below audit procedures on purchased intangible
assets:
 Inspect the selling and purchase agreement and agree purchased intangibles as to
the selling and purchase agreement
 Inspect the valuation report prepared by X Limited to ensure the valuations of the
intangibles are reasonable
 Assess the reasonableness of the useful lives of the intangible assets estimated by
X Limited and management
 Recalculate the amortisation calculations of the intangibles prepared by management

Answer 3
In response to the implementation of the new ERP system, Daniel should consider the following
audit procedures in his audit plan:
 Consider whether the audit team possesses the required expertise to audit the new ERP
system.
 Consider the timing of the audit procedures, eg performing a pre-implementation review or a
post-implementation review.
 Consider whether a computer expert is required to use CAATs and other audit software in
carrying out the testing.

420
 13: Specific audit procedures | Part D Assurance engagements

 Obtain an understanding from management as to whether the implementation of the new

ERP system has changed the processes and controls of the company's inventory cycle.
 Evaluate and validate the key management controls over the inventory cycle.
 Obtain an understanding from management of the processes and controls in place for the
data conversion from the old system to the new ERP system (i.e. how management ensure
the data conversion is accurate and complete).
 Evaluate the effectiveness of management's controls over data conversion.
 Validate the key management's controls over data conversion.
 If management's controls over data conversion are not effective, design appropriate
substantive test of details to ensure the data conversion from the old system to the new
system is accurate and complete.
 Test the IT general controls of the new ERP system, covering controls over data centre
operations, system software acquisition and maintenance, access security, and application
system development and maintenance.
 Use the control reliant approach rather than substantive testing approach for the inventory
costing calculation only if the controls in place are confirmed to be effective.

Answer 4
(a) The auditor uses assertions in assessing risks and designing and performing audit
procedures in response to the assessed risks. HKSA 315 (Revised 2016) categorises
assertions into those relating to classes of transactions and events and related disclosures,
and account balances and related disclosures.
While external confirmations may provide audit evidence regarding these assertions, the
ability of an external confirmation to provide audit evidence relevant to a particular assertion
varies.
External confirmation of trade receivable provides reliable and relevant audit evidence
regarding the existence of the account and customer as at a certain date, eg, 31 March 20X0
for DEF.
However, external confirmation of trade receivable does not ordinarily provide all the
necessary audit evidence relating to the accuracy, valuation and allocation assertion
because it is not practicable to ask the debtor to confirm detailed information relating to its
ability to pay the account.
External confirmation of trade receivable also does not ordinarily provide all the necessary
audit evidence relating to unrecorded trade receivable balances (the completeness
assertion).
(b) Wong should perform the following additional audit procedures:
(i) Wong should ask DEF to follow up Debtor A's response by providing the outstanding
statement with all necessary details to Debtor A after checking. It is unlikely that this
additional audit procedure is impractical.
(ii) Wong should verify the source and contents of the response in a telephone call to the
purported sender of Debtor B, and document oral confirmations in the audit
documentation file. Where practicable, Wong should return this response to Debtor B
for signature after asking DEF to communicate the issue with Debtor B.
(iii) Wong should check with DEF if the balance was actually received. Wong should verify
it with the bank statement. Wong has to obtain DEF's explanation on the reply of
Debtor C's confirmation.

421
 Business Assurance

If the HK$580,000 was received and credited to the wrong customer account, Wong
should investigate whether this is a clerical error. To assure both accounts have been
properly stated, the account originally credited should be reconfirmed unless the
customer has already questioned the propriety of the credit.
If there is no receipt evidence in DEF, Wong has to ask DEF to obtain the payment
evidence and sort out the issue with Debtor C. Wong needs to verify evidence once
the issue is sorted out. Wong should be alert if there is an unreasonable time lag
between the cheque receipt date and the bank-in date, it may be a teeming and lading
fraud and Wong should re-assess the audit risk and take necessary action.
(iv) Debtor D has effectively confirmed a balance of HK$400,000. The remaining
HK$300,000 goods in transit should be analysed to determine whether there is any
cut-off error. Wong should check when the goods were sent to and received by Debtor
D. The remaining HK$300,000 should be recognised as trade receivable if the arrival
date to the seller's port/airport (for FOB shipping point) is on or before 31 March 20X0
and the arrival date to the buyer's port/airport (for FOB destination) is on or before
31 March 20X0.

Answer 5
(a) As the balance of accounts payable is significantly reduced from the prior year and does not
match with the performance of the entity, the risk of material misstatement relating to the
completeness assertion of Amy Limited's accounts payable as at 30 June 20X3 is high.
The risk of material misstatements may be caused by:
 Amounts posted to accounts payable that do not relate to valid adjustments (credit
notes).
 Payments to trade creditors being recorded before the period end in error.
 Amounts in respect of goods-in-transit.
 Adjustments in respect of goods and services received (credit notes) being recorded
in the incorrect period.
 The reconciliation between the accounts payable sub-ledger and the general ledger
containing invalid reconciling items.
 The reconciliation between the accounts payable sub-ledger and the statements
received from the suppliers containing invalid reconciling items.
 Costs associated with importing raw materials not being recorded or being recorded in
the incorrect financial period.
 Inputting error
(b) Procedures for audit confirmation of Amy Limited's accounts payables include:
Selecting the accounts payable balances on which to perform the confirmation
The auditor should make a selection of relevant account balance items and prepare or have
the entity prepare confirmation requests for such a selection. The samples for confirmations
are selected from the accounts payable sub-ledger with total amount tied to the general
ledger by representative sampling. Selection may be based on the following:
 Major suppliers by reference to the purchase transactions throughout the year.
 Material balance as at the year end.
 Accounts showing material fluctuations from prior year.
 Auditor may also send confirmation to accounts payable with small or zero balance on
some situations to test the completeness assertion.

422
 13: Specific audit procedures | Part D Assurance engagements

Accuracy and validity of confirmation letters:

 Compare the addresses with the addresses on invoices or purchase orders.
 Agree the amounts shown on the confirmations to the accounts payable sub-ledger.
 Obtain the client's authorisation by endorsing or signing the confirmations.
Control the proper response
 Request the suppliers to send the confirmations to the auditor directly.
(c) If the confirmation is not received within a reasonable period of time, the auditor should
perform the following procedures:
(i) Arrange second request and/or phone the party to ask them to respond the original
request.
(ii) Perform the following alternative procedures:
(a) Obtain statements of the selected suppliers as at 30 June 20X3.
(b) Agree the balances with the samples selected.
(c) Select a sample of reconciliations between the accounts payable sub-ledger
and the statements received from suppliers and review the reconciliation.
(d) Test reconciling items by tracing them to supporting documentation.
(e) Evaluate whether the reconciling items are valid.
(f) If suppliers' statements are not available, perform the following procedures:
 Select a sample of debits to accounts payable and trace each selection to
credit notes or payments; documentation of payments made or other
supporting documentation; and evaluate whether debits are valid and
have been recorded in the appropriate period.
 Select a sample of goods received after period end; trace to invoices and
shipping terms and evaluate whether goods in-transit at period end where
ownership had passed to the entity have been recorded in accounts
payable.
(iii) Consider if the non response is an indication of a previously unidentified risk of
material misstatement. The auditor may need to reconsider or revise the assessed risk
of material misstatement or modify planned audit procedures.

Answer 6
(a) The risk of material misstatement relating to the occurrence assertion of Think Limited's
revenue for the year ended 31 March 20X4 is high, because:
 The revenue significantly increased 84% from the prior year and there was no
significant capital investment in Think Limited's property, plant and equipment to
increase its production capacity.
 The gross profit margin increased from 15% to 33%. For manufacturing company,
revenue should change in line with the cost of goods sold.
 The accounts receivable balances increased to 3 times of the same in the last year
and the debtor turnover period (accounts receivable / revenue  365 days) increased
from 96 days to 161 days. It indicated that the revenue may be overstated by
including non-exist debtors.

423
 Business Assurance

(b) The audit procedures for the occurrence assertion of revenue may include:
 Perform a financial analysis of the fluctuation of gross profit margin.
 Ask the management for the reasons for the fluctuation in gross profit margin with
reference to the market situation.
 Perform an industry comparison and analysis to document whether the change in
gross profit margin is in agreement with the current market trends and situation.
 Perform a walk through test and control test to ensure the existence and effectiveness
of internal controls implemented for the revenue cycle.
 Review whether the entity is recognising revenue in accordance with HKFRS 15
Revenue from Contracts with Customers. Confirm whether a consistent revenue
recognition policy has been applied throughout the periods.
 Discuss with the staff at the operational level to confirm that the business operation
procedure was correct and up to date and there are no key changes in the business
operation procedures.
 Perform substantive procedures by selecting samples from the sales ledger and
tracing them through to goods delivery documents to ensure proper recording.
 Perform direct confirmation of customers to confirm the total sales amount for the year.

Answer 7
(a) Given that the impairment loss for warranty account balance is material, audit steps in
accordance with HKSA 540 Audit of Accounting Estimates should be undertaken to obtain
sufficient appropriate audit evidence to conclude whether the accounting estimates for
warranty impairment loss made by the management is reasonable in the circumstances and
whether the impairment loss is appropriately disclosed.
In this case, it is appropriate for the auditor to review and test the process used by
management to develop the estimate. Given that impairment losses for warranty claims
usually take time to realise, it is unlikely that review of subsequent transactions may provide
the auditor with further audit evidence regarding an accounting estimate made by
management. (However, this does not mean that the auditors need not perform normal
procedures on subsequent events, for example, inquire of management whether the claim
levels have changed unexpectedly after the year-end.) It is also unlikely that an independent
estimate for comparison with that prepared by management is necessary.
In reviewing and testing the process used by management, the auditor would ordinarily
perform the following steps:
(i) Ensure the impairment loss satisfies the recognition criteria under the relevant HKASs
(ii) Evaluate the data and consider the assumptions on which the impairment loss
warranty is based
(iii) Review and/or reperform the calculations involved in the estimate
(iv) Compare last year's estimates with the actual warranty costs incurred to determine
whether last year's estimate was accurate
(v) Consider management's approval procedures and obtain management
representations

424
 13: Specific audit procedures | Part D Assurance engagements

(b) HKSA 501 (Clarified) states that when the auditor believes a risk of material misstatement
regarding litigation or claims may exist, the auditor should seek direct communication with
the entity's legal counsel. Normally, the communication would be in the form of a letter to the
external legal counsel that specifies:
(i) A list of litigation and claims
(ii) Management's assessment of the outcome of the litigation or claim and its estimate of
the financial implications, including costs involved
(iii) A request for the solicitors to confirm the reasonableness of management's
assessment of the outcome of the claim and its estimate of the financial implications,
including costs involved
The letter, which should be prepared by management and sent by the auditor, should
request the entity's legal counsel to communicate directly with the auditor.
Where necessary, the auditor would meet with the entity's legal counsel to discuss the likely
outcome of litigation and claims.
(c) (i) Where time allows, send to the customers details of the outstanding invoices for
confirmation. Where this is not practicable, perform appropriate alternative
procedures. For example, trace balance to any subsequent cash receipt and agree
unpaid amounts to invoices and proof of delivery.
(ii) The debtor has effectively confirmed a balance of HK$170,000. The auditor should
trace the remaining HK$20,000 to subsequent payment or, invoices and proof of
delivery.
The exception may indicate a misstatement in the entity's records. In such a case, the
auditor determines the reasons for the misstatement and assesses whether it has a
material effect on the financial statements. If an exception indicates a misstatement,
the auditor reconsiders the nature, timing and extent of audit procedures necessary to
provide the audit evidence required.
(iii) Verify the source and contents of a response in a telephone call to the purported
sender, and document oral confirmations in the working papers. Where practicable
this response should be returned to the debtor for signing.
(iv) The balance of HK$310,000 should be reconciled to the entity's record of HK$200,000
by verifying any differences in recording payments, invoices and delivery of goods.
The exception may indicate a misstatement in the entity's records. In such a case, the
auditor determines the reasons for the misstatement and assesses whether it has a
material effect on the financial statements. If an exception indicates a misstatement,
the auditor reconsiders the nature, timing and extent of audit procedures necessary to
provide the audit evidence required.

425
 Business Assurance

Exam practice

X Limited 21 minutes
C Limited is a customer of X Limited. In X Limited's accounting records, HK$2,589,000 is shown
as an outstanding balance receivable from C Limited as at 30 June 20Y0. C Limited and X Limited
have recently been disputing over the quality of some products delivered from X Limited to
C Limited.
Required
You are the auditor of X Limited. Explain how you would evaluate the accuracy, valuation and
allocation assertion of the overall trade receivables balance, in which HK$2,589,000 due from C
Limited is under dispute, in X Limited's accounting records. (12 marks)
HKICPA June 2011

Z Construction 27 minutes
A CPA (Practising), Benny, and his team are carrying out the audit of the financial statements for a
mid-size construction company called Z Construction. Today, Benny receives the bank
reconciliation at the financial year-end date from Z Construction's Financial Controller and the bank
confirmation reply from Z Construction's banker. Benny has also asked the financial controller to
arrange to send a confirmation letter to Z Construction's lawyer.
Required
(a) List out the audit procedures that Benny and his team should conduct in respect of the bank
reconciliation. (7 marks)
(b) In addition to the balances of current and deposit accounts, explain two more particular items
for the construction industry that Benny and his team should seek to ascertain or confirm
from the bank confirmation reply. (4 marks)
(c) Explain what Benny and his team should seek to ascertain or confirm from the lawyer's
confirmation letter. (4 marks)
(Total = 15 marks)
HKICPA June 2012

Inventory 27 minutes
You are working on an audit engagement for a client who owns over 150 chain shoe stores in Hong
Kong. Your client owns five different shoe brands and each of the brands specialises in a different
style of shoe product. During the course of the audit, you look into the inventory ledger and find
that the inventory balance as at year end increased three-fold to HK$200 million compared to last
year, representing 20% of the total assets of the company as at year end, and the inventory aging
has been deteriorating significantly compared to last year.
You therefore discuss with the management their assessment on the appropriateness of the
inventory provision. The managing director explains to you that he is very optimistic about their
future development. According to the managing director, they have just acquired three more shoe
brands and will open another 50 shoe stores in Hong Kong in the coming year and therefore the
inventory balance as at year end had tripled compared to last year. In addition, he is confident that

426
 13: Specific audit procedures | Part D Assurance engagements

there will be no inventory provision required against their shoe products given that their shoe
products are always well-received by their customers in the market.
Required
(a) Assess and explain the risk of material misstatement relating to the accounting estimate over
the inventory valuation as at year end. (5 marks)
(b) After talking to the managing director, you are not satisfied with the explanation from the
managing director on the inventory. What audit procedures would you further perform in
response to the risk of material misstatement discussed in (a)? (10 marks)
(Total = 15 marks)
HKICPA December 2012

Cash and bank 18 minutes

In a recent dialogue with the internal audit function, you understand that the internal audit function
has issued an unsatisfactory report on the bank reconciliation process of your client. The internal
audit report indicated that there was significant control deficiency over the cash management
process, and that the management processes and controls were not properly exercised by the
operation team.
Required
(a) Assess and explain the risk of material misstatement relating to the existence and accuracy
assertions of the cash and bank balance as at year end. (3 marks)
(b) Suggest and explain the audit procedures you would perform in response to the risk of
material misstatement identified in Question (a). (7 marks)
(Total = 10 marks)
HKICPA December 2012 (amended)

427
 Business Assurance

428